RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Marc
I can definitely remember having a performance difference between my container 
and a vm. I never bothered to research it any further and thought maybe it was 
related to older cgroups implementation, oc, or older distro. 

> 
> By any chance have you measured the performance difference between GNU
> libc and MUSL?
> 
> 
> Best Regards,
> Taavi
> 

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Taavi Eomäe via bind-users
By any chance have you measured the performance difference between GNU 
libc and MUSL?



Best Regards,
Taavi






Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Ondřej Surý

> On 2. 9. 2024, at 15:22, Devpt Calmarsoft  wrote:
> 
> strip binaries or not

Oh god, don’t ever do that if you ever want my help with debugging.

Stripping the symbols is a horrible practice that should not be done. It’s
ok to have detached symbols that can be installed later, but if you throw the
symbols away, any coredump will become useless.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.




Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Devpt Calmarsoft

On 02/09/2024 at 15:00, Marc wrote:

>> I think this will copy duplicates, duplicates increase still layer
>> size so you have 2x size of a default /usr

Alpine is so small that I did not notice that! Thanks!

>> so you can only copy individual files
>>
>> You are right, extra files appear in the diff! I was thinking that the
>> files already present would be discarded. Copying individual files in
>> this case is not the solution: there are plenty of files (305 if counting
>> includes)
>>
>> So this is a bit more complicated to achieve something cleaner. Maybe
>> install the binaries in an alternate directory in the build step?
>
> What about compiling with prefix /usr/local/ I think this is empty in
> Alpine. I have the impression more vendors do this.

Yes, or on the contrary maybe a pure temp directory: in any case we don't
keep it so that name should not be important. Other details may need to
be reviewed like runtime dependencies, strip binaries or not (at most a
couple of MB so probably pointless).

And most important, real testing (I only checked that named loads with
no error).

I fear side effects of the "--prefix=/install". There is probably a
better way to change installation path.

>> I made a new Dockerfile based on this idea, now the result is 66MB.
>
> Nice!!!
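
Added example, not from the thread or from the ISC bind9-docker repository: a two-stage Dockerfile covering the two points raised in the messages above, staging "make install" under DESTDIR so that only BIND's own files are copied (instead of "COPY --from=builder /usr/ /usr/" or a changed --prefix), and splitting debug symbols into detached files rather than throwing them away. The alpine:3.20 tag, the /install and /debug paths, the stage names, the runtime package list, the "bind" user and the CMD are assumptions; package names and configure options are the ones in the Dockerfile posted in this thread.

```dockerfile
# Added example; not the ISC bind9-docker Dockerfile.
# Assumed: alpine:3.20, the /install and /debug staging paths, stage names,
# the runtime package list, the "bind" user and the CMD line.

FROM alpine:3.20 AS builder

ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0

# Toolchain and -dev packages (names from the Dockerfile in this thread).
# This stage is discarded, so no "apk del" step is needed afterwards.
RUN apk --no-cache add \
        autoconf automake build-base libtool make \
        fstrm-dev jemalloc-dev json-c-dev krb5-dev libcap-dev libidn2-dev \
        libmaxminddb-dev libuv-dev libxml2-dev libxslt lmdb-dev nghttp2-dev \
        openssl-dev protobuf-c protobuf-c-dev userspace-rcu-dev

ADD https://downloads.isc.org/isc/bind9/${BIND9_VERSION}/bind-${BIND9_VERSION}.tar.xz /usr/src/

# Verify the tarball before unpacking it. Configure with the real runtime
# prefix (/usr) and stage the install tree with DESTDIR, so the paths compiled
# into the binaries are not changed by the staging directory.
RUN cd /usr/src && \
    echo "${BIND9_CHECKSUM}  bind-${BIND9_VERSION}.tar.xz" | sha256sum -c - && \
    tar -xJf bind-${BIND9_VERSION}.tar.xz && \
    cd bind-${BIND9_VERSION} && \
    ./configure --prefix=/usr \
        --sysconfdir=/etc/bind \
        --localstatedir=/ \
        --enable-shared \
        --disable-static \
        --with-gssapi \
        --with-libidn2 \
        --with-json-c \
        --with-lmdb=/usr \
        --with-gnu-ld \
        --with-maxminddb \
        --enable-dnstap && \
    make -j"$(nproc)" && \
    make install DESTDIR=/install

# Split the debug sections of every staged ELF file into /debug, laid out as
# /usr/lib/debug/<original path>.debug. "strip --strip-debug" leaves the symbol
# table in place, and the .gnu_debuglink section records which .debug file
# belongs to the binary, so a core dump can be analysed once it is installed.
RUN mkdir -p /debug && \
    find /install -type f | while read -r f; do \
        [ "$(head -c 4 "$f" | tail -c 3)" = "ELF" ] || continue; \
        dbg="/debug/usr/lib/debug${f#/install}.debug"; \
        mkdir -p "$(dirname "$dbg")" && \
        objcopy --only-keep-debug "$f" "$dbg" && \
        strip --strip-debug "$f" && \
        objcopy --add-gnu-debuglink="$dbg" "$f" || exit 1; \
    done

# Symbols-only stage. It is not part of the runtime image; export it with
#   docker build --target symbols --output type=local,dest=./symbols .
# and keep the result next to the image tag it was built from.
FROM scratch AS symbols
COPY --from=builder /debug/ /

# Final image: last stage, so a plain "docker build" produces it.
FROM alpine:3.20 AS runtime

# Shared libraries needed at run time (the non -dev halves of the build list)
# and an unprivileged account for named to switch to.
RUN apk --no-cache add \
        fstrm jemalloc json-c krb5-libs libcap2 libidn2 libmaxminddb-libs \
        libuv libxml2 lmdb nghttp2-libs protobuf-c tzdata userspace-rcu && \
    addgroup -S bind && \
    adduser -S -D -H -G bind bind

# Only the staged tree is copied: the layer holds the files "make install"
# wrote, not a second copy of the base image's /usr.
COPY --from=builder /install/ /

# named.conf is expected at /etc/bind/named.conf (mounted or added by a
# derived image); -g keeps named in the foreground and logs to stderr.
CMD ["/usr/sbin/named", "-g", "-u", "bind"]
```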






RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Marc
> 
>   I think this will copy duplicates, duplicates increase still layer
> size so you have 2x size of a default /usr
> 
>   so you can only copy individual files
> 
> You are right, extra files appear in the diff! I was thinking that the
> files already present would be discarded. Copying individual files in
> this case is not the solution: there are plenty of files (305 if counting
> includes)
>
> So this is a bit more complicated to achieve something cleaner. Maybe
> install the binaries in an alternate directory in the build step?

What about compiling with prefix /usr/local/ I think this is empty in Alpine.
I have the impression more vendors do this.



> I made a new Dockerfile based on this idea, now the result is 66MB. 

Nice!!!


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Devpt Calmarsoft


On 02/09/2024 at 13:52, Marc wrote:

> 1.
> Afaik you don't need to remove packages from builder, the whole builder layer
> will be gone.

I did that to avoid copying extra files with the COPY --from=builder command

> 2.
> COPY --from=builder /usr/ /usr/
>
> I think this will copy duplicates, duplicates increase still layer size so you
> have 2x size of a default /usr
>
> so you can only copy individual files

You are right, extra files appear in the diff! I was thinking that the
files already present would be discarded. Copying individual files in
this case is not the solution: there are plenty of files (305 if
counting includes)

So this is a bit more complicated to achieve something cleaner. Maybe
install the binaries in an alternate directory in the build step?

I made a new Dockerfile based on this idea, now the result is 66MB. I
tested the build, but not if it is still functional (see all expected
files in the right place).

> "As long as there is a COPY in your Dockerfile, the size of the image increases to
> the stuff you copy"
> * don't really know if this is still accurate
>
> That could explain your big image.






-Original Message-
From: bind-users  On Behalf Of Devpt
Calmarsoft
Sent: Monday, 2 September 2024 12:25
To:bind-users@lists.isc.org
Subject: Re: Updated Docker images (9.18, 9.20, 9.21) - now based on
Alpine Linux

I forgot to specify the runtime dependency packages (fixed Dockerfile
attached), I am sorry.
This is still minimal changes, and the result is now 101MB, which is
still an interesting improvement (371MB before changes). Note that when
building, the intermediate image is visible.

On 02/09/2024 at 11:23, Devpt Calmarsoft wrote:

On 27/08/2024 at 19:52, Ondřej Surý wrote:

What’s the size difference for you?

I mean if someone wants to play with our Dockerfile and there’s a
significant reduction in size, I would be convinced. But in a world,
where a mobile application that does absolutely nothing has 4 GB, I
feel like 130 MB is on the low side of the scale.

There is a way to forget the compilation steps, using the "--from"
option of COPY, see here:
https://docs.docker.com/reference/dockerfile/#copy---from

=>
     I made the experiment, and the image drops to 63MB instead of
243MB (without keeping the sources).
     remarks:
         I chose to clone only the /usr because that path seem to be
the only one affected during the build/install.
     I duplicated the LC_ALL env variable, as I don't know if it is
needed for runtime or build phase.

In my opinion this would be cleaner that way (with drawback that we
cannot see the build steps history anymore)


Benoit

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do
not feel obligated to reply outside your normal working hours.


On 27. 8. 2024, at 19:38, Peter DeVries
wrote:

For what it's worth this is how we build our dockers, with a builder
and then the runner. IMO it's cleaner that way and not much more
complicated. We'll continue to roll our own though so no real dog in
this fight.

Peter


On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý  wrote:


On 27. 8. 2024, at 18:57, Marc  wrote:

Afaik apk del \ does not free up space still.

Right. That was not really my intention though. I wanted to reduce
the amount of cruft installed in the image. The less binary stuff
around, the less possible attack surface.

But apk --no-cache should work I guess.


If you work with builder phase, you can probably shave off some MB's

I think that's too complicated to use two phases, but I think the
next update
should reduce the image size a little bit. It was ~170 MB before
and the
reduced (compressed) size is 130 MB.

But I get it - the base alpine:latest is only 3 MB, that's quite a
difference.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do
not feel obligated to reply outside your normal working hours.







FROM alpine:latest as builder
MAINTAINER BIND 9 Developers 

ENV DEBIAN_FRONTEND noninteractive
ENV LC_ALL C.UTF-8

ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0

# Build part

RUN apk --no-cache update
RUN apk --no-cache upgrade

RUN apk --no-cache add \
autoconf \
automake \
build-base \
fstrm \
fstrm-dev \
jemalloc \
jemalloc-dev \
json-c \
json-c-dev \
krb5-dev \
krb5-libs \
libcap-dev \
libcap2 \
libidn2 \
libidn2-dev \
libmaxmind

RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Marc
1.
Afaik you don't need to remove packages from builder, the whole builder layer 
will be gone.

2.
COPY --from=builder /usr/ /usr/

I think this will copy duplicates, duplicates increase still layer size so you 
have 2x size of a default /usr

so you can only copy individual files

"As long as there is a COPY in your Dockerfile, the size of the image increases 
to the stuff you copy"
* don't really know if this is still accurate

That could explain your big image.





> -Original Message-
> From: bind-users  On Behalf Of Devpt
> Calmarsoft
> Sent: Monday, 2 September 2024 12:25
> To: bind-users@lists.isc.org
> Subject: Re: Updated Docker images (9.18, 9.20, 9.21) - now based on
> Alpine Linux
> 
> I forgot to specify the runtime dependency packages (fixed Dockerfile
> attached), I am sorry.
> This is still minimal changes, and the result is now 101MB, which is
> still an interesting improvement (371MB before changes). Note that when
> building, the intermediate image is visible.
> 
> On 02/09/2024 at 11:23, Devpt Calmarsoft wrote:
> > On 27/08/2024 at 19:52, Ondřej Surý wrote:
> >> What’s the size difference for you?
> >>
> >> I mean if someone wants to play with our Dockerfile and there’s a
> >> significant reduction in size, I would be convinced. But in a world,
> >> where a mobile application that does absolutely nothing has 4 GB, I
> >> feel like 130 MB is on the low side of the scale.
> > There is a way to forget the compilation steps, using the "--from"
> > option of COPY, see here:
> > https://docs.docker.com/reference/dockerfile/#copy---from
> >
> > =>
> >     I made the experiment, and the image drops to 63MB instead of
> > 243MB (without keeping the sources).
> >     remarks:
> >         I chose to clone only the /usr because that path seem to be
> > the only one affected during the build/install.
> >     I duplicated the LC_ALL env variable, as I don't know if it is
> > needed for runtime or build phase.
> >
> > In my opinion this would be cleaner that way (with drawback that we
> > cannot see the build steps history anymore)
> >
> >
> > Benoit
> >> Ondrej
> >> --
> >> Ondřej Surý — ISC (He/Him)
> >>
> >> My working hours and your working hours may be different. Please do
> >> not feel obligated to reply outside your normal working hours.
> >>
> >>> On 27. 8. 2024, at 19:38, Peter DeVries 
> >>> wrote:
> >>>
> >>> For what it's worth this is how we build our dockers, with a builder
> >>> and then the runner. IMO it's cleaner that way and not much more
> >>> complicated. We'll continue to roll our own though so no real dog in
> >>> this fight.
> >>>
> >>> Peter
> >>>
> >>>> On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý  wrote:
> >>>>
> >>>>>> On 27. 8. 2024, at 18:57, Marc  wrote:
> >>>>> Afaik apk del \ does not free up space still.
> >>>> Right. That was not really my intention though. I wanted to reduce
> >>>> the amount of cruft installed in the image. The less binary stuff
> >>>> around, the less possible attack surface.
> >>>>
> >>>> But apk --no-cache should work I guess.
> >>>>
> >>>>> If you work with builder phase, you can probably shave off some MB's
> >>>>
> >>>> I think that's too complicated to use two phases, but I think the
> >>>> next update
> >>>> should reduce the image size a little bit. It was ~170 MB before
> >>>> and the
> >>>> reduced (compressed) size is 130 MB.
> >>>>
> >>>> But I get it - the base alpine:latest is only 3 MB, that's quite a
> >>>> difference.
> >>>>
> >>>> Ondrej
> >>>> --
> >>>> Ondřej Surý (He/Him)
> >>>> ond...@isc.org
> >>>>
> >>>> My working hours and your working hours may be different. Please do
> >>>> not feel obligated to reply outside your normal working hours.
> >>>>
> >>>>
> >>>>


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Devpt Calmarsoft
I forgot to specify the runtime dependency packages (fixed Dockerfile 
attached), I am sorry.
This is still minimal changes, and the result is now 101MB, which is 
still an interesting improvement (371MB before changes). Note that when 
building, the intermediate image is visible.


On 02/09/2024 at 11:23, Devpt Calmarsoft wrote:

On 27/08/2024 at 19:52, Ondřej Surý wrote:

What’s the size difference for you?

I mean if someone wants to play with our Dockerfile and there’s a 
significant reduction in size, I would be convinced. But in a world,
where a mobile application that does absolutely nothing has 4 GB, I 
feel like 130 MB is on the low side of the scale.
There is a way to forget the compilation steps, using the "--from" 
option of COPY, see here: 
https://docs.docker.com/reference/dockerfile/#copy---from


=>
    I made the experiment, and the image drops to 63MB instead of 
243MB (without keeping the sources).

    remarks:
        I chose to clone only the /usr because that path seem to be 
the only one affected during the build/install.
    I duplicated the LC_ALL env variable, as I don't know if it is 
needed for runtime or build phase.


In my opinion this would be cleaner that way (with drawback that we 
cannot see the build steps history anymore)



Benoit

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do 
not feel obligated to reply outside your normal working hours.


On 27. 8. 2024, at 19:38, Peter DeVries  
wrote:


For what it's worth this is how we build our dockers, with a builder
and then the runner. IMO it's cleaner that way and not much more
complicated. We'll continue to roll our own though so no real dog in
this fight.

Peter


On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý  wrote:


On 27. 8. 2024, at 18:57, Marc  wrote:

Afaik apk del \ does not free up space still.

Right. That was not really my intention though. I wanted to reduce
the amount of cruft installed in the image. The less binary stuff
around, the less possible attack surface.

But apk --no-cache should work I guess.


If you work with builder phase, you can probably shave off some MB's


I think that's too complicated to use two phases, but I think the 
next update
should reduce the image size a little bit. It was ~170 MB before 
and the

reduced (compressed) size is 130 MB.

But I get it - the base alpine:latest is only 3 MB, that's quite a 
difference.


Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do 
not feel obligated to reply outside your normal working hours.









FROM alpine:latest as builder
MAINTAINER BIND 9 Developers 

ENV DEBIAN_FRONTEND noninteractive
ENV LC_ALL C.UTF-8

ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0

# Build part

RUN apk --no-cache update
RUN apk --no-cache upgrade

RUN apk --no-cache add \
autoconf \
automake \
build-base \
fstrm \
fstrm-dev \
jemalloc \
jemalloc-dev \
json-c \
json-c-dev \
krb5-dev \
krb5-libs \
libcap-dev \
libcap2 \
libidn2 \
libidn2-dev \
libmaxminddb-dev \
libmaxminddb-libs \
libtool \
libuv \
libuv-dbg \
libuv-dev \
libxml2 \
libxml2-dbg \
libxml2-dev \
libxslt \
lmdb \
lmdb-dev \
make \
musl-dbg \
nghttp2-dev \
nghttp2-libs \
openssl-dbg \
openssl-dev \
procps \
protobuf-c \
protobuf-c-dev \
tzdata \
userspace-rcu \
userspace-rcu-dev

RUN mkdir -p /usr/src
ADD https://downloads.isc.org/isc/bind9/${BIND9_VERSION}/bind-${BIND9_VERSION}.tar.xz /usr/src
RUN cd /usr/src && \
( echo "${BIND9_CHECKSUM}  bind-${BIND9_VERSION}.tar.xz" | sha256sum -c - ) && \
tar -xJf bind-${BIND9_VERSION}.tar.xz && \
cd /usr/src/bind-${BIND9_VERSION} && \
./configure --prefix /usr \
--sysconfdir=/etc/bind \
--localstatedir=/ \
--enable-shared \
--disable-static \
--with-gssapi \
--with-libidn2 \
--with-json-c \
--with-lmdb=/usr \
--with-gnu-ld \
--with-maxminddb \
--enable-dnstap && \
make -j && \
make install && \
rm -rf /usr/src

# Remove development packages
RUN apk --no-cache del \
autoconf \
automake \
build-base \
fstrm

Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-09-02 Thread Devpt Calmarsoft

On 27/08/2024 at 19:52, Ondřej Surý wrote:

What’s the size difference for you?

I mean if someone wants to play with our Dockerfile and there’s a 
significant reduction in size, I would be convinced. But in a world,
where a mobile application that does absolutely nothing has 4 GB, I 
feel like 130 MB is on the low side of the scale.
There is a way to forget the compilation steps, using the "--from" 
option of COPY, see here: 
https://docs.docker.com/reference/dockerfile/#copy---from


=>
    I made the experiment, and the image drops to 63MB instead of 243MB 
(without keeping the sources).

    remarks:
        I chose to clone only the /usr because that path seem to be the 
only one affected during the build/install.
        I duplicated the LC_ALL env variable, as I don't know if it is 
needed for runtime or build phase.


In my opinion this would be cleaner that way (with drawback that we 
cannot see the build steps history anymore)



Benoit

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do 
not feel obligated to reply outside your normal working hours.


On 27. 8. 2024, at 19:38, Peter DeVries  
wrote:


For what it's worth this is how we build our dockers, with a builder
and then the runner. IMO it's cleaner that way and not much more
complicated. We'll continue to roll our own though so no real dog in
this fight.

Peter


On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý  wrote:


On 27. 8. 2024, at 18:57, Marc  wrote:

Afaik apk del \ does not free up space still.

Right. That was not really my intention though. I wanted to reduce
the amount of cruft installed in the image. The less binary stuff
around, the less possible attack surface.

But apk --no-cache should work I guess.


If you work with builder phase, you can probably shave off some MB's


I think that's too complicated to use two phases, but I think the 
next update

should reduce the image size a little bit. It was ~170 MB before and the
reduced (compressed) size is 130 MB.

But I get it - the base alpine:latest is only 3 MB, that's quite a 
difference.


Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do 
not feel obligated to reply outside your normal working hours.








FROM alpine:latest as builder
MAINTAINER BIND 9 Developers 

ENV DEBIAN_FRONTEND noninteractive
ENV LC_ALL C.UTF-8

ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0

# Build part

RUN apk --no-cache update
RUN apk --no-cache upgrade

RUN apk --no-cache add \
autoconf \
automake \
build-base \
fstrm \
fstrm-dev \
jemalloc \
jemalloc-dev \
json-c \
json-c-dev \
krb5-dev \
krb5-libs \
libcap-dev \
libcap2 \
libidn2 \
libidn2-dev \
libmaxminddb-dev \
libmaxminddb-libs \
libtool \
libuv \
libuv-dbg \
libuv-dev \
libxml2 \
libxml2-dbg \
libxml2-dev \
libxslt \
lmdb \
lmdb-dev \
make \
musl-dbg \
nghttp2-dev \
nghttp2-libs \
openssl-dbg \
openssl-dev \
procps \
protobuf-c \
protobuf-c-dev \
tzdata \
userspace-rcu \
userspace-rcu-dev

RUN mkdir -p /usr/src
ADD https://downloads.isc.org/isc/bind9/${BIND9_VERSION}/bind-${BIND9_VERSION}.tar.xz /usr/src
RUN cd /usr/src && \
( echo "${BIND9_CHECKSUM}  bind-${BIND9_VERSION}.tar.xz" | sha256sum -c - ) && \
tar -xJf bind-${BIND9_VERSION}.tar.xz && \
cd /usr/src/bind-${BIND9_VERSION} && \
./configure --prefix /usr \
--sysconfdir=/etc/bind \
--localstatedir=/ \
--enable-shared \
--disable-static \
--with-gssapi \
--with-libidn2 \
--with-json-c \
--with-lmdb=/usr \
--with-gnu-ld \
--with-maxminddb \
--enable-dnstap && \
make -j && \
make install && \
rm -rf /usr/src

# Remove development packages
RUN apk --no-cache del \
autoconf \
automake \
build-base \
fstrm-dev \
gnutls-utils \
jemalloc-dev \
json-c-dev \
krb5-dev \
libcap-dev \
libidn2-dev \
libmaxminddb-dev \
libtool \
libuv-dev \
libxml2-dev \
libxslt \
lmdb-dev \
make \
nghttp2-dev \
openssl-dev \
proto

Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-28 Thread Peter DeVries via bind-users
> Having said that, I wonder if people have some preference or even policy
> which mandates specific base image?

Yes.  We're using a certified ubi8-minimal image for the finalized
docker by mandate and a bit of preference.  Base image is 90M deployed
with BIND 9.18.29 is 258M (uncompressed).  In this case we use
Rockylinux as the builder and copy it over to ubi8 for the final
image.

To me this is less about the size and more about cleanliness.   Rather
than making sure everything is removed we just start fresh and only
install / copy what we need.

I don't think it's a significant effort to do what we are doing and
happy to contribute but just to note we have no objections to how ISC
is doing it and appreciate that these are being produced.  I use them
anytime my custom ones are not available.

Peter

>
> Alpine is popular for small images, but is it good enough in "one size
> fits all" sense?
>
> --
> Petr Špaček
> Internet Systems Consortium


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-28 Thread Petr Špaček

On 27. 08. 24 20:18, Ondřej Surý wrote:

> There’s also human wear. I would like to see a proof that it helps to halve the
> size of the image before someone spends time on this. As usual, contributions
> are welcome.
>
> We are probably going to integrate the Docker with the main repository to build
> each future tag and so on, so we might look into this in the future, but I feel
> this is good enough for *now*.


The repository with Dockerfile is public here:

https://github.com/isc-projects/bind9-docker/blob/v9.20/Dockerfile

We are happy to review and incorporate improvements - it's open-source!

Having said that, I wonder if people have some preference or even policy 
which mandates specific base image?


Alpine is popular for small images, but is it good enough in "one size 
fits all" sense?


--
Petr Špaček
Internet Systems Consortium


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Dan Parrish via bind-users

Ok, thanks. I see the logging now and I got this:

27-Aug-2024 19:53:19.449 general: error: could not configure root hints 
from '/usr/share/dns/root.hints': file not found


Then I checked the container:

bind9-1:/var/log/bind# docker exec -it bind9 /bin/sh
/ # ls -lha /usr/share/dns/
ls: /usr/share/dns/: No such file or directory

So my /etc/bind/named.conf.default-zones (itself included from my 
named.conf) referenced this location. In short, a bit of an unexpected 
change for /my/ config. I commented out the include that called the 
named.conf.default-zones.


In short, it was my config not being close-enough to stock for the new 
container to load successfully. An easy issue to understand and fix with 
the logging change you made. Thanks!


--dan


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Ondřej Surý
There’s also human wear. I would like to see a proof that it helps to halve the 
size of the image before someone spends time on this. As usual, contributions 
are welcome.

We are probably going to integrate the Docker with the main repository to build 
each future tag and so on, so we might look into this in the future, but I feel 
this is good enough for *now*.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 27. 8. 2024, at 20:12, Marc  wrote:
> 
> I don't look at it like that. I see half back up space required, half of the 
> wear level on ssds, half of the power consumption, twice as fast to deploy. 
> And if you have a lot of downloads this starts counting.
> 
> I have been telling Microsoft and Bill Gates to reduce updates and 
> footprints, but I don't think they care too much about the environment ;)



RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Marc
> 
> What’s the size difference for you?
> 
> I mean if someone wants to play with our Dockerfile and there’s a
> significant reduction in size, I would be convinced. But in a world,
> where a mobile application that does absolutely nothing has 4 GB, I feel
> like 130 MB is on the low side of the scale.
> 

I don't look at it like that. I see half back up space required, half of the 
wear level on ssds, half of the power consumption, twice as fast to deploy. And 
if you have a lot of downloads this starts counting.

I have been telling Microsoft and Bill Gates to reduce updates and footprints, 
but I don't think they care too much about the environment ;)


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Ondřej Surý
What’s the size difference for you?

I mean if someone wants to play with our Dockerfile and there’s a significant 
reduction in size, I would be convinced. But in a world, where a mobile
application that does absolutely nothing has 4 GB, I feel like 130 MB is on the 
low side of the scale.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 27. 8. 2024, at 19:38, Peter DeVries  wrote:
> 
> For what it's worth this is how we build our dockers, with a builder
> and then the runner.  IMO it's cleaner that way and not much more
> complicated.   We'll continue to roll our own though so no real dog in
> this fight.
> 
> Peter
> 
>> On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý  wrote:
>> 
>>> On 27. 8. 2024, at 18:57, Marc  wrote:
>>> 
>>> Afaik  apk del \ does not free up space still.
>> 
>> Right. That was not really my intention though. I wanted to reduce
>> the amount of cruft installed in the image.  The less binary stuff
>> around, the less possible attack surface.
>> 
>> But apk --no-cache should work I guess.
>> 
>>> If you work with builder phase, you can probably shave off some MB's
>> 
>> 
>> I think that's too complicated to use two phases, but I think the next update
>> should reduce the image size a little bit.  It was ~170 MB before and the
>> reduced (compressed) size is 130 MB.
>> 
>> But I get it - the base alpine:latest is only 3 MB, that's quite a 
>> difference.
>> 
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ond...@isc.org
>> 
>> My working hours and your working hours may be different. Please do not feel 
>> obligated to reply outside your normal working hours.
>> 
>> 
>> 


RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Marc
> 
> > On 27. 8. 2024, at 18:57, Marc  wrote:
> >
> > Afaik  apk del \ does not free up space still.
> 
> Right. That was not really my intention though. I wanted to reduce
> the amount of cruft installed in the image.  The less binary stuff
> around, the less possible attack surface.
> 
> But apk --no-cache should work I guess.
> 
> > If you work with builder phase, you can probably shave off some MB's
> 
> 
> I think that's too complicated to use two phases, but I think the next
> update should reduce the image size a little bit.  It was ~170 MB before
> and the reduced (compressed) size is 130 MB.
> 
> But I get it - the base alpine:latest is only 3 MB, that's quite a
> difference.
> 

yes I would not be surprised if you can get a <50MB tar


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Peter DeVries via bind-users
For what it's worth this is how we build our dockers, with a builder
and then the runner.  IMO it's cleaner that way and not much more
complicated.   We'll continue to roll our own though so no real dog in
this fight.

Peter

On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý  wrote:
>
> > On 27. 8. 2024, at 18:57, Marc  wrote:
> >
> > Afaik  apk del \ does not free up space still.
>
> Right. That was not really my intention though. I wanted to reduce
> the amount of cruft installed in the image.  The less binary stuff
> around, the less possible attack surface.
>
> But apk --no-cache should work I guess.
>
> > If you work with builder phase, you can probably shave off some MB's
>
>
> I think that's too complicated to use two phases, but I think the next update
> should reduce the image size a little bit.  It was ~170 MB before and the
> reduced (compressed) size is 130 MB.
>
> But I get it - the base alpine:latest is only 3 MB, that's quite a difference.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
>
>
>


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Ondřej Surý
> On 27. 8. 2024, at 18:57, Marc  wrote:
> 
> Afaik  apk del \ does not free up space still. 

Right. That was not really my intention though. I wanted to reduce
the amount of cruft installed in the image.  The less binary stuff
around, the less possible attack surface.

But apk --no-cache should work I guess.

> If you work with builder phase, you can probably shave off some MB's


I think that's too complicated to use two phases, but I think the next update
should reduce the image size a little bit.  It was ~170 MB before and the
reduced (compressed) size is 130 MB.

But I get it - the base alpine:latest is only 3 MB, that's quite a difference.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.





Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Ondřej Surý

> On 27. 8. 2024, at 18:47, Ondřej Surý  wrote:
> 
> But I think you are right. The default logging goes to the syslog and there's
> no syslog in the container. I'm thinking about appending
> -L /var/log/bind/default.log to the CMD part of the docker (so it can be
> easily overridden).

I've just added -L /var/log/bind/default.log to the CMD in the Docker file, 
this will cause the default logging to go to this file inside the container.

Something like this should get you going

mkdir -p /tmp/bind9/log/bind
chmod 777 /tmp/bind9/log/bind
docker run --volume /tmp/bind9/log:/var/log --name=bind9 --restart=always \
  --publish 5353:53/udp --publish 5353:53/tcp internetsystemsconsortium/bind9:9.18

(I'm actually running `podman run`, so I hope the options are compatible.)

This is obviously not production ready and you should properly set --uidmap and
--gidmap[*].
The bind user and group inside the container look like this:

# grep bind /etc/passwd
bind:x:100:101:Linux User,,,:/var/cache/bind:/sbin/nologin

# grep bind /etc/group
bind:x:101:bind

Ondrej

* - or if running root-less, it requires properly setting up subuid(5) and 
subgid(5) - this is a bit esoteric even for me.
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.
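
Under rootless Podman's default mapping (container ID 0 is the invoking user, container IDs from 1 upward run through that user's subuid(5)/subgid(5) ranges in order), the bind user 100:101 shown above lands on a predictable host ID, which is the owner the log directory needs instead of mode 777. This is an added example, not part of the original message; the account name dnsadmin and the sample subuid/subgid contents are constructed.

```python
def parse_subid(text, user):
    """Return the (start, count) ranges that subuid(5)/subgid(5) text grants to `user`."""
    ranges = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges

def host_id(container_id, own_id, ranges):
    """Host ID behind a container ID under the default rootless mapping."""
    if container_id == 0:
        return own_id            # container root is the unprivileged invoking user
    offset = container_id - 1    # container IDs 1.. walk the subordinate ranges in order
    for start, count in ranges:
        if offset < count:
            return start + offset
        offset -= count
    raise ValueError(f"container ID {container_id} is not mapped")

def volume_owner(user, own_uid, own_gid, subuid_text, subgid_text, uid=100, gid=101):
    """Host (uid, gid) that must own the log volume; 100:101 is bind in the image."""
    return (host_id(uid, own_uid, parse_subid(subuid_text, user)),
            host_id(gid, own_gid, parse_subid(subgid_text, user)))

# Constructed sample files for a hypothetical host account "dnsadmin" (uid/gid 1000).
SUBUID = "alice:100000:65536\ndnsadmin:165536:65536\n"
SUBGID = "alice:100000:65536\ndnsadmin:165536:50\ndnsadmin:300000:65536\n"
```

From inside the user namespace the same ownership can be set without computing host IDs, using `podman unshare chown 100:101` on the log directory.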




RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Marc
> 
> Sure, it’s not secret:
> 
> https://gitlab.isc.org/isc-projects/bind9-docker
> 
> Branches with history…
> 

Afaik  apk del \ does not free up space still. 


If you work with builder phase, you can probably shave off some MB's

# Version: 0.0.1 - 3proxy

#
# Stage 0: builder
#
FROM alpine:3.17 as builder

# install necessary packages
RUN apk add build-base git iptables-dev \
    --no-cache

RUN mkdir /tmp/3proxy/ && cd /tmp/ \
    && git clone --branch master https://github.com/3proxy/3proxy.git 3proxy/ \
    && cd 3proxy/ \
    && ln -s Makefile.Linux Makefile \
    && make \
    && make install


#
# Stage 1: runtime
#
FROM alpine:3.17


# environment settings for this application
ENV TPROXY_USER="tinyproxy" \
    TPROXY_UID=10043 \
    TPROXY_CFG_DIR="/etc/3proxy" \
    TPROXY_CRT_DIR="/etc/ssl/certs" \
    TPROXY_KEY_DIR="/etc/ssl/private" \
    TPROXY_DATA_DIR="/var/3proxy"

# [...]

# copy configuration files
RUN mkdir /etc/3proxy/
COPY --from=builder /usr/local/3proxy /usr/local/
COPY --from=builder /bin/3proxy /bin/
COPY --from=builder /bin/ftppr /bin/
COPY --from=builder /bin/proxy /bin/
COPY --from=builder /bin/mycrypt /bin/
COPY --from=builder /bin/socks /bin/
COPY --from=builder /bin/tcppm /bin/
COPY --from=builder /bin/udppm /bin/
COPY --from=builder /etc/3proxy/* /etc/3proxy/
COPY 3proxy.cfg $TPROXY_CFG_DIR/
COPY 3proxy.users $TPROXY_CFG_DIR/
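
Two properties discussed in this exchange can be checked mechanically: a package removed in a later RUN layer still occupies space in the earlier layer, and build tools left in the last stage are part of the image that ships. This is an added example, not code from the post or from ISC's Dockerfile; the finding names, the BUILD_ONLY set and both sample Dockerfiles are constructed for illustration.

```python
import re

BUILD_ONLY = {"build-base", "git", "gcc", "g++", "make"}  # assumption: compile-time only
APK = re.compile(r"\bapk((?:\s+-\S+)*)\s+(add|del)\b(.*)")

def parse_stages(text):
    """Split a Dockerfile into stages, each with its (instruction, args) pairs."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    joined = re.sub(r"\\[ \t]*\n", " ", "\n".join(lines))  # fold "\" continuations
    stages = []
    for line in joined.splitlines():
        op, _, args = line.strip().partition(" ")
        if op.upper() == "FROM":
            m = re.match(r"(?:--\S+\s+)*(\S+)(?:\s+as\s+(\S+))?", args.strip(), re.I)
            stages.append({"base": m.group(1), "name": m.group(2), "instr": []})
        elif stages:
            stages[-1]["instr"].append((op.upper(), args.strip()))
    return stages

def audit_final_stage(text):
    """Findings for the last stage, i.e. the image that actually ships."""
    findings, installed = [], {}  # installed: package -> (layer index, virtual group)
    final = parse_stages(text)[-1]["instr"]
    for layer, args in [(i, a) for i, (op, a) in enumerate(final) if op == "RUN"]:
        for m in filter(None, (APK.search(c) for c in re.split(r"&&|;", args))):
            words, group = (m.group(1) + m.group(3)).split(), None
            for flag in ("--virtual", "-t"):
                if flag in words[:-1]:
                    group = words.pop(words.index(flag) + 1)
            pkgs = [w for w in words if not w.startswith("-")]
            if m.group(2) == "add":
                if "--no-cache" not in words:
                    findings.append(("apk-add-without-no-cache", layer))
                installed.update({p: (layer, group) for p in pkgs})
            else:
                for p in [k for k, (_, g) in installed.items() if k in pkgs or g in pkgs]:
                    if installed.pop(p)[0] != layer:  # bytes remain in the older layer
                        findings.append(("deleted-in-later-layer", p))
    findings += [("build-tool-shipped", p) for p in sorted(installed)
                 if p in BUILD_ONLY or p.endswith("-dev")]
    return findings

# Constructed sample inputs (TWO_STAGE follows the shape of the Dockerfile quoted above).
SINGLE_STAGE = """FROM alpine:3.17
RUN apk add --no-cache --virtual .build-deps build-base git
RUN apk add libcap iptables-dev
RUN apk del .build-deps
"""
TWO_STAGE = """FROM alpine:3.17 as builder
RUN apk add build-base git iptables-dev \\
    --no-cache
FROM alpine:3.17
COPY --from=builder /bin/3proxy /bin/
"""
```

The two-stage input yields no findings because nothing is installed in the stage that ships; the single-stage input reports the build packages as removed from the filesystem but still present in an earlier layer.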




Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Ondřej Surý
Hi Dan,

I'm using podman instead of docker as it allows me to run the containers
unprivileged, but this works now:

podman run -it docker.io/internetsystemsconsortium/bind9:9.18 -g -c /etc/bind/named.conf

and the container (named in the container) prints all the logs to the stderr.

But I think you are right. The default logging goes to the syslog and there's
no syslog in the container. I'm thinking about appending
-L /var/log/bind/default.log to the CMD part of the docker (so it can be
easily overridden).

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 27. 8. 2024, at 18:10, Dan Parrish via bind-users 
>  wrote:
> 
> This morning, I had several internetsystemsconsortium/bind9:9.18 containers 
> update and none of them would launch properly, they just kept restarting.
> The containers do no logging at all, and I couldn't determine any root cause. 
> I tried disabling mount points, adjusting permissions, etc. Nothing would 
> bring the containers up. Even running the simplest:
> docker run \
>   --name=bind9 \
>   --restart=always \
>   --publish 53:53/udp \
>   --publish 53:53/tcp \
>   --publish 127.0.0.1:953:953/tcp \
>   internetsystemsconsortium/bind9:9.18
> would not produce a working container. I also tried 
> internetsystemsconsortium/bind9:9.20 and 
> internetsystemsconsortium/bind9:9.21, and these containers just kept 
> restarting as well.
> I ultimately replaced the image pull with ubuntu/bind9:latest and things are 
> working for me again.
> I'm typically running Docker version 25.0.3.
> I feel like if I had basic logging, I could provide more information, 
> possibly even resolved the issue and reported the fix. Can we get logging to 
> work?
> --dan


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Dan Parrish via bind-users
This morning, I had several internetsystemsconsortium/bind9:9.18 
containers update and none of them would launch properly, they just kept 
restarting.


The containers do no logging at all, and I couldn't determine any root 
cause. I tried disabling mount points, adjusting permissions, etc. 
Nothing would bring the containers up. Even running the simplest:


docker run \
  --name=bind9 \
  --restart=always \
  --publish 53:53/udp \
  --publish 53:53/tcp \
  --publish 127.0.0.1:953:953/tcp \
  internetsystemsconsortium/bind9:9.18


would not produce a working container. I also tried 
internetsystemsconsortium/bind9:9.20 and 
internetsystemsconsortium/bind9:9.21, and these containers just kept 
restarting as well.


I ultimately replaced the image pull with ubuntu/bind9:latest and things 
are working for me again.


I'm typically running Docker version 25.0.3.

I feel like if I had basic logging, I could provide more information, 
possibly even resolved the issue and reported the fix. Can we get 
logging to work?


--dan


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Ondřej Surý
Sure, it’s not secret:

https://gitlab.isc.org/isc-projects/bind9-docker

Branches with history…

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 27. 8. 2024, at 14:04, Michael Dahlberg  wrote:
> 
> 
>> On Tuesday, August 27th, 2024 at 4:21 AM, Ondřej Surý  wrote:
>> 
>> the Docker images have been updated to use Alpine Linux as the base image
>> and the bind9 binaries are now compiled from the source while building the
>> Docker images. This is more in-line with the expected Docker (Podman) 
>> workflow.
> 
> This sounds very cool!  Would it be possible to share how these container 
> images were created, like what sort of dockerfile was used to generate them?
> 
> Thanks for the valuable work.
> 
> Mike


Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux

2024-08-27 Thread Michael Dahlberg

On Tuesday, August 27th, 2024 at 4:21 AM, Ondřej Surý  wrote:
 
> the Docker images have been updated to use Alpine Linux as the base image
> and the bind9 binaries are now compiled from the source while building the
> Docker images. This is more in-line with the expected Docker (Podman) 
> workflow.

This sounds very cool!  Would it be possible to share how these container 
images were created, like what sort of dockerfile was used to generate them?

Thanks for the valuable work.

Mike