From 1c635f57a08dab53a57f547bf2f3c74eb539aa7c Mon Sep 17 00:00:00 2001 From: antondlr Date: Mon, 20 Apr 2026 11:25:18 +0200 Subject: [PATCH] Fix reproducible image: switch to distroless/cc-debian11, copy libssl from builder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous final stage used distroless/cc-debian12 (Bookworm) which carries no libssl and uses OpenSSL 3, making the Bullseye-built binary non-functional. - Switch to distroless/cc-debian11:nonroot (pinned by index digest) — same Bullseye ABI as the builder, already includes libc and libgcc - Copy libssl.so.1.1 and libcrypto.so.1.1 from the builder stage into /usr/lib/ so no package manager is invoked in the final image (stays fully pinned) - Normalise the arch-specific triplet lib path via a `find` into /libs/ so the COPY instructions work identically for both amd64 and arm64 builds Co-Authored-By: Claude Sonnet 4
--- Dockerfile.reproducible | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.reproducible b/Dockerfile.reproducible
index 76eb931f49..e98442c7ad 100644
--- a/Dockerfile.reproducible
+++ b/Dockerfile.reproducible
@@ -17,11 +17,21 @@ WORKDIR /app
 # Build the project with the reproducible settings
 RUN make build-reproducible
 
-# Move the binary to a standard location
+# Move the binary and runtime libs to fixed paths for arch-independent copying below.
 RUN mv /app/target/${RUST_TARGET}/release/lighthouse /lighthouse
+# libssl and libcrypto live under an arch-specific triplet dir; normalise to /libs/.
+RUN mkdir /libs \
+ && find /usr/lib -maxdepth 2 \( -name "libssl.so.1.1" -o -name "libcrypto.so.1.1" \) \
+ -exec cp {} /libs/ \;
 
-# Create a minimal final image with just the binary
-FROM gcr.io/distroless/cc-debian12:nonroot-6755e21ccd99ddead6edc8106ba03888cbeed41a
+# Final image: distroless/cc-debian11 (Bullseye) — matches builder OS for ABI compatibility.
+# The cc variant already includes libc + libgcc; we copy libssl/libcrypto from the builder
+# so the runtime layer is fully pinned with no package manager invocations.
+# gcr.io/distroless/cc-debian11:nonroot
+FROM gcr.io/distroless/cc-debian11:nonroot@sha256:f7fa4923556853754e9ff647df410d5711fc4d99a8dafa777ec617cf4a6700f6
+
+COPY --from=builder /libs/libssl.so.1.1 /usr/lib/
+COPY --from=builder /libs/libcrypto.so.1.1 /usr/lib/
 COPY --from=builder /lighthouse /lighthouse
 
 ENTRYPOINT [ "/lighthouse" ]
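Review bot: The two libraries the new COPY --from=builder lines place in /usr/lib/ of the final image are not covered by any package metadata there, so dpkg-based vulnerability scanners and SBOM generators run against the published image will not report OpenSSL 1.1 at all, and the hunk does not note this trade-off. A comment beside those COPY lines such as `# NOTE: libssl/libcrypto are untracked by dpkg in this image — scan the builder stage or record the libssl1.1 version in a LABEL to keep CVE coverage` would make it explicit, and linking OpenSSL statically (vendored) in the builder would avoid shipping loose shared objects altogether; OpenSSL 1.1.1 is upstream end-of-life, so these files now depend on Debian LTS backports that nothing in the final image tracks. The `find … -exec cp` RUN also exits 0 when nothing matches (the problem only surfaces at the later COPY --from), and if more than one multiarch directory is present under /usr/lib the last match silently wins; appending `&& test -f /libs/libssl.so.1.1 && test -f /libs/libcrypto.so.1.1` to that RUN fails fast and documents the expectation.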