Can OpenSSL native library be lazy loaded? #46076
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq
It definitely should be done, related: #44505 (comment)
This is already lazy-loaded for portable builds. Compare #45720 (comment) to this: When the
That still sucks in all the Kerberos, but the direct dependency on OpenSSL is gone. While this may be interesting for a HelloWorld demo, I'm wondering how many real apps in practice can live without some form of secure communication, e.g. without crypto and TLS. Static linking can save on the base image, but it will suck all of that into each app, IMHO, once needed.
It used to be the case that Alpine used LibreSSL instead of OpenSSL, and so we only supported "strongly dynamic" (normal DLL/SO) compilation. But since they've switched back to OpenSSL we could probably go back to using portable builds there. I'm not sure where in our universe that lives.
I am happily using linux-musl dotnet binaries with libressl on Void Linux (musl-flavor) x64 since 04b67d3. In fact, in our current build matrix, everything is portable=true in this repo. The only place (that I know of) that has portable=false is dotnet/source-build.
I will need to make this lazy-loaded at least on macOS.
It's not clear that there's any work remaining here (at least for the assigned area), and there hasn't been any activity in a long while; so assuming this is no longer an area of concern.
I've been experimenting with Docker Slim to produce extremely slimmed down versions of .NET containers that contain only the files that are actually used by the app. After examining the results of a basic Hello World console app, I wonder whether it'd be possible to modify the runtime to further reduce its dependencies.
Here's the list of files that are left in my Alpine Linux 3.12 container after applying Docker Slim (my app is published as a single file):
I'm specifically wondering about the need for `libssl.so.1.1`. Again, I have a simple .NET 5 app (`System.Console.WriteLine("Hello World!");`) with, presumably, no underlying dependency on OpenSSL. The `libssl.so.1.1` file is currently required, however, because it's loaded as part of the loading of the `libSystem.Security.Cryptography.Native.OpenSsl` module due to:
runtime/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.c
Line 120 in e29b839
I'm wondering if it's possible to have OpenSSL lazy loaded until the point where it's required. Presumably, that would allow my container to not require the `libssl.so.1.1` file and remove 500K from it.
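The lazy-load pattern asked about above, as an added C example that is not the runtime's `opensslshim.c`: the library is opened on the first call that needs it, and a missing `libssl` is reported as an unavailable feature instead of a startup failure. The `shim_*` names and the candidate soname list are assumptions for illustration (`libssl.so.1.1` is the file named in the issue).

```c
#include <dlfcn.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

enum shim_state { SHIM_UNLOADED = 0, SHIM_READY = 1, SHIM_UNAVAILABLE = 2 };

/* Assumed candidate sonames, tried in order. */
static const char *const k_candidates[] = { "libssl.so.3", "libssl.so.1.1" };

static pthread_once_t g_once = PTHREAD_ONCE_INIT;
static enum shim_state g_state = SHIM_UNLOADED;
static void *g_handle;
static unsigned long (*g_version_num)(void); /* OpenSSL_version_num */

/* Runs at most once, on first use, never at process or module load time. */
static void shim_load(void)
{
    for (size_t i = 0; i < sizeof k_candidates / sizeof k_candidates[0]; i++) {
        g_handle = dlopen(k_candidates[i], RTLD_LAZY | RTLD_LOCAL);
        if (g_handle != NULL)
            break;
    }
    /* The symbol lives in libcrypto; dlsym follows libssl's dependencies. */
    if (g_handle != NULL)
        *(void **)&g_version_num = dlsym(g_handle, "OpenSSL_version_num");
    g_state = (g_handle && g_version_num) ? SHIM_READY : SHIM_UNAVAILABLE;
}

/* Diagnostic only: reports the state without triggering a load. */
enum shim_state shim_peek(void) { return g_state; }

/* Entry point for code that needs OpenSSL: 0 on success, -1 if absent. */
int shim_openssl_version(unsigned long *out)
{
    pthread_once(&g_once, shim_load);
    if (g_state != SHIM_READY)
        return -1;
    *out = g_version_num();
    return 0;
}

int main(void)
{
    puts("Hello World!"); /* nothing from libssl is mapped at this point */
    unsigned long v = 0;
    if (shim_openssl_version(&v) == 0)
        printf("OpenSSL loaded on demand, version 0x%lx\n", v);
    else
        puts("libssl not present; crypto features unavailable");
    return 0;
}
```

On older glibc releases, link with `-ldl -lpthread`.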