fix(docker): fix distroless build failure and upgrade to debian12

shendongming · shendongming · commit 1cd278f12f0e · 2025-11-27T11:34:06.000+08:00
## Problem Distroless Docker image build has been failing in CI/CD since v1.1.45 (4+ months ago). This prevented the distroless image from being published to Docker Hub. Error: `exec /bin/sh: no such file or directory` Root cause: Distroless base image does not contain shell, but Dockerfile used heredoc syntax which requires `/bin/sh` to execute. ## Solution 1. Create all symlinks in build stage (where shell is available) - ln -s /usr/local/bin/bun /usr/local/bin/bunx - ln -s /usr/local/bin/bun /usr/local/bun-node-fallback-bin/node 2. In distroless stage, only COPY symlinks (no RUN commands needed) - COPY --from=build /usr/local/bin/bunx - COPY --from=build /usr/local/bun-node-fallback-bin/ 3. Upgrade base image from debian11 to debian12 - Fixes security vulnerabilities (1 HIGH CVE → 0) - Uses gcr.io/distroless/base-debian12 ## Testing - Local build: ✅ Success (both amd64) - Verified symlinks: ✅ All working (bun, bunx, node) - Image size: ~20 MB (minimal as expected) ## Related Issues Closes oven-sh#20414 Closes oven-sh#16666 Related to oven-sh#22601, oven-sh#19788
diff --git a/dockerhub/distroless/Dockerfile b/dockerhub/distroless/Dockerfile
@@ -55,7 +55,12 @@ RUN apt-get update -qq \
     && which bun \
     && bun --version
 
-FROM gcr.io/distroless/base-nossl-debian11
+# Create symlinks in build stage (where shell is available)
+RUN ln -s /usr/local/bin/bun /usr/local/bin/bunx \
+    && mkdir -p /usr/local/bun-node-fallback-bin \
+    && ln -s /usr/local/bin/bun /usr/local/bun-node-fallback-bin/node
+
+FROM gcr.io/distroless/base-debian12
 
 # Disable the runtime transpiler cache by default inside Docker containers.
 # On ephemeral containers, the cache is not useful
@@ -67,18 +72,8 @@ ARG BUN_INSTALL_BIN=/usr/local/bin
 ENV BUN_INSTALL_BIN=${BUN_INSTALL_BIN}
 
 COPY --from=build /usr/local/bin/bun /usr/local/bin/
-ENV PATH "${PATH}:/usr/local/bun-node-fallback-bin"
-
-# Temporarily use the `build`-stage image binaries to create a symlink:
-RUN --mount=type=bind,from=build,source=/usr/bin,target=/usr/bin \
-    --mount=type=bind,from=build,source=/bin,target=/bin \
-    --mount=type=bind,from=build,source=/usr/lib,target=/usr/lib \
-    --mount=type=bind,from=build,source=/lib,target=/lib \
-    <<EOF
-  ln -s /usr/local/bin/bun /usr/local/bin/bunx
-  which bunx
-  mkdir -p /usr/local/bun-node-fallback-bin
-  ln -s /usr/local/bin/bun /usr/local/bun-node-fallback-bin/nodebun
-EOF
+COPY --from=build /usr/local/bin/bunx /usr/local/bin/
+COPY --from=build /usr/local/bun-node-fallback-bin /usr/local/bun-node-fallback-bin/
+ENV PATH="${PATH}:/usr/local/bun-node-fallback-bin"
 
 ENTRYPOINT ["/usr/local/bin/bun"]
