chore: Replace alpine with distroless (#3437)

* chore: Replace alpine with distroless

Following a trend by at other database teams:

* grafana/loki#13325
* grafana/mimir#8204

* Also build debug image for main

.github/workflows/test.yml

@@ -132,7 +132,7 @@ jobs:
       - name: Pyroscope Build & push multi-arch image
         id: build-push
         run: |
-          make docker-image/pyroscope/push "BUILDX_ARGS=--cache-from=type=gha --cache-to=type=gha"
+          make docker-image/pyroscope/push docker-image/pyroscope/push-debug "BUILDX_ARGS=--cache-from=type=gha --cache-to=type=gha"
 
   deploy-dev-001:
     if: github.event_name == 'push' && github.repository == 'grafana/pyroscope'

Makefile

@@ -162,7 +162,7 @@ check/go/mod: go/mod
 
 
 define docker_buildx
-	docker buildx build $(1) --platform $(IMAGE_PLATFORM) $(BUILDX_ARGS) --build-arg=revision=$(GIT_REVISION) -t $(IMAGE_PREFIX)$(shell basename $(@D)) -t $(IMAGE_PREFIX)$(shell basename $(@D)):$(IMAGE_TAG) -f cmd/$(shell basename $(@D))/$(2)Dockerfile .
+	docker buildx build $(1) --platform $(IMAGE_PLATFORM) $(BUILDX_ARGS) --build-arg=revision=$(GIT_REVISION) -t $(IMAGE_PREFIX)$(shell basename $(@D)):$(2)latest -t $(IMAGE_PREFIX)$(shell basename $(@D)):$(2)$(IMAGE_TAG) -f cmd/$(shell basename $(@D))/$(2)Dockerfile .
 endef
 
 define deploy
@@ -188,6 +188,12 @@ docker-image/pyroscope/build-debug: GOARCH=amd64
 docker-image/pyroscope/build-debug: frontend/build go/bin-debug $(BIN)/linux_amd64/dlv
 	$(call docker_buildx,--load,debug.)
 
+.PHONY: docker-image/pyroscope/push-debug
+docker-image/pyroscope/push-debug: GOOS=linux
+docker-image/pyroscope/push-debug: GOARCH=amd64
+docker-image/pyroscope/push-debug: frontend/build go/bin-debug $(BIN)/linux_amd64/dlv
+	$(call docker_buildx,--push,debug.)
+
 .PHONY: docker-image/pyroscope/build
 docker-image/pyroscope/build: GOOS=linux
 docker-image/pyroscope/build: GOARCH=amd64
@@ -324,7 +330,7 @@ $(BIN)/gotestsum: Makefile go.mod
 	@mkdir -p $(@D)
 	GOBIN=$(abspath $(@D)) $(GO) install gotest.tools/gotestsum@v1.9.0
 
-DLV_VERSION=v1.21.0
+DLV_VERSION=v1.23.0
 
 $(BIN)/dlv: Makefile go.mod
 	@mkdir -p $(@D)

cmd/pyroscope/Dockerfile

@@ -1,17 +1,24 @@
-FROM alpine:3.18.7
+FROM gcr.io/distroless/static:debug AS debug
 
-RUN apk add --no-cache ca-certificates
+SHELL [ "/busybox/sh", "-c" ]
+
+RUN addgroup -g 10001 -S pyroscope && \
+    adduser -u 10001 -S pyroscope -G pyroscope -h /data
+
+FROM gcr.io/distroless/static
+
+COPY --from=debug /etc/passwd /etc/passwd
+COPY --from=debug /etc/group /etc/group
+
+# Copy folder from debug container, this folder needs to have the correct UID
+# in order for the container to run as non-root.
+VOLUME /data
+COPY --chown=pyroscope:pyroscope --from=debug /data /data
 
 COPY cmd/pyroscope/pyroscope.yaml /etc/pyroscope/config.yaml
 COPY profilecli /usr/bin/profilecli
 COPY pyroscope /usr/bin/pyroscope
 
-RUN addgroup -g 10001 -S pyroscope && \
-    adduser -u 10001 -S pyroscope -G pyroscope
-RUN mkdir -p /data && \
-    chown -R pyroscope:pyroscope /data
-VOLUME /data
-
 USER pyroscope
 EXPOSE 4040
 ENTRYPOINT [ "/usr/bin/pyroscope" ]

cmd/pyroscope/debug.Dockerfile

@@ -1,22 +1,19 @@
-FROM golang as builder
+FROM gcr.io/distroless/static:debug
 
-WORKDIR /app
-FROM alpine:3.18.7
+SHELL [ "/busybox/sh", "-c" ]
 
-RUN apk add --no-cache ca-certificates
+RUN addgroup -g 10001 -S pyroscope && \
+    adduser -u 10001 -S pyroscope -G pyroscope -h /data
 
-COPY .tmp/bin/linux_amd64/dlv /usr/bin/dlv
+# Copy folder from debug container, this folder needs to have the correct UID
+# in order for the container to run as non-root.
+VOLUME /data
 
+COPY .tmp/bin/linux_amd64/dlv /usr/bin/dlv
 COPY cmd/pyroscope/pyroscope.yaml /etc/pyroscope/config.yaml
 COPY profilecli /usr/bin/profilecli
 COPY pyroscope /usr/bin/pyroscope
 
-RUN addgroup -g 10001 -S pyroscope && \
-    adduser -u 10001 -S pyroscope -G pyroscope
-RUN mkdir -p /data && \
-    chown -R pyroscope:pyroscope /data
-VOLUME /data
-
 USER pyroscope
 EXPOSE 4040
 ENTRYPOINT ["/usr/bin/dlv", "--listen=:40000", "--headless=true", "--log", "--continue", "--accept-multiclient" , "--api-version=2", "exec", "/usr/bin/pyroscope", "--"]