From b9293ee542fd3d7c655c4d73d299d2dffba827d1 Mon Sep 17 00:00:00 2001 From: Matthieu Napoli Date: Mon, 26 May 2025 14:51:17 +0200 Subject: [PATCH 1/2] Optimize layer sizes The goal is to reduce layer sizes to optimize cold starts (that's the theory at least). - `strip` debug symbols for all libraries and PHP extensions (saves 11.7%) - compile PHP with the `-Os` C/CPP flag to optimize the binary for size (saves 8%) - compile libraries with the `-Os` flag (saves 6.3%) - disable the `soap` extension by default to avoid loading it on PHP startup (the only big unpopular extension I could find) - bundle the `pdo-mysql` extension in the PHP binary: it is extra small and will avoid loading it through an external file (small optimization) In total that's a 24% size reduction, i.e. 14.6MB. This is for Bref v3, I will run some benchmarks as just measuring the layer size doesn't tell us the full story about cold starts. --- php-82/Dockerfile | 59 ++++++++++++++++++++++++++--------------------- php-83/Dockerfile | 59 ++++++++++++++++++++++++++--------------------- php-84/Dockerfile | 59 ++++++++++++++++++++++++++--------------------- src/php.ini | 1 - 4 files changed, 99 insertions(+), 79 deletions(-) diff --git a/php-82/Dockerfile b/php-82/Dockerfile index 3709202d..e2efad14 100644 --- a/php-82/Dockerfile +++ b/php-82/Dockerfile @@ -85,8 +85,8 @@ RUN set -xe; \ WORKDIR ${ZLIB_BUILD_DIR}/ RUN set -xe; \ make distclean \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} 
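Review bot: `-Os` is added to `CPPFLAGS` as well as `CFLAGS` in the zlib hunk of php-82/Dockerfile (`@@ -85,8 +85,8 @@`), but `CPPFLAGS` carries preprocessor options (`-I`, `-D`), not optimisation levels or C++ compiler flags. Most of these build systems also pass it to the compiler, so the extra flag is redundant rather than harmful; any C++ sources would need `CXXFLAGS="-Os"` instead. I would keep `CFLAGS="-Os"` and leave `CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include"` as it was. The same pattern repeats in every library hunk of php-82, php-83 and php-84, including the one-line oniguruma and sqlite `./configure` changes. The RUN instruction continues outside the hunk.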
@@ -113,8 +113,8 @@ RUN set -xe; \ curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \ | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 WORKDIR ${OPENSSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./config \ --prefix=${INSTALL_DIR} \ @@ -148,8 +148,8 @@ RUN set -xe; \ curl -Ls https://download.gnome.org/sources/libxml2/${VERSION_XML2%.*}/libxml2-${VERSION_XML2}.tar.xz \ | tar xJC ${XML2_BUILD_DIR} --strip-components=1 WORKDIR ${XML2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -181,8 +181,8 @@ RUN set -xe; \ curl -Ls https://github.com/libssh2/libssh2/releases/download/libssh2-${VERSION_LIBSSH2}/libssh2-${VERSION_LIBSSH2}.tar.gz \ | tar xzC ${LIBSSH2_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSSH2_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ # Build as a shared library (.so) instead of a static one @@ -214,8 +214,8 @@ RUN set -xe; \ curl -Ls https://github.com/nghttp2/nghttp2/releases/download/v${VERSION_NGHTTP2}/nghttp2-${VERSION_NGHTTP2}.tar.gz \ | tar xzC ${NGHTTP2_BUILD_DIR} --strip-components=1 WORKDIR ${NGHTTP2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --enable-lib-only \ 
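Review bot: The OpenSSL build in php-82/Dockerfile (`@@ -113,8 +113,8 @@`) now sets `CFLAGS="-Os"` but still carries none of the hardening options the PHP build in the same file uses (`-fstack-protector-strong`, visible in the `@@ -439,8 +439,8 @@` hunk). These libraries parse network and file input on behalf of PHP, so while the flag lines are being touched I would align them, e.g. `CFLAGS="-Os -fstack-protector-strong"`. Whether each build system (OpenSSL's `./config`, the CMake projects) actually honours the environment variable should be confirmed from the build log. The same applies to the libxml2, libssh2, nghttp2, libpsl, curl, libzip, libsodium and libpq hunks in all three Dockerfiles.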
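Review bot: In the libssh2 hunk (`@@ -181,8 +181,8 @@`, the `cmake ..` invocation) the new `-Os` may not take effect: CMake seeds `CMAKE_C_FLAGS` from `CFLAGS`, but a build type such as Release appends its own `-O` level after it, and older CMake releases ignore `CPPFLAGS` from the environment. The build type is not visible in this hunk, so this needs checking against the full command; if it is Release, `-DCMAKE_BUILD_TYPE=MinSizeRel` states the intent directly. The libzip hunk (`@@ -301,8 +301,8 @@`) and the php-83 and php-84 copies are built the same way. The cmake argument list continues outside the hunk.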
@@ -236,8 +236,8 @@ RUN set -xe; \ curl -Ls https://github.com/rockdaboot/libpsl/releases/download/${VERSION_LIBPSL}/libpsl-${VERSION_LIBPSL}.tar.gz \ | tar xzC ${LIBPSL_BUILD_DIR} --strip-components=1 WORKDIR ${LIBPSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -262,8 +262,8 @@ RUN set -xe; \ | tar xzC ${CURL_BUILD_DIR} --strip-components=1 WORKDIR ${CURL_BUILD_DIR}/ RUN ./buildconf \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -301,8 +301,8 @@ RUN set -xe; \ curl -Ls https://github.com/nih-at/libzip/releases/download/v${VERSION_ZIP}/libzip-${VERSION_ZIP}.tar.gz \ | tar xzC ${ZIP_BUILD_DIR} --strip-components=1 WORKDIR ${ZIP_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ @@ -322,8 +322,8 @@ RUN set -xe; \ curl -Ls https://github.com/jedisct1/libsodium/archive/${VERSION_LIBSODIUM}-RELEASE.tar.gz \ | tar xzC ${LIBSODIUM_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSODIUM_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./autogen.sh \ && ./configure --prefix=${INSTALL_DIR} 
@@ -344,8 +344,8 @@ RUN set -xe; \ curl -Ls https://github.com/postgres/postgres/archive/REL_${VERSION_POSTGRES//./_}.tar.gz \ | tar xzC ${POSTGRES_BUILD_DIR} --strip-components=1 WORKDIR ${POSTGRES_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure --prefix=${INSTALL_DIR} --with-openssl --without-icu --without-readline RUN cd ${POSTGRES_BUILD_DIR}/src/interfaces/libpq && make && make install @@ -370,7 +370,7 @@ RUN set -xe; \ curl -Ls https://github.com/kkos/oniguruma/releases/download/v${VERSION_ONIG}/onig-${VERSION_ONIG}.tar.gz \ | tar xzC ${ONIG_BUILD_DIR} --strip-components=1 WORKDIR ${ONIG_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install @@ -391,7 +391,7 @@ RUN set -xe; \ curl -Ls https://github.com/sqlite/sqlite/archive/refs/tags/version-${VERSION_SQLITE}.tar.gz \ | tar xzC ${SQLITE_BUILD_DIR} --strip-components=1 WORKDIR ${SQLITE_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install 
@@ -439,8 +439,8 @@ RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${V # --with-zlib and --with-zlib-dir: See https://stackoverflow.com/a/42978649/245552 ARG PHP_COMPILATION_FLAGS RUN ./buildconf --force -RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - CPPFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ +RUN CFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ + CPPFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib -Wl,-O1 -Wl,--strip-all -Wl,--hash-style=both -pie" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -462,14 +462,17 @@ RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I --enable-ftp \ --with-gettext \ --enable-mbstring \ - --with-pdo-mysql=shared,mysqlnd \ + --with-pdo-mysql=mysqlnd \ --with-mysqli \ --enable-pcntl \ --with-zip \ --enable-bcmath \ --with-pdo-pgsql=shared,${INSTALL_DIR} \ + # Separate .so extension so that it is not loaded by default --enable-intl=shared \ - --enable-soap \ + # Separate .so extension so that it is not loaded by default + --enable-soap=shared \ + # Separate .so extension so that it is not loaded by default --with-xsl=${INSTALL_DIR} \ --with-ffi \ # necessary for `pecl` to work (to install PHP extensions) 
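Review bot: The PHP compile flags in `@@ -439,8 +439,8 @@` keep `-ffunction-sections -fdata-sections`, but the `LDFLAGS` context line has no `-Wl,--gc-sections`, so the linker is never asked to drop the unreferenced sections those flags create. Since the goal of the commit is size, I would try `LDFLAGS="… -Wl,--gc-sections -Wl,-O1 -Wl,--strip-all …"` and measure, keeping it only if the extension tests still pass. The same `LDFLAGS` line has `-pie` but no `-Wl,-z,relro,-z,now`; unless the toolchain enables it by default, adding it here would complete the hardening the compile flags start. The php-83 and php-84 hunks carry the same lines, and the `./configure` invocation continues outside the hunk.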
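Review bot: The third added comment, `# Separate .so extension so that it is not loaded by default`, sits directly above `--with-xsl=${INSTALL_DIR}` in `@@ -462,14 +462,17 @@`, which has no `shared` prefix, so as written xsl is compiled into the binary and the comment does not describe it. Either drop that comment or, if xsl is meant to be opt-in like intl and soap, change the flag to `--with-xsl=shared,${INSTALL_DIR}` and add it to the manual-extension tests. The same lines appear in the php-83 and php-84 configure hunks. The configure invocation starts and ends outside the hunk.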
@@ -526,6 +529,10 @@ RUN cp ${CA_BUNDLE} /bref-layer/bref/ssl/cert.pem # Copy the OpenSSL config RUN cp ${INSTALL_DIR}/bref/ssl/openssl.cnf /bref-layer/bref/ssl/openssl.cnf +# Run `strip` over all libraries and extensions to reduce their size +RUN find /bref-layer/bref/extensions -type f -exec strip --strip-all {} + +RUN find /bref-layer/lib -type f -exec strip --strip-all {} + + # ---------------------------------------------------------------------------- # Start from a clean image to copy only the files we need for the Lambda layer diff --git a/php-83/Dockerfile b/php-83/Dockerfile index 12e7d1eb..7f867e20 100644 --- a/php-83/Dockerfile +++ b/php-83/Dockerfile @@ -85,8 +85,8 @@ RUN set -xe; \ WORKDIR ${ZLIB_BUILD_DIR}/ RUN set -xe; \ make distclean \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -113,8 +113,8 @@ RUN set -xe; \ curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \ | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 WORKDIR ${OPENSSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./config \ --prefix=${INSTALL_DIR} \ @@ -148,8 +148,8 @@ RUN set -xe; \ curl -Ls https://download.gnome.org/sources/libxml2/${VERSION_XML2%.*}/libxml2-${VERSION_XML2}.tar.xz \ | tar xJC ${XML2_BUILD_DIR} --strip-components=1 WORKDIR ${XML2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ 
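Review bot: Both added `find … -type f -exec strip --strip-all {} +` lines in `@@ -526,6 +529,10 @@` hand every regular file under the tree to `strip`, not only ELF objects, and `--strip-unneeded` is the conventional setting for shared objects. A non-ELF file under `/bref-layer/lib` would likely make `strip` exit non-zero and fail the step, and the symbols removed here are the ones needed to symbolise a crash from a deployed layer. I would narrow it to `RUN find /bref-layer/lib -type f -name '*.so*' -exec strip --strip-unneeded {} +` (same for the extensions directory) and, if post-mortem debugging matters, keep the unstripped objects or detached debug files as a build artifact outside the layer. The identical lines are added in php-83/Dockerfile and php-84/Dockerfile.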
@@ -181,8 +181,8 @@ RUN set -xe; \ curl -Ls https://github.com/libssh2/libssh2/releases/download/libssh2-${VERSION_LIBSSH2}/libssh2-${VERSION_LIBSSH2}.tar.gz \ | tar xzC ${LIBSSH2_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSSH2_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ # Build as a shared library (.so) instead of a static one @@ -214,8 +214,8 @@ RUN set -xe; \ curl -Ls https://github.com/nghttp2/nghttp2/releases/download/v${VERSION_NGHTTP2}/nghttp2-${VERSION_NGHTTP2}.tar.gz \ | tar xzC ${NGHTTP2_BUILD_DIR} --strip-components=1 WORKDIR ${NGHTTP2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --enable-lib-only \ @@ -236,8 +236,8 @@ RUN set -xe; \ curl -Ls https://github.com/rockdaboot/libpsl/releases/download/${VERSION_LIBPSL}/libpsl-${VERSION_LIBPSL}.tar.gz \ | tar xzC ${LIBPSL_BUILD_DIR} --strip-components=1 WORKDIR ${LIBPSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -262,8 +262,8 @@ RUN set -xe; \ | tar xzC ${CURL_BUILD_DIR} --strip-components=1 WORKDIR ${CURL_BUILD_DIR}/ RUN ./buildconf \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ 
@@ -301,8 +301,8 @@ RUN set -xe; \ curl -Ls https://github.com/nih-at/libzip/releases/download/v${VERSION_ZIP}/libzip-${VERSION_ZIP}.tar.gz \ | tar xzC ${ZIP_BUILD_DIR} --strip-components=1 WORKDIR ${ZIP_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ @@ -322,8 +322,8 @@ RUN set -xe; \ curl -Ls https://github.com/jedisct1/libsodium/archive/${VERSION_LIBSODIUM}-RELEASE.tar.gz \ | tar xzC ${LIBSODIUM_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSODIUM_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./autogen.sh \ && ./configure --prefix=${INSTALL_DIR} @@ -344,8 +344,8 @@ RUN set -xe; \ curl -Ls https://github.com/postgres/postgres/archive/REL_${VERSION_POSTGRES//./_}.tar.gz \ | tar xzC ${POSTGRES_BUILD_DIR} --strip-components=1 WORKDIR ${POSTGRES_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure --prefix=${INSTALL_DIR} --with-openssl --without-icu --without-readline RUN cd ${POSTGRES_BUILD_DIR}/src/interfaces/libpq && make && make install @@ -370,7 +370,7 @@ RUN set -xe; \ curl -Ls https://github.com/kkos/oniguruma/releases/download/v${VERSION_ONIG}/onig-${VERSION_ONIG}.tar.gz \ | tar xzC ${ONIG_BUILD_DIR} --strip-components=1 WORKDIR ${ONIG_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install 
@@ -391,7 +391,7 @@ RUN set -xe; \ curl -Ls https://github.com/sqlite/sqlite/archive/refs/tags/version-${VERSION_SQLITE}.tar.gz \ | tar xzC ${SQLITE_BUILD_DIR} --strip-components=1 WORKDIR ${SQLITE_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install @@ -439,8 +439,8 @@ RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${V # --with-zlib and --with-zlib-dir: See https://stackoverflow.com/a/42978649/245552 ARG PHP_COMPILATION_FLAGS RUN ./buildconf --force -RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - CPPFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ +RUN CFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ + CPPFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib -Wl,-O1 -Wl,--strip-all -Wl,--hash-style=both -pie" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -462,14 +462,17 @@ RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I --enable-ftp \ --with-gettext \ --enable-mbstring \ - --with-pdo-mysql=shared,mysqlnd \ + --with-pdo-mysql=mysqlnd \ --with-mysqli \ --enable-pcntl \ --with-zip \ --enable-bcmath \ --with-pdo-pgsql=shared,${INSTALL_DIR} \ + # Separate .so extension so that it is not loaded by default --enable-intl=shared \ - --enable-soap \ + # Separate .so extension so that it is not loaded by default + --enable-soap=shared \ + # Separate .so extension so that it is not loaded by default --with-xsl=${INSTALL_DIR} \ --with-ffi \ # necessary for `pecl` to work (to install PHP extensions) 
@@ -526,6 +529,10 @@ RUN cp ${CA_BUNDLE} /bref-layer/bref/ssl/cert.pem # Copy the OpenSSL config RUN cp ${INSTALL_DIR}/bref/ssl/openssl.cnf /bref-layer/bref/ssl/openssl.cnf +# Run `strip` over all libraries and extensions to reduce their size +RUN find /bref-layer/bref/extensions -type f -exec strip --strip-all {} + +RUN find /bref-layer/lib -type f -exec strip --strip-all {} + + # ---------------------------------------------------------------------------- # Start from a clean image to copy only the files we need for the Lambda layer diff --git a/php-84/Dockerfile b/php-84/Dockerfile index 700384a5..eedddc44 100644 --- a/php-84/Dockerfile +++ b/php-84/Dockerfile @@ -85,8 +85,8 @@ RUN set -xe; \ WORKDIR ${ZLIB_BUILD_DIR}/ RUN set -xe; \ make distclean \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -113,8 +113,8 @@ RUN set -xe; \ curl -Ls https://github.com/openssl/openssl/releases/download/openssl-${VERSION_OPENSSL}/openssl-${VERSION_OPENSSL}.tar.gz \ | tar xzC ${OPENSSL_BUILD_DIR} --strip-components=1 WORKDIR ${OPENSSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./config \ --prefix=${INSTALL_DIR} \ @@ -148,8 +148,8 @@ RUN set -xe; \ curl -Ls https://download.gnome.org/sources/libxml2/${VERSION_XML2%.*}/libxml2-${VERSION_XML2}.tar.xz \ | tar xJC ${XML2_BUILD_DIR} --strip-components=1 WORKDIR ${XML2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ 
@@ -181,8 +181,8 @@ RUN set -xe; \ curl -Ls https://github.com/libssh2/libssh2/releases/download/libssh2-${VERSION_LIBSSH2}/libssh2-${VERSION_LIBSSH2}.tar.gz \ | tar xzC ${LIBSSH2_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSSH2_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ # Build as a shared library (.so) instead of a static one @@ -214,8 +214,8 @@ RUN set -xe; \ curl -Ls https://github.com/nghttp2/nghttp2/releases/download/v${VERSION_NGHTTP2}/nghttp2-${VERSION_NGHTTP2}.tar.gz \ | tar xzC ${NGHTTP2_BUILD_DIR} --strip-components=1 WORKDIR ${NGHTTP2_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --enable-lib-only \ @@ -236,8 +236,8 @@ RUN set -xe; \ curl -Ls https://github.com/rockdaboot/libpsl/releases/download/${VERSION_LIBPSL}/libpsl-${VERSION_LIBPSL}.tar.gz \ | tar xzC ${LIBPSL_BUILD_DIR} --strip-components=1 WORKDIR ${LIBPSL_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} @@ -262,8 +262,8 @@ RUN set -xe; \ | tar xzC ${CURL_BUILD_DIR} --strip-components=1 WORKDIR ${CURL_BUILD_DIR}/ RUN ./buildconf \ - && CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ + && CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure \ --prefix=${INSTALL_DIR} \ 
@@ -301,8 +301,8 @@ RUN set -xe; \ curl -Ls https://github.com/nih-at/libzip/releases/download/v${VERSION_ZIP}/libzip-${VERSION_ZIP}.tar.gz \ | tar xzC ${ZIP_BUILD_DIR} --strip-components=1 WORKDIR ${ZIP_BUILD_DIR}/bin/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ cmake .. \ -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ @@ -322,8 +322,8 @@ RUN set -xe; \ curl -Ls https://github.com/jedisct1/libsodium/archive/${VERSION_LIBSODIUM}-RELEASE.tar.gz \ | tar xzC ${LIBSODIUM_BUILD_DIR} --strip-components=1 WORKDIR ${LIBSODIUM_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./autogen.sh \ && ./configure --prefix=${INSTALL_DIR} @@ -344,8 +344,8 @@ RUN set -xe; \ curl -Ls https://github.com/postgres/postgres/archive/REL_${VERSION_POSTGRES//./_}.tar.gz \ | tar xzC ${POSTGRES_BUILD_DIR} --strip-components=1 WORKDIR ${POSTGRES_BUILD_DIR}/ -RUN CFLAGS="" \ - CPPFLAGS="-I${INSTALL_DIR}/include -I/usr/include" \ +RUN CFLAGS="-Os" \ + CPPFLAGS="-Os -I${INSTALL_DIR}/include -I/usr/include" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib" \ ./configure --prefix=${INSTALL_DIR} --with-openssl --without-icu --without-readline RUN cd ${POSTGRES_BUILD_DIR}/src/interfaces/libpq && make && make install @@ -370,7 +370,7 @@ RUN set -xe; \ curl -Ls https://github.com/kkos/oniguruma/releases/download/v${VERSION_ONIG}/onig-${VERSION_ONIG}.tar.gz \ | tar xzC ${ONIG_BUILD_DIR} --strip-components=1 WORKDIR ${ONIG_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install 
@@ -394,7 +394,7 @@ RUN set -xe; \ curl -Ls https://github.com/sqlite/sqlite/archive/refs/tags/version-${VERSION_SQLITE}.tar.gz \ | tar xzC ${SQLITE_BUILD_DIR} --strip-components=1 WORKDIR ${SQLITE_BUILD_DIR} -RUN ./configure --prefix=${INSTALL_DIR} +RUN CFLAGS="-Os" CPPFLAGS="-Os" ./configure --prefix=${INSTALL_DIR} RUN make && make install @@ -441,8 +441,8 @@ RUN curl --location --silent --show-error --fail https://www.php.net/get/php-${V # --enable-mbstring: because otherwise there's no way to get pecl to use it properly (see https://github.com/docker-library/php/issues/195) ARG PHP_COMPILATION_FLAGS RUN ./buildconf --force -RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ - CPPFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ +RUN CFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ + CPPFLAGS="-fstack-protector-strong -fpic -fpie -Os -I${INSTALL_DIR}/include -I/usr/include -ffunction-sections -fdata-sections" \ LDFLAGS="-L${INSTALL_DIR}/lib64 -L${INSTALL_DIR}/lib -Wl,-O1 -Wl,--strip-all -Wl,--hash-style=both -pie" \ ./configure \ --prefix=${INSTALL_DIR} \ @@ -463,14 +463,17 @@ RUN CFLAGS="-fstack-protector-strong -fpic -fpie -O3 -I${INSTALL_DIR}/include -I --enable-ftp \ --with-gettext \ --enable-mbstring \ - --with-pdo-mysql=shared,mysqlnd \ + --with-pdo-mysql=mysqlnd \ --with-mysqli \ --enable-pcntl \ --with-zip \ --enable-bcmath \ --with-pdo-pgsql=shared,${INSTALL_DIR} \ + # Separate .so extension so that it is not loaded by default --enable-intl=shared \ - --enable-soap \ + # Separate .so extension so that it is not loaded by default + --enable-soap=shared \ + # Separate .so extension so that it is not loaded by default --with-xsl=${INSTALL_DIR} \ --with-ffi \ # necessary for `pecl` to work (to install PHP extensions) 
@@ -527,6 +530,10 @@ RUN cp ${CA_BUNDLE} /bref-layer/bref/ssl/cert.pem # Copy the OpenSSL config RUN cp ${INSTALL_DIR}/bref/ssl/openssl.cnf /bref-layer/bref/ssl/openssl.cnf +# Run `strip` over all libraries and extensions to reduce their size +RUN find /bref-layer/bref/extensions -type f -exec strip --strip-all {} + +RUN find /bref-layer/lib -type f -exec strip --strip-all {} + + # ---------------------------------------------------------------------------- # Start from a clean image to copy only the files we need for the Lambda layer diff --git a/src/php.ini b/src/php.ini index 8b24ea7a..ae985507 100644 --- a/src/php.ini +++ b/src/php.ini @@ -52,5 +52,4 @@ upload_max_filesize=6M extension_dir=/opt/bref/extensions ; Extensions enabled by default -extension=pdo_mysql.so zend_extension=opcache.so From 4db493e45b2b2d4f4cd955a8b8c9bcdcd971ab61 Mon Sep 17 00:00:00 2001 From: Matthieu Napoli Date: Mon, 26 May 2025 15:06:51 +0200 Subject: [PATCH 2/2] Fix tests --- tests/test_2_extensions.php | 2 -- tests/test_3_manual_enabling_extensions.php | 1 + tests/test_3_manual_extensions.ini | 7 ++++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/test_2_extensions.php b/tests/test_2_extensions.php index 932f55ed..a3fbda12 100644 --- a/tests/test_2_extensions.php +++ b/tests/test_2_extensions.php @@ -34,7 +34,6 @@ 'session', 'SimpleXML', 'sodium', - 'soap', 'sockets', 'SPL', 'sqlite3', @@ -119,7 +118,6 @@ 'posix' => function_exists('posix_getpgid'), 'simplexml' => class_exists(\SimpleXMLElement::class), 'sodium' => defined('PASSWORD_ARGON2I'), - 'soap' => class_exists(\SoapClient::class), 'sockets' => function_exists('socket_connect'), 'spl' => class_exists(\SplQueue::class), 'sqlite3' => class_exists(\SQLite3::class), diff --git a/tests/test_3_manual_enabling_extensions.php b/tests/test_3_manual_enabling_extensions.php index 7a49d266..780f049c 100644 --- a/tests/test_3_manual_enabling_extensions.php +++ b/tests/test_3_manual_enabling_extensions.php 
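Review bot: `'soap'` is removed from both lists in tests/test_2_extensions.php (`@@ -34,7 +34,6 @@` and `@@ -119,7 +118,6 @@`), and from what is visible nothing then asserts that soap stays unloaded in the default configuration. Not loading it by default also shrinks the default-exposed surface, so it is worth pinning with a negative check such as `extension_loaded('soap') === false` in the default-config test. If the first list is already compared for exact equality against the loaded extensions (the comparison is outside the hunk), that check exists and only a short comment saying so is needed. Both arrays start and end outside the hunks.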
@@ -6,6 +6,7 @@ 'intl' => class_exists(\Collator::class), 'apcu' => function_exists('apcu_add'), 'pdo_pgsql' => extension_loaded('pdo_pgsql'), + 'soap' => class_exists(\SoapClient::class), ]; $extensionDir = ini_get('extension_dir'); diff --git a/tests/test_3_manual_extensions.ini b/tests/test_3_manual_extensions.ini index 3b322d90..2c935b26 100644 --- a/tests/test_3_manual_extensions.ini +++ b/tests/test_3_manual_extensions.ini @@ -1,3 +1,4 @@ -extension=intl.so -extension=apcu.so -extension=pdo_pgsql.so +extension=intl +extension=apcu +extension=pdo_pgsql +extension=soap