💡[Feature Request] Multiple Docker/Application/Build Optimizations
This is a feature request to improve Docker image and build optimizations for better production readiness, performance, security, and efficiency.
✅ 1. Final Image Optimization
- Current: Base image is `debian:12`
- Suggestion: Switch to `scratch` or, alternatively, `alpine`
Rationale:
- Significantly reduces image size (e.g., from ~20–30MB to <5MB)
- `scratch` has zero packages – smallest possible attack surface
- More secure: no package manager, shell, or utilities
- Since `CGO_ENABLED=0` is used, the Go binaries should be able to be fully static → perfect for `scratch`
- Alpine (`musl`) offers a middle ground with size and glibc compatibility
✅ 2. Architecture-Specific Build Optimization
- Current: Only built for `linux/amd64/v1` & `linux/arm64/v8`
- Suggestion: Provide builds for:
  - `linux/amd64/v1`
  - `linux/amd64/v2`
  - `linux/amd64/v3`
  - `linux/amd64/v4`
  - `linux/arm64/v8`
Rationale:
- Modern CPUs support newer `GOAMD64` instruction sets
- `v2` and `v3` architectures represent ~80%+ of AMD64 CPUs in use today
- Improved performance for free: faster crypto, hashing, compression, etc.
Can be included in a multi-arch Docker manifest for transparent support.
✅ 3. Build Flag Optimization (-ldflags)
- Current: Only version metadata is injected: `-ldflags="-X \"main.Version=2025.5.0\" -X \"main.BuildTime=2025-05-15-1723 UTC\" -X \"github.com/cloudflare/cloudflared/metrics.Runtime=virtual\" "`
- Suggestion: Add production flags `-s -w` to strip debug/symbol info: `-ldflags="-s -w -X \"main.Version=2025.5.0\" -X \"main.BuildTime=2025-05-15-1723 UTC\" -X \"github.com/cloudflare/cloudflared/metrics.Runtime=virtual\" "`
Rationale:
- Reduces binary size by ~30%
- Improves startup and reduces memory usage
- Best practice for production Go binaries
✅ Summary
Improving the image build process as outlined above would result in:
- ✅ Smaller Docker images
- ✅ Better runtime performance
- ✅ Increased security (smaller attack surface)
Since this application is used by millions, I was surprised to see that none of these optimizations were already supported.
edit#: removed recommendation for `-buildmode=pie` as it requires `CGO_ENABLED=1` for statically linked binaries.
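Added example, not part of the original request and not cloudflared project code: a release-gate check that a built binary is really static (so it can run on `scratch`, which has no loader or libc) and that `-s -w` actually removed the symbol table and DWARF sections. The names `Report`, `Inspect`, `sampleELF`, `StaticSample` and `DynamicSample` are hypothetical, and the two samples are constructed header-only ELF files used only for the demo.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"os"
	"strings"
)

// Report: Static = needs no loader or shared libs; Stripped = no .symtab and no DWARF.
type Report struct{ Static, Stripped bool }

// Inspect parses ELF bytes and derives both properties from the headers alone.
func Inspect(data []byte) (Report, error) {
	f, err := elf.NewFile(bytes.NewReader(data))
	if err != nil {
		return Report{}, err
	}
	r := Report{Static: true, Stripped: true}
	for _, p := range f.Progs { // PT_INTERP/PT_DYNAMIC mean ld.so and shared libs are required
		r.Static = r.Static && p.Type != elf.PT_INTERP && p.Type != elf.PT_DYNAMIC
	}
	for _, s := range f.Sections { // "debug_" matches both .debug_* and legacy .zdebug_*
		r.Stripped = r.Stripped && s.Name != ".symtab" && !strings.Contains(s.Name, "debug_")
	}
	return r, nil
}

// sampleELF builds a constructed ELF64 with one program header of type pt and no sections.
func sampleELF(pt elf.ProgType) []byte {
	h := elf.Header64{Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: 1, Ehsize: 64, Phoff: 64, Phentsize: 56, Phnum: 1}
	copy(h.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), 1})
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, h)
	binary.Write(&buf, binary.LittleEndian, elf.Prog64{Type: uint32(pt)})
	return buf.Bytes()
}

var StaticSample, DynamicSample = sampleELF(elf.PT_LOAD), sampleELF(elf.PT_INTERP)

func main() {
	data := DynamicSample // constructed sample; pass a binary path to check a real file
	if len(os.Args) > 1 {
		data, _ = os.ReadFile(os.Args[1]) // a read failure surfaces as a parse error below
	}
	fmt.Println(Inspect(data))
}
```

Run against the build output before the `COPY` into the final stage, a result with `Static` false means the binary would fail to start on `scratch`.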