Docker: Be careful about the scratch image

After I wrote my previous post, some suggested that I can cut down the image size further by using a “scratch” image. And that’s true, “scratch i”s a reserved 0-sized image with nothing in it. And utilizing a scratch binary image did cut down the size of the final Docker image from 13MB to 7.5MB. Pretty good, right? Except the image cannot do an SSL cert verification because of the missing SSL certs!!!

Failed to reach google.com: Get https://google.com: x509: certificate signed by unknown authority

The fix was relatively easy.  Build ca-certificates in the builder phase

RUN apk add --no-cache ca-certificates

And copy it over in the run phase.

COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

The final image is about 0.2 MB larger, and the problem is fixed. See the final code here.

So, what else is in the 5 MB alpine docker image?

The images are from https://github.com/alpinelinux/docker-alpine and check its content. There are tons of standard shell utilities like “ls” symlinked to “busybox”, alpine package database (/apk), other standard libraries for C,  SSL. Here are the biggest contributors to size.

-rwxr-xr-x  0 0      0      100144 Aug 26  2019 ./lib/libz.so.1.2.11
-rw-r--r--  0 0      0      215579 Mar  5 08:00 ./etc/ssl/certs/ca-certificates.crt
-rwxr-xr-x  0 0      0      523728 Apr 21 08:35 ./lib/libssl.so.1.1
-rwxr-xr-x  0 0      0      596528 Apr 12 04:06 ./lib/ld-musl-x86_64.so.1
-rwxr-xr-x  0 0      0      841288 Mar 29 12:43 ./bin/busybox
-rwxr-xr-x  0 0      0     2597536 Apr 21 08:35 ./lib/libcrypto.so.1.1

I think it is OK to use scratch as long as you are building a static binary and copying root certificates. I, personally, feel that it’s better to use a 5MB larger alpine Linux image with no surprises.

Leave a Reply

Your email address will not be published. Required fields are marked *