
Use busybox from alpine

Open liam-verta opened this issue 3 years ago • 7 comments

@SuperQ @discordianfish I'll admit this is a little hacky, but it is sufficient.

Fixes #50

liam-verta, Oct 19 '22 20:10

I'm wondering if we should make a new prometheus busybox:alpine, since this changes the libc.

It doesn't quite make sense to me to call it busybox:glibc if we're not actually using glibc here.

SuperQ, Oct 20 '22 09:10

Looks like this will create an image from busybox:glibc, then copy over alpine busybox and musl, which seems fragile. Why do we still need to base this on the upstream busybox image if we replace it anyway? I'd rather do FROM scratch and copy in from alpine. But then, yes, a new image tag.

discordianfish, Nov 03 '22 11:11

@discordianfish @SuperQ I'm trying another pass at this PR using a statically-linked busybox.

From the perspective of consumers of these images, the key features are:

  • The busybox toolset
  • The specified libc flavor

This is why I chose to continue to base this image on the same busybox:* images as before. Those images provide a specific libc flavor and minimal folder layout. We want to keep that.

Given that a particular libc flavor is present, it is convenient for busybox to link to those libraries, but that linkage is not a significant feature. The internal structure/linking of the busybox toolset is an implementation detail.

Using a statically-linked busybox does have some effect, but it is not significant from a downstream user perspective. For example, static linking changes memory usage but probably not to a degree worth noting for the scenarios these tools are used in. See https://busybox.net/FAQ.html#tips_memory for discussion.

The size of the busybox files is similar, with the statically linked alpine version being slightly smaller than the dynamic official executable:

  • alpine:latest - /bin/busybox: 0.82 MB (841376 bytes)
  • alpine:latest - /bin/busybox.static: 0.98 MB (1001288 bytes)
  • busybox:glibc - /bin/busybox: 1.00 MB (1025504 bytes)
  • busybox:uclibc - /bin/busybox: 1.13 MB (1157408 bytes)

Taking this change will improve the security profile of projects based on these images with minimal change to user facing features.

liam-verta, Nov 17 '22 23:11

I don't think we should touch the existing package flavors. Rather, we should create a new image prom/busybox:alpine or something that is something we can transition to.

SuperQ, Nov 17 '22 23:11

@SuperQ @discordianfish Done. I made a new alpine-glibc and added a section to the readme.

liam-verta, Nov 18 '22 18:11

@discordianfish @SuperQ Another attempt at this, now from scratch. The final image is flat with no vestige of the non-static busybox. It also is stripped of libc-utils and apk.

I'm sure there is more that can be removed from this image, but perhaps this is good enough for a first iteration?

liam-verta, Dec 15 '22 21:12

@SuperQ @discordianfish Ping?

liam-verta, Jan 07 '23 01:01
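
The from-scratch build discussed in this thread (a scratch base with a statically linked busybox copied in from alpine), sketched as an added example that is not the PR's actual Dockerfile. It assumes Alpine's `busybox-static` package, which provides `/bin/busybox.static`; the root filesystem layout and the `nobody` account entries are illustrative choices.

```dockerfile
# Added example, not the project's Dockerfile.
# Stage 1: use alpine only as a source for the static busybox binary.
FROM alpine:latest AS build

# Assumption: the busybox-static package installs /bin/busybox.static.
RUN apk add --no-cache busybox-static

# Assemble a minimal root filesystem by hand so that nothing else from the
# alpine stage (apk, dynamic busybox, musl, libc utilities) reaches the
# final image. Directory layout and account entries are assumptions.
RUN mkdir -p /rootfs/bin /rootfs/etc /rootfs/tmp /rootfs/home \
 && chmod 1777 /rootfs/tmp \
 && cp /bin/busybox.static /rootfs/bin/busybox \
 && for applet in $(/rootfs/bin/busybox --list); do \
      # Skip the binary's own name so it is never replaced by a symlink.
      [ "$applet" = busybox ] || ln -s busybox "/rootfs/bin/$applet"; \
    done \
 && printf 'root:x:0:0:root:/:/bin/sh\nnobody:x:65534:65534:nobody:/home:/bin/false\n' \
      > /rootfs/etc/passwd \
 && printf 'root:x:0:\nnobody:x:65534:\n' > /rootfs/etc/group

# Stage 2: a flat image holding only the assembled filesystem.
FROM scratch
COPY --from=build /rootfs /

# Run as an unprivileged user by default.
USER nobody
CMD ["/bin/sh"]
```

This sketch ships no libc at all, so only statically linked binaries will run in the resulting image; an image that must provide a specific libc flavor, as the thread requires, would copy those libraries into the root filesystem as well.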