Cockroach: Cockroachdb on Alpine Linux?

Created on 22 May 2017 · 22 Comments · Source: cockroachdb/cockroach

Is this possible? Moreover, is there a docker image for it?


All 22 comments

Yeah, we publish the latest release at https://binaries.cockroachdb.com/cockroach-latest.linux-musl-amd64.tgz

I'm not sure why it doesn't appear to be mentioned on cockroachlabs.com. cc @tamird for that

My understanding of why we don't publish our own docker image with the musl binary is that it's largely because there hasn't been demand for it and it's more work to maintain two versions than one, but @tamird again may have better reasoning for why we haven't done so.

Thanks for triaging, @a-robinson!

Indeed, we do already publish a musl "latest-stable" at the URL @a-robinson posted, as well as a "latest-unstable" at https://edge-binaries.cockroachdb.com/cockroach.linux-musl-amd64.LATEST (via redirect, so be sure to curl -L if you use that one).

As Alex pointed out, we omit this from the docs because 1) there hasn't been demand for it and 2) our docs don't currently distinguish between "linux-gnu" and "linux-musl", and I suspect some retooling may be necessary to make that work. cc @jseldess for that.

Regarding the docker image - I have no opinion. It would be easy to support, as far as I'm concerned.

Created a docs issue to look into expanding our linux install docs: https://github.com/cockroachdb/docs/issues/1444

One reason we haven't publicized the linux-musl binaries is that we haven't done much testing of them and we've found bugs in the past (for example, our cgo memory profiling is disabled in the musl builds because it causes deadlocks). If you want something production-ready you're probably better off with our glibc-based docker image at this point, but if you're interested in testing the musl builds you're more than welcome to give them a try.

Thanks guys,
Alpine is loved by container builders, I think it is ideal for CRDB. Even Oracle started porting Java 9 to Alpine/musl (Project Portola). There are Alpine docker images for PostgreSQL, MySQL, etc.

@hrstoyanov we discussed this today and came to the conclusion that we haven't tested the musl builds enough to endorse them via either documentation or a docker image.

It would be helpful if you could explain what benefit an alpine image would provide to you over our current debian image? For what it's worth, the size difference would be 15-20MB (our debian image is 67MB and our executable is ~45-50MB).

Better security. You don't bundle stuff like SSH, systemd in the docker image.

/Hristo Stoyanov

+1 for an Alpine build.

@mlanner we would be more likely to provide this if you can present concrete rationale for it. To @hrstoyanov's point above - I don't see how that's relevant, given that you'd only expose 2 ports, and if you're being RCEd through one of CockroachDB's ports, SSH and systemd are a footnote anyway.

Alpine is quickly becoming a distro of choice for tight and secure Docker images. Just yesterday Oracle officially announced Java 9 packaging for Alpine, other vendors feel the demand too:

https://mail-archives.apache.org/mod_mbox/commons-dev/201706.mbox/%[email protected]%3E

So, my lean Java based docker stack would very soon be Alpine based, with cockroach being the odd one that requires me to deal with Debian/Ubuntu and tons of stuff they bring and I don't need....(ssh, systemd, other ...)

/Hristo Stoyanov

The CockroachDB docker image does not contain ssh. It contains the systemd binaries, but they are not run as init (cockroach is run as PID 1). The image could be slimmed down a bit, but I don't think the mere presence of systemd in the filesystem is a concern. From a security perspective, I'd be more interested in getting rid of the ten setuid binaries in the debian base image:

$ docker run -it cockroachdb/cockroach:v1.0 shell
# find / -name ssh
/usr/lib/apt/methods/ssh
# find / -name sshd
# find / -perm -4000
find: `/proc/5/task/5/fd/5': No such file or directory
find: `/proc/5/task/5/fdinfo/5': No such file or directory
find: `/proc/5/fd/5': No such file or directory
find: `/proc/5/fdinfo/5': No such file or directory
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/bin/umount
/bin/su
/bin/ping
/bin/mount
/bin/ping6

Something like busybox:glibc might be a more suitable minimal base image than Alpine since we're wary of MUSL. But it doesn't contain timezone data, which we need.

@bdarnell I think @hrstoyanov's comments are perhaps somewhat general in nature as it pertains to most images out there, which tend to include a bunch of stuff that is largely unnecessary to carry out whatever any given package truly requires. Hence, it tends to bloat images and it also carries with it a larger potential vulnerability footprint. Now, that might not be the case with the CRDB Docker image, which is great. However, I was actually not trying to run it in a Docker environment, but rather in an LXC container. And here's why I really wanted to run it in Alpine:

-rw-r--r-- 1 root root 2.7M Dec  7 07:37 alpine-3.4-default_20161206_amd64.tar.xz
-rw-r--r-- 1 root root  63M Dec  6 18:35 centos-7-default_20161207_amd64.tar.xz
-rw-r--r-- 1 root root 191M Dec  7 01:30 debian-8.0-standard_8.6-1_amd64.tar.gz
-rw-r--r-- 1 root root 188M Apr 20  2016 ubuntu-16.04-standard_16.04-1_amd64.tar.gz

As you can see, the Alpine image is significantly smaller than any of the other "minimal" images. I've successfully compiled other Golang apps for Alpine in the past myself. I'm honestly uncertain of the differences and potential problems brought on by building with linux-gnu vs. linux-musl, so I can't really comment on the impacts. You probably know that much better than I do. I was simply aiming for a much smaller image, which also becomes speedier because of less cruft.

@bdarnell
I hear you and I understand that there are more important things for CRDB 1.1.

As far as the Alpine image, and looking at the amount of work the core JDK team did, porting to musl was not that hard, but your mileage can vary. I can live with some Docker image that has a bit of dead wood inside, np.

I'm also interested in the possibility to use it with an alpine image, mainly for the smaller size.

Thanks for the input, @stellanhaglund. While we still don't have an official alpine Docker image, I'll remind everyone that we do still publish musl release builds that you're very welcome to download and put into an alpine container yourself if you really want one:
https://binaries.cockroachdb.com/cockroach-latest.linux-musl-amd64.tgz

Or for specific versions, just change the URL like so:
https://binaries.cockroachdb.com/cockroach-v1.1.3.linux-musl-amd64.tgz
https://binaries.cockroachdb.com/cockroach-v1.0.6.linux-musl-amd64.tgz

Nice! Thank you!

That's great, thank you!

Since cockroach runs as PID 1 I recently built a CockroachDB image FROM scratch, all you need is the ca-certs file. You can use the one Traefik uses for its image 😄

The binary size might be reduced by using upx within the alpine stage (e.g. upx --best cockroach)

FROM alpine:edge
RUN wget --quiet https://binaries.cockroachdb.com/cockroach-v1.1.6.linux-musl-amd64.tgz -O /tmp/cockroach.tgz && \
    tar xvzf /tmp/cockroach.tgz --strip 1

FROM scratch
ENV COCKROACH_CHANNEL=official-docker
COPY ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=0 /cockroach /cockroach/cockroach

# This causes the binary within the tgz file to end up with 400 permissions in the /cockroach/ folder
# It throws a permission denied error when attempting to run
# ADD https://binaries.cockroachdb.com/cockroach-v1.1.6.linux-musl-amd64.tgz /cockroach/cockroach

WORKDIR /cockroach/
EXPOSE 26257 8080
ENTRYPOINT ["/cockroach/cockroach"]

Note that including a zoneinfo database in the container (or mounting it from the host in /usr/share/zoneinfo) and keeping it up to date is recommended. This is used for any timezone computations performed in SQL. The cockroach binary embeds a snapshot of the zoneinfo database but it is better to keep it up to date with the rest of your system (this is an issue for our official docker containers too, since the container includes a copy of zoneinfo but is not updated independently of the cockroach binary).
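An added example (not from this thread or the CockroachDB project) that combines the scratch-image recipe above with the zoneinfo recommendation: the Alpine stage installs ca-certificates and tzdata, verifies the downloaded tarball against a checksum, and the final stage copies only the binary, the CA bundle and the zoneinfo tree. The sha256 value is a placeholder you must replace with the checksum published for the release you download.

```dockerfile
# Stage 1: fetch and verify the musl binary on Alpine, and gather the
# CA bundle and zoneinfo database that the scratch image will need.
FROM alpine:3.7 AS fetch
ARG COCKROACH_VERSION=v1.1.6
# Placeholder, NOT a real checksum: substitute the published sha256 for the tarball.
ARG COCKROACH_SHA256=<sha256-of-cockroach-tarball-placeholder>
RUN apk add --no-cache ca-certificates tzdata
RUN wget --quiet "https://binaries.cockroachdb.com/cockroach-${COCKROACH_VERSION}.linux-musl-amd64.tgz" -O /tmp/cockroach.tgz \
 && echo "${COCKROACH_SHA256}  /tmp/cockroach.tgz" | sha256sum -c - \
 && mkdir -p /out/cockroach \
 && tar xzf /tmp/cockroach.tgz --strip-components=1 -C /out/cockroach \
 # The tarball ships the binary with 0400 permissions; make it executable.
 && chmod 0755 /out/cockroach/cockroach

# Stage 2: empty base image, so no shell, package manager or setuid helpers.
FROM scratch
ENV COCKROACH_CHANNEL=official-docker
COPY --from=fetch /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# Go's time package reads /usr/share/zoneinfo; rebuild the image to refresh it.
COPY --from=fetch /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=fetch /out/cockroach/cockroach /cockroach/cockroach
WORKDIR /cockroach
EXPOSE 26257 8080
ENTRYPOINT ["/cockroach/cockroach"]
```

Because the zoneinfo copy is baked in at build time, it only stays current if the image is rebuilt when tzdata changes; mounting the host's /usr/share/zoneinfo at runtime avoids that.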

@bdarnell roger that, thanks for the tip!

The compiled Windows .exe of cdb is 150MB whereas the latest docker image has a whopping 310MB, that's more than twice the size.

Are there ARM64 binaries published anywhere, e.g. https://binaries.cockroachdb.com/cockroach-latest.linux-gnu-aarch64.tgz ?
