From d286df950c216bc2450e0203cdf95119b015d278 Mon Sep 17 00:00:00 2001 From: chana Date: Wed, 27 May 2026 12:30:03 -0700 Subject: [PATCH 1/3] Explain why ca-certificates is required in the Node Dockerfile template The previous comment ("enables TLS/SSL for securely fetching dependencies") implied this is generic Docker hygiene that could be skipped to shave layers. That framing is misleading: @livekit/rtc-node ships a native Rust core that reads the system trust store via rustls-tls-native-roots, not Node's bundled CA roots. node:22-slim doesn't ship /etc/ssl/certs/ca-certificates.crt, so without ca-certificates Room.connect() fails with the misleading "failed to retrieve region info" error. Rewrite the in-template comment to name the cause so a developer trimming the image knows the line is load-bearing. No functional change. --- pkg/agentfs/examples/node.Dockerfile | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/pkg/agentfs/examples/node.Dockerfile b/pkg/agentfs/examples/node.Dockerfile index 652bca00..46a868ca 100644 --- a/pkg/agentfs/examples/node.Dockerfile +++ b/pkg/agentfs/examples/node.Dockerfile @@ -11,9 +11,12 @@ FROM node:${NODE_VERSION}-slim AS base ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" -# Install required system packages and pnpm, then clean up the apt cache for a smaller image -# ca-certificates: enables TLS/SSL for securely fetching dependencies and calling HTTPS services -# --no-install-recommends keeps the image minimal +# Install ca-certificates (required) and pnpm, then clean the apt cache for a smaller image. +# @livekit/rtc-node ships a native Rust core that reads the system trust store, not Node's +# bundled CA roots. Slim Debian images don't include /etc/ssl/certs/ca-certificates.crt by +# default, so without this package, calls into LiveKit Cloud fail with a misleading +# "failed to retrieve region info" error. +# --no-install-recommends keeps the image minimal. RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/* # Pin pnpm version for reproducible builds From 3a0b173d07981c405800865ac9916f4c6509249b Mon Sep 17 00:00:00 2001 From: chana Date: Thu, 28 May 2026 14:54:25 -0700 Subject: [PATCH 2/3] Tighten ca-certificates comment --- pkg/agentfs/examples/node.Dockerfile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/pkg/agentfs/examples/node.Dockerfile b/pkg/agentfs/examples/node.Dockerfile index 46a868ca..e08fc429 100644 --- a/pkg/agentfs/examples/node.Dockerfile +++ b/pkg/agentfs/examples/node.Dockerfile @@ -11,12 +11,9 @@ FROM node:${NODE_VERSION}-slim AS base ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" -# Install ca-certificates (required) and pnpm, then clean the apt cache for a smaller image. -# @livekit/rtc-node ships a native Rust core that reads the system trust store, not Node's -# bundled CA roots. Slim Debian images don't include /etc/ssl/certs/ca-certificates.crt by -# default, so without this package, calls into LiveKit Cloud fail with a misleading -# "failed to retrieve region info" error. -# --no-install-recommends keeps the image minimal. +# Install ca-certificates and pnpm, then clean the apt cache. +# ca-certificates is required: the LiveKit SDK needs the system CA bundle at +# runtime, and node:22-slim doesn't ship one. RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/* # Pin pnpm version for reproducible builds From 398a9bbd39bdd8b9eae7becde78402e6f3481724 Mon Sep 17 00:00:00 2001 From: chana Date: Thu, 28 May 2026 15:07:45 -0700 Subject: [PATCH 3/3] Restore TLS context and --no-install-recommends note; drop version-specific image name --- pkg/agentfs/examples/node.Dockerfile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/agentfs/examples/node.Dockerfile b/pkg/agentfs/examples/node.Dockerfile index e08fc429..645e8851 100644 --- a/pkg/agentfs/examples/node.Dockerfile +++ b/pkg/agentfs/examples/node.Dockerfile @@ -11,9 +11,10 @@ FROM node:${NODE_VERSION}-slim AS base ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" -# Install ca-certificates and pnpm, then clean the apt cache. -# ca-certificates is required: the LiveKit SDK needs the system CA bundle at -# runtime, and node:22-slim doesn't ship one. +# Install ca-certificates (the system CA bundle used for TLS), then clean +# the apt cache. Required by the LiveKit SDK: the native Rust core reads +# the system trust store at runtime, which the slim base image doesn't ship. +# --no-install-recommends keeps the image minimal. RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/* # Pin pnpm version for reproducible builds