statically link the musl binary #3

Closed
rain-1 opened this issue Mar 18, 2019 · 4 comments
rain-1 commented Mar 18, 2019

Static linking could improve the packaging further by size and attack surface a tiny bit more.

From b999b552b14adb573a8824f4866718a91e5cae50 Mon Sep 17 00:00:00 2001
From: rain1 <[email protected]>
Date: Mon, 18 Mar 2019 22:36:52 +0000
Subject: [PATCH] statically link the musl nginx binary


diff --git a/musl/Dockerfile b/musl/Dockerfile
index 9d7baa2..da43404 100644
--- a/musl/Dockerfile
+++ b/musl/Dockerfile
@@ -31,7 +31,9 @@ ARG NGINX_CONFIG="\
     --with-http_stub_status_module \
     --with-stream \
     --with-stream_ssl_module \
-    --with-threads"
+    --with-threads\
+    --with-cc-opt=-static\
+    --with-ld-opt=-static"
 
 ADD https://ftp.pcre.org/pub/pcre/pcre-$PCRE_VERSION.tar.gz /tmp/pcre.tar.gz
 ADD https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz /tmp/openssl.tar.gz
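Review bot: The two added continuation lines in NGINX_CONFIG (`--with-threads\` and `--with-cc-opt=-static\`) drop the space before the backslash that the unchanged lines above them have (`--with-stream_ssl_module \`), so keeping the flags apart is left to the next line's indentation; end both with ` \` to match. `-static` is a link-time option, so it is worth confirming whether `--with-cc-opt=-static` is needed in addition to `--with-ld-opt=-static`. Nothing in the hunk verifies the outcome, so consider a build step that fails if the resulting nginx binary is not static.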
-- 
2.21.0

ldd nginx shows that the nginx binary is statically linked now. It may even be possible to delete /lib with the statically linked version. Needs tested though.
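The `ldd` observation and the open question about deleting /lib in the comment above can be checked directly from the ELF program headers. The following is an added example, not code from this repository or from either participant; the function names are hypothetical and `make_elf64` builds constructed sample headers so the script runs without an nginx binary.

```python
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3  # p_type values from the ELF specification

def segment_types(data):
    """Return the p_type of every program header in an ELF image."""
    if len(data) < 16 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a valid ELF file")
    is64 = data[4] == 2                        # EI_CLASS
    end = "<" if data[5] == 1 else ">"         # EI_DATA: byte order
    if len(data) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    types = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        types.append(struct.unpack_from(end + "I", data, off)[0])
    return types

def linkage(data):
    """Classify an executable by whether the kernel must start a loader for it."""
    types = segment_types(data)
    if PT_INTERP in types:
        return "dynamic"      # names a loader that has to exist in the image
    if PT_DYNAMIC in types:
        return "static-pie"   # for an executable: self-relocating, no loader
    return "static"

def make_elf64(types):
    """Constructed sample: little-endian ELF64 header plus empty program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    return ident + hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in types)

if __name__ == "__main__":
    for path in sys.argv[1:]:                  # e.g. the built nginx binary
        with open(path, "rb") as f:
            print(path, linkage(f.read()))
    if len(sys.argv) == 1:                     # no arguments: run on constructed samples
        print(linkage(make_elf64([1, 1])), linkage(make_elf64([6, 3, 1, 2])))
```

A missing PT_INTERP only shows that the kernel needs no loader to start the program; a statically linked glibc binary can still load shared libraries at run time (NSS, for example), so an empty /lib should also be tested by running the image.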

@ricardbejarano
Owner

See this comment on my PR trying to push a statically linked, glibc-based image to the official NGINX Docker image.

Also, haven't tried statically linking the musl image, but the glibc image still required libc to be on /lib (see this commit, switching back the glibc-based image to dynamic compilation).

@rain-1
Author

rain-1 commented Mar 19, 2019

I'm not sure static linking with glibc is a good idea - musl was designed with static linking in mind. I looked into it and perhaps the problem was related to this: http://sourceware.org/glibc/wiki/FAQ#Even_statically_linked_programs_need_some_shared_libraries_which_is_not_acceptable_for_me.__What_can_I_do.3F

@ricardbejarano
Owner

I'll consider statically building NGINX in the musl-based image.

ricardbejarano self-assigned this Mar 19, 2019
@ricardbejarano
Owner

After considering whether or not to use static compilation with the musl-based image, I've finally decided to add it.

The difference in image size is negligible (~200KB) and it lets us simplify the image's filesystem by removing /lib altogether.

This is the commit with those changes. I've retagged 1.15.9 too, so the latest musl-based image (ricardbejarano/nginx:musl) is statically built already.
