Build distroless image for nodejs with minimal dependencies

Hi all,

I am trying to offer a Fedora/UBI/Alma alternative to the ongoing work on standard distroless containers for use in the public service, but I fail to build the container without many extra dependencies I do not need.

What I want to reproduce:

openCode / Shared Container Images / nodejs · GitLab (build with nix flakes and debian rpms)

Discussion:

I am trying to build one for Node.js first. Node.js depends on ca-certificates, and ca-certificates depends on bash, grep, sed, coreutils and findutils. How can I install Node.js with dnf or microdnf without pulling in ca-certificates? I'd rather just copy the CA files from the base container.

```console
$ dnf repoquery --requires nodejs
Last metadata expiration check: 0:06:30 ago on Sat Oct 25 12:34:41 2025.
ca-certificates
libc.so.6(GLIBC_2.34)(64bit)
libnode.so.127()(64bit)
libuv >= 1:1.49.2
libuv >= 1:1.51.0
nodejs-libs(x86-64) = 1:22.15.0-1.el10_0
nodejs-libs(x86-64) = 1:22.16.0-1.el10_0
nodejs-libs(x86-64) = 1:22.19.0-2.el10_0
openssl >= 1:1.1.1
rtld(GNU_HASH)
$ dnf repoquery --requires ca-certificates
Last metadata expiration check: 0:06:47 ago on Sat Oct 25 12:34:41 2025.
/bin/sh
/usr/bin/sh
bash
coreutils
findutils
grep
p11-kit-trust >= 0.24
sed
```

With all of these dependencies, the distroless image gets quite big and I also want to avoid bash/grep/sed/findutils for security reasons.

That's my current multi-stage Containerfile:

```dockerfile
# kate: hl Containerfile;

ARG ROOTFS="/mnt/rootfs"
ARG DNF="microdnf"
FROM quay.io/almalinuxorg/10-minimal:10.0-20250909@sha256:f430e3c8e1078c519de768fa41bbccfe2b673bacc2f10d7193b11c71267bcecb AS base
# ARG DNF="dnf"
# FROM quay.io/almalinuxorg/10-base:10.0-20250909 AS base # comes with dnf

# ARGs declared before FROM are not visible inside a stage; redeclare them.
ARG ROOTFS
ARG DNF
ARG NODEJS_VERSION="22"
# --setopt=keepcache=1
ARG MICRODNF_OPTS="--installroot=${ROOTFS} --releasever=10 --noplugins --config=/etc/dnf/dnf.conf --setopt=install_weak_deps=0 --setopt=cachedir=/var/cache/$DNF --setopt=reposdir=/etc/yum.repos.d --setopt=varsdir=/etc/dnf"

USER root

# $DNF -y module disable nodejs && \
# $DNF -y module enable nodejs:$NODEJS_VERSION && \
# ca-certificates requires: bash coreutils findutils grep libffi
# printf "excludepkgs=ca-certificates\n" >> /etc/dnf/dnf.conf && \
# printf "install_weak_deps=False\n" >> /etc/dnf/dnf.conf && \

# Create the install root before populating the metadata cache into it.
RUN \
  mkdir -p ${ROOTFS} && \
  $DNF ${MICRODNF_OPTS} makecache

# "install" is a subcommand, not an option. excludepkgs only hides
# ca-certificates from the solver; it does not drop the hard Requires that
# nodejs has on it, which is the problem discussed below.
RUN \
  $DNF ${MICRODNF_OPTS} -y --nodocs --setopt=excludepkgs=ca-certificates install nodejs${NODEJS_VERSION} && \
  $DNF ${MICRODNF_OPTS} clean all

FROM quay.io/almalinuxorg/10-micro:10.0-20250909@sha256:6e400562cf42a7d27a29e3e4eb34a824045127206ef3d9ca0141def81935ce11

ARG ROOTFS

# Copy the populated install root over the micro image's filesystem.
COPY --from=base ${ROOTFS} /
```

Answer from @ngompa in the Matrix chat of the Cloud SIG:

yeah, we intentionally do not offer that feature, it’s a bad misfeature

I know there have been many regrets for offering that capability in Zypper

it has resulted in people breaking their system upgrades from time to time because nobody knows what they’re doing when they break things like that

The proper way forward seems to be to make some dependencies of nodejs or ca-certificates weak dependencies that can be omitted.

Another option could be to build a custom ca-certificates rpm without any dependencies.

@patches @sgallagh , do you know why ca-certificates is not a weak dependency to nodejs?

I created an issue in the RH bugzilla:

Node.js depends on the ca-certificates package because that package provides all the root certificates for Fedora. Without it, Node cannot provide any TLS functionality at all.

I moved the ticket you filed over to ca-certificates, because the real issue there is that the ca-certificates package pulls in a lot of dependencies. It’s possible that they may be able to trim some of those down.

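The option raised in the post of building a custom ca-certificates rpm without any dependencies, sketched as an RPM spec. This is an added example for this page, not code from the thread, from Fedora or from AlmaLinux; the package name `ca-certificates-static`, its version, and the step that copies `tls-ca-bundle.pem` out of the base image before `rpmbuild` runs are assumptions. It relies on the stock layout in which OpenSSL's default trust file `/etc/pki/tls/cert.pem` and `/etc/pki/tls/certs/ca-bundle.crt` are symlinks to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, and on nodejs in Fedora/EL being linked against the system OpenSSL and reading that default store.

```spec
# ca-certificates-static.spec (hypothetical, added example)
# Ships only the pre-extracted PEM trust bundle and the two symlinks OpenSSL
# looks at. No update-ca-trust, no p11-kit, no scriptlets, so nothing in this
# package pulls in bash, coreutils, findutils, grep or sed.
Name:           ca-certificates-static
Version:        2025.2.80
Release:        1%{?dist}
Summary:        Pre-extracted CA trust bundle without the update-ca-trust tooling
License:        MIT
BuildArch:      noarch

# Assumption: copied out of the base image before rpmbuild runs, e.g.
#   cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ~/rpmbuild/SOURCES/
Source0:        tls-ca-bundle.pem

# Satisfies "Requires: ca-certificates" in nodejs. Pair this with
# --setopt=excludepkgs=ca-certificates so the solver never sees the real one;
# the file paths below would conflict with it anyway.
Provides:       ca-certificates = %{version}-%{release}

%description
Static CA trust bundle for distroless images. The bundle is not regenerated
on the target: rebuild this package whenever the base image is refreshed.

%install
install -D -p -m 0644 %{SOURCE0} \
    %{buildroot}%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/tls/certs
# Relative symlinks, like the stock package, so they survive --installroot.
ln -s ../ca-trust/extracted/pem/tls-ca-bundle.pem \
    %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
ln -s ../../ca-trust/extracted/pem/tls-ca-bundle.pem \
    %{buildroot}%{_sysconfdir}/pki/tls/certs/ca-bundle.crt

%files
%dir %{_sysconfdir}/pki/ca-trust
%dir %{_sysconfdir}/pki/ca-trust/extracted
%dir %{_sysconfdir}/pki/ca-trust/extracted/pem
%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%{_sysconfdir}/pki/tls/cert.pem
%{_sysconfdir}/pki/tls/certs/ca-bundle.crt

%changelog
* Sat Oct 25 2025 Example Builder <builder@example.invalid> - 2025.2.80-1
- Initial dependency-free bundle package (added example)
```

Build it with `rpmbuild -bb ca-certificates-static.spec` in the build stage, drop the result into a local repository that the `--installroot` run can see, and keep `--setopt=excludepkgs=ca-certificates` so the stand-in is the only provider. Before using it, check `rpm -qp --requires` on the built package: it should list nothing but `rpmlib(...)` capabilities, which is the whole point. Caveats: only the PEM bundle is shipped, so anything that reads the other extracted formats under `/etc/pki/ca-trust/extracted/` (the OpenSSL directory layout, the Java keystore, the EDK2 bundle) will not find them; Node itself only needs the PEM file. And because nothing regenerates the bundle inside the image, the package has to be rebuilt on every base image refresh to pick up CA additions and removals.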