siddjellali

Summary

This MR optimizes the container image by removing the redundant OpenSSL installation (libcrypto.so.3, libssl.so.3, and related modules) that was already included in the base image.

Before

  • Image name: sha256:5b7599178d9346a9b611a32c10d4b7544ef5f94eb5ace1b1c00aea9e22949da2
  • Total image size: 18 MB
  • Potential wasted space: 11 MB
  • Image efficiency score: 68 %

Redundant files:

/usr/lib/libcrypto.so.3           (8.3 MB)
/usr/lib/libssl.so.3              (1.7 MB)
/usr/lib/ossl-modules/legacy.so   (266 kB)
/usr/lib/engines-3/loader_attic.so (136 kB)
/usr/lib/engines-3/afalg.so        (135 kB)

After

  • Image name: sha256:40d4667163f19bad31f15341b9e84a591b0b121a2a0f6f551c8a22d785231505
  • Total image size: 12 MB
  • Potential wasted space: 110 kB
  • Image efficiency score: 99 %

Impact

✅ Reduced image size by 6 MB (~33%)
✅ Removed redundant OpenSSL binaries already included in the base image
✅ Improved build efficiency and reduced potential image duplication
✅ Maintained all functional dependencies intact

Testing

  • Verified image builds successfully.
  • Confirmed that dependent binaries using OpenSSL still function correctly (inherited from base image).
  • No runtime regressions detected in Nginx or BusyBox commands.

Thanks dive project.

Removed openssl from the list of checksum dependencies in the Dockerfile.
Removed openssl from checksum dependencies in Dockerfile.
Removed openssl from the list of checksum dependencies.
Removed 'openssl' from the list of checksum dependencies.
@siddjellali siddjellali requested a review from a team as a code owner October 6, 2025 14:38
@Copilot Copilot AI review requested due to automatic review settings October 6, 2025 14:38

github-actions bot commented Oct 6, 2025

✅ All required contributors have signed the F5 CLA for this PR. Thank you!
Posted by the CLA Assistant Lite bot.

Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR aims to reduce container image size by removing redundant OpenSSL packages that are already present in the base image, trimming unnecessary binaries and libraries to improve efficiency.

  • Remove openssl from the checksum dependency installation in multiple Alpine-based Dockerfiles.
  • Preserve functionality while reducing image size and duplication.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| stable/alpine/Dockerfile | Removed openssl from .checksum-deps installation to avoid redundant libs. |
| stable/alpine-slim/Dockerfile | Removed openssl from .checksum-deps installation to avoid redundant libs. |
| stable/alpine-perl/Dockerfile | Removed openssl from .checksum-deps installation to avoid redundant libs. |
| stable/alpine-otel/Dockerfile | Removed openssl from .checksum-deps installation to avoid redundant libs. |

nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \
" \
# install prerequisites for public key and pkg-oss checks
&& apk add --no-cache --virtual .checksum-deps \

Copilot AI Oct 6, 2025

apk add is invoked without any packages, which will fail (nothing to install) and break the build. Remove the empty apk add invocation (and its trailing backslash) if no checksum dependencies are required, or add the required packages back. Example fix: delete line 27 so the RUN chain proceeds directly to the case block.

Suggested change
&& apk add --no-cache --virtual .checksum-deps \

nginx=${NGINX_VERSION}-r${PKG_RELEASE} \
" \
# install prerequisites for public key and pkg-oss checks
&& apk add --no-cache --virtual .checksum-deps \

Copilot AI Oct 6, 2025

apk add is called with no packages, resulting in an error. Remove this empty installation step (and the trailing backslash) or include the needed package(s) if still required.

Suggested change
&& apk add --no-cache --virtual .checksum-deps \

Comment on lines 25 to 26
&& apk add --no-cache --virtual .checksum-deps \
openssl \
&& case "$apkArch" in \
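
Review bot: the apk add --no-cache --virtual .checksum-deps line should be decided together with the openssl line beneath it. Left on its own, it names no package and runs straight into the case "$apkArch" block. If the checks that follow need nothing installed, drop the apk add line too and adjust whatever later removes .checksum-deps in the same RUN; if they still rely on openssl, note in the Dockerfile where it now comes from.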

Copilot AI Oct 6, 2025

apk add is executed without any packages to install, which will fail. Drop the empty apk add line or restore the necessary package(s) if they are still needed for checksum verification.

Comment on lines 27 to 28
&& apk add --no-cache --virtual .checksum-deps \
openssl \
&& case "$apkArch" in \

Copilot AI Oct 6, 2025

This empty apk add invocation will error out (no packages provided). Remove the line or supply the intended packages; otherwise the RUN step will fail.

nginx-module-image-filter=${NGINX_VERSION}-r${DYNPKG_RELEASE} \
nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${NJS_RELEASE} \
" \
# install prerequisites for public key and pkg-oss checks

Copilot AI Oct 6, 2025

[nitpick] This comment suggests prerequisites are being installed, but after removing openssl no packages are installed in this section. Update the comment to reflect that prerequisites are satisfied by the base image or clarify why no packages are added.

Suggested change
# install prerequisites for public key and pkg-oss checks
# prerequisites for public key and pkg-oss checks are already satisfied by the base image

@siddjellali
Author

I have hereby read the F5 CLA and agree to its terms

@thresheek
Member

I don't really see how it changes anything with regards to an image, since this dependency is removed at the end of the same RUN?

Also, it doesn't look like libcrypto3 or libssl3 will be pulled in provided we're rebuilding the images in the consequential order with a small time delta.

So what exactly does this PR achieve, other than introducing more diffs between the dockerfile templates?

@thresheek
Member

Ok, I can see that installing openssl in this case might update the libraries that were present in alpine:3.22 but were updated since that image went live.

@thresheek
Member

So not installing openssl explicitly at this stage will lower the image size for amd64 and aarch64 variants, but for other arches it will stay the same. The problem here is that we will get inconsistent contents between the arches (libs will differ), and that might lead to hard-to-discover bugs? Not sure that's a valid point though.
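
The cross-architecture inconsistency raised in the comment above can be checked mechanically. The following is an added example, not code from this PR or the nginx project: it compares installed-package listings per architecture and reports every package whose version differs. The listings, the version numbers and the third architecture are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample input (versions are made up): one installed-package
# listing per architecture, in apk's name-version-rN identifier form.
LISTINGS = {
    "amd64":   "busybox-1.37.0-r18\nlibcrypto3-3.5.1-r0\nlibssl3-3.5.1-r0\n",
    "aarch64": "busybox-1.37.0-r18\nlibcrypto3-3.5.1-r0\nlibssl3-3.5.1-r0\n",
    # Hypothetical third architecture whose build pulled newer libraries.
    "s390x":   "busybox-1.37.0-r18\nlibcrypto3-3.5.4-r0\nlibssl3-3.5.4-r0\n",
}


def parse_listing(text):
    """Map package name -> 'version-rN' for one listing."""
    pkgs = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Package names may contain hyphens, so split from the right.
        parts = fields[0].rsplit("-", 2)
        if len(parts) != 3 or not parts[2].startswith("r"):
            raise ValueError(f"not a name-version-rN identifier: {line!r}")
        pkgs[parts[0]] = f"{parts[1]}-{parts[2]}"
    return pkgs


def version_drift(listings):
    """Return {package: {arch: version or None}} for every package whose
    version is not identical (or is missing) on at least one architecture."""
    parsed = {arch: parse_listing(text) for arch, text in listings.items()}
    by_pkg = defaultdict(dict)
    for arch, pkgs in parsed.items():
        for name, version in pkgs.items():
            by_pkg[name][arch] = version
    drift = {}
    for name, seen in by_pkg.items():
        row = {arch: seen.get(arch) for arch in parsed}
        if len(set(row.values())) > 1:
            drift[name] = row
    return drift


if __name__ == "__main__":
    for name, row in sorted(version_drift(LISTINGS).items()):
        print(name, row)
```

Run against real per-architecture listings in a release pipeline, a non-empty result for libcrypto3 or libssl3 is the signal that the variants no longer ship the same library build.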

@siddjellali
Author

Indeed, however — unless I’m mistaken — the command apk add --no-cache --virtual .checksum-deps openssl was applied across all arches, while the conditional logic for architectures comes right after that.

In our current context, where every bit saved and every reduction in image size or datacenter footprint contributes to lowering our environmental impact, I sincerely believe the optimization is worthwhile. That said, I fully understand there’s a balance to maintain in order to avoid introducing technical debt down the line.
