Skip to content

Simplify Dockerfile, bump some versions and reduce final snapshot size #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
endersonmaia merged 4 commits into from
Oct 24, 2025
Merged

Simplify Dockerfile, bump some versions and reduce final snapshot size #76

endersonmaia merged 4 commits into from
Oct 24, 2025

Conversation

@endersonmaia
Copy link
Contributor

@endersonmaia endersonmaia commented Oct 24, 2025
edited
Loading

This pull request refactors all language Dockerfiles to improve security, reproducibility, and maintainability when installing the machine-guest-tools package. The changes standardize the way the package is downloaded and verified, moving from an in-container download and manual checksum verification to using Docker's ADD command with a SHA256 checksum. Additionally, the base image setup is streamlined by removing unnecessary dependencies after use.

Key changes:

Security and reproducibility improvements:

  • Replaced in-container download and manual SHA512 checksum verification of machine-guest-tools_riscv64.deb with Docker's ADD command using a SHA256 checksum (MACHINE_GUEST_TOOLS_SHA256SUM). This ensures the downloaded file is verified before the build continues, reducing the risk of supply chain attacks. [1] [2] [3] [4] [5] [6] [7] [8]

  • Standardized the installation of machine-guest-tools across all Dockerfiles by removing the use of busybox wget and manual checksum verification, and instead using the ADD command with checksum and then installing the .deb package directly. [1] [2] [3] [4] [5] [6] [7] [8]

Base image cleanup and dependency management:

  • Improved base image hygiene by removing ca-certificates after use in the base stage and running apt-get autoremove to clean up unnecessary packages, reducing image size and potential attack surface. [1] [2] [3] [4] [5] [6] [7] [8]

  • Ensured required build dependencies (ca-certificates, curl) are only installed where needed, improving clarity and minimizing the installed package set in each build stage. [1] [2]

General maintainability:

  • Centralized version and checksum arguments (MACHINE_GUEST_TOOLS_VERSION and MACHINE_GUEST_TOOLS_SHA256SUM) at the top of each Dockerfile for easier updates in the future. [1] [2] [3] [4] [5] [6] [7] [8]

Size Summary

Rootfs Before After Difference
cpp-low-level-rootfs 73.9 MB 67.7 MB -6.2 MB
cpp-rootfs 74.7 MB 68.5 MB -6.2 MB
go-rootfs 82.1 MB 76.5 MB -5.6 MB
java-rootfs 212 MB 212 MB 0 MB
javascript-rootfs 161 MB 155 MB -6 MB
lua-rootfs 92.9 MB 91.6 MB -1.3 MB
python-rootfs 98.5 MB 92.3 MB -6.2 MB
ruby-rootfs 103 MB 98 MB -5 MB
rust-rootfs 76.2 MB 70.1 MB -6.1 MB
typescript-rootfs 161 MB 155 MB -6 MB

References:

@endersonmaia endersonmaia self-assigned this Oct 24, 2025
tuler
tuler requested changes Oct 24, 2025
View reviewed changes
Copy link
Member

@tuler tuler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Build failed

@endersonmaia endersonmaia force-pushed the chore/simplify-dockerfile branch from 8934951 to a95da54 Compare October 24, 2025 16:41
@endersonmaia
chore: remove ca-certificates after update
6479f1b
@endersonmaia
chore: use ADD instead of busybox wget
2d669c1 
Since the final rootfs is flat, we don't get any advantage of reducing
size on container image layers, and we get a simpler code using ADD

Also, we put the version and checksum for machine-guest-tools on top
@endersonmaia
chore(go): bump golang to v1.25.3
8022073
@endersonmaia
chore(rust): bump rust to v1.90.0
27687e3
@endersonmaia endersonmaia force-pushed the chore/simplify-dockerfile branch from a95da54 to 27687e3 Compare October 24, 2025 16:51
@endersonmaia endersonmaia changed the title Chore/simplify dockerfile Simplify Dockerfile, bump some versions and reduce final snapshot size Oct 24, 2025
@endersonmaia endersonmaia requested a review from tuler October 24, 2025 17:23
@endersonmaia endersonmaia merged commit 3ae500d into prerelease/sdk-12 Oct 24, 2025
10 checks passed
@endersonmaia endersonmaia deleted the chore/simplify-dockerfile branch October 24, 2025 17:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tuler tuler tuler approved these changes

Assignees

@endersonmaia endersonmaia

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@endersonmaia @tuler