alpine: Don't install ca-certificates on Alpine 3.7+

* CA certs come bundled on Alpine 3.7+ * On Alpine 3.6, rather install libressl which also include CA certs, allows us to use wget, and doesn't increase the size over ca-certificates
docker-library · Jul 10, 2018 · 7c752fa · 7c752fa
1 parent 5899357
commit 7c752fa
Show file tree

Hide file tree

Showing 9 changed files with 23 additions and 61 deletions.
diff --git a/2.7/alpine3.6/Dockerfile b/2.7/alpine3.6/Dockerfile
@@ -9,9 +9,8 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+RUN apk add --no-cache libressl
 
 ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
 ENV PYTHON_VERSION 2.7.15

diff --git a/2.7/alpine3.7/Dockerfile b/2.7/alpine3.7/Dockerfile
@@ -9,9 +9,8 @@ ENV LANG C.UTF-8
 # https://github.com/docker-library/python/issues/147
 ENV PYTHONIOENCODING UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF
 ENV PYTHON_VERSION 2.7.15

diff --git a/3.4/alpine3.7/Dockerfile b/3.4/alpine3.7/Dockerfile
@@ -13,17 +13,15 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.4.8
 
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -46,7 +44,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
-		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -105,13 +102,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 10.0.1
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \

diff --git a/3.5/alpine3.7/Dockerfile b/3.5/alpine3.7/Dockerfile
@@ -13,17 +13,15 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D
 ENV PYTHON_VERSION 3.5.5
 
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -46,7 +44,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
-		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -105,13 +102,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 10.0.1
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \

diff --git a/3.6/alpine3.6/Dockerfile b/3.6/alpine3.6/Dockerfile
@@ -13,17 +13,15 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+RUN apk add --no-cache libressl
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.6.6
 
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -46,7 +44,6 @@ RUN set -ex \
 		gdbm-dev \
 		libc-dev \
 		libffi-dev \
-		libressl \
 		libressl-dev \
 		linux-headers \
 		make \
@@ -105,13 +102,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 10.0.1
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \

diff --git a/3.6/alpine3.7/Dockerfile b/3.6/alpine3.7/Dockerfile
@@ -13,17 +13,15 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.6.6
 
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -47,7 +45,6 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -107,13 +104,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 10.0.1
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \

diff --git a/3.7/alpine3.7/Dockerfile b/3.7/alpine3.7/Dockerfile
@@ -13,17 +13,15 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D
 ENV PYTHON_VERSION 3.7.0
 
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		openssl \
 		tar \
 		xz \
 	\
@@ -47,7 +45,6 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
-		openssl \
 		openssl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -107,13 +104,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION 10.0.1
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps openssl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \

diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
@@ -7,17 +7,15 @@ ENV PATH /usr/local/bin:$PATH
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
 ENV LANG C.UTF-8
 
-# install ca-certificates so that HTTPS works consistently
-# the other runtime dependencies for Python are installed later
-RUN apk add --no-cache ca-certificates
+# install libressl so that HTTPS works on Alpine <3.7
+# RUN apk add --no-cache libressl
 
 ENV GPG_KEY %%PLACEHOLDER%%
 ENV PYTHON_VERSION %%PLACEHOLDER%%
 
 RUN set -ex \
 	&& apk add --no-cache --virtual .fetch-deps \
 		gnupg \
-		libressl \
 		tar \
 		xz \
 	\
@@ -41,7 +39,6 @@ RUN set -ex \
 		libc-dev \
 		libffi-dev \
 		libnsl-dev \
-		libressl \
 		libressl-dev \
 		libtirpc-dev \
 		linux-headers \
@@ -101,13 +98,9 @@ RUN cd /usr/local/bin \
 ENV PYTHON_PIP_VERSION %%PLACEHOLDER%%
 
 RUN set -ex; \
-	\
-	apk add --no-cache --virtual .fetch-deps libressl; \
 	\
 	wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \
 	\
-	apk del .fetch-deps; \
-	\
 	python get-pip.py \
 		--disable-pip-version-check \
 		--no-cache-dir \

diff --git a/update.sh b/update.sh
@@ -153,10 +153,16 @@ for version in "${versions[@]}"; do
 			wheezy) sed -ri -e 's/dpkg-architecture --query /dpkg-architecture -q/g' "$dir/Dockerfile" ;;
 		esac
 
+		# On Alpine 3.6 it's necessary to install libressl to get working HTTPS.
+		# Later Alpine versions have CA certificates pre-installed.
+		if [[ "$variant" == alpine3.6 ]]; then
+			sed -ri -e '/^# .* libressl$/s/^# //' "$dir/Dockerfile"
+		fi
+
 		# https://bugs.python.org/issue32598 (Python 3.7.0b1+)
 		# TL;DR: Python 3.7+ uses OpenSSL functionality which LibreSSL doesn't implement (yet?)
 		if [[ "$version" == 3.7* ]] && [[ "$variant" == alpine* ]]; then
-			sed -ri -e 's/libressl/openssl/g' "$dir/Dockerfile"
+			sed -ri -e 's/libressl-dev/openssl-dev/g' "$dir/Dockerfile"
 		fi
 
 		# Libraries to build the nis module only available in Alpine 3.7+.