From 3e03d847df930ae5b34c0616553088d9bd8e2da6 Mon Sep 17 00:00:00 2001 From: chana Date: Wed, 27 May 2026 12:30:41 -0700 Subject: [PATCH 1/3] Explain why ca-certificates is required in the example Dockerfile The previous comment ("enables TLS/SSL for securely fetching dependencies") implied this is generic Docker hygiene. That framing is misleading: @livekit/rtc-node ships a native Rust core that reads the system trust store via rustls-tls-native-roots, not Node's bundled CA roots. node:22-slim doesn't ship /etc/ssl/certs/ca-certificates.crt, so without ca-certificates Room.connect() fails with the misleading "failed to retrieve region info" error. Rewrite the comment to name the cause so a developer trimming the image knows the line is load-bearing. No functional change. --- examples/src/Dockerfile-example | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/examples/src/Dockerfile-example b/examples/src/Dockerfile-example index de97e80a6..1c65a5edb 100644 --- a/examples/src/Dockerfile-example +++ b/examples/src/Dockerfile-example @@ -15,9 +15,12 @@ FROM node:${NODE_VERSION}-slim AS base ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" -# Install required system packages and pnpm, then clean up the apt cache for a smaller image -# ca-certificates: enables TLS/SSL for securely fetching dependencies and calling HTTPS services -# --no-install-recommends keeps the image minimal +# Install ca-certificates (required) and pnpm, then clean the apt cache for a smaller image. +# @livekit/rtc-node ships a native Rust core that reads the system trust store, not Node's +# bundled CA roots. Slim Debian images don't include /etc/ssl/certs/ca-certificates.crt by +# default, so without this package, calls into LiveKit Cloud fail with a misleading +# "failed to retrieve region info" error. +# --no-install-recommends keeps the image minimal. RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/* # Pin pnpm version for reproducible builds From 2489db2505719f8bfcdd7ff0e108cd03258a6daa Mon Sep 17 00:00:00 2001 From: chana Date: Thu, 28 May 2026 14:56:23 -0700 Subject: [PATCH 2/3] Tighten ca-certificates comment --- examples/src/Dockerfile-example | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/examples/src/Dockerfile-example b/examples/src/Dockerfile-example index 1c65a5edb..ac88bd8e1 100644 --- a/examples/src/Dockerfile-example +++ b/examples/src/Dockerfile-example @@ -15,12 +15,9 @@ FROM node:${NODE_VERSION}-slim AS base ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" -# Install ca-certificates (required) and pnpm, then clean the apt cache for a smaller image. -# @livekit/rtc-node ships a native Rust core that reads the system trust store, not Node's -# bundled CA roots. Slim Debian images don't include /etc/ssl/certs/ca-certificates.crt by -# default, so without this package, calls into LiveKit Cloud fail with a misleading -# "failed to retrieve region info" error. -# --no-install-recommends keeps the image minimal. +# Install ca-certificates and pnpm, then clean the apt cache. +# ca-certificates is required: the LiveKit SDK needs the system CA bundle at +# runtime, and node:22-slim doesn't ship one. RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/* # Pin pnpm version for reproducible builds From 89aaef6eb51becea120813f5f1873b244aa0d221 Mon Sep 17 00:00:00 2001 From: chana Date: Thu, 28 May 2026 15:07:51 -0700 Subject: [PATCH 3/3] Restore TLS context and --no-install-recommends note; drop version-specific image name --- examples/src/Dockerfile-example | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/examples/src/Dockerfile-example b/examples/src/Dockerfile-example index ac88bd8e1..747c90323 100644 --- a/examples/src/Dockerfile-example +++ b/examples/src/Dockerfile-example @@ -15,9 +15,10 @@ FROM node:${NODE_VERSION}-slim AS base ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" -# Install ca-certificates and pnpm, then clean the apt cache. -# ca-certificates is required: the LiveKit SDK needs the system CA bundle at -# runtime, and node:22-slim doesn't ship one. +# Install ca-certificates (the system CA bundle used for TLS), then clean +# the apt cache. Required by the LiveKit SDK: the native Rust core reads +# the system trust store at runtime, which the slim base image doesn't ship. +# --no-install-recommends keeps the image minimal. RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/* # Pin pnpm version for reproducible builds