mirror of
https://github.com/spritsail/plex-media-server.git
synced 2025-05-05 06:22:29 +00:00
Joe Groocock
32734c3aa0
Plex now provide a first-party musl Plex build that works without any external dependencies whatsoever. It's built with LLVM with many compiler and linker optimisations enabled: https://forums.plex.tv/t/plex-media-server-forum-preview-faster-and-smaller-builds-with-new-toolchain/699575 Changes for this release include: - Drop curl, OpenSSL and zlib; they're no longer required. libcurl and libssl/libcrypto are provided by Plex anyway. - Build `FROM spritsail/alpine` instead of `FROM debian` to ensure musl compatibility with all compiled binaries. Use `FROM scratch` for the resulting image. ld-musl is provided by Plex. - Build busybox, su-exec and tini as they're no longer provided by the base image. - Build binaries/libraries with standard hardening flags, including the popular -flto. Signed-off-by: Joe Groocock <me@frebib.net>
207 lines
5.9 KiB
Docker
207 lines
5.9 KiB
Docker
ARG PLEX_VER=1.22.2.4180-2f337bbd5
|
|
ARG PLEX_SHA=23b53f67e65a4310cb12f3dd6566de5c3224104f
|
|
ARG XMLSTAR_VER=1.6.1
|
|
ARG BUSYBOX_VER=1.33.0
|
|
ARG SU_EXEC_VER=0.4
|
|
ARG TINI_VER=0.19.0
|
|
|
|
FROM spritsail/alpine:3.13 AS builder
|
|
|
|
ARG PLEX_VER
|
|
ARG PLEX_SHA
|
|
ARG LIBXML2_VER=v2.9.10
|
|
ARG LIBXSLT_VER=v1.1.34
|
|
ARG XMLSTAR_VER
|
|
ARG BUSYBOX_VER
|
|
ARG SU_EXEC_VER
|
|
ARG TINI_VER
|
|
ARG MAKEFLAGS
|
|
|
|
ARG PREFIX=/prefix
|
|
|
|
WORKDIR /plex
|
|
|
|
ENV CFLAGS="-O2 -pipe -fstack-protector-strong -D_FORTIFY_SOURCE=2 -flto" \
|
|
CXXFLAGS="${CFLAGS}" \
|
|
LDFLAGS="${CFLAGS} -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
|
|
|
|
RUN apk add --no-cache \
|
|
autoconf \
|
|
automake \
|
|
binutils \
|
|
cmake \
|
|
curl \
|
|
dpkg \
|
|
file \
|
|
gcc \
|
|
git \
|
|
libtool \
|
|
linux-headers \
|
|
make \
|
|
musl-dev \
|
|
pkgconfig \
|
|
xxd
|
|
|
|
# Fetch Plex and required libraries
|
|
RUN curl -fsSL -o plexmediaserver.deb https://artifacts.plex.tv/testing/pms/${PLEX_VER}/debian/plexmediaserver_${PLEX_VER}_amd64.deb \
|
|
&& echo "$PLEX_SHA plexmediaserver.deb" | sha1sum -c - \
|
|
&& dpkg-deb -x plexmediaserver.deb . \
|
|
\
|
|
&& rm -r \
|
|
etc/ usr/share/ \
|
|
plexmediaserver.deb \
|
|
\
|
|
&& cd usr/lib/plexmediaserver \
|
|
&& rm \
|
|
lib/libxml2.so* \
|
|
lib/libxslt.so* \
|
|
lib/libexslt.so* \
|
|
lib/plexmediaserver.* \
|
|
Resources/start.sh \
|
|
\
|
|
# Place shared libraries in usr/lib so they can be actually shared
|
|
&& mv lib/*.so* lib/dri ../ \
|
|
&& rmdir lib \
|
|
&& ln -sv ../ lib
|
|
|
|
WORKDIR /tmp/busybox
|
|
|
|
# Download and build busybox
|
|
RUN curl -fsSL https://busybox.net/downloads/busybox-${BUSYBOX_VER}.tar.bz2 \
|
|
| tar xj --strip-components=1 \
|
|
&& make defconfig \
|
|
&& make \
|
|
&& install -Dm755 busybox "${PREFIX}/bin/busybox" \
|
|
# "Install" busybox, creating symlinks to all binaries it provides
|
|
&& mkdir -p "${PREFIX}/bin" "${PREFIX}/sbin" "${PREFIX}/usr/bin" "${PREFIX}/usr/sbin" \
|
|
&& ./busybox --list-full | xargs -i ln -Tsv /bin/busybox "${PREFIX}/{}"
|
|
|
|
WORKDIR /tmp/su-exec
|
|
|
|
# Download and build su-exec
|
|
RUN curl -fL https://github.com/frebib/su-exec/archive/v${SU_EXEC_VER}.tar.gz \
|
|
| tar xz --strip-components=1 \
|
|
&& make \
|
|
&& install -Dm755 su-exec "${PREFIX}/sbin/su-exec"
|
|
|
|
WORKDIR /tmp/tini
|
|
|
|
# Download and build tini
|
|
RUN curl -fL https://github.com/krallin/tini/archive/v${TINI_VER}.tar.gz \
|
|
| tar xz --strip-components=1 \
|
|
&& cmake . \
|
|
&& make tini \
|
|
&& install -Dm755 tini "${PREFIX}/sbin/tini"
|
|
|
|
# Download and build libxml2
|
|
WORKDIR /tmp/libxml2
|
|
RUN git clone https://gitlab.gnome.org/GNOME/libxml2.git --branch $LIBXML2_VER --depth 1 . \
|
|
&& ./autogen.sh \
|
|
--prefix=/usr \
|
|
--without-catalog \
|
|
--without-docbook \
|
|
--without-ftp \
|
|
--without-http \
|
|
--without-iconv \
|
|
--without-iso8859x \
|
|
--without-legacy \
|
|
--without-modules \
|
|
--without-python \
|
|
&& make DESTDIR=$PREFIX install
|
|
|
|
# Download and build libxslt
|
|
WORKDIR /tmp/libxslt
|
|
RUN git clone https://gitlab.gnome.org/GNOME/libxslt.git --branch $LIBXSLT_VER --depth 1 . \
|
|
&& ./autogen.sh \
|
|
--prefix=/usr \
|
|
--with-libxml-src="../libxml2" \
|
|
--without-crypto \
|
|
--without-plugins \
|
|
--without-python \
|
|
&& make DESTDIR=$PREFIX install
|
|
|
|
# Download and build xmlstarlet
|
|
ADD xmlstarlet-*.patch /tmp
|
|
WORKDIR /tmp/xmlstarlet
|
|
RUN git clone git://git.code.sf.net/p/xmlstar/code --branch $XMLSTAR_VER --depth 1 . \
|
|
&& git apply /tmp/xmlstarlet*.patch \
|
|
&& autoreconf -sif \
|
|
&& ./configure \
|
|
--prefix=/usr \
|
|
--disable-build-docs \
|
|
--with-libxml-prefix=$PREFIX/usr \
|
|
--with-libxslt-prefix=$PREFIX/usr \
|
|
&& make DESTDIR=$PREFIX install
|
|
|
|
WORKDIR $PREFIX
|
|
|
|
RUN mkdir -p \
|
|
/output/usr/lib \
|
|
/output/usr/bin \
|
|
/output/usr/sbin \
|
|
/output/etc/ssl/certs \
|
|
&& install -m 1777 -o root -g root -d /output/tmp \
|
|
&& ln -s /usr/lib /usr/bin /usr/sbin /output/ \
|
|
# Link Plex ca-certificates as system store so curl and others can use them too
|
|
&& ln -sv /usr/lib/plexmediaserver/Resources/cacert.pem /output/etc/ssl/certs/ca-certificates.crt \
|
|
# Move binaries and libraries into their final locations
|
|
&& mv usr/lib/*.so* \
|
|
/plex/usr/lib/* \
|
|
/output/usr/lib \
|
|
&& mv usr/bin/xml /output/usr/bin/xmlstarlet \
|
|
&& mv bin/* usr/bin/* /output/usr/bin \
|
|
&& mv sbin/* usr/sbin/* /output/usr/sbin \
|
|
# Strip all unneeded symbols for optimum size
|
|
&& find /output -type f -exec sh -c 'file "{}" | grep -q ELF && strip --strip-debug "{}"' \;
|
|
|
|
ADD --chmod=755 \
|
|
entrypoint \
|
|
claim-server.sh \
|
|
gen-config.sh \
|
|
plex-util.sh \
|
|
/output/usr/bin/
|
|
|
|
#=========================
|
|
|
|
FROM scratch
|
|
|
|
ARG PLEX_VER
|
|
ARG XMLSTAR_VER
|
|
ARG BUSYBOX_VER
|
|
ARG SU_EXEC_VER
|
|
ARG TINI_VER
|
|
|
|
LABEL maintainer="Spritsail <plex@spritsail.io>" \
|
|
org.label-schema.vendor="Spritsail" \
|
|
org.label-schema.name="Plex Media Server" \
|
|
org.label-schema.url="https://www.plex.tv/downloads/" \
|
|
org.label-schema.description="Tiny Docker image for Plex Media Server, built on busybox" \
|
|
org.label-schema.version=${PLEX_VER} \
|
|
io.spritsail.version.plex=${PLEX_VER} \
|
|
io.spritsail.version.busybox=${BUSYBOX_VER} \
|
|
io.spritsail.version.xmlstarlet=${XMLSTAR_VER}
|
|
|
|
WORKDIR /usr/lib/plexmediaserver
|
|
|
|
COPY --from=builder /output/ /
|
|
|
|
ENV SUID=900 SGID=900 \
|
|
PLEX_MEDIA_SERVER_MAX_PLUGIN_PROCS="6" \
|
|
PLEX_MEDIA_SERVER_MAX_STACK_SIZE="3000" \
|
|
PLEX_MEDIA_SERVER_TMPDIR="/tmp" \
|
|
PLEX_MEDIA_SERVER_HOME="/usr/lib/plexmediaserver" \
|
|
PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR="/var/lib/plexmediaserver"
|
|
|
|
HEALTHCHECK --interval=10s --timeout=5s \
|
|
CMD [ "wget", "-O", "/dev/null", "-T", "10", "-q", "localhost:32400/identity" ]
|
|
|
|
EXPOSE 32400
|
|
|
|
VOLUME ["/config", "/transcode"]
|
|
|
|
RUN mkdir -p "$PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR" \
|
|
&& ln -sfv /config "$PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR/Plex Media Server"
|
|
|
|
ENTRYPOINT ["/sbin/tini", "--"]
|
|
CMD ["/usr/bin/entrypoint"]
|