diff --git a/README.md b/README.md
index 76bde8c..9703edb 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,20 @@ The following files are added (taken from Debian) to fix some common issues:
 - `/etc/services` : for named ports resolution
 - `/lib/x86_64-linux-gnu/libpthread.so.0` : common required lib for project binaries that cannot be statically built.
 
+### prom/busybox:alpine-glibc : glibc
+
+Based on the official `busybox:glibc` base image.
+
+The `busybox` executable is replaced by the [statically linked busybox](https://pkgs.alpinelinux.org/package/v3.16/main/x86_64/busybox-static) from `alpine:latest`.
+The Alpine project provides far more timely security patches to `busybox` that the official `busybox` release. No other parts of Alpine are needed or used in this image.
+
+The following files are added (taken from Debian) to fix some common issues:
+
+- `/etc/ssl/certs/ca-certificates.crt` : for HTTPS support
+- `/usr/share/zoneinfo` : for timezones
+- `/etc/services` : for named ports resolution
+- `/lib/x86_64-linux-gnu/libpthread.so.0` : common required lib for project binaries that cannot be statically built.
+
 ## Build Docker images locally
 
 ```
diff --git a/alpine-glibc/Dockerfile b/alpine-glibc/Dockerfile
new file mode 100644
index 0000000..09defad
--- /dev/null
+++ b/alpine-glibc/Dockerfile
@@ -0,0 +1,49 @@
+ARG ARCH=""
+FROM ${ARCH}debian:buster-slim
+
+RUN \
+ apt-get update && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ gcc \
+ netbase \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN set -x \
+ && mkdir -p rootfs/lib \
+ && set -- \
+ /etc/nsswitch.conf \
+ /etc/ssl/certs/ca-certificates.crt \
+ /usr/share/zoneinfo \
+ /etc/services \
+ /lib/"$(gcc -print-multiarch)"/libpthread.so.* \
+ && while [ "$#" -gt 0 ]; do \
+ f="$1"; shift; \
+ fn="$(basename "$f")"; \
+ if [ -e "rootfs/lib/$fn" ]; then continue; fi; \
+ if [ "${f#/lib/}" != "$f" ]; then \
+ ln -vL "$f" "rootfs/lib/$fn"; \
+ else \
+ d="$(dirname $f)" \
+ && mkdir -p "rootfs/${d#/}" \
+ && cp -av "$f" "rootfs/${f#/}"; \
+ fi; \
+ done
+
+FROM ${ARCH}alpine:latest as alpine
+RUN apk add busybox-static && \
+ rm /bin/* && \
+ /tmp/busybox --install /bin && \
+ mv /tmp/busybox /bin/
+
+FROM ${ARCH}busybox:glibc
+MAINTAINER The Prometheus Authors
+
+# Use the busybox executable from alpine which is generally patched more quickly for vulnerabilities
+# Use the busybox.static to avoid dynamic library dependencies.
+COPY --from=alpine /bin/busybox.static /tmp/busybox
+
+RUN rm /bin/* && \
+ /tmp/busybox --install /bin && \
+ mv /tmp/busybox /bin/
+
+COPY --from=0 /rootfs /
diff --git a/glibc/Dockerfile b/glibc/Dockerfile
index 0be7940..0443145 100644
--- a/glibc/Dockerfile
+++ b/glibc/Dockerfile
@@ -29,18 +29,7 @@ RUN set -x \
 fi; \
 done
 
-FROM ${ARCH}alpine:latest as alpine
-RUN apk add busybox-static
-
 FROM ${ARCH}busybox:glibc
 MAINTAINER The Prometheus Authors
 
-# Use the busybox executable from alpine which is generally patched more quickly for vulnerabilities
-# Use the busybox.static to avoid dynamic library dependencies.
-COPY --from=alpine /bin/busybox.static /tmp/busybox
-
-RUN rm /bin/* && \
- /tmp/busybox --install /bin && \
- mv /tmp/busybox /bin/
-
 COPY --from=0 /rootfs /
diff --git a/uclibc/Dockerfile b/uclibc/Dockerfile
index be5849c..0d9b385 100644
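Review bot: The alpine stage's RUN in alpine-glibc/Dockerfile runs `/tmp/busybox --install /bin` right after `rm /bin/*`, but nothing in that stage creates `/tmp/busybox` (apk installs the static applet as `/bin/busybox.static`), so the `&&` chain should presumably fail there, and even if it did not, `rm /bin/*` deletes the very `/bin/busybox.static` that the later `COPY --from=alpine /bin/busybox.static /tmp/busybox` depends on. The final stage already performs the rm/install/mv sequence, so the alpine stage only needs to install the package, exactly as the stages removed from glibc/Dockerfile and uclibc/Dockerfile did: `RUN apk add --no-cache busybox-static`. Separately, `FROM ${ARCH}alpine:latest` plus an unpinned `apk add` make the build non-reproducible; the README in this same commit links the v3.16 package, so pinning to `alpine:3.16` keeps the timely busybox security patches the comment relies on while fixing what actually gets built. `MAINTAINER` is deprecated in favour of a label, e.g. `LABEL maintainer="The Prometheus Authors"`.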
--- a/uclibc/Dockerfile
+++ b/uclibc/Dockerfile
@@ -28,18 +28,7 @@ RUN set -x \
 fi; \
 done
 
-FROM ${ARCH}alpine:latest as alpine
-RUN apk add busybox-static
-
 FROM ${ARCH}busybox:uclibc
 MAINTAINER The Prometheus Authors
 
-# Use the busybox executable from alpine which is generally patched more quickly for vulnerabilities
-# Use the busybox.static to avoid dynamic library dependencies.
-COPY --from=alpine /bin/busybox.static /tmp/busybox
-
-RUN rm /bin/* && \
- /tmp/busybox --install /bin && \
- mv /tmp/busybox /bin/
-
 COPY --from=0 /rootfs /