From 4d323a62d2664670a114041da06491bd8eccdcd5 Mon Sep 17 00:00:00 2001
From: chana
Date: Wed, 27 May 2026 12:30:21 -0700
Subject: [PATCH 1/3] Explain why ca-certificates is required in the Dockerfile

The previous comment ("enables TLS/SSL for securely fetching dependencies") implied this is generic Docker hygiene. That framing is misleading: @livekit/rtc-node ships a native Rust core that reads the system trust store via rustls-tls-native-roots, not Node's bundled CA roots. node:22-slim doesn't ship /etc/ssl/certs/ca-certificates.crt, so without ca-certificates Room.connect() fails with the misleading "failed to retrieve region info" error. Rewrite the comment to name the cause so a developer trimming the image knows the line is load-bearing. No functional change.
---
 Dockerfile | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5a49514..1474f80 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,9 +10,12 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 ENV HOME="/app"
 
-# Install required system packages and pnpm, then clean up the apt cache for a smaller image
-# ca-certificates: enables TLS/SSL for securely fetching dependencies and calling HTTPS services
-# --no-install-recommends keeps the image minimal
+# Install ca-certificates (required) and pnpm, then clean the apt cache for a smaller image.
+# @livekit/rtc-node ships a native Rust core that reads the system trust store, not Node's
+# bundled CA roots. Slim Debian images don't include /etc/ssl/certs/ca-certificates.crt by
+# default, so without this package, calls into LiveKit Cloud fail with a misleading
+# "failed to retrieve region info" error.
+# --no-install-recommends keeps the image minimal.
 RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/*
 
 # Pin pnpm version for reproducible builds

From 3da024eef7240e6548508a4f1a30f69b1c766bb0 Mon Sep 17 00:00:00 2001
From: chana
Date: Thu, 28 May 2026 14:56:18 -0700
Subject: [PATCH 2/3] Tighten ca-certificates comment

---
 Dockerfile | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1474f80..ff37b72 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,12 +10,9 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 ENV HOME="/app"
 
-# Install ca-certificates (required) and pnpm, then clean the apt cache for a smaller image.
-# @livekit/rtc-node ships a native Rust core that reads the system trust store, not Node's
-# bundled CA roots. Slim Debian images don't include /etc/ssl/certs/ca-certificates.crt by
-# default, so without this package, calls into LiveKit Cloud fail with a misleading
-# "failed to retrieve region info" error.
-# --no-install-recommends keeps the image minimal.
+# Install ca-certificates and pnpm, then clean the apt cache.
+# ca-certificates is required: the LiveKit SDK needs the system CA bundle at
+# runtime, and node:22-slim doesn't ship one.
 RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/*
 
 # Pin pnpm version for reproducible builds

From 11deef10ce67534e34d8017bdca4d3ede956b79d Mon Sep 17 00:00:00 2001
From: chana
Date: Thu, 28 May 2026 15:07:48 -0700
Subject: [PATCH 3/3] Restore TLS context and --no-install-recommends note; drop version-specific image name

---
 Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ff37b72..b92bd2e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,9 +10,10 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 ENV HOME="/app"
 
-# Install ca-certificates and pnpm, then clean the apt cache.
-# ca-certificates is required: the LiveKit SDK needs the system CA bundle at
-# runtime, and node:22-slim doesn't ship one.
+# Install ca-certificates (the system CA bundle used for TLS), then clean
+# the apt cache. Required by the LiveKit SDK: the native Rust core reads
+# the system trust store at runtime, which the slim base image doesn't ship.
+# --no-install-recommends keeps the image minimal.
 RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/*
 
 # Pin pnpm version for reproducible builds
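Review bot: The comment that ends up above the `RUN apt-get … ca-certificates` line no longer records the symptom: per the 1/3 message, a missing bundle makes `Room.connect()` fail with "failed to retrieve region info", and 2/3 removed that string without 3/3 restoring it. Because that error does not read as a certificate failure, I would keep one searchable line, `# If missing, Room.connect() fails with "failed to retrieve region info".`, so the failure is traced back to the trust store instead of being debugged as a network problem. Since this bundle is the trust anchor for the native core's TLS, a second line such as `# CA set is fixed when this layer is built; rebuild without cache to pick up CA removals.` would also help. The package install on the unchanged RUN line is unpinned, so which bundle version lands depends on when the layer was last built.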