Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convert to a distroless container #11

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Convert to a distroless container #11

wants to merge 1 commit into from

Conversation

samrocketman
Copy link

@samrocketman samrocketman commented Nov 21, 2022
edited
Loading

New features

  • Upgrade shellcheck to 0.8.0
  • Add PID1 process to manage other processes (dumb-init).
  • Convert image to minimal distroless instead of alpine in the final image (still includes busybox just removes alpine).
  • Add support for ARM64 CPU architecture.

What is distroless?

A minimal distroless container is smaller (faster to download), more secure, and follows general Linux best practices for system administration.

  • Old image size: 16MB
  • New image size: 8MB

You can learn more about minimal containers in my write up on docker images for production.

Hardening recommendation

Only symlink /bin/sh, /usr/bin/find, and /usr/bin/xargs to busybox since those are the only utilities necessary for your Docker image. However, if you're trying to provide a little more scripting flexibility to users I decided to leave in the full busybox tool set.

Dockerfile changes

  • X86_64 and ARM64 support
  • Make use of multistage build.
  • Final image is assembled from scratch and follows Linux best practices.

@samrocketman samrocketman force-pushed the distroless branch 8 times, most recently from f1f0221 to b481155 Compare November 21, 2022 03:43
@samrocketman
Copy link
Author

samrocketman commented Nov 21, 2022
edited
Loading

Travis CI arm infrastructure seems a bit funny (their container runtime might be running rootless). I had to test with

docker run --rm -w /tmp peterdavehello-shellcheck-test shellcheck --version

However, the Docker image should work on a proper ARM host.

@samrocketman
Convert to a distroless container
e650967 
A minimal distroless container is smaller (faster to download), more secure, and follows general Linux best practices for system administration.

* Old image size: 16MB
* New image size: 8MB

You can learn more about minimal containers in my write up on [docker images for production][1].

[1]: https://sam.gleske.net/blog/engineering/2022/10/25/guide-to-production-docker-images.html

Hardening recommendation
------------------------

Only symlink `/bin/sh`, `/usr/bin/find`, and `/usr/bin/xargs` to busybox since those are the only utilities necessary for your Docker image.  However, if you're trying to provide a little more scripting flexibility to users I decided to leave in the full busybox tool set.

Dockerfile changes
------------------

* X86_64 and ARM64 support
* Make use of multistage build.
* Final image is assembled from scratch and follows Linux best practices.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@samrocketman