Minimal download-and-execute binary for Linux.
Built by 🚜 Query.Farm
Downloads a binary via HTTPS and exec's it using memfd — no filesystem writes needed. Designed for FROM scratch containers with zero runtime dependencies.
The goal is the smallest possible self-contained binary with HTTPS support. Go and Rust were both evaluated:
- Go — ~4.5 MB stripped. The Go 1.24+ runtime includes a mandatory FIPS 140-3 module (~1.5 MB) that cannot be removed, and the HTTP/TLS stdlib sets a high floor.
- Rust — ~1.2 MB stripped with `rustls` + LTO + `opt-level = "z"`. Better, but still large.
- Zig — ~460 KB stripped, ~220 KB with UPX. Zig's stdlib includes TLS and HTTP without external dependencies, and the binary targets `linux-none` (freestanding, no libc).
Key features:
- Zero dependencies — statically linked, no libc, runs in `FROM scratch` containers
- Built-in DNS resolver — raw UDP queries with retry and exponential backoff, supports IPv4 and IPv6 DNS servers (e.g. Fly.io's `fdaa::3`)
- Embedded CA certificates — full Mozilla CA bundle, downloaded at build time
- TLS via Zig stdlib — no OpenSSL dependency
- memfd exec — writes downloaded binary to memfd, exec's from `/proc/self/fd/N`
- Small binary — ~460 KB stripped, ~220 KB with UPX compression
| Variable | Required | Default | Description |
|---|---|---|---|
| `VGI_INJECTOR_URL` | Yes | — | HTTPS URL of the binary to download and execute |
| `VGI_INJECTOR_DNS` | No | `1.1.1.1` | DNS server address (IPv4 or IPv6) |
Requires Zig 0.15.x. Cross-compiles to Linux from any platform.
```bash
# Download/update CA bundle (required before first build)
./update-ca-bundle.sh
# Build for amd64 (default)
zig build
# Build for arm64
zig build -Darch=aarch64
# Build with version string
zig build -Dversion=v1.0.0
# Output: zig-out/bin/vgi-injector
```

Optionally compress with UPX (amd64 only):

```bash
cp zig-out/bin/vgi-injector injector-upx
upx --best injector-upx
```

The binary is injected into a `FROM scratch` container via Fly's `[[files]]` config:

```bash
fly deploy
```

See fly.toml for the deployment configuration.
GitHub Actions builds on push to main, PRs, and version tags. Matrix builds for amd64 and arm64.
- Push to main / PR — build and upload artifacts
- Push to main — also publish to Cloudflare R2
- Tag `v*` — publish to R2 and create GitHub Release
To create a release:
```bash
git tag v1.0.0
git push origin v1.0.0
```

Binaries are available at https://vgi-injector.query-farm.services/.
The Mozilla CA certificate bundle is not checked into source control. It is downloaded automatically:
- Locally: Run `./update-ca-bundle.sh` before building. The script downloads the bundle if missing or older than 7 days.
- CI: The workflow runs the script before each build, ensuring a fresh bundle.
The bundle is sourced from curl.se/ca/cacert.pem, which is an extraction of Mozilla's trusted root certificates.
Copyright 2026 Query.Farm LLC
Licensed under the Apache License, Version 2.0. See LICENSE.md for details.