Multi-arch docker image with ffmpeg/ffprobe binaries built as hardened static PIE binaries
1M+
Docker image with ffmpeg and ffprobe built as hardened static PIE binaries with no external dependencies that can be used with any base image.
See Dockerfile for versions used. In general, master should have the latest stable version of ffmpeg and below libraries. Versions are kept up to date automatically using bump.
Use mwader/static-ffmpeg from Docker Hub or build the image yourself.
In Dockerfile
COPY --from=mwader/static-ffmpeg:8.1 /ffmpeg /usr/local/bin/
COPY --from=mwader/static-ffmpeg:8.1 /ffprobe /usr/local/bin/
Run directly
docker run -i --rm -u $UID:$GROUPS -v "$PWD:$PWD" -w "$PWD" mwader/static-ffmpeg:8.1 -i file.wav file.mp3
docker run -i --rm -u $UID:$GROUPS -v "$PWD:$PWD" -w "$PWD" --entrypoint=/ffprobe mwader/static-ffmpeg:8.1 -i file.wav
As shell alias
alias ffmpeg='docker run -i --rm -u $UID:$GROUPS -v "$PWD:$PWD" -w "$PWD" mwader/static-ffmpeg:8.1'
alias ffprobe='docker run -i --rm -u $UID:$GROUPS -v "$PWD:$PWD" -w "$PWD" --entrypoint=/ffprobe mwader/static-ffmpeg:8.1'
/ffmpeg ffmpeg binary/ffprobe ffprobe binary/doc Documentation/versions.json JSON file with build versions of ffmpeg and libraries./etc/ssl/cert.pem CA certs to make -tls_verify 1 -ca_file /etc/ssl/cert.pem work if running image directly/etc/fonts/usr/share/fonts/usr/share/consolefonts/var/cache/fontconfiglatest Latest master build.
MAJOR.MINOR.PATCH[-BUILD] Specific version of FFmpeg with the features that was in master at the time of tagging.
-BUILD means that was an additional build with that version to add of fix something.
Binaries are built with various hardening features but it's still a good idea to run them as non-root even when used inside a container, especially so if running on input files that you don't control.
Due to license issues the docker image does not include libfdk-aac by default. A docker image including libfdk-aac can be built by passing a non empty value to the build-arg ENABLE_FDKAAC, example below.
docker build --build-arg ENABLE_FDKAAC=1 . -t my-ffmpeg-static:latest
The image ships with some basic fonts (font-terminus font-inconsolata font-dejavu font-awesome) that can be used when running the image directly. If your copying the binaries into some image you have to install fonts somehow. How to do this depends a bit on distributions but in general look for font packages and how to make fontconfig know about them.
Let's say you're building a docker image for your application that requires the ffmpeg and ffprobe binaries, and want to have a dedicated directory for storing fonts, e.g. /app/fonts. In order to achieve this, let's take a look at the following steps.
50-custom.conf will be added to the /etc/fonts/conf.d directory, containing an additional /app/fonts directory for Fontconfig to use.COPY <<EOF /etc/fonts/conf.d/50-custom.conf
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
<fontconfig>
<dir>/app/fonts</dir>
</fontconfig>
EOF
Tip
Check the [Fontconfig User Documentation](https://fontconfig.pages.freedesktop.org/fontconfig/fontconfig-user.html) for examples and available options for your custom fontconfig file.
ffmpeg (and ffprobe) binaries.COPY --from=mwader/static-ffmpeg:8.1 /ffmpeg /usr/bin/
COPY --from=mwader/static-ffmpeg:8.1 /ffprobe /usr/bin/
/app/fonts directory exist in your image.WORKDIR /app
RUN <<EOT bash
set -ex
mkdir -p ./fonts
EOT
If you followed the steps above, your image should look something like this.
FROM python:3.11-slim-bookworm AS base
COPY <<EOF /etc/fonts/conf.d/50-custom.conf
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
<fontconfig>
<dir>/app/fonts</dir>
</fontconfig>
EOF
FROM base as ffmpeg
COPY --from=mwader/static-ffmpeg:8.1 /ffmpeg /usr/bin/
COPY --from=mwader/static-ffmpeg:8.1 /ffprobe /usr/bin/
FROM ffmpeg AS app
WORKDIR /app
RUN <<EOT bash
set -ex
mkdir -p ./fonts
EOT
You can now build the image and run a container that has volume mounted to /app/fonts.
docker build -t ffmpeg-fonts-image .
docker run -i --rm \
-u "$UID:$GROUPS" \
-v "$PWD:$PWD" \
-v "$PWD/fonts:/app/fonts" \
-v "$PWD/cache:/var/cache/fontconfig" \
-w "$PWD" \
ffmpeg-fonts-image \
ffmpeg -v debug -y -f lavfi -i 'color=white,drawtext=text=Test:fontfile=Arial' -t 1s /app/output.mp4
Inspecting the log, you will find that the font is located in /app/fonts.
Opening an input file: color=white,drawtext=text=Test:fontfile=Arial.
[AVFilterGraph @ 0x7fb481827800] Setting 'color' to value 'white'
[AVFilterGraph @ 0x7fb481827800] Setting 'text' to value 'Test'
[AVFilterGraph @ 0x7fb481827800] Setting 'fontfile' to value 'Arial'
[Parsed_drawtext_1 @ 0x7fb481827cc0] Using "/app/fonts/arial.ttf"
Note
The volume mount for `/var/cache/fontconfig` is optional. If you run the container as a non-root user, just make sure the cache directory exists on host before mounting, else it will still show the debug message `Fontconfig error: No writable cache directories`. This error does *not* further impact Fontconfig in locating the appropriate fonts.
Binaries are built with TLS support but, by default, ffmpeg currently do
not do certificate verification. To enable verification you need to run
ffmpeg with -tls_verify 1 and -ca_file /path/to/cert.pem.
/etc/ssl/cert.pemca-certificates package at it will be available at /etc/ssl/certs/ca-certificates.crt.Since version 5.0.1-3 dockerhub images are multi-arch amd64 and arm64 images.
This will copy ffmpeg and ffprobe to the current directory:
docker run --rm -v "$PWD:/out" $(echo -e 'FROM alpine\nCOPY --from=mwader/static-ffmpeg:7.1 /ff* /\nENTRYPOINT cp /ff* /out' | docker build -q -)
docker run --rm mwader/static-ffmpeg -v quiet -f data -i versions.json -map 0 -c copy -f data -
Name does not resolve errors for hosts that should resolveThis could happen if the hostname resolve to more IP-addresses than can fit in DNS UDP packet (probably 512 bytes) causing the response to be truncated. Usually clients should then switch to TCP and redo the query. This should only be a problem with version 6.0-1 or earlier of this image that uses musl libc 1.2.3 or older.
[tls @ 0x7f80c8ec3800] error:030000A9:digital envelope routines::unknown option errorsThis could be because the statically linked openssl version in the static-ffmpeg binaries are not compatible with the (possibly distro modified openssl) configuration files found in the filesystem. The error is about openssl encountering an option that it does not know about.
Possible workarounds:
config_diagnostics = 0 to the openssl config to ignore unknown options with the risk of ignoring real problems.-reconnect_on_network_error true to ignore the error but will still warn.See these references for further discussion and workarounds:
Feel free to create issues or PRs if you have any improvements or encounter any problems. Please also consider making a donation to the FFmpeg project or to other projects used by this image if you find it useful.
Please also be mindful of the license limitations used by libraries this project uses and your own usage and potential distribution of such.
Content type
Image
Digest
sha256:0095c673b…
Size
117.5 MB
Last updated
13 days ago
Requires Docker Desktop 4.37.1 or later.