dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Linux: Add support for building 'distroless' apps with static libc #43113

Open timmydo opened 4 years ago

timmydo commented 4 years ago

A distroless Linux container image is essentially one that provides the minimal necessary files to start an application. This means the typical libraries provided by a Linux distribution are not there.

From https://github.com/GoogleContainerTools/distroless/blob/446923c3756ceeaa75888f52fcbdd48bb314fbf8/base/README.md :

Statically compiled applications (Go) that do not require libc can use the gcr.io/distroless/static image, which contains:

ca-certificates
A /etc/passwd entry for a root user
A /tmp directory
tzdata

Could .NET applications be made to publish such that they could run in a minimal container image like this?

jkotas commented 4 years ago

For reference, previous effort to try to statically link libc: https://github.com/dotnet/runtime/issues/6169#issuecomment-297864286

mjsabby commented 4 years ago

getaddrinfo is the only function I'm aware of that misbehaves when you statically link glibc. @jkotas, would you be opposed to supporting a config that did statically link everything? Including things like openssl and icu if desired?

Basically a recipe to create libcoreclr.a and that recipe can be used to achieve this.

jkotas commented 4 years ago

It would be fine with me as long as it is optional and does not make the build scripts too hard to maintain.

MouriNaruto commented 3 years ago

I have done some work on that recently. (Though it is a bootable Linux image with an ASP.NET Core 5.0 based web server demo under VMware.)

Here is the package list that .NET needs, which I downloaded from the Alpine Linux mirror. (The size is about 40 MiB.)

busybox-1.31.1-r19.apk (For implementing the ultra-lightweight init script that prepares the environment for the .NET runtime, such as mounting /dev, /proc and /sys, making /tmp writable, and executing dhcpcd for networking support.)
dhcpcd-8.1.6-r0.apk (For network initialization.)
icu-libs-67.1-r0.apk
keyutils-libs-1.6.1-r1.apk
krb5-conf-1.0-r2.apk
krb5-libs-1.18.2-r0.apk
libcom_err-1.45.6-r0.apk
libcrypto1.1-1.1.1g-r0.apk
libgcc-9.3.0-r2.apk
libintl-0.20.2-r0.apk
libssl1.1-1.1.1g-r0.apk
libstdc++-9.3.0-r2.apk
libverto-0.3.1-r1.apk
musl-1.1.24-r9.apk
zlib-1.2.11-r3.apk

I think icu, zlib, krb5 and openssl should be linked statically to reduce size and dependencies the most.

In today's .NET runtime, we can't statically link libc because some implementations need to interop directly with libc instead of going through the PAL. https://github.com/dotnet/runtime/blob/1821d9c14b970d58e0768256de138b6c0287e07d/src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs#L220
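Before dropping a published app into gcr.io/distroless/static (or the musl rootfs listed above), it is worth checking which shared libraries the host binary still requires. The POSIX sh script below is an added example, not code from this thread or from dotnet/runtime: it parses `readelf -d` output for NEEDED entries and reports which sonames a candidate base image does not provide. The readelf output and the per-image library lists are constructed samples, chosen to mirror the package list in the post above.

```shell
#!/bin/sh
# Constructed sample of `readelf -d app | grep -A0 NEEDED`-style output for a
# glibc-linked single-file apphost (in a real run, feed readelf output here).
SAMPLE_READELF='Dynamic section at offset 0x1d8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libstdc++.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libgcc_s.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x4000'

# Sonames each base image ships (constructed lists). distroless/static ships no
# shared libraries at all: only ca-certificates, a root /etc/passwd entry, /tmp
# and tzdata. The Alpine list approximates the musl/libstdc++/libgcc/openssl/
# zlib/icu packages enumerated in the post above.
LIBS_DISTROLESS_STATIC=''
LIBS_ALPINE_MINIMAL='libc.musl-x86_64.so.1 libstdc++.so.6 libgcc_s.so.1 libssl.so.1.1 libcrypto.so.1.1 libz.so.1 libicuuc.so.67'

# needed_libs: print one NEEDED soname per line, parsed from readelf -d output.
needed_libs() {
    printf '%s\n' "$1" | sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# missing_libs: sonames required by $1 (readelf output) that the space-separated
# image library list in $2 does not provide, one per line.
missing_libs() {
    for so in $(needed_libs "$1"); do
        case " $2 " in
            *" $so "*) ;;                 # provided by the image
            *) printf '%s\n' "$so" ;;     # unresolved at container start
        esac
    done
}

# count_missing: number of unresolved sonames; a non-zero value is a CI gate
# failure, since the loader will refuse to start the binary in that image.
count_missing() {
    missing_libs "$1" "$2" | awk 'END { print NR }'
}

echo "Unresolved in distroless/static:"
missing_libs "$SAMPLE_READELF" "$LIBS_DISTROLESS_STATIC"
echo "Unresolved in a minimal Alpine (musl) rootfs:"
missing_libs "$SAMPLE_READELF" "$LIBS_ALPINE_MINIMAL"
```

With the glibc sample, every NEEDED entry is unresolved in distroless/static, and the libc/libm/libdl/libpthread entries are unresolved on musl as well, which is why a linux-musl build of the host is needed before static linking of the remaining libraries even becomes relevant.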

olljanat commented 3 years ago

Any progress on here?

ghost commented 2 years ago

Tagging subscribers to this area: @agocke, @vitek-karas, @vsadov See info in area-owners.md if you want to be subscribed.

Issue Details
A distroless Linux container image is essentially one that provides the minimal necessary files to start an application. This means the typical libraries provided by a Linux distribution are not there.

From https://github.com/GoogleContainerTools/distroless/blob/446923c3756ceeaa75888f52fcbdd48bb314fbf8/base/README.md :

Statically compiled applications (Go) that do not require libc can use the `gcr.io/distroless/static` image, which contains:

ca-certificates
A /etc/passwd entry for a root user
A /tmp directory
tzdata

Could .NET applications be made to publish such that they could run in a minimal container image like this?
Author: timmydo
Assignees: -
Labels: `area-Single-File`
Milestone: Future