search

monicahq / docker

docker image of Monica
https://hub.docker.com/_/monica/
GNU General Public License v2.0
203 stars 61 forks source link

Remove some unused packages from monica:fpm image #109

Closed hydrargyrum closed 2 years ago

hydrargyrum commented 2 years ago

I see in the fpm/Dockerfile some effort is made to remove unused packages. But inspecting the resulting image, some packages seem questionable for a production image, for example autoconf, make, m4, curl (command-line tool), dpkg-dev, gcc. Those would be acceptable for an build-stage image where only required stuff would be installed/copied in the production-stage image. Furthermore, cleaning unused packages from a build-stage image would be pointless, so the apt-mark part would not be needed.

For reference:

% docker run --rm --entrypoint /bin/sh -it monica:fpm -c "apt-mark showmanual"
autoconf
bash
busybox-static
ca-certificates
curl
dpkg-dev
file
g++
gcc
libargon2-1
libbrotli1
libbz2-1.0
libc6
libc6-dev
libcom-err2
libcurl4
libffi7
libfreetype6
libgcc-s1
libgcrypt20
libgmp10
libgnutls30
libgpg-error0
libgssapi-krb5-2
libhogweed6
libicu67
libidn2-0
libjpeg62-turbo  
libk5crypto3
libkeyutils1
libkrb5-3
libkrb5support0  
libldap-2.4-2
liblzma5
libmemcached11   
libnettle8
libnghttp2-14
libonig5
libp11-kit0
libpng16-16
libpsl5
libreadline8
librtmp1
libsasl2-2
libsodium23
libsqlite3-0
libssh2-1
libssl1.1
libstdc++6
libtasn1-6
libtinfo6
libunistring2
libwebp6
libxml2
libzip4
make
pkg-config
re2c
xz-utils
zlib1g
asbiin commented 2 years ago

We base our image on (here) php:8.1-fpm. We don't want to remove more package than the ones already included in the base image. Maybe someone will create a new image based on Monica's image. They should be able to assume all packages from the base image are present, no less.

If you'd like to clean up the php:8.1-fpm image, then you can create an issue here: https://github.com/docker-library/php

Thanks

hydrargyrum commented 2 years ago

@asbiin

Maybe someone will create a new image based on Monica's image. They should be able to assume all packages from the base image are present, no less.

I don't agree. Monica docker image is not a "library", it's supposed to be production-ready image, it's designed to be used "as is", so it should only contain what should be present in production. Else your production-ready image is open to more vulnerabilities, etc.

We don't want to remove more package than the ones already included in the base image.

If someone wants to build something on monica image, they should install themselves what's required. It's not your responsibility, it's theirs. On the contrary, php:8.1-fpm is a library image, it's not designed to be used "as is", so it's normal for it to have more stuff. This is confirmed by their reply: https://github.com/docker-library/php/issues/1324#issuecomment-1218265532