Which packages are required to run a static binary in a Docker Image

Robert Massaioli
Apr 15, 2021

Recently I discovered that an Ubuntu Docker image that I was dependent on to run my Haskell services has some insecure libraries: https://snyk.io/test/docker/ubuntu:20.04

The easiest way to resolve some of these issues is to simply uninstall those packages from my docker images before using them in my running service. Therefore I want a quick way to see which packages are actually required by my binary, and which packages are not.

Step 1: Work out which packages the binary depends on

To work this out, you use ldd to list the shared libraries that your binary depends on, and then dpkg -S to work out which installed packages those libraries came from. My executable is called hackathon, so combining them all into one command looks something like:

$ ldd hackathon | tr -d '\t ' | grep '=' | cut -d '=' -f1 | xargs dpkg -S | cut -d ':' -f1 | sort | uniq | tee all-required.txt
libasn1-8-heimdal
libc6
libcom-err2
libcrypt1
libffi7
libgmp10
libgnutls30
libgssapi-krb5-2
libgssapi3-heimdal
libhcrypto4-heimdal
libheimbase1-heimdal
libheimntlm0-heimdal
libhogweed5
libhx509-5-heimdal
libidn2-0
libk5crypto3
libkeyutils1
libkrb5-26-heimdal
libkrb5-3
libkrb5support0
libldap-2.4-2
libnettle7
libp11-kit0
libpq5
libroken18-heimdal
libsasl2-2
libsqlite3-0
libssl1.1
libtasn1-6
libunistring2
libwind0-heimdal
zlib1g
$

I run that from inside my build docker image with the executable.

Step 2: List all installed packages

This step is simple:

$ apt list --installed | grep '/' | cut -d'/' -f1 | sort | uniq | tee all-installed.txt

Step 3: Find all of the installed packages that are not required

$ comm -13 all-required.txt all-installed.txt

And that is all there is to it. Now you know the packages that your executable does not strictly require, and you can probably apt-get remove them in your Docker build command.
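The three steps above combined into one script, as an added example rather than the author's own code: it finds owners the same way (ldd, then dpkg -S) and additionally keeps packages that dpkg marks Essential out of the removal list. The function names and the Essential filter are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the author's script: the three steps as one script.
# Parsers read text on stdin so they can be checked against captured output.
export LC_ALL=C   # sort and comm must agree on collation order

# Step 1a: ldd output -> sonames that resolved to a file ("name => /path").
# The vdso, the loader line and "not found" entries are skipped.
ldd_sonames() {
    awk '$2 == "=>" && $3 ~ /^\// { print $1 }' | sort -u
}

# Step 1b: `dpkg -S` output ("pkg[:arch][, pkg2]: /path") -> package names.
dpkg_owners() {
    awk -F': ' '!/^(local )?diversion / {
        n = split($1, pkgs, ", ")
        for (i = 1; i <= n; i++) { sub(/:.*/, "", pkgs[i]); print pkgs[i] }
    }' | sort -u
}

# Step 3: installed minus (required + protected). Args are files with one
# package per line: $1 installed (sorted), $2 required, $3 protected.
removal_candidates() {
    sort -u "$2" "$3" | comm -23 "$1" -
}

# Driver (needs a dpkg-based image): prints packages the binary does not
# link against, leaving out packages dpkg marks as Essential.
unused_packages() {
    tmp=$(mktemp -d) || return 1
    ldd "$1" | ldd_sonames | xargs -r dpkg -S | dpkg_owners > "$tmp/required"
    dpkg-query -W -f='${Package}\n' | sort -u > "$tmp/installed"
    dpkg-query -W -f='${Package} ${Essential}\n' |
        awk '$2 == "yes" { print $1 }' | sort -u > "$tmp/protected"
    removal_candidates "$tmp/installed" "$tmp/required" "$tmp/protected"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then unused_packages "$@"; fi
```

ldd only reports libraries the binary links against, so files a service needs at runtime without linking to them (CA certificates, timezone data) still show up as candidates; review the list before removing anything.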

Hopefully this helps!
