Fully static native executables

140 views
Skip to first unread message

Andrea Peruffo

unread,
May 27, 2022, 6:15:31 AM5/27/22
to Quarkus Development mailing list
Hi all,

I was looking at the guides for building native executables, and I found that there is no information about how to build "fully static" binaries.
The big advantage is that there are no system dependencies and can run on bare "scratch" images that don't need package updates for vulnerabilities.

I have prepared a little demo repository to show how this can be achieved in a couple of different ways:
https://github.com/andreaTP/quarkus_fully_static

Dockerfile.gcc image follows the GraalVM official instructions: https://www.graalvm.org/22.1/reference-manual/native-image/StaticImages/#preparation

Dockerfile.zig image uses Zig cc as a drop-in replacement for the C compiler: https://andrewkelley.me/post/zig-cc-powerful-drop-in-replacement-gcc-clang.html

The resulting `scratch` images are about 17-18 Mb with no system dependencies ( even better than distroless https://quarkus.io/guides/building-native-image#using-a-distroless-base-image ).

Since this is possible should we document it? Do you see any drawbacks?

Sanne Grinovero

unread,
May 27, 2022, 6:40:24 AM5/27/22
to aper...@redhat.com, Quarkus Development mailing list

Hi Andrea,

That's certainly interesting; we need to be cautious though with statements such as "won't need updates for vulnerabilities" as a static image just shifts the problem towards including the vulnerabilities in the binary; and there are going to be doubts about supportability and maintainability, it's a big change compared to what people are used to.

But even so I think it's a nice model as we generally expect to rebuild the container images when making any change anyway, and it's good to have options and allow people to explore this further. I think it would be very nice to improve the documentation in this regard.

Thanks,
Sanne



--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/3ce570a6-681e-4632-af1a-e95d251a7575n%40googlegroups.com.

Alexey Sharandin

unread,
May 27, 2022, 6:42:09 AM5/27/22
to Quarkus Development mailing list
What is "fully static"? Is it without any dependencies?
2 ways in graalVM/native-image level:
1. add flag  -H:+StaticExecutableWithDynamicLibC (this approach works in 20.x + with musl but as I know musl support implemented in 22+ and possible to go with option 2)
2. add flag --static to native image.

If we talking about Quarkus need to add property to application.properties
quarkus.native.additional-build-args = [value from options]

For example - this repo contains how to build lightweight container with Quarkus + Alpine Linux - https://github.com/alexeysharandin/Quarkus-Cheat-Sheet/tree/main/quarkus-native-image/quarkus-lightweight-container

But I agree what this info can be added to Quarkus docs.

Thanks

пятница, 27 мая 2022 г. в 15:45:31 UTC+5:30, aper...@redhat.com:

Andrea Peruffo

unread,
May 27, 2022, 7:11:36 AM5/27/22
to Quarkus Development mailing list
It's correct that this way, we are pushing the vulnerabilities into the binary, but, at least, there is no necessity to re-spin.

Talking about "fully static" I mean adding the `--static` flag, as "mostly static binaries" are already demonstrated using distroless in the official documentation.
Please note that fully static binaries don't come only with additional "quarkus.native.additional-build-args" properties but they require specific toolchains to be installed and configured.

Cheers!

Andrea Peruffo

unread,
Jun 8, 2022, 9:16:50 AM6/8/22
to Quarkus Development mailing list
Following up, the new documentation about how to build fully static binaries has been merged:
https://github.com/quarkusio/quarkus/pull/25890
Reply all
Reply to author
Forward
0 new messages