Provide base image for Native AOT

[richlander]

Our NativeAOT offering appears to work fine on just alpine, for example. Using FROM alpine is cool, but that means those apps lose out on our non-root offering and cannot (straightforwardly) follow the same patterns. Also, the HTTP port isn't pre-defined. That seems bad.

However, our runtime-deps images are too big.

mcr.microsoft.com/dotnet/runtime-deps   8.0-preview-alpine   1175254963e8   35 hours ago     13.5MB
alpine                                  latest               5053b247d78b   4 weeks ago      7.66MB

I don't have a concrete proposal to offer yet.

Questions (about our Alpine images):

• We're installing ca-certificates in addition to the ca-certificates-bundle package that comes with Alpine. I discovered this since Native AOT apps are able to call HTTPS end points (via HttpClient) w/plain alpine (no ca-certificates installed).
• Do we strictly need to install Kerberos?

Some size info:

• alpine: 7.66MB
• + ca-certificates-bundle, libgcc, libssl3, zlib: 7.82MB
• + libstdc++: 10.2MB
• + krb5-libs: 12.9MB
• + ca-certificates: 13.5MB

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[jkotas]

libstdc++ dependency is the only one where default and native AOT apps differ. libstdc++ can be omitted for native AOT. There rest should be the same.

I discovered this since Native AOT apps are able to call HTTPS end points (via HttpClient) w/plain alpine (no ca-certificates installed).

You should see the same behavior with regular SCD and FDD too.

Do we strictly need to install Kerberos?

A lot of microservices should work fine without Kerberos. It is very similar question to whether or not to install ICU that we are opinionated about. We may want to be opinionated in the same way about Kerberos: omit it in Alpine images, keep it in Debian images.

We do not test the experience with missing Kerberos today. If we omit Kerberos, we should make sure that people can figure out that the Kerberos is missing and how to fix it.

[eerhardt]

See also related #4129

[richlander]

Kerberos comes with Debian and Ubuntu and not Alpine. That's the diff. We don't install Kerberos in our Ubuntu Chiseled images.

$ docker run --rm -it ubuntu apt search krb5    
Sorting... Done
Full Text Search... Done
libgssapi-krb5-2/now 1.19.2-2ubuntu0.2 arm64 [installed,local]
  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism

libkrb5-3/now 1.19.2-2ubuntu0.2 arm64 [installed,local]
  MIT Kerberos runtime libraries

libkrb5support0/now 1.19.2-2ubuntu0.2 arm64 [installed,local]
  MIT Kerberos runtime libraries - Support library

[richlander]

Closing this issue since it is a dupe. Will open a new issue about Alpine runtime-deps.

[richlander]

Doing some size analysis again (on x64), with ICU included.

• alpine: 7.34 MB (+ 0MB)
• apk add --no-cache --upgrade ca-certificates-bundle libssl3 zlib: 7.36MB (+0.02 MB)
• apk add --no-cache --upgrade ca-certificates-bundle libssl3 zlib libgcc: 7.48MB (+0.12MB)
• apk add --no-cache --upgrade ca-certificates-bundle libssl3 zlib libgcc libstdc++ : 9.88MB (+2.40MB)
• apk add --no-cache --upgrade ca-certificates-bundle libssl3 zlib libgcc libstdc++ icu-data-full icu-libs: 46.3MB (+36.42MB)
• apk add --no-cache --upgrade ca-certificates-bundle libssl3 zlib libgcc libstdc++ icu-data-full icu-libs tzdata: 47.5MB (+1.2MB)
• apk add --no-cache --upgrade ca-certificates-bundle libssl3 zlib libgcc libstdc++ icu-data-full icu-libs tzdata krb5-libs: 49.4MB (+2.4MB)
• apk add --no-cache --upgrade ca-certificates-bundle libssl3 zlib libgcc libstdc++ icu-data-full icu-libs tzdata krb5-libs openldap 51.8MB (2.4MB)

Note: The (+ nMB) is per the previous line.

Note: These numbers are all uncompressed. The compressed (wire/registry) cost of ICU is 14-15MB (per our observations).

Dockerfile (for ICU components):

FROM alpine
RUN apk add --no-cache --upgrade ca-certificates-bundle libssl3 zlib libgcc libstdc++  icu-data-full icu-libs

Related:

• https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/alpine3.18/amd64/Dockerfile
• https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy/amd64/Dockerfile
• https://github.com/dotnet/dotnet-docker/blob/main/samples/enable-globalization.md

[richlander]

Here's something similar with Ubuntu.

$ docker images ubuntu
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
ubuntu       latest    5a81c4b8502e   6 weeks ago   77.8MB
$ cat Dockerfile.ubuntu 
FROM ubuntu
RUN apt update && apt install -y libicu70 && rm -rf /var/lib/apt/lists/*
$ docker build --pull -t ubuntu-icu -f Dockerfile.ubuntu .
$ docker images ubuntu-icu
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
ubuntu-icu   latest    24e55e9a3fb4   2 minutes ago   114MB

The diff here is 36.2MB