From 6eaf8fafa33658efd8d8db0871c49886d4dcba57 Mon Sep 17 00:00:00 2001 From: lwthiker Date: Fri, 29 Jul 2022 19:49:00 +0300 Subject: [PATCH] Minimize Docker image size with multi-stage build Minimize the size of the resulting Docker image size by using multi-stage build and copying the resulting binaries into a minimal Debian system. This was done with the Alpine Docker images up until now but not with the Debian images. --- Dockerfile.template | 21 +++++++++++++++++---- INSTALL.md | 6 +++--- chrome/Dockerfile | 13 ++++++++++++- chrome/Dockerfile.alpine | 2 +- firefox/Dockerfile | 17 ++++++++++++++++- firefox/Dockerfile.alpine | 2 +- tests/Dockerfile | 18 ++++++++---------- 7 files changed, 58 insertions(+), 21 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index aaabd6b..fe4344a 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -8,7 +8,7 @@ {{#debian}} # Python is needed for building libnss. # Use it as a common base. -FROM python:3.10.1-slim-buster +FROM python:3.10.1-slim-buster as builder {{/debian}} {{#alpine}} FROM alpine:3.15.0 as builder @@ -225,10 +225,10 @@ COPY curl_chrome* curl_edge* curl_safari* out/ RUN sed -i 's@/usr/bin/env bash@/usr/bin/env ash@' out/curl_* {{/alpine}} RUN chmod +x out/curl_* -{{#alpine}} -# When using alpine, create a final, minimal image with the compiled binaries +# Create a final, minimal image with the compiled binaries # only. +{{#alpine}} FROM alpine:3.15.0 {{#firefox}} # curl tries to load the CA certificates for libnss. @@ -236,9 +236,22 @@ FROM alpine:3.15.0 # which is supplied by 'nss' on alpine. RUN apk add --no-cache nss {{/firefox}} +{{/alpine}} +{{#debian}} +FROM debian:buster-slim +{{#firefox}} +# curl tries to load the CA certificates for libnss. +# It loads them from /usr/lib/libnssckbi.so and /usr/lib/libnsspem.so, +# which are supplied by 'libnss3' and 'nss-plugin-pem' on debian. +RUN apt-get update && apt-get install -y libnss3 nss-plugin-pem +{{/firefox}} +{{/debian}} # Copy curl-impersonate from the builder image COPY --from=builder /build/install /usr/local +{{#debian}} +# Copy to /build/out as well for backward compatibility with previous versions. +COPY --from=builder /build/out /build/out +{{/debian}} # Wrapper scripts COPY --from=builder /build/out/curl_* /usr/local/bin/ -{{/alpine}} diff --git a/INSTALL.md b/INSTALL.md index 569a704..adee341 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -160,9 +160,9 @@ The Docker build is a bit more reproducible and serves as the reference implemen ``` docker build -t curl-impersonate-chrome chrome/ ``` -The resulting image contains a `/build/out` directory with the following: +The resulting binaries and libraries are in the `/usr/local` directory, which contains: * `curl-impersonate-chrome`, `curl-impersonate` - The curl binary that can impersonate Chrome/Edge/Safari. It is compiled statically against libcurl, BoringSSL, and libnghttp2 so that it won't conflict with any existing libraries on your system. You can use it from the container or copy it out. Tested to work on Ubuntu 20.04. -* `curl_chrome98`, `curl_chrome99`, `...` - Wrapper scripts that launch `curl-impersonate` with all the needed flags. +* `curl_chrome99`, `curl_chrome100`, `...` - Wrapper scripts that launch `curl-impersonate` with all the needed flags. * `libcurl-impersonate-chrome.so`, `libcurl-impersonate.so` - libcurl compiled with impersonation support. See [libcurl-impersonate](#libcurl-impersonate) below for more details. You can use them inside the docker, copy them out using `docker cp` or use them in a multi-stage docker build. @@ -172,7 +172,7 @@ Build with: ``` docker build -t curl-impersonate-ff firefox/ ``` -The resulting image contains a `/build/out` directory with the following: +The resulting binaries and libraries are in the `/usr/local` directory, which contains: * `curl-impersonate-ff`, `curl-impersonate` - The curl binary that can impersonate Firefox. It is compiled statically against libcurl, nss, and libnghttp2 so that it won't conflict with any existing libraries on your system. You can use it from the container or copy it out. Tested to work on Ubuntu 20.04. * `curl_ff91esr`, `curl_ff95`, `...` - Wrapper scripts that launch `curl-impersonate` with all the needed flags. * `libcurl-impersonate-ff.so`, `libcurl-impersonate.so` - libcurl compiled with impersonation support. See [libcurl-impersonate](#libcurl-impersonate) below for more details. diff --git a/chrome/Dockerfile b/chrome/Dockerfile index 6e37f3c..7d2af1e 100644 --- a/chrome/Dockerfile +++ b/chrome/Dockerfile @@ -7,7 +7,7 @@ # Python is needed for building libnss. # Use it as a common base. -FROM python:3.10.1-slim-buster +FROM python:3.10.1-slim-buster as builder WORKDIR /build @@ -134,3 +134,14 @@ RUN ! (ldd ./out/curl-impersonate | grep -q -e nghttp2 -e brotli -e ssl -e crypt # Wrapper scripts COPY curl_chrome* curl_edge* curl_safari* out/ RUN chmod +x out/curl_* + +# Create a final, minimal image with the compiled binaries +# only. +FROM debian:buster-slim + +# Copy curl-impersonate from the builder image +COPY --from=builder /build/install /usr/local +# Copy to /build/out as well for backward compatibility with previous versions. +COPY --from=builder /build/out /build/out +# Wrapper scripts +COPY --from=builder /build/out/curl_* /usr/local/bin/ diff --git a/chrome/Dockerfile.alpine b/chrome/Dockerfile.alpine index b370ff3..9188d28 100644 --- a/chrome/Dockerfile.alpine +++ b/chrome/Dockerfile.alpine @@ -134,7 +134,7 @@ COPY curl_chrome* curl_edge* curl_safari* out/ RUN sed -i 's@/usr/bin/env bash@/usr/bin/env ash@' out/curl_* RUN chmod +x out/curl_* -# When using alpine, create a final, minimal image with the compiled binaries +# Create a final, minimal image with the compiled binaries # only. FROM alpine:3.15.0 diff --git a/firefox/Dockerfile b/firefox/Dockerfile index d352d8b..a6c45e6 100644 --- a/firefox/Dockerfile +++ b/firefox/Dockerfile @@ -7,7 +7,7 @@ # Python is needed for building libnss. # Use it as a common base. -FROM python:3.10.1-slim-buster +FROM python:3.10.1-slim-buster as builder WORKDIR /build @@ -130,3 +130,18 @@ RUN ! (ldd ./out/curl-impersonate | grep -q -e nghttp2 -e brotli -e ssl -e crypt # Wrapper scripts COPY curl_ff* out/ RUN chmod +x out/curl_* + +# Create a final, minimal image with the compiled binaries +# only. +FROM debian:buster-slim +# curl tries to load the CA certificates for libnss. +# It loads them from /usr/lib/libnssckbi.so and /usr/lib/libnsspem.so, +# which are supplied by 'libnss3' and 'nss-plugin-pem' on debian. +RUN apt-get update && apt-get install -y libnss3 nss-plugin-pem + +# Copy curl-impersonate from the builder image +COPY --from=builder /build/install /usr/local +# Copy to /build/out as well for backward compatibility with previous versions. +COPY --from=builder /build/out /build/out +# Wrapper scripts +COPY --from=builder /build/out/curl_* /usr/local/bin/ diff --git a/firefox/Dockerfile.alpine b/firefox/Dockerfile.alpine index 423acc9..c1d00ac 100644 --- a/firefox/Dockerfile.alpine +++ b/firefox/Dockerfile.alpine @@ -126,7 +126,7 @@ COPY curl_ff* out/ RUN sed -i 's@/usr/bin/env bash@/usr/bin/env ash@' out/curl_* RUN chmod +x out/curl_* -# When using alpine, create a final, minimal image with the compiled binaries +# Create a final, minimal image with the compiled binaries # only. FROM alpine:3.15.0 # curl tries to load the CA certificates for libnss. diff --git a/tests/Dockerfile b/tests/Dockerfile index e510d19..702ed83 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -16,21 +16,19 @@ COPY requirements.txt requirements.txt RUN pip install --upgrade pip && \ pip install -r requirements.txt -RUN mkdir /tests/firefox /tests/chrome - # Copy the built binaries from both containers -COPY --from=ff /build/out/curl-impersonate-ff /tests/install/bin/ -COPY --from=ff /build/out/curl_* /tests/install/bin/ -COPY --from=ff /build/out/libcurl-impersonate* /tests/install/lib/ -COPY --from=chrome /build/out/curl-impersonate-chrome /tests/install/bin/ -COPY --from=chrome /build/out/curl_* /tests/install/bin/ -COPY --from=chrome /build/out/libcurl-impersonate* /tests/install/lib/ +COPY --from=ff /usr/local/ /usr/local/ +COPY --from=chrome /usr/local/ /usr/local/ + +# Needed to update the loader's cache +RUN ldconfig COPY . . # Compile 'minicurl' which is used for testing libcurl-impersonate. # 'minicurl' is compiled against the "regular" libcurl. # libcurl-impersonate will replace it at runtime via LD_PRELOAD. -RUN gcc -Wall -Werror -o /tests/install/bin/minicurl minicurl.c `curl-config --libs` +RUN gcc -Wall -Werror -o minicurl minicurl.c `curl-config --libs` +RUN install minicurl /usr/local/bin -ENTRYPOINT ["pytest", "--install-dir", "/tests/install"] +ENTRYPOINT ["pytest"]