From 7c752fadd041d1d13a5d8324ee7b0b60c66e8a26 Mon Sep 17 00:00:00 2001 From: Jamie Hewland Date: Tue, 10 Jul 2018 22:26:58 +0200 Subject: [PATCH] alpine: Don't install ca-certificates on Alpine 3.7+ * CA certs come bundled on Alpine 3.7+ * On Alpine 3.6, rather install libressl which also include CA certs, allows us to use wget, and doesn't increase the size over ca-certificates --- 2.7/alpine3.6/Dockerfile | 5 ++--- 2.7/alpine3.7/Dockerfile | 5 ++--- 3.4/alpine3.7/Dockerfile | 11 ++--------- 3.5/alpine3.7/Dockerfile | 11 ++--------- 3.6/alpine3.6/Dockerfile | 11 ++--------- 3.6/alpine3.7/Dockerfile | 11 ++--------- 3.7/alpine3.7/Dockerfile | 11 ++--------- Dockerfile-alpine.template | 11 ++--------- update.sh | 8 +++++++- 9 files changed, 23 insertions(+), 61 deletions(-) diff --git a/2.7/alpine3.6/Dockerfile b/2.7/alpine3.6/Dockerfile index 2d86a83d7..313109953 100644 --- a/2.7/alpine3.6/Dockerfile +++ b/2.7/alpine3.6/Dockerfile @@ -9,9 +9,8 @@ ENV LANG C.UTF-8 # https://github.com/docker-library/python/issues/147 ENV PYTHONIOENCODING UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +RUN apk add --no-cache libressl ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF ENV PYTHON_VERSION 2.7.15 diff --git a/2.7/alpine3.7/Dockerfile b/2.7/alpine3.7/Dockerfile index a8aedd2a6..c57827972 100644 --- a/2.7/alpine3.7/Dockerfile +++ b/2.7/alpine3.7/Dockerfile @@ -9,9 +9,8 @@ ENV LANG C.UTF-8 # https://github.com/docker-library/python/issues/147 ENV PYTHONIOENCODING UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF ENV PYTHON_VERSION 2.7.15 
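Review bot: Removing `RUN apk add --no-cache ca-certificates` in the 2.7/alpine3.7 hunk changes the trust store of the published image, not only of the build, and the new comment does not say so; the same holds for the first hunk of each 3.x alpine3.7 Dockerfile and of Dockerfile-alpine.template later in the patch. The image now depends on whatever CA bundle the Alpine base ships, and as far as I know `update-ca-certificates` is provided by the `ca-certificates` package, so downstream images that add a private CA that way would have to install it themselves. I would state that next to the existing comment, for example `# CA certificates come from the Alpine base image (3.7+); install ca-certificates if you need update-ca-certificates`. In the 2.7/alpine3.6 hunk `libressl` becomes a permanent package of the runtime image, which the comment could also mention. The rest of both 2.7 Dockerfiles is outside these hunks, so I cannot see whether a later fetch step still installs libressl there.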
diff --git a/3.4/alpine3.7/Dockerfile b/3.4/alpine3.7/Dockerfile index eed4994f9..d4604f06c 100644 --- a/3.4/alpine3.7/Dockerfile +++ b/3.4/alpine3.7/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D ENV PYTHON_VERSION 3.4.8 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.4.8 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -46,7 +44,6 @@ RUN set -ex \ gdbm-dev \ libc-dev \ libffi-dev \ - libressl \ libressl-dev \ linux-headers \ make \ @@ -105,13 +102,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 10.0.1 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.5/alpine3.7/Dockerfile b/3.5/alpine3.7/Dockerfile index b38c4027f..a4730677b 100644 --- a/3.5/alpine3.7/Dockerfile +++ b/3.5/alpine3.7/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 97FC712E4C024BBEA48A61ED3A5CA953F73C700D ENV PYTHON_VERSION 3.5.5 
@@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.5.5 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -46,7 +44,6 @@ RUN set -ex \ gdbm-dev \ libc-dev \ libffi-dev \ - libressl \ libressl-dev \ linux-headers \ make \ @@ -105,13 +102,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 10.0.1 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.6/alpine3.6/Dockerfile b/3.6/alpine3.6/Dockerfile index 6efbff7c2..c8e611784 100644 --- a/3.6/alpine3.6/Dockerfile +++ b/3.6/alpine3.6/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +RUN apk add --no-cache libressl ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.6.6 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.6.6 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -46,7 +44,6 @@ RUN set -ex \ gdbm-dev \ libc-dev \ libffi-dev \ - libressl \ libressl-dev \ linux-headers \ make \ @@ -105,13 +102,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 10.0.1 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.6/alpine3.7/Dockerfile b/3.6/alpine3.7/Dockerfile index e6ea57254..2fa34fcbc 100644 --- a/3.6/alpine3.7/Dockerfile +++ b/3.6/alpine3.7/Dockerfile 
@@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.6.6 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.6.6 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -47,7 +45,6 @@ RUN set -ex \ libc-dev \ libffi-dev \ libnsl-dev \ - libressl \ libressl-dev \ libtirpc-dev \ linux-headers \ @@ -107,13 +104,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 10.0.1 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/3.7/alpine3.7/Dockerfile b/3.7/alpine3.7/Dockerfile index e49f25221..ad78eac12 100644 --- a/3.7/alpine3.7/Dockerfile +++ b/3.7/alpine3.7/Dockerfile @@ -13,9 +13,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY 0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D ENV PYTHON_VERSION 3.7.0 @@ -23,7 +22,6 @@ ENV PYTHON_VERSION 3.7.0 RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - openssl \ tar \ xz \ \ 
@@ -47,7 +45,6 @@ RUN set -ex \ libc-dev \ libffi-dev \ libnsl-dev \ - openssl \ openssl-dev \ libtirpc-dev \ linux-headers \ @@ -107,13 +104,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION 10.0.1 RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps openssl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 2f7bb8691..12713a6ad 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -7,9 +7,8 @@ ENV PATH /usr/local/bin:$PATH # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. ENV LANG C.UTF-8 -# install ca-certificates so that HTTPS works consistently -# the other runtime dependencies for Python are installed later -RUN apk add --no-cache ca-certificates +# install libressl so that HTTPS works on Alpine <3.7 +# RUN apk add --no-cache libressl ENV GPG_KEY %%PLACEHOLDER%% ENV PYTHON_VERSION %%PLACEHOLDER%% @@ -17,7 +16,6 @@ ENV PYTHON_VERSION %%PLACEHOLDER%% RUN set -ex \ && apk add --no-cache --virtual .fetch-deps \ gnupg \ - libressl \ tar \ xz \ \ @@ -41,7 +39,6 @@ RUN set -ex \ libc-dev \ libffi-dev \ libnsl-dev \ - libressl \ libressl-dev \ libtirpc-dev \ linux-headers \ @@ -101,13 +98,9 @@ RUN cd /usr/local/bin \ ENV PYTHON_PIP_VERSION %%PLACEHOLDER%% RUN set -ex; \ - \ - apk add --no-cache --virtual .fetch-deps libressl; \ \ wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; \ \ - apk del .fetch-deps; \ - \ python get-pip.py \ --disable-pip-version-check \ --no-cache-dir \ diff --git a/update.sh b/update.sh index 9aac170aa..7f3f7d403 100755 --- a/update.sh +++ b/update.sh 
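Review bot: In the last hunk of Dockerfile-alpine.template, `wget -O get-pip.py 'https://bootstrap.pypa.io/get-pip.py'` is followed directly by `python get-pip.py` with no integrity check, and with the `apk add ... libressl` step removed the download now depends entirely on the base image's wget and CA bundle for transport security. The hunk shows no pinned digest for get-pip.py, so a TLS regression in a future base image would go unnoticed at build time. I would add a digest check between the download and the run, for example `echo "<GET_PIP_SHA256 placeholder> *get-pip.py" | sha256sum -c -; \`, with the value filled in by update.sh. The same applies to the generated 3.4 to 3.7 Dockerfiles earlier in the patch, and the RUN instruction continues past the end of the hunk.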
@@ -153,10 +153,16 @@ for version in "${versions[@]}"; do wheezy) sed -ri -e 's/dpkg-architecture --query /dpkg-architecture -q/g' "$dir/Dockerfile" ;; esac + # On Alpine 3.6 it's necessary to install libressl to get working HTTPS. + # Later Alpine versions have CA certificates pre-installed. + if [[ "$variant" == alpine3.6 ]]; then + sed -ri -e '/^# .* libressl$/s/^# //' "$dir/Dockerfile" + fi + # https://bugs.python.org/issue32598 (Python 3.7.0b1+) # TL;DR: Python 3.7+ uses OpenSSL functionality which LibreSSL doesn't implement (yet?) if [[ "$version" == 3.7* ]] && [[ "$variant" == alpine* ]]; then - sed -ri -e 's/libressl/openssl/g' "$dir/Dockerfile" + sed -ri -e 's/libressl-dev/openssl-dev/g' "$dir/Dockerfile" fi # Libraries to build the nis module only available in Alpine 3.7+.
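Review bot: The uncomment step `sed -ri -e '/^# .* libressl$/s/^# //' "$dir/Dockerfile"` depends on the exact wording of a commented-out line in the template, and sed exits successfully when nothing matches, so a later edit to that line would silently generate an alpine3.6 Dockerfile without libressl. A guard right after it, such as `grep -q '^RUN apk add --no-cache libressl$' "$dir/Dockerfile" || { echo >&2 "error: libressl not enabled in $dir/Dockerfile"; exit 1; }`, would make that fail at generation time instead of at image build. The toggle also leaves the inert `# RUN apk add --no-cache libressl` line and its "<3.7" comment in every 3.7+ Dockerfile, so deleting those two lines for the other variants would keep the generated files free of dead instructions. Narrowing the 3.7 substitution to `libressl-dev` means a hypothetical 3.7 variant on alpine3.6 would install `libressl` next to `openssl-dev`; no such variant appears in this patch, but a comment on the `if` noting the ordering would help. The enclosing `for` loop starts and ends outside the hunk.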