refactor(Dockerfile): use ghcr.io/linkerd/proxy base image
#4334
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
see linkerd/linkerd-proxy#4333 for previous context. this commit makes changes to the Dockerfile provided in this repository, for use in the proxy's development process. rather than using `debian:bookworm-slim` as the base image, this commit helps deduplicate the tricky business of setting networking capabilities on executables needed when running as an init container. this has one negative consequence, which is that we can no longer attach to a `bash` shell in a running pod when using this image. this is unfortunate, but in my experience isn't often needed by proxy developers. i believe that, should we need to revisit the need for a shell in this image, we should do instead make use of the `Dockerfile-debug` image provided in the linkerd2 repo. if we ran a command like `just docker --build-arg LINKERD2_IMAGE='ghcr.io/linkerd/debug:edge-25-11.3'` we could specify the debug image as a base image instead, providing developers not only with a shell, but also other helpful utilities like `curl`, `tcpdump`, and so on. unfortunately, this does not work today, because the image appears to no longer be published, and has drifted from our latest edge release. i have not pulled on that string further at the time of writing. one explicit _benefit_ of the changes in this commit is that we bring proxy development closer to the real world, meaning that CI in this repository runs using the same image that the proxy will run inside of in the linkerd2 repository and in typical clusters. --- * linkerd/linkerd2#14348 * linkerd/linkerd2#14577 * linkerd/linkerd-proxy#4333 Signed-off-by: katelyn martin <kate@buoyant.io>
Signed-off-by: katelyn martin <kate@buoyant.io>
cratelyn
commented
Dec 5, 2025
This reverts commit 90f9d41. Signed-off-by: katelyn martin <kate@buoyant.io>
cratelyn
force-pushed
the
kate/dockerfile.4333-follow-on-use-proxy-image
branch
from
0742042 to
d20ea38
Compare
cratelyn
commented
Dec 10, 2025
Comment on lines
-52
to
-68
| # Install the proxy binary into a base image that we can at least get a shell | ||
| # for debugging. | ||
| FROM docker.io/library/debian:bookworm-slim as runtime | ||
|
|
||
| RUN apt-get update && \ | ||
| apt-get install -y iptables libcap2-bin && \ | ||
| rm -rf /var/lib/apt/lists/* | ||
|
|
||
| WORKDIR /linkerd | ||
| COPY --from=linkerd2 /usr/lib/linkerd/* /usr/lib/linkerd/ | ||
| # Install the proxy binary into the proxy image. | ||
| FROM $LINKERD2_IMAGE as linkerd2 | ||
| COPY --from=build /out/* /usr/lib/linkerd/ | ||
|
|
||
| USER root | ||
| RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-legacy-multi"] | ||
| RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/sbin/xtables-nft-multi"] | ||
| RUN ["/usr/sbin/setcap", "cap_net_raw,cap_net_admin+eip", "/usr/lib/linkerd/linkerd2-proxy-init"] | ||
|
|
Member
Author
There was a problem hiding this comment.
@adleong, i've backed out of that debian:bookworm-slim recommendation. if you have time to take another look, we now have a very slim and focused dockerfile that uses the ghcr.io/linkerd/proxy image directly.
thanks again for this idea, i think it turned out very nicely.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
see #4333 for previous context.
this commit makes changes to the Dockerfile provided in this repository,
for use in the proxy's development process.
rather than using
debian:bookworm-slimas the base image, this commithelps deduplicate the tricky business of setting networking capabilities
on executables needed when running as an init container.
this has one negative consequence, which is that we can no longer attach
to a
bashshell in a running pod when using this image. this isunfortunate, but in my experience isn't often needed by proxy
developers.
i believe that, should we need to revisit the need for a shell in this
image, we should do instead make use of the
Dockerfile-debugimageprovided in the linkerd2 repo.
if we ran a command like
just docker --build-arg LINKERD2_IMAGE='ghcr.io/linkerd/debug:edge-25-11.3'we could specify the debug image as a base image instead, providing
developers not only with a shell, but also other helpful utilities like
curl,tcpdump, and so on.unfortunately, this does not work today, because the image appears to no
longer be published, and has drifted from our latest edge release. i
have not pulled on that string further at the time of writing.
one explicit benefit of the changes in this commit is that we bring
proxy development closer to the real world, meaning that CI in this
repository runs using the same image that the proxy will run inside of
in the linkerd2 repository and in typical clusters.
Signed-off-by: katelyn martin kate@buoyant.io