Simplify Dockerfile, bump some versions and reduce final snapshot size #76
Merged
endersonmaia merged 4 commits into prerelease/sdk-12 from Oct 24, 2025
tuler approved these changes Oct 24, 2025
8934951 to a95da54
Since the final rootfs is flat, we don't get any advantage of reducing size on container image layers, and we get simpler code using ADD.
Also, we put the version and checksum for machine-guest-tools on top
a95da54 to 27687e3
tuler approved these changes Oct 24, 2025
This pull request refactors all language Dockerfiles to improve security, reproducibility, and maintainability when installing the machine-guest-tools package. The changes standardize the way the package is downloaded and verified, moving from an in-container download and manual checksum verification to using Docker's ADD command with a SHA256 checksum. Additionally, the base image setup is streamlined by removing unnecessary dependencies after use.

Key changes:

Security and reproducibility improvements:
- Replaced in-container download and manual SHA512 checksum verification of machine-guest-tools_riscv64.deb with Docker's ADD command using a SHA256 checksum (MACHINE_GUEST_TOOLS_SHA256SUM). This ensures the downloaded file is verified before the build continues, reducing the risk of supply chain attacks. [1] [2] [3] [4] [5] [6] [7] [8]
- Standardized the installation of machine-guest-tools across all Dockerfiles by removing the use of busybox wget and manual checksum verification, and instead using the ADD command with checksum and then installing the .deb package directly. [1] [2] [3] [4] [5] [6] [7] [8]

Base image cleanup and dependency management:
- Improved base image hygiene by removing ca-certificates after use in the base stage and running apt-get autoremove to clean up unnecessary packages, reducing image size and potential attack surface. [1] [2] [3] [4] [5] [6] [7] [8]
- Ensured required build dependencies (ca-certificates, curl) are only installed where needed, improving clarity and minimizing the installed package set in each build stage. [1] [2]

General maintainability:
- MACHINE_GUEST_TOOLS_VERSION and MACHINE_GUEST_TOOLS_SHA256SUM) at the top of each Dockerfile for easier updates in the future. [1] [2] [3] [4] [5] [6] [7] [8]

Size Summary
References:
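
A check for the convention the description above sets out (remote files fetched with ADD and a checksum, no downloads inside RUN), written here as an added example that is not code from this pull request or the project. The sample Dockerfile text, the example.invalid URL, the placeholder version and checksum, and the function names are constructed for illustration.

```python
import re

# Constructed sample, not taken from the PR: one line per download pattern.
SAMPLE = """\
ARG MACHINE_GUEST_TOOLS_VERSION=0.0.0
ARG MACHINE_GUEST_TOOLS_SHA256SUM=<sha256-placeholder>
FROM base AS a
RUN busybox wget -O /tmp/tools.deb https://example.invalid/tools.deb \\
    && dpkg -i /tmp/tools.deb
ADD https://example.invalid/tools.deb /tmp/tools.deb
ADD --checksum=sha256:${MACHINE_GUEST_TOOLS_SHA256SUM} \\
    https://example.invalid/tools.deb /tmp/tools.deb
ADD local.conf /etc/local.conf
"""

REMOTE = re.compile(r"https?://", re.I)
FETCH = re.compile(r"\b(wget|curl)\b")


def logical_instructions(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are not part of an instruction
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()


def audit(text):
    """Return (line, reason) for each download that bypasses ADD --checksum."""
    findings = []
    for n, ins in logical_instructions(text):
        parts = ins.split(None, 1)
        op, rest = parts[0].upper(), parts[1] if len(parts) > 1 else ""
        if op == "ADD" and REMOTE.search(rest):
            flags = [t for t in rest.split() if t.startswith("--")]
            if not any(f.startswith("--checksum=") for f in flags):
                findings.append((n, "remote ADD without --checksum"))
        elif op == "RUN" and FETCH.search(rest) and REMOTE.search(rest):
            findings.append((n, "download inside RUN; use ADD --checksum"))
    return findings
```

Run over every Dockerfile in a repository, a non-empty result from `audit` marks a file that has drifted from the standardized pattern.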