Breaking change: Alpine image dependencies changing (size and CVE affecting) #4784
richlander
announced in
Announcements
.NET Alpine images are being changed to force package upgrades, which may reduce CVEs in .NET images and/or increase image sizes. .NET 8 Alpine images are (in addition) being updated to no longer install `krb5-libs` (Kerberos) and to use a different version of `ca-certificates`, which will provide a minor size improvement. If you require Kerberos, you will need to install the `krb5-libs` package yourself in your .NET 8+ images.

Note: These changes only apply to packages installed in .NET images (that Microsoft publishes) and don't affect packages installed at higher layers.
Context: `ca-certificates` from Alpine `runtime-deps` image (.NET 8), #4751

Details
The following information details size changes, all based on live data (as of July 28, 2023) on the x64 architecture.

Status quo:

- `alpine` -- 7.33MB (updated 6 weeks ago)
- `mcr.microsoft.com/dotnet/runtime-deps:6.0-alpine` -- 12.3MB (updated 2 weeks ago)
- `mcr.microsoft.com/dotnet/runtime-deps:7.0-alpine` -- 12.3MB (updated 2 weeks ago)
- `mcr.microsoft.com/dotnet/runtime-deps:8.0-preview-alpine` -- 12.3MB (updated 2 weeks ago)

New approach (starting August; using the `alpine` image and package archive as of today):

- `mcr.microsoft.com/dotnet/runtime-deps:6.0-alpine` -- 17.9MB
- `mcr.microsoft.com/dotnet/runtime-deps:7.0-alpine` -- 17.9MB
- `mcr.microsoft.com/dotnet/runtime-deps:8.0-preview-alpine` -- 14.9MB

The fact that the `alpine` image is six weeks old means that packages we install have likely been updated (and they have been). If a new `alpine` image shipped today, then there would be just one set of packages amongst all image layers. We'd expect the following image sizes in that scenario.

- `mcr.microsoft.com/dotnet/runtime-deps:6.0-alpine` -- 12.3MB
- `mcr.microsoft.com/dotnet/runtime-deps:7.0-alpine` -- 12.3MB
- `mcr.microsoft.com/dotnet/runtime-deps:8.0-preview-alpine` -- 9.88MB

You might ask if there is a way for us to avoid the bloating of these images as packages get updated. We have considered producing Alpine distroless images. Please provide us feedback on that if you think it is important.
Note: Our Ubuntu Chiseled images don't have the image bloat problem. They only ever contain one version of each package.
The following sections go into more detail.
Force package upgrades
We recently discovered that we were not forcing upgrades of the packages we install, for Alpine. Our Debian and Ubuntu images do not have this problem. Alpine requires the use of `apk add --upgrade` to force upgrade of packages that are already installed. We did not know that nor did anyone report this to us. Oops!

`libssl3` is a critical package that we install, per ~/src/runtime-deps/8.0/alpine3.18/amd64/Dockerfile. .NET 6 and 7 variants are the same. That means that `libssl3`, for example, will not have been updated when a new package is available beyond what is installed in the `alpine` base image. You can see this behavior in the following example.
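The behavior described above can be checked from inside a built image. The following shell script is an added example (not code from this announcement or from the dotnet-docker project): it parses the output of `apk list --upgradable`, whose `[upgradable from: ...]` line suffix is assumed here, reports packages still at the version the `alpine` base image shipped with, and can fail a build step when any remain. The sample output it parses by default is constructed, not live data.

```shell
#!/bin/sh
# Added example, not code from the .NET announcement: inside an Alpine-based
# image, list packages that a plain `apk add` left at the base-image version
# (the ones `apk add --upgrade` would bump) and fail if any remain.
# Assumed `apk list --upgradable` line format:
#   NAME-VER-REL ARCH {ORIGIN} (LICENSE) [upgradable from: NAME-VER-REL]
# Run with --live inside an Alpine container; without it, only the
# constructed sample below is parsed.

# Constructed sample of `apk list --upgradable` output (not live data).
# The last line carries no "[upgradable from:" marker and must be ignored.
SAMPLE_APK_LIST='libssl3-3.1.2-r0 x86_64 {openssl} (Apache-2.0) [upgradable from: libssl3-3.1.1-r1]
libcrypto3-3.1.2-r0 x86_64 {openssl} (Apache-2.0) [upgradable from: libcrypto3-3.1.1-r1]
ca-certificates-bundle-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [upgradable from: ca-certificates-bundle-20230203-r0]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]'

# Read apk list output on stdin; print "name installed available" for each
# upgradable package. The version is the last two dash-separated fields
# (VER-REL); everything before them is the package name.
parse_upgradable() {
  awk '
    function ver(pkg,   n, p) { n = split(pkg, p, "-"); return p[n-1] "-" p[n] }
    function name(pkg,  n, p, i, s) {
      n = split(pkg, p, "-"); s = p[1]
      for (i = 2; i <= n - 2; i++) s = s "-" p[i]
      return s
    }
    /\[upgradable from: / {
      avail = $1
      inst = $0
      sub(/.*\[upgradable from: /, "", inst)
      sub(/].*/, "", inst)
      print name(avail), ver(inst), ver(avail)
    }'
}

# Number of upgradable packages seen on stdin (0 when the image is current).
count_upgradable() {
  parse_upgradable | awk 'END { print NR }'
}

# Non-zero exit if anything is still at an older version; usable as a
# Dockerfile RUN step after the `apk add --upgrade` commands.
assert_current() {
  n=$(count_upgradable)
  [ "$n" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then
  # Needs root and network access inside the container.
  apk update >/dev/null
  apk list --upgradable | parse_upgradable
  apk list --upgradable | assert_current
else
  printf '%s\n' "$SAMPLE_APK_LIST" | parse_upgradable
fi
```

Wiring `assert_current` into a build (for example as a RUN step after the package installs) turns the silent "still at the base version" state into a build failure rather than something discovered later by an image scanner.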
Starting in August 2023, our `runtime-deps` Dockerfiles for Alpine will be updated to include `--upgrade` for our `apk add` commands. We will make this change for .NET 6, 7, and 8 images. We consider this a correctness change. It is unfortunate that image sizes will increase, but we don't feel we have any choice.

Removing `krb5-libs` and `ca-certificates`
For .NET 8 images, we found opportunities to reduce image size. We are not applying these changes to .NET 6 and 7 because these changes are breaking.

We found that Alpine images include the `ca-certificates-bundle` package. It includes everything we need from the `ca-certificates` package that we have been installing. That means that we've been unknowingly duplicating content. We will not install the `ca-certificates` package going forward (for .NET 8+).

We've always seen the Alpine images as more opinionated than our Debian and Ubuntu images. For example, we don't install the ICU (globalization) package. Kerberos is much more niche than ICU in our view. We will not install the `krb5-libs` package going forward (for .NET 8+). Kerberos is often used with LDAP. We don't install LDAP packages, so for folks that are installing LDAP and using it with Kerberos, this change should not be too onerous.

Kerberos can be installed via the following command.

```dockerfile
RUN apk add --upgrade krb5-libs
```