Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Images contain *-dev packages that are used to build HAProxy but which are useless at runtime #225

Closed
L3n41c opened this issue Apr 5, 2024 · 0 comments · Fixed by #226
Closed

Images contain *-dev packages that are used to build HAProxy but which are useless at runtime #225

L3n41c opened this issue Apr 5, 2024 · 0 comments · Fixed by #226

Comments

@L3n41c
Copy link
Contributor

L3n41c commented Apr 5, 2024

The haproxy docker images are containing some *-dev packages:

$ docker run --rm -it --user 0 --entrypoint /usr/bin/bash haproxy:2.4.25
root@f6106d13cb42:/# apt search -- -dev
Sorting... Done
Full Text Search... Done
dpkg/now 1.21.22 amd64 [installed,local]
  Debian package management system

libc-dev-bin/now 2.36-9+deb12u4 amd64 [installed,local]
  GNU C Library: Development binaries

libc6-dev/now 2.36-9+deb12u4 amd64 [installed,local]
  GNU C Library: Development Libraries and Header Files

libcrypt-dev/now 1:4.4.33-2 amd64 [installed,local]
  libcrypt development files

libnsl-dev/now 1.3.0-2 amd64 [installed,local]
  libnsl development files

libtirpc-dev/now 1.3.3+ds-1 amd64 [installed,local]
  transport-independent RPC library - development files

linux-libc-dev/now 6.1.76-1 amd64 [installed,local]
  Linux support headers for userspace development

Whereas those packages are needed to build haproxy, they contain only header files and static libraries which are useless at runtime.
Hence, they shouldn’t be shipped in the final image.
L3n41c added a commit to L3n41c/haproxy that referenced this issue Apr 5, 2024
@L3n41c
Remove the *-dev packages from the final image
cffd922 
Fixes docker-library#225

The issue comes from the logic that aims at removing the packages that were
needed to build `haproxy` but which are not needed at runtime anymore.

```bash
        find /usr/local -type f -executable -exec ldd '{}' ';' \
                | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
                | sort -u \
                | xargs -r dpkg-query --search \
                | cut -d: -f1 \
                | sort -u \
                | xargs -r apt-mark manual \

```

The `ldd` looks for the libraries that `haproxy` depends on, among which, `libc.so.6`.
The `awk` command reformats the output of `ldd` and produces, among other libraries:
```
lib/x86_64-linux-gnu/libc.so.6
```

Those files are then passed to `dpkg-query` to find their owning package.
And this is where the issue is coming from:

```
root@f6106d13cb42:/# dpkg-query --search lib/x86_64-linux-gnu/libc.so.6

libc6-dev:amd64: /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/libc.so.6-gdb.py
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6
```

The issue is that the library we are interested in happens to also be a substring
of a GDB pretty-printing script that is obviously not needed at runtime by `haproxy`.
L3n41c added a commit to L3n41c/haproxy that referenced this issue Apr 5, 2024
@L3n41c
Remove the *-dev packages from the final image
05168d3 
Fixes docker-library#225

The issue comes from the logic that aims at removing the packages that were
needed to build `haproxy` but which are not needed at runtime anymore.

```bash
        find /usr/local -type f -executable -exec ldd '{}' ';' \
                | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
                | sort -u \
                | xargs -r dpkg-query --search \
                | cut -d: -f1 \
                | sort -u \
                | xargs -r apt-mark manual \

```

The `ldd` looks for the libraries that `haproxy` depends on, among which, `libc.so.6`.
The `awk` command reformats the output of `ldd` and produces, among other libraries:
```
lib/x86_64-linux-gnu/libc.so.6
```

Those files are then passed to `dpkg-query` to find their owning package.
And this is where the issue is coming from:

```
root@f6106d13cb42:/# dpkg-query --search lib/x86_64-linux-gnu/libc.so.6

libc6-dev:amd64: /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/libc.so.6-gdb.py
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6
```

The issue is that the library we are interested in happens to also be a substring
of a GDB pretty-printing script that is obviously not needed at runtime by `haproxy`.
L3n41c added a commit to L3n41c/haproxy that referenced this issue Apr 5, 2024
@L3n41c
Remove the *-dev packages from the final image
55c8766 
Fixes docker-library#225

The issue comes from the logic that aims at removing the packages that were
needed to build `haproxy` but which are not needed at runtime anymore.

```bash
        find /usr/local -type f -executable -exec ldd '{}' ';' \
                | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
                | sort -u \
                | xargs -r dpkg-query --search \
                | cut -d: -f1 \
                | sort -u \
                | xargs -r apt-mark manual \

```

The `ldd` looks for the libraries that `haproxy` depends on, among which, `libc.so.6`.
The `awk` command reformats the output of `ldd` and produces, among other libraries:
```
lib/x86_64-linux-gnu/libc.so.6
```

Those files are then passed to `dpkg-query` to find their owning package.
And this is where the issue is coming from:

```
root@f6106d13cb42:/# dpkg-query --search lib/x86_64-linux-gnu/libc.so.6

libc6-dev:amd64: /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/libc.so.6-gdb.py
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6
```

The issue is that the library we are interested in happens to also be a substring
of a GDB pretty-printing script that is obviously not needed at runtime by `haproxy`.
@L3n41c L3n41c mentioned this issue Apr 5, 2024
Merged
L3n41c added a commit to L3n41c/haproxy that referenced this issue Apr 6, 2024
@L3n41c
Remove the *-dev packages from the final image
e3b5621 
Fixes docker-library#225

The issue comes from the logic that aims at removing the packages that were
needed to build `haproxy` but which are not needed at runtime anymore.

```bash
        find /usr/local -type f -executable -exec ldd '{}' ';' \
                | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' \
                | sort -u \
                | xargs -r dpkg-query --search \
                | cut -d: -f1 \
                | sort -u \
                | xargs -r apt-mark manual \

```

The `ldd` looks for the libraries that `haproxy` depends on, among which, `libc.so.6`.
The `awk` command reformats the output of `ldd` and produces, among other libraries:
```
lib/x86_64-linux-gnu/libc.so.6
```

Those files are then passed to `dpkg-query` to find their owning package.
And this is where the issue is coming from:

```
root@f6106d13cb42:/# dpkg-query --search lib/x86_64-linux-gnu/libc.so.6

libc6-dev:amd64: /usr/share/gdb/auto-load/lib/x86_64-linux-gnu/libc.so.6-gdb.py
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6
```

The issue is that the library we are interested in happens to also be a substring
of a GDB pretty-printing script that is obviously not needed at runtime by `haproxy`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix dpkg-query --search to be more specific L3n41c/haproxy
1 participant
@L3n41c