From 1a5a1c30d36d80655bf5cd868934a8cbc12b0ba9 Mon Sep 17 00:00:00 2001 From: Michael Zampani Date: Fri, 29 May 2026 13:13:32 -0700 Subject: [PATCH] build: compress linux binary with UPX in builder-linux stage Adds UPX compression to the production Docker build, reducing the binary from ~110 MB to ~28.7 MB (73.8% reduction). Uses default compression level (7) rather than --best, which takes 9+ minutes on this binary size with negligible additional compression gain. UPX is installed in builder-base alongside clang and zig (all host-arch build tools), so it is cached once in the base layer and inherited by builder-linux without a per-variant network fetch. Compression runs in its own RUN step after the Go build layer so the two are cached independently. upx -t validates the packed binary integrity before the image is finalized. Operational tradeoffs (accepted): - Runtime RSS is ~110 MB regardless of the 28.7 MB on-disk size - ~300-800 ms startup decompression on cold invocations - UPX-packed binaries may trigger AV/EDR heuristics in some environments Co-Authored-By: Claude Sonnet 4.6 (1M context) --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 47b1ebc5e..c1eefee16 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ FROM crazymax/osxcross:15.5-debian AS osxcross FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS builder-base COPY --from=xx / / -RUN apk add --no-cache clang zig +RUN apk add --no-cache clang zig upx WORKDIR /src RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=bind,source=go.mod,target=go.mod \ @@ -37,6 +37,8 @@ RUN --mount=type=cache,target=/root/.cache/go-build,id=go-build-$TARGETPLATFORM xx-go build -trimpath -tags no_audio -ldflags "-s -w -linkmode=external -X 'github.com/docker/docker-agent/pkg/version.Version=$GIT_TAG' -X 'github.com/docker/docker-agent/pkg/version.Commit=$GIT_COMMIT'" -o /binaries/docker-agent-$TARGETOS-$TARGETARCH . xx-verify --static /binaries/docker-agent-$TARGETOS-$TARGETARCH EOT +RUN upx /binaries/docker-agent-$TARGETOS-$TARGETARCH && \ + upx -t /binaries/docker-agent-$TARGETOS-$TARGETARCH FROM builder-base AS builder-cross ARG TARGETPLATFORM