RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
I can definitely remember having a performance difference between my container and a vm. I never bothered to research it any further and thought maybe it was related to older cgroups implementation, oc, or older distro.

> By any chance have you measured the performance difference between GNU libc and MUSL?
>
> Best Regards,
> Taavi

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
By any chance have you measured the performance difference between GNU libc and MUSL?

Best Regards,
Taavi
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
> On 2. 9. 2024, at 15:22, Devpt Calmarsoft wrote:
>
> strip binaries or not

Oh god, don’t ever do that if you ever want my help with debugging.

Stripping the symbols is a horrible practice that should not be done. It’s ok to have detached symbols that can be installed later, but if you throw the symbols away, any coredump will become useless.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
On 02/09/2024 at 15:00, Marc wrote:
>> I think this will copy duplicates, duplicates increase still layer size so you have 2x size of a default /usr

Alpine is so small that I did not notice that! thanks!

>> so you can only copy individual files
>>
>> You are right, extra files appear in the diff! I was thinking that the files already present would be discarded. Copying individual files in this case is not the solution: there are plenty of files (305 if counting includes)
>>
>> So this is a bit more complicated to achieve something cleaner. Maybe install the binaries in an alternate directory in the build step?
>
> What about compiling with prefix /usr/local/ I think this is empty in Alpine. I have the impression more vendors do this.

Yes, or on contrary maybe a pure temp directory: in any case we don't keep it so that name should not be important.

Other details may need to be reviewed like runtime dependencies, strip binaries or not (at most a couple of MB so probably pointless). And most important, real testing (I only checked that named loads with no error).

I fear side effects of the "--prefix=/install". There is probably a better way to change installation path.

>> I made a new Dockerfile based on this idea, now the result is 66MB.
>
> Nice!!!
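The staging idea from the message above (install into a throw-away directory in the build stage, then copy only that directory), as an added example that is neither the ISC Dockerfile nor the one attached in this thread. It redirects `make install` with `DESTDIR` instead of changing `--prefix`; the `/install` path, the `named` user, the runtime directories and the `CMD` line are assumptions, while package names, configure flags, version and checksum are the ones quoted in the thread.

```dockerfile
# Added example (not the ISC Dockerfile): two-stage build with a DESTDIR staging tree.
# From this thread: package names, configure flags, version and checksum.
# Assumptions: the /install path, the "named" user and group, the runtime
# directories and the CMD line.

FROM alpine:latest AS builder

ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0

# Same package list as the quoted Dockerfile. Nothing installed here reaches
# the final image, so no "apk del" step is needed in this stage.
RUN apk --no-cache add \
        autoconf automake build-base libtool make procps tzdata \
        fstrm fstrm-dev jemalloc jemalloc-dev json-c json-c-dev \
        krb5-dev krb5-libs libcap-dev libcap2 libidn2 libidn2-dev \
        libmaxminddb-dev libmaxminddb-libs libuv libuv-dbg libuv-dev \
        libxml2 libxml2-dbg libxml2-dev libxslt lmdb lmdb-dev musl-dbg \
        nghttp2-dev nghttp2-libs openssl-dbg openssl-dev \
        protobuf-c protobuf-c-dev userspace-rcu userspace-rcu-dev

ADD https://downloads.isc.org/isc/bind9/${BIND9_VERSION}/bind-${BIND9_VERSION}.tar.xz /usr/src/

# Verify the tarball before unpacking. --prefix stays /usr, so the paths
# compiled into named are the real runtime paths; only "make install" is
# redirected, into /install, through DESTDIR.
RUN cd /usr/src && \
    echo "${BIND9_CHECKSUM}  bind-${BIND9_VERSION}.tar.xz" | sha256sum -c - && \
    tar -xJf bind-${BIND9_VERSION}.tar.xz && \
    cd bind-${BIND9_VERSION} && \
    ./configure --prefix=/usr \
        --sysconfdir=/etc/bind \
        --localstatedir=/ \
        --enable-shared \
        --disable-static \
        --with-gssapi \
        --with-libidn2 \
        --with-json-c \
        --with-lmdb=/usr \
        --with-gnu-ld \
        --with-maxminddb \
        --enable-dnstap && \
    make -j"$(nproc)" && \
    make install DESTDIR=/install

FROM alpine:latest

# Runtime libraries only: the non -dev packages from the list above.
# The OpenSSL libraries are assumed to be present in the base image.
RUN apk --no-cache add \
        fstrm jemalloc json-c krb5-libs libcap2 libidn2 libmaxminddb-libs \
        libuv libxml2 lmdb nghttp2-libs protobuf-c tzdata userspace-rcu && \
    addgroup -S named && \
    adduser -S -H -G named named

# /install holds only what "make install" wrote, so this layer adds no second
# copy of the base image's /usr. The binaries are copied unstripped, so core
# dumps stay usable.
COPY --from=builder /install/ /

# Fail the build here if named cannot load one of its shared libraries,
# which is what a forgotten runtime package looks like.
RUN /usr/sbin/named -V && \
    mkdir -p /etc/bind /run/named /var/cache/bind && \
    chown named:named /run/named /var/cache/bind

EXPOSE 53/udp 53/tcp

# named.conf is expected to be mounted under /etc/bind.
CMD ["/usr/sbin/named", "-g", "-u", "named", "-c", "/etc/bind/named.conf"]
```

Running `docker history` on the resulting image shows the size of the single `COPY` layer, which is where the duplicated `/usr` files showed up in the earlier attempt.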
RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
> I think this will copy duplicates, duplicates increase still layer size so you have 2x size of a default /usr
>
> so you can only copy individual files
>
> You are right, extra files appear in the diff! I was thinking that the files already present would be discarded. Copying individual files in this case is not the solution: there are plenty of files (305 if counting includes)
>
> So this is a bit more complicated to achieve something cleaner. Maybe install the binaries in an alternate directory in the build step?

What about compiling with prefix /usr/local/ I think this is empty in Alpine. I have the impression more vendors do this.

> I made a new Dockerfile based on this idea, now the result is 66MB.

Nice!!!
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
On 02/09/2024 at 13:52, Marc wrote:
> 1. Afaik you don't need to remove packages from builder, the whole builder layer will be gone.

I did that to avoid copying extra files with the COPY --from=builder command

> 2. COPY --from=builder /usr/ /usr/
> I think this will copy duplicates, duplicates increase still layer size so you have 2x size of a default /usr
> so you can only copy individual files

You are right, extra files appear in the diff! I was thinking that the files already present would be discarded. Copying individual files in this case is not the solution: there are plenty of files (305 if counting includes)

So this is a bit more complicated to achieve something cleaner. Maybe install the binaries in an alternate directory in the build step?

I made a new Dockerfile based on this idea, now the result is 66MB. I tested the build, but not if it is still functional (see all expected files in the right place).

> "As long as there is a COPY in your Dockerfile, the size of the image increases to the stuff you copy"
> * don't really know if this is still accurate
>
> That could explain your big image.
>
>> -Original Message-
>> From: bind-users On Behalf Of Devpt Calmarsoft
>> Sent: Monday, 2 September 2024 12:25
>> To: bind-users@lists.isc.org
>> Subject: Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
>>
>> I forgot to specify the runtime dependency packages (fixed Dockerfile attached), I am sorry.
>> This is still minimal changes, and the result is now 101MB, which is still an interesting improvement (371MB before changes). Note that when building, the intermediate image is visible.
>>
>> On 02/09/2024 at 11:23, Devpt Calmarsoft wrote:
>>> On 27/08/2024 at 19:52, Ondřej Surý wrote:
>>>> What’s the size difference for you?
>>>>
>>>> I mean if someone wants to play with our Dockerfile and there’s a significant reduction in size, I would be convinced. But in a world, where a mobile application that does absolutely nothing has 4 GB, I feel like 130 MB is on the low side of the scale.
>>>
>>> There is a way to forget the compilation steps, using the "--from" option of COPY, see here:
>>> https://docs.docker.com/reference/dockerfile/#copy---from
>>>
>>> => I made the experiment, and the image drops to 63MB instead of 243MB (without keeping the sources).
>>> remarks:
>>> I chose to clone only the /usr because that path seems to be the only one affected during the build/install.
>>> I duplicated the LC_ALL env variable, as I don't know if it is needed for runtime or build phase.
>>>
>>> In my opinion this would be cleaner that way (with drawback that we cannot see the build steps history anymore)
>>>
>>> Benoit
>>>
>>>> Ondrej
>>>> --
>>>> Ondřej Surý — ISC (He/Him)
>>>>
>>>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>>>
>>>>> On 27. 8. 2024, at 19:38, Peter DeVries wrote:
>>>>>
>>>>> For what it's worth this is how we build our dockers, with a builder and then the runner. IMO it's cleaner that way and not much more complicated. We'll continue to roll our own though so no real dog in this fight.
>>>>>
>>>>> Peter
>>>>>
>>>>>> On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý wrote:
>>>>>>
>>>>>>> On 27. 8. 2024, at 18:57, Marc wrote:
>>>>>>> Afaik apk del \ does not free up space still.
>>>>>>
>>>>>> Right. That was not really my intention though. I wanted to reduce the amount of cruft installed in the image. The less binary stuff around, the less possible attack surface.
>>>>>>
>>>>>> But apk --no-cache should work I guess.
>>>>>>
>>>>>>> If you work with builder phase, you can probably shave off some MB's
>>>>>>
>>>>>> I think that's too complicated to use two phases, but I think the next update should reduce the image size a little bit. It was ~170 MB before and the reduced (compressed) size is 130 MB.
>>>>>>
>>>>>> But I get it - the base alpine:latest is only 3 MB, that's quite a difference.
>>>>>>
>>>>>> Ondrej
>>>>>> --
>>>>>> Ondřej Surý (He/Him)
>>>>>> ond...@isc.org
>>>>>>
>>>>>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

FROM alpine:latest as builder
MAINTAINER BIND 9 Developers
ENV DEBIAN_FRONTEND noninteractive
ENV LC_ALL C.UTF-8

ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0

# Build part
RUN apk --no-cache update
RUN apk --no-cache upgrade
RUN apk --no-cache add \
        autoconf \
        automake \
        build-base \
        fstrm \
        fstrm-dev \
        jemalloc \
        jemalloc-dev \
        json-c \
        json-c-dev \
        krb5-dev \
        krb5-libs \
        libcap-dev \
        libcap2 \
        libidn2 \
        libidn2-dev \
        libmaxmind
RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
1. Afaik you don't need to remove packages from builder, the whole builder layer will be gone.

2. COPY --from=builder /usr/ /usr/
I think this will copy duplicates, duplicates increase still layer size so you have 2x size of a default /usr
so you can only copy individual files

"As long as there is a COPY in your Dockerfile, the size of the image increases to the stuff you copy"
* don't really know if this is still accurate

That could explain your big image.

> -Original Message-
> From: bind-users On Behalf Of Devpt Calmarsoft
> Sent: Monday, 2 September 2024 12:25
> To: bind-users@lists.isc.org
> Subject: Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
>
> I forgot to specify the runtime dependency packages (fixed Dockerfile attached), I am sorry.
> This is still minimal changes, and the result is now 101MB, which is still an interesting improvement (371MB before changes). Note that when building, the intermediate image is visible.
>
> On 02/09/2024 at 11:23, Devpt Calmarsoft wrote:
> > On 27/08/2024 at 19:52, Ondřej Surý wrote:
> >> What’s the size difference for you?
> >>
> >> I mean if someone wants to play with our Dockerfile and there’s a significant reduction in size, I would be convinced. But in a world, where a mobile application that does absolutely nothing has 4 GB, I feel like 130 MB is on the low side of the scale.
> > There is a way to forget the compilation steps, using the "--from" option of COPY, see here:
> > https://docs.docker.com/reference/dockerfile/#copy---from
> >
> > => I made the experiment, and the image drops to 63MB instead of 243MB (without keeping the sources).
> > remarks:
> > I chose to clone only the /usr because that path seems to be the only one affected during the build/install.
> > I duplicated the LC_ALL env variable, as I don't know if it is needed for runtime or build phase.
> >
> > In my opinion this would be cleaner that way (with drawback that we cannot see the build steps history anymore)
> >
> > Benoit
> >> Ondrej
> >> --
> >> Ondřej Surý — ISC (He/Him)
> >>
> >> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> >>
> >>> On 27. 8. 2024, at 19:38, Peter DeVries wrote:
> >>>
> >>> For what it's worth this is how we build our dockers, with a builder and then the runner. IMO it's cleaner that way and not much more complicated. We'll continue to roll our own though so no real dog in this fight.
> >>>
> >>> Peter
> >>>
> >>>> On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý wrote:
> >>>>
> >>>>>> On 27. 8. 2024, at 18:57, Marc wrote:
> >>>>> Afaik apk del \ does not free up space still.
> >>>> Right. That was not really my intention though. I wanted to reduce the amount of cruft installed in the image. The less binary stuff around, the less possible attack surface.
> >>>>
> >>>> But apk --no-cache should work I guess.
> >>>>
> >>>>> If you work with builder phase, you can probably shave off some MB's
> >>>>
> >>>> I think that's too complicated to use two phases, but I think the next update should reduce the image size a little bit. It was ~170 MB before and the reduced (compressed) size is 130 MB.
> >>>>
> >>>> But I get it - the base alpine:latest is only 3 MB, that's quite a difference.
> >>>>
> >>>> Ondrej
> >>>> --
> >>>> Ondřej Surý (He/Him)
> >>>> ond...@isc.org
> >>>>
> >>>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
I forgot to specify the runtime dependency packages (fixed Dockerfile attached), I am sorry.
This is still minimal changes, and the result is now 101MB, which is still an interesting improvement (371MB before changes). Note that when building, the intermediate image is visible.

On 02/09/2024 at 11:23, Devpt Calmarsoft wrote:
> On 27/08/2024 at 19:52, Ondřej Surý wrote:
>> What’s the size difference for you?
>>
>> I mean if someone wants to play with our Dockerfile and there’s a significant reduction in size, I would be convinced. But in a world, where a mobile application that does absolutely nothing has 4 GB, I feel like 130 MB is on the low side of the scale.
>
> There is a way to forget the compilation steps, using the "--from" option of COPY, see here:
> https://docs.docker.com/reference/dockerfile/#copy---from
>
> => I made the experiment, and the image drops to 63MB instead of 243MB (without keeping the sources).
> remarks:
> I chose to clone only the /usr because that path seems to be the only one affected during the build/install.
> I duplicated the LC_ALL env variable, as I don't know if it is needed for runtime or build phase.
>
> In my opinion this would be cleaner that way (with drawback that we cannot see the build steps history anymore)
>
> Benoit
>
>> Ondrej
>> --
>> Ondřej Surý — ISC (He/Him)
>>
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>
>>> On 27. 8. 2024, at 19:38, Peter DeVries wrote:
>>>
>>> For what it's worth this is how we build our dockers, with a builder and then the runner. IMO it's cleaner that way and not much more complicated. We'll continue to roll our own though so no real dog in this fight.
>>>
>>> Peter
>>>
>>>> On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý wrote:
>>>>
>>>>> On 27. 8. 2024, at 18:57, Marc wrote:
>>>>> Afaik apk del \ does not free up space still.
>>>>
>>>> Right. That was not really my intention though. I wanted to reduce the amount of cruft installed in the image. The less binary stuff around, the less possible attack surface.
>>>>
>>>> But apk --no-cache should work I guess.
>>>>
>>>>> If you work with builder phase, you can probably shave off some MB's
>>>>
>>>> I think that's too complicated to use two phases, but I think the next update should reduce the image size a little bit. It was ~170 MB before and the reduced (compressed) size is 130 MB.
>>>>
>>>> But I get it - the base alpine:latest is only 3 MB, that's quite a difference.
>>>>
>>>> Ondrej
>>>> --
>>>> Ondřej Surý (He/Him)
>>>> ond...@isc.org
>>>>
>>>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

FROM alpine:latest as builder
MAINTAINER BIND 9 Developers
ENV DEBIAN_FRONTEND noninteractive
ENV LC_ALL C.UTF-8

ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0

# Build part
RUN apk --no-cache update
RUN apk --no-cache upgrade
RUN apk --no-cache add \
        autoconf \
        automake \
        build-base \
        fstrm \
        fstrm-dev \
        jemalloc \
        jemalloc-dev \
        json-c \
        json-c-dev \
        krb5-dev \
        krb5-libs \
        libcap-dev \
        libcap2 \
        libidn2 \
        libidn2-dev \
        libmaxminddb-dev \
        libmaxminddb-libs \
        libtool \
        libuv \
        libuv-dbg \
        libuv-dev \
        libxml2 \
        libxml2-dbg \
        libxml2-dev \
        libxslt \
        lmdb \
        lmdb-dev \
        make \
        musl-dbg \
        nghttp2-dev \
        nghttp2-libs \
        openssl-dbg \
        openssl-dev \
        procps \
        protobuf-c \
        protobuf-c-dev \
        tzdata \
        userspace-rcu \
        userspace-rcu-dev
RUN mkdir -p /usr/src
ADD https://downloads.isc.org/isc/bind9/${BIND9_VERSION}/bind-${BIND9_VERSION}.tar.xz /usr/src
RUN cd /usr/src && \
    ( echo "${BIND9_CHECKSUM}  bind-${BIND9_VERSION}.tar.xz" | sha256sum -c - ) && \
    tar -xJf bind-${BIND9_VERSION}.tar.xz && \
    cd /usr/src/bind-${BIND9_VERSION} && \
    ./configure --prefix /usr \
        --sysconfdir=/etc/bind \
        --localstatedir=/ \
        --enable-shared \
        --disable-static \
        --with-gssapi \
        --with-libidn2 \
        --with-json-c \
        --with-lmdb=/usr \
        --with-gnu-ld \
        --with-maxminddb \
        --enable-dnstap && \
    make -j && \
    make install && \
    rm -rf /usr/src

# Remove development packages
RUN apk --no-cache del \
        autoconf \
        automake \
        build-base \
        fstrm
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
On 27/08/2024 at 19:52, Ondřej Surý wrote:
> What’s the size difference for you?
>
> I mean if someone wants to play with our Dockerfile and there’s a significant reduction in size, I would be convinced. But in a world, where a mobile application that does absolutely nothing has 4 GB, I feel like 130 MB is on the low side of the scale.

There is a way to forget the compilation steps, using the "--from" option of COPY, see here:
https://docs.docker.com/reference/dockerfile/#copy---from

=> I made the experiment, and the image drops to 63MB instead of 243MB (without keeping the sources).
remarks:
I chose to clone only the /usr because that path seems to be the only one affected during the build/install.
I duplicated the LC_ALL env variable, as I don't know if it is needed for runtime or build phase.

In my opinion this would be cleaner that way (with drawback that we cannot see the build steps history anymore)

Benoit

> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 27. 8. 2024, at 19:38, Peter DeVries wrote:
>>
>> For what it's worth this is how we build our dockers, with a builder and then the runner. IMO it's cleaner that way and not much more complicated. We'll continue to roll our own though so no real dog in this fight.
>>
>> Peter
>>
>>> On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý wrote:
>>>
>>>> On 27. 8. 2024, at 18:57, Marc wrote:
>>>> Afaik apk del \ does not free up space still.
>>>
>>> Right. That was not really my intention though. I wanted to reduce the amount of cruft installed in the image. The less binary stuff around, the less possible attack surface.
>>>
>>> But apk --no-cache should work I guess.
>>>
>>>> If you work with builder phase, you can probably shave off some MB's
>>>
>>> I think that's too complicated to use two phases, but I think the next update should reduce the image size a little bit. It was ~170 MB before and the reduced (compressed) size is 130 MB.
>>>
>>> But I get it - the base alpine:latest is only 3 MB, that's quite a difference.
>>>
>>> Ondrej
>>> --
>>> Ondřej Surý (He/Him)
>>> ond...@isc.org
>>>
>>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

FROM alpine:latest as builder
MAINTAINER BIND 9 Developers
ENV DEBIAN_FRONTEND noninteractive
ENV LC_ALL C.UTF-8

ARG BIND9_VERSION=9.20.1
ARG BIND9_CHECKSUM=fe6ddff74921410d33b62b5723ac23912e8d50138ef66d7a30dc2c421129aeb0

# Build part
RUN apk --no-cache update
RUN apk --no-cache upgrade
RUN apk --no-cache add \
        autoconf \
        automake \
        build-base \
        fstrm \
        fstrm-dev \
        jemalloc \
        jemalloc-dev \
        json-c \
        json-c-dev \
        krb5-dev \
        krb5-libs \
        libcap-dev \
        libcap2 \
        libidn2 \
        libidn2-dev \
        libmaxminddb-dev \
        libmaxminddb-libs \
        libtool \
        libuv \
        libuv-dbg \
        libuv-dev \
        libxml2 \
        libxml2-dbg \
        libxml2-dev \
        libxslt \
        lmdb \
        lmdb-dev \
        make \
        musl-dbg \
        nghttp2-dev \
        nghttp2-libs \
        openssl-dbg \
        openssl-dev \
        procps \
        protobuf-c \
        protobuf-c-dev \
        tzdata \
        userspace-rcu \
        userspace-rcu-dev
RUN mkdir -p /usr/src
ADD https://downloads.isc.org/isc/bind9/${BIND9_VERSION}/bind-${BIND9_VERSION}.tar.xz /usr/src
RUN cd /usr/src && \
    ( echo "${BIND9_CHECKSUM}  bind-${BIND9_VERSION}.tar.xz" | sha256sum -c - ) && \
    tar -xJf bind-${BIND9_VERSION}.tar.xz && \
    cd /usr/src/bind-${BIND9_VERSION} && \
    ./configure --prefix /usr \
        --sysconfdir=/etc/bind \
        --localstatedir=/ \
        --enable-shared \
        --disable-static \
        --with-gssapi \
        --with-libidn2 \
        --with-json-c \
        --with-lmdb=/usr \
        --with-gnu-ld \
        --with-maxminddb \
        --enable-dnstap && \
    make -j && \
    make install && \
    rm -rf /usr/src

# Remove development packages
RUN apk --no-cache del \
        autoconf \
        automake \
        build-base \
        fstrm-dev \
        gnutls-utils \
        jemalloc-dev \
        json-c-dev \
        krb5-dev \
        libcap-dev \
        libidn2-dev \
        libmaxminddb-dev \
        libtool \
        libuv-dev \
        libxml2-dev \
        libxslt \
        lmdb-dev \
        make \
        nghttp2-dev \
        openssl-dev \
        proto
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
> Having said that, I wonder if people have some preference or even policy which mandates specific base image?

Yes. We're using a certified ubi8-minimal image for the finalized docker by mandate and a bit of preference. Base image is 90M deployed with BIND 9.18.29 is 258M (uncompressed). In this case we use Rockylinux as the builder and copy it over to ubi8 for the final image.

To me this is less about the size and more about cleanliness. Rather than making sure everything is removed we just start fresh and only install / copy what we need.

I don't think it's a significant effort to do what we are doing and happy to contribute but just to note we have no objections to how ISC is doing it and appreciate that these are being produced. I use them anytime my custom ones are not available.

Peter

> Alpine is popular for small images, but is it good enough in "one size fits all" sense?
>
> --
> Petr Špaček
> Internet Systems Consortium
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
On 27. 08. 24 20:18, Ondřej Surý wrote:
> There’s also human wear. I would like to see a proof that it helps to halve the size of the image before someone spends time on this.
>
> As usual, contributions are welcome. We are probably going to integrate the Docker with the main repository to build each future tag and so on, so we might look into this in the future, but I feel this is good enough for *now*.

The repository with Dockerfile is public here:
https://github.com/isc-projects/bind9-docker/blob/v9.20/Dockerfile

We are happy to review and incorporate improvements - it's open-source!

Having said that, I wonder if people have some preference or even policy which mandates specific base image?

Alpine is popular for small images, but is it good enough in "one size fits all" sense?

--
Petr Špaček
Internet Systems Consortium
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
Ok, thanks. I see the logging now and I got this:

27-Aug-2024 19:53:19.449 general: error: could not configure root hints from '/usr/share/dns/root.hints': file not found

Then I checked the container:

bind9-1:/var/log/bind# docker exec -it bind9 /bin/sh
/ # ls -lha /usr/share/dns/
ls: /usr/share/dns/: No such file or directory

So my /etc/bind/named.conf.default-zones (itself included from my named.conf) referenced this location. In short, a bit of an unexpected change for /my/ config. I commented out the include that called the named.conf.default-zones.

In short, it was my config not being close-enough to stock for the new container to load successfully. An easy issue to understand and fix with the logging change you made.

Thanks!

--dan
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
There’s also human wear. I would like to see a proof that it helps to halve the size of the image before someone spends time on this.

As usual, contributions are welcome. We are probably going to integrate the Docker with the main repository to build each future tag and so on, so we might look into this in the future, but I feel this is good enough for *now*.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 27. 8. 2024, at 20:12, Marc wrote:
>
> I don't look at it like that. I see half back up space required, half of the wear level on ssds, half of the power consumption, twice as fast to deploy. And if you have a lot of downloads this starts counting.
>
> I have been telling Microsoft and Bill Gates to reduce updates and footprints, but I don't think they care too much about the environment ;)
RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
> What’s the size difference for you?
>
> I mean if someone wants to play with our Dockerfile and there’s a significant reduction in size, I would be convinced. But in a world, where a mobile application that does absolutely nothing has 4 GB, I feel like 130 MB is on the low side of the scale.

I don't look at it like that. I see half back up space required, half of the wear level on ssds, half of the power consumption, twice as fast to deploy. And if you have a lot of downloads this starts counting.

I have been telling Microsoft and Bill Gates to reduce updates and footprints, but I don't think they care too much about the environment ;)
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
What’s the size difference for you?

I mean if someone wants to play with our Dockerfile and there’s a significant reduction in size, I would be convinced. But in a world, where a mobile application that does absolutely nothing has 4 GB, I feel like 130 MB is on the low side of the scale.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 27. 8. 2024, at 19:38, Peter DeVries wrote:
>
> For what it's worth this is how we build our dockers, with a builder and then the runner. IMO it's cleaner that way and not much more complicated. We'll continue to roll our own though so no real dog in this fight.
>
> Peter
>
>> On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý wrote:
>> On 27. 8. 2024, at 18:57, Marc wrote:
>>>
>>> Afaik apk del \ does not free up space still.
>>
>> Right. That was not really my intention though. I wanted to reduce the amount of cruft installed in the image. The less binary stuff around, the less possible attack surface.
>>
>> But apk --no-cache should work I guess.
>>
>>> If you work with builder phase, you can probably shave off some MB's
>>
>> I think that's too complicated to use two phases, but I think the next update should reduce the image size a little bit. It was ~170 MB before and the reduced (compressed) size is 130 MB.
>>
>> But I get it - the base alpine:latest is only 3 MB, that's quite a difference.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ond...@isc.org
>>
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
> > On 27. 8. 2024, at 18:57, Marc wrote:
> >
> > Afaik apk del \ does not free up space still.
>
> Right. That was not really my intention though. I wanted to reduce
> the amount of cruft installed in the image. The less binary stuff
> around, the less possible attack surface.
>
> But apk --no-cache should work I guess.
>
> > If you work with builder phase, you can probably shave off some MB's
>
> I think that's too complicated to use two phases, but I think the next update
> should reduce the image size a little bit. It was ~170 MB before and the
> reduced (compressed) size is 130 MB.
>
> But I get it - the base alpine:latest is only 3 MB, that's quite a
> difference.
>

yes I would not be surprised if you can get a <50MB tar
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
For what it's worth this is how we build our dockers, with a builder and then the runner. IMO it's cleaner that way and not much more complicated. We'll continue to roll our own though so no real dog in this fight.

Peter

On Tue, Aug 27, 2024 at 1:28 PM Ondřej Surý wrote:
>
> > On 27. 8. 2024, at 18:57, Marc wrote:
> >
> > Afaik apk del \ does not free up space still.
>
> Right. That was not really my intention though. I wanted to reduce
> the amount of cruft installed in the image. The less binary stuff
> around, the less possible attack surface.
>
> But apk --no-cache should work I guess.
>
> > If you work with builder phase, you can probably shave off some MB's
>
> I think that's too complicated to use two phases, but I think the next update
> should reduce the image size a little bit. It was ~170 MB before and the
> reduced (compressed) size is 130 MB.
>
> But I get it - the base alpine:latest is only 3 MB, that's quite a difference.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not feel
> obligated to reply outside your normal working hours.
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
> On 27. 8. 2024, at 18:57, Marc wrote:
>
> Afaik apk del \ does not free up space still.

Right. That was not really my intention though. I wanted to reduce the amount of cruft installed in the image. The less binary stuff around, the less possible attack surface.

But apk --no-cache should work I guess.

> If you work with builder phase, you can probably shave off some MB's

I think that's too complicated to use two phases, but I think the next update should reduce the image size a little bit. It was ~170 MB before and the reduced (compressed) size is 130 MB.

But I get it - the base alpine:latest is only 3 MB, that's quite a difference.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
> On 27. 8. 2024, at 18:47, Ondřej Surý wrote:
>
> But I think you are right. The default logging goes to the syslog and there's no syslog
> in the container. I'm thinking about appending -L /var/log/bind/default.log to the CMD
> part of the docker (so it can be easily overridden).

I've just added -L /var/log/bind/default.log to the CMD in the Docker file, this will cause the default logging to go to this file inside the container.

Something like this should get you going:

mkdir -p /tmp/bind9/log/bind
chmod 777 /tmp/bind9/log/bind
docker run --volume /tmp/bind9/log:/var/log --name=bind9 --restart=always --publish 5353:53/udp --publish 5353:53/tcp internetsystemsconsortium/bind9:9.18

(I'm actually running `podman run`, so I hope the options are compatible.)

This is obviously not production ready and you should properly set --uidmap and --gidmap[*]. The bind user and group inside the container look like this:

# grep bind /etc/passwd
bind:x:100:101:Linux User,,,:/var/cache/bind:/sbin/nologin
# grep bind /etc/group
bind:x:101:bind

Ondrej

* - or if running root-less, it requires properly setting up subuid(5) and subgid(5) - this is a bit esoteric even for me.
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
RE: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
>
> Sure, it’s not secret:
>
> https://gitlab.isc.org/isc-projects/bind9-docker
>
> Branches with history…
>

Afaik apk del \ does not free up space still.
If you work with builder phase, you can probably shave off some MB's

# Version: 0.0.1 - 3proxy

#
# Stage 0: builder
#
FROM alpine:3.17 as builder

# install necessary packages
RUN apk add build-base git iptables-dev \
    --no-cache

RUN mkdir /tmp/3proxy/ && cd /tmp/ \
    && git clone --branch master https://github.com/3proxy/3proxy.git 3proxy/ \
    && cd 3proxy/ \
    && ln -s Makefile.Linux Makefile \
    && make \
    && make install


#
# Stage 1: runtime
#
FROM alpine:3.17


# environment settings for this application
ENV TPROXY_USER="tinyproxy" \
    TPROXY_UID=10043 \
    TPROXY_CFG_DIR="/etc/3proxy" \
    TPROXY_CRT_DIR="/etc/ssl/certs" \
    TPROXY_KEY_DIR="/etc/ssl/private" \
    TPROXY_DATA_DIR="/var/3proxy"

# [...]

# copy configuration files
RUN mkdir /etc/3proxy/
COPY --from=builder /usr/local/3proxy /usr/local/
COPY --from=builder /bin/3proxy /bin/
COPY --from=builder /bin/ftppr /bin/
COPY --from=builder /bin/proxy /bin/
COPY --from=builder /bin/mycrypt /bin/
COPY --from=builder /bin/socks /bin/
COPY --from=builder /bin/tcppm /bin/
COPY --from=builder /bin/udppm /bin/
COPY --from=builder /etc/3proxy/* /etc/3proxy/
COPY 3proxy.cfg $TPROXY_CFG_DIR/
COPY 3proxy.users $TPROXY_CFG_DIR/
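The layer behaviour behind "apk del does not free up space", as an added example that is not part of the original post or of ISC's Dockerfile: it models image layers as tarballs with OCI whiteout markers and compares a delete done in its own RUN step with the same commands chained in a single RUN. The paths, sizes and the split into RUN steps are constructed assumptions.

```python
import io
import tarfile

def make_layer(files):
    """Build one uncompressed layer tarball from {path: content bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def layer_files(blob):
    """Return {path: size} for the regular files stored in one layer."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        return {m.name: m.size for m in tar.getmembers() if m.isfile()}

def merged_rootfs(layers):
    """Paths visible in the running container: apply layers in order and
    honour OCI whiteout markers (.wh.<name>). Opaque whiteouts are not handled."""
    visible = {}
    for blob in layers:
        for path, size in layer_files(blob).items():
            parent, _, base = path.rpartition("/")
            if base.startswith(".wh."):
                gone = f"{parent}/{base[4:]}" if parent else base[4:]
                visible = {p: s for p, s in visible.items()
                           if p != gone and not p.startswith(gone + "/")}
            else:
                visible[path] = size
    return visible

def shipped_bytes(layers):
    """File content bytes stored across all layers, i.e. what gets pulled."""
    return sum(sum(layer_files(blob).values()) for blob in layers)

# Constructed sample data: sizes and paths are illustrative only.
BASE = make_layer({"bin/busybox": b"b" * 800})
NAMED = b"n" * 2000
# Variant A: install, build and "apk del" as separate RUN steps.
SPLIT = [
    BASE,
    make_layer({"usr/bin/gcc": b"g" * 6000}),  # RUN apk add build-base
    make_layer({"usr/sbin/named": NAMED}),      # RUN make install
    make_layer({"usr/bin/.wh.gcc": b""}),       # RUN apk del build-base
]
# Variant B: the same commands chained in one RUN, so one layer diff.
SINGLE = [BASE, make_layer({"usr/sbin/named": NAMED})]

if __name__ == "__main__":
    for name, layers in (("split", SPLIT), ("single", SINGLE)):
        print(name, sorted(merged_rootfs(layers)), shipped_bytes(layers))
```

Both variants present the same root filesystem, but in the split variant the compiler is still stored in an earlier layer and can be extracted from the image, so it counts toward both download size and what an image scanner will find.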
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
Hi Dan,

I'm using podman instead of docker as it allows me to run the containers unprivileged, but this works now:

podman run -it docker.io/internetsystemsconsortium/bind9:9.18 -g -c /etc/bind/named.conf

and the container (named in the container) prints all the logs to the stderr.

But I think you are right. The default logging goes to the syslog and there's no syslog in the container. I'm thinking about appending -L /var/log/bind/default.log to the CMD part of the docker (so it can be easily overridden).

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 27. 8. 2024, at 18:10, Dan Parrish via bind-users wrote:
>
> This morning, I had several internetsystemsconsortium/bind9:9.18 containers
> update and none of them would launch properly, they just kept restarting.
> The containers do no logging at all, and I couldn't determine any root cause.
> I tried disabling mount points, adjusting permissions, etc. Nothing would
> bring the containers up. Even running the simplest:
>
> docker run \
>   --name=bind9 \
>   --restart=always \
>   --publish 53:53/udp \
>   --publish 53:53/tcp \
>   --publish 127.0.0.1:953:953/tcp \
>   internetsystemsconsortium/bind9:9.18
>
> would not produce a working container. I also tried
> internetsystemsconsortium/bind9:9.20 and
> internetsystemsconsortium/bind9:9.21, and these containers just kept
> restarting as well.
> I ultimately replaced the image pull with ubuntu/bind9:latest and things are
> working for me again.
> I'm typically running Docker version 25.0.3.
> I feel like if I had basic logging, I could provide more information,
> possibly even resolved the issue and reported the fix. Can we get logging to
> work?
> --dan
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
This morning, I had several internetsystemsconsortium/bind9:9.18 containers update and none of them would launch properly, they just kept restarting. The containers do no logging at all, and I couldn't determine any root cause. I tried disabling mount points, adjusting permissions, etc. Nothing would bring the containers up. Even running the simplest:

docker run \
  --name=bind9 \
  --restart=always \
  --publish 53:53/udp \
  --publish 53:53/tcp \
  --publish 127.0.0.1:953:953/tcp \
  internetsystemsconsortium/bind9:9.18

would not produce a working container. I also tried internetsystemsconsortium/bind9:9.20 and internetsystemsconsortium/bind9:9.21, and these containers just kept restarting as well.

I ultimately replaced the image pull with ubuntu/bind9:latest and things are working for me again.

I'm typically running Docker version 25.0.3.

I feel like if I had basic logging, I could provide more information, possibly even resolved the issue and reported the fix. Can we get logging to work?

--dan
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
Sure, it’s not secret:

https://gitlab.isc.org/isc-projects/bind9-docker

Branches with history…

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 27. 8. 2024, at 14:04, Michael Dahlberg wrote:
>
>> On Tuesday, August 27th, 2024 at 4:21 AM, Ondřej Surý wrote:
>>
>> the Docker images have been updated to use Alpine Linux as the base image
>> and the bind9 binaries are now compiled from the source while building the
>> Docker images. This is more in-line with the expected Docker (Podman)
>> workflow.
>
> This sounds very cool! Would it be possible to share how these container
> images were created, like what sort of dockerfile was used to generate them?
>
> Thanks for the valuable work.
>
> Mike
Re: Updated Docker images (9.18, 9.20, 9.21) - now based on Alpine Linux
On Tuesday, August 27th, 2024 at 4:21 AM, Ondřej Surý wrote:

> the Docker images have been updated to use Alpine Linux as the base image
> and the bind9 binaries are now compiled from the source while building the
> Docker images. This is more in-line with the expected Docker (Podman)
> workflow.

This sounds very cool! Would it be possible to share how these container images were created, like what sort of dockerfile was used to generate them?

Thanks for the valuable work.

Mike