From 2eaaa4afc832772fcaa389748eb01ad0b4fc640b Mon Sep 17 00:00:00 2001 From: Jamie Hewland Date: Tue, 10 Jul 2018 22:26:58 +0200 Subject: [PATCH] alpine: Don't install ca-certificates on Alpine 3.7+ * CA certs come bundled on Alpine 3.7+ * On Alpine 3.6, rather install libressl which also include CA certs, allows us to use wget, and doesn't increase the size over ca-certificates --- 2.7/alpine3.6/Dockerfile | 11 ++--------- 2.7/alpine3.7/Dockerfile | 10 ++-------- 2.7/alpine3.8/Dockerfile | 10 ++-------- 3.4/alpine3.7/Dockerfile | 11 ++--------- 3.4/alpine3.8/Dockerfile | 11 ++--------- 3.5/alpine3.7/Dockerfile | 11 ++--------- 3.5/alpine3.8/Dockerfile | 11 ++--------- 3.6/alpine3.6/Dockerfile | 11 ++--------- 3.6/alpine3.7/Dockerfile | 11 ++--------- 3.6/alpine3.8/Dockerfile | 11 ++--------- 3.7/alpine3.7/Dockerfile | 11 ++--------- 3.7/alpine3.8/Dockerfile | 11 ++--------- Dockerfile-alpine.template | 11 ++--------- update.sh | 7 ++++++- 14 files changed, 32 insertions(+), 116 deletions(-) diff --git a/2.7/alpine3.6/Dockerfile b/2.7/alpine3.6/Dockerfile index 7641a6b9a..cf11a86e1 100644 --- a/2.7/alpine3.6/Dockerfile +++ b/2.7/alpine3.6/Dockerfile @@ -9,9 +9,8 @@ ENV LANG C.UTF-8 # https://github.com/docker-library/python/issues/147 ENV PYTHONIOENCODING UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +RUN apk add --no-cache libressl ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF ENV PYTHON_VERSION 2.7.15 @@ -19,7 +18,6 @@ ENV PYTHON_VERSION 2.7.15 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -41,7 +39,6 @@ RUN set -ex \ gcc \ gdbm-dev \ libc-dev \ - libressl \ libressl-dev \ linux-headers \ make \ 
@@ -89,13 +86,9 @@ RUN set -ex \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/2.7/alpine3.7/Dockerfile b/2.7/alpine3.7/Dockerfile index e16b6f865..d427dba3f 100644 --- a/2.7/alpine3.7/Dockerfile +++ b/2.7/alpine3.7/Dockerfile @@ -9,9 +9,8 @@ ENV LANG C.UTF-8 # https://github.com/docker-library/python/issues/147 ENV PYTHONIOENCODING UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF ENV PYTHON_VERSION 2.7.15 @@ -19,7 +18,6 @@ ENV PYTHON_VERSION 2.7.15 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -91,13 +89,9 @@ RUN set -ex \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/2.7/alpine3.8/Dockerfile b/2.7/alpine3.8/Dockerfile index f45e316c2..8612ae66b 100644 --- a/2.7/alpine3.8/Dockerfile +++ b/2.7/alpine3.8/Dockerfile @@ -9,9 +9,8 @@ ENV LANG C.UTF-8 # https://github.com/docker-library/python/issues/147 ENV PYTHONIOENCODING UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF ENV PYTHON_VERSION 2.7.15 
@@ -19,7 +18,6 @@ ENV PYTHON_VERSION 2.7.15 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -91,13 +89,9 @@ RUN set -ex \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.4/alpine3.7/Dockerfile b/3.4/alpine3.7/Dockerfile index e5fdc190e..1a21623c5 100644 --- a/3.4/alpine3.7/Dockerfile +++ b/3.4/alpine3.7/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D ENV PYTHON_VERSION 3.4.8 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.4.8 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -48,7 +46,6 @@ RUN set -ex \ gdbm-dev \ libc-dev \ libffi-dev \ - libressl \ libressl-dev \ linux-headers \ make \ @@ -107,13 +104,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.4/alpine3.8/Dockerfile b/3.4/alpine3.8/Dockerfile index 42f613c65..7bc22d33f 100644 --- a/3.4/alpine3.8/Dockerfile +++ b/3.4/alpine3.8/Dockerfile 
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D ENV PYTHON_VERSION 3.4.8 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.4.8 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -48,7 +46,6 @@ RUN set -ex \ gdbm-dev \ libc-dev \ libffi-dev \ - libressl \ libressl-dev \ linux-headers \ make \ @@ -107,13 +104,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.5/alpine3.7/Dockerfile b/3.5/alpine3.7/Dockerfile index 77879ecf0..2503d2c9b 100644 --- a/3.5/alpine3.7/Dockerfile +++ b/3.5/alpine3.7/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D ENV PYTHON_VERSION 3.5.5 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.5.5 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -48,7 +46,6 @@ RUN set -ex \ gdbm-dev \ libc-dev \ libffi-dev \ - libressl \ libressl-dev \ linux-headers \ make \ 
@@ -107,13 +104,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.5/alpine3.8/Dockerfile b/3.5/alpine3.8/Dockerfile index 0eeda4f1f..338f15981 100644 --- a/3.5/alpine3.8/Dockerfile +++ b/3.5/alpine3.8/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D ENV PYTHON_VERSION 3.5.5 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.5.5 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - openssl \ tar \ xz \ \ @@ -48,7 +46,6 @@ RUN set -ex \ gdbm-dev \ libc-dev \ libffi-dev \ - openssl \ openssl-dev \ linux-headers \ make \ @@ -107,13 +104,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps openssl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.6/alpine3.6/Dockerfile b/3.6/alpine3.6/Dockerfile index cf4a1cd66..9c0a3e990 100644 --- a/3.6/alpine3.6/Dockerfile +++ b/3.6/alpine3.6/Dockerfile 
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +RUN apk add --no-cache libressl ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.6.6 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.6.6 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -48,7 +46,6 @@ RUN set -ex \ gdbm-dev \ libc-dev \ libffi-dev \ - libressl \ libressl-dev \ linux-headers \ make \ @@ -107,13 +104,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.6/alpine3.7/Dockerfile b/3.6/alpine3.7/Dockerfile index 6af00750a..7b1221227 100644 --- a/3.6/alpine3.7/Dockerfile +++ b/3.6/alpine3.7/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.6.6 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.6.6 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -49,7 +47,6 @@ RUN set -ex \ libc-dev \ libffi-dev \ libnsl-dev \ - libressl \ libressl-dev \ libtirpc-dev \ linux-headers \ 
@@ -109,13 +106,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.6/alpine3.8/Dockerfile b/3.6/alpine3.8/Dockerfile index 89b97ccbb..073d33da8 100644 --- a/3.6/alpine3.8/Dockerfile +++ b/3.6/alpine3.8/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.6.6 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.6.6 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -49,7 +47,6 @@ RUN set -ex \ libc-dev \ libffi-dev \ libnsl-dev \ - libressl \ libressl-dev \ libtirpc-dev \ linux-headers \ @@ -109,13 +106,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.7/alpine3.7/Dockerfile b/3.7/alpine3.7/Dockerfile index 4e24dc545..6f504739c 100644 --- a/3.7/alpine3.7/Dockerfile +++ b/3.7/alpine3.7/Dockerfile 
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.7.0 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.7.0 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - openssl \ tar \ xz \ \ @@ -49,7 +47,6 @@ RUN set -ex \ libc-dev \ libffi-dev \ libnsl-dev \ - openssl \ openssl-dev \ libtirpc-dev \ linux-headers \ @@ -109,13 +106,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps openssl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.7/alpine3.8/Dockerfile b/3.7/alpine3.8/Dockerfile index 6b9fe4698..a028f27b3 100644 --- a/3.7/alpine3.8/Dockerfile +++ b/3.7/alpine3.8/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.7.0 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.7.0 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ 
@@ -49,7 +47,6 @@ RUN set -ex \ libc-dev \ libffi-dev \ libnsl-dev \ - libressl \ libressl-dev \ libtirpc-dev \ linux-headers \ @@ -109,13 +106,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 18.0 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 8e9400c9f..7557434ce 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -7,9 +7,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY %%PLACEHOLDER%% ENV PYTHON_VERSION %%PLACEHOLDER%% @@ -17,7 +16,6 @@ ENV PYTHON_VERSION %%PLACEHOLDER%% RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -43,7 +41,6 @@ RUN set -ex \ libc-dev \ libffi-dev \ libnsl-dev \ - libressl \ libressl-dev \ libtirpc-dev \ linux-headers \ @@ -103,13 +100,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION %%PLACEHOLDER%% RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/update.sh b/update.sh index ba985a73a..f546313a3 100755 --- a/update.sh +++ b/update.sh 
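Review bot: The two added lines in the first Dockerfile-alpine.template hunk (`# install libressl so that HTTPS works on Alpine <3.7` and `# RUN apk add --no-cache libressl`) are copied unchanged into every Alpine 3.7+ Dockerfile, where they read as dead code and do not say where the TLS trust anchors now come from. With the explicit `ca-certificates` install removed, certificate verification for the later `wget` calls depends on the CA bundle shipped in the base image, and that is worth stating next to the toggle. I would reword the comment to something like `# Alpine 3.7+ base images bundle CA certificates; update.sh uncomments the next line for Alpine 3.6 only`. The same pair of lines appears in the first hunk of each alpine3.7 and alpine3.8 Dockerfile in this patch, which appear to be generated from this template.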
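Review bot: In the last Dockerfile-alpine.template hunk, `get-pip.py` is still downloaded from an unversioned URL and then run by `python get-pip.py` with TLS as its only integrity control, and after this commit that TLS check rests on whatever CA bundle the base image carries. A digest check between the download and the run would make the build independent of the trust store, for example `echo "<expected-sha256> *get-pip.py" | sha256sum -c -; \` against a pinned, versioned copy of the script (the digest shown is a placeholder). The same `wget` line is context in the pip hunk of every Dockerfile touched by this patch. The RUN instruction continues past the end of the hunk.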
@@ -162,11 +162,16 @@ for version in "${versions[@]}"; do esac case "$version/$v" in + # On Alpine 3.6 it's necessary to install libressl to get working HTTPS. + # Later Alpine versions have CA certificates pre-installed. + */alpine3.6) + sed -ri -e '/^# .* libressl$/s/^# //' "$dir/Dockerfile" + ;;& # (other patches needed for Alpine 3.6 in later blocks) # https://bugs.python.org/issue32598 (Python 3.7.0b1+) # TL;DR: Python 3.7+ uses OpenSSL functionality which LibreSSL 2.6.x in Alpine 3.7 doesn't implement # Python 3.5 on Alpine 3.8 needs OpenSSL too 3.7*/alpine3.7 | 3.5*/alpine3.8) - sed -ri -e 's/libressl/openssl/g' "$dir/Dockerfile" + sed -ri -e 's/libressl-dev/openssl-dev/g' "$dir/Dockerfile" ;;& # (3.5*/alpine* needs to match the next block too) # Libraries to build the nis module only available in Alpine 3.7+. # Also require this patch https://bugs.python.org/issue32521 only available in Python 2.7, 3.6+.
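Review bot: The new `*/alpine3.6)` arm uncomments any line matching `^# .* libressl$`, so a later template comment that happens to end in "libressl" would be turned into a Dockerfile instruction, and a reworded template line would leave the Alpine 3.6 Dockerfile without libressl while sed still exits successfully. Anchoring the address to the exact line, `sed -ri -e '/^# RUN apk add --no-cache libressl$/s/^# //' "$dir/Dockerfile"`, and following it with `grep -q '^RUN apk add --no-cache libressl$' "$dir/Dockerfile" || exit 1` would make the generator fail at generation time rather than at image build. The `case` statement begins and ends outside this hunk, so how the later Alpine 3.6 arms interact with it is not visible here.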