2

I'm trying to reduce the Docker image size, but the Dockerfile is being weird.

I concatenate the RUN commands to reduce the size of the image. When I build the Dockerfile below, it creates only 235MB.

FROM nginx:alpine

RUN apk add --no-cache --virtual .build-deps \
        gcc \
        libc-dev \
        make \
        openssl \
        pcre-dev \
        zlib-dev \
        linux-headers \
        curl \
        gnupg \
        libxslt-dev \
        gd-dev \
        perl-dev \
    && apk add --no-cache --virtual .libmodsecurity-deps \
        pcre-dev \
        libxml2-dev \
        git \
        libtool \
        automake \
        autoconf \
        g++ \
        flex \
        bison \
        yajl-dev \
        git \
    # Add runtime dependencies that should not be removed
    && apk add --no-cache \
        doxygen \
        geoip \
        geoip-dev \
        yajl \
        libstdc++ \
        sed \
    # Installing ModSec Library version 3
    && echo "Installing ModSec Library" \
    && git clone -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /opt/ModSecurity \
    && cd /opt/ModSecurity \
    && git submodule init \
    && git submodule update \
    && ./build.sh \
    && ./configure && make && make install \
    && echo "Finished Installing ModSec Library" \
    # Installing ModSec - Nginx connector
    && cd /opt \
    && echo 'Installing ModSec - Nginx connector' \
    && git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git \
    && wget https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz \
    && tar zxvf nginx-$NGINX_VERSION.tar.gz \
    # Adding Nginx Connector Module
    && cd /opt/nginx-$NGINX_VERSION \
    && ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx \
    && make modules \
    && cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules \
    && echo "Finished Installing ModSec - Nginx connector" \
    # Begin installing ModSec OWASP Rules
    && echo "Begin installing ModSec OWASP Rules" \
    && mkdir /etc/nginx/modsec \
    && wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended \
    && mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf \
    && sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf \
    # Fetching owasp-modsecurity-crs
    && cd /opt \
    && git clone -b v3.0/master https://github.com/SpiderLabs/owasp-modsecurity-crs \
    && mv owasp-modsecurity-crs/ /usr/local/ \
    && cp /usr/local/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/owasp-modsecurity-crs/crs-setup.conf \
    # Creating modsec file
    && echo 'Creating modsec file' \
    && echo -e '# From https://github.com/SpiderLabs/ModSecurity/blob/master/\n \
      # modsecurity.conf-recommended\n \
      # Edit to set SecRuleEngine On\n \
      Include "/etc/nginx/modsec/modsecurity.conf"\n \
      # OWASP CRS v3 rules\n \
      Include "/usr/local/owasp-modsecurity-crs/crs-setup.conf"\n \
      Include "/usr/local/owasp-modsecurity-crs/rules/*.conf"'\
      >>/etc/nginx/modsec/main.conf \
    && chown nginx:nginx /etc/nginx/modsec/main.conf \
    # Removing old Nginx conf files
    && rm -fr /etc/nginx/conf.d/ \
    && rm -fr /etc/nginx/nginx.conf \
    && chown -R nginx:nginx /usr/share/nginx \
    # Delete unneeded files and clean up
    && apk del .build-deps \
    && apk del .libmodsecurity-deps \
    && rm -fr ModSecurity \
    && rm -fr ModSecurity-nginx \
    && rm -fr nginx-$NGINX_VERSION.tar.gz \
    && rm -fr nginx-$NGINX_VERSION

COPY conf/nginx.conf /etc/nginx
COPY conf/conf.d /etc/nginx/conf.d
COPY errors /usr/share/nginx/errors

WORKDIR /usr/share/nginx/html

CMD nginx -g 'daemon off;'

EXPOSE 80

I have looked at docker history imageId, and it shows that this RUN command has increased the size by around 855MB. Does anybody understand why it is behaving weirdly?

Any thoughts would be very helpful; it is hard to debug by building the image every time.

3
  • Have you run du / inside the container to check what is using space? If it is still there. Commented Apr 17, 2018 at 2:40
  • 1
    Besides that, multi-stage builds (docs.docker.com/develop/develop-images/multistage-build) will allow you to decouple build and runtime dependencies. The result will be cleaner images, and you might more easily find what is causing the space usage leak. Commented Apr 17, 2018 at 2:44
  • @GonzaloMatheu I have heard about multi-stage builds, but in my case this is recompiling nginx, so I need the dependencies along with the image. I think this is the best way I could have implemented it.
    – devansvd
    Commented Apr 17, 2018 at 4:49

1 Answer

1

I tried building in both ways and found not much difference.
Most of the disk space is consumed by /opt/ModSecurity.
Initially it was 74MB after git clone.

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
oldimage            latest              924a8d4f941e        11 minutes ago      867MB
newimage            latest              d1ca029927c2        About an hour ago   867MB
nginx               alpine              ebe2c7c61055        6 days ago          18MB

However, after the complete build, it has grown to ~650MB.

$ du -sh *
639.7M  ModSecurity
408.0K  ModSecurity-nginx
7.5M    nginx-1.13.12
996.0K  nginx-1.13.12.tar.gz
3
  • Can you please try the first image now? I forgot to add a few lines; I have updated the first Dockerfile now.
    – devansvd
    Commented Apr 17, 2018 at 14:45
  • As per the current Dockerfile, you have an instruction to remove it, && rm -fr ModSecurity \, and this is the directory that consumes 639.7 MB. This directory contains source code and build output binaries as well.
    – fly2matrix
    Commented Apr 18, 2018 at 4:37
  • Wow @fly2matrix, you made me realize it should be rm -rf /opt/ModSecurity, not just rm -rf Modsecurity. Thanks, man. A silly mistake caused two days of debugging.
    – devansvd
    Commented Apr 18, 2018 at 5:45
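
The fix reached in the comments above (an absolute path instead of a relative one) generalises: `rm -f` exits 0 when its operand does not exist, so a cleanup that misses its target never breaks the `&&` chain and the build tree stays in the layer. The sketch below is an added example, not code from the original post; the helper names `remove_build_tree` and `leftover_kb` and the scratch directory standing in for `/opt` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are constructed stand-ins.

# remove_build_tree DIR...: delete each directory by absolute path; return
# non-zero if an argument is relative or still exists afterwards.
remove_build_tree() {
    rc=0
    for dir in "$@"; do
        case "$dir" in
            /*) ;;  # absolute, so the result does not depend on the cwd
            *)  echo "refusing relative path: $dir" >&2; rc=1; continue ;;
        esac
        rm -rf -- "$dir"
        if [ -e "$dir" ]; then
            echo "still present after cleanup: $dir" >&2
            rc=1
        fi
    done
    return "$rc"
}

# leftover_kb DIR: KiB still on disk under DIR (0 if DIR is gone).
leftover_kb() {
    [ -d "$1" ] || { echo 0; return 0; }
    du -sk -- "$1" | cut -f1
}

# Constructed demo: a scratch directory stands in for /opt in the image.
demo() {
    opt=$(mktemp -d) || return 1
    mkdir -p "$opt/ModSecurity/src" "$opt/nginx-src"
    dd if=/dev/zero of="$opt/ModSecurity/src/blob" bs=1024 count=256 2>/dev/null

    # Relative operand from a different cwd: rm -f ignores the missing
    # path and exits 0, so an && chain carries on and the tree stays.
    ( cd "$opt/nginx-src" && rm -fr ModSecurity )
    echo "relative rm exit=$? left=$(leftover_kb "$opt/ModSecurity") KiB"

    remove_build_tree "$opt/ModSecurity" "$opt/nginx-src"
    echo "checked rm exit=$? left=$(leftover_kb "$opt/ModSecurity") KiB"
    rm -rf -- "$opt"
}

demo
```

In a Dockerfile `RUN` chain the same guard is an absolute-path `rm -rf` followed by `&& [ ! -e /opt/ModSecurity ]`, so a missed cleanup stops the build instead of shipping the source tree and build output in the image.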
