gnosis/lighthouse
1
0
Fork 0
mirror of https://github.com/sigp/lighthouse.git synced 2026-04-21 06:48:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix reproducible image runtime deps: copy libz from builder, drop libssl COPY

Browse Source 
ldd on the built binary shows only libz.so.1 is missing from distroless/cc-debian11;
libssl/libcrypto are statically linked by this build and do not need to be copied.
libstdc++.so.6 and libgcc_s.so.1 are already present in the distroless/cc variant.

Also consolidates the mv + mkdir into a single RUN layer.

Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
This commit is contained in:
antondlr
2026-04-20 12:49:30 +02:00
parent 1c635f57a0
commit f0500a01ee
1 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
Dockerfile.reproducible
View File

@@ -18,20 +18,20 @@ WORKDIR /app
RUN make build-reproducible RUN make build-reproducible
# Move the binary and runtime libs to fixed paths for arch-independent copying below. # Move the binary and runtime libs to fixed paths for arch-independent copying below.
RUN mv /app/target/${RUST_TARGET}/release/lighthouse /lighthouse # ldd shows the binary dynamically requires: libz.so.1, libstdc++.so.6, libgcc_s.so.1,
# libssl and libcrypto live under an arch-specific triplet dir; normalise to /libs/. # and glibc — the latter three are already in distroless/cc; only libz needs to be copied.
RUN mkdir /libs \ # libssl/libcrypto are statically linked by this build (no dynamic dep on them).
&& find /usr/lib -maxdepth 2 \( -name "libssl.so.1.1" -o -name "libcrypto.so.1.1" \) \ # libz lives under an arch-specific triplet dir; normalise to /libs/ for a clean COPY below.
-exec cp {} /libs/ \; RUN mv /app/target/${RUST_TARGET}/release/lighthouse /lighthouse \
&& mkdir /libs \
&& find /lib -maxdepth 3 -name "libz.so.1" -exec cp {} /libs/ \;
# Final image: distroless/cc-debian11 (Bullseye) — matches builder OS for ABI compatibility. # Final image: distroless/cc-debian11 (Bullseye) — matches builder OS for ABI compatibility.
# The cc variant already includes libc + libgcc; we copy libssl/libcrypto from the builder # The cc variant already includes libc, libgcc, and libstdc++.
# so the runtime layer is fully pinned with no package manager invocations.
# gcr.io/distroless/cc-debian11:nonroot # gcr.io/distroless/cc-debian11:nonroot
FROM gcr.io/distroless/cc-debian11:nonroot@sha256:f7fa4923556853754e9ff647df410d5711fc4d99a8dafa777ec617cf4a6700f6 FROM gcr.io/distroless/cc-debian11:nonroot@sha256:f7fa4923556853754e9ff647df410d5711fc4d99a8dafa777ec617cf4a6700f6
COPY --from=builder /libs/libssl.so.1.1 /usr/lib/ COPY --from=builder /libs/libz.so.1 /usr/lib/
COPY --from=builder /libs/libcrypto.so.1.1 /usr/lib/
COPY --from=builder /lighthouse /lighthouse COPY --from=builder /lighthouse /lighthouse
ENTRYPOINT [ "/lighthouse" ] ENTRYPOINT [ "/lighthouse" ]