
Distroless based image #25

Open

anuraaga opened this issue Aug 25, 2020 · 3 comments
Labels
enhancement New feature or request

Comments

@anuraaga

Currently, there are small runtime images of corretto using Alpine Linux. Is there any appetite for images based on distroless? I've been playing with a Dockerfile for it here

Distroless includes glibc, so it will work with boringssl (for example when used with gRPC / other Netty frameworks) while being about as small, if not smaller, than the Alpine-based Linux. It doesn't include a package manager either, so it has a bit less of a security surface.

@anuraaga anuraaga added the enhancement New feature or request label Aug 25, 2020
@davecurrie

@anuraaga Thanks for the idea. This is something that's come up in conversations but we don't have a roadmap item for it (yet). Does the image you have work as expected? Any problems you've observed?

If you can share, we'd also like to know what influences your choice to use distroless vs e.g. Alpine Linux for deployments. That also helps us to choose and prioritize upcoming features.

@anuraaga (Author)

@davecurrie Thanks! Yeah I have used that image in some sample apps and have not run into any issues. Using the :debug variant feels very much like Alpine since it provides busybox for troubleshooting scenarios.

A very similar image, which uses zulu instead of corretto but is otherwise set up in almost the same way, has also worked great in production across Zipkin and its various storage backends (cassandra, kafka, elasticsearch). I think in general this approach doesn't have gotchas (at the risk of speaking too soon :P).

https://github.com/openzipkin/docker-jre-full/blob/master/Dockerfile#L7

As for distroless vs Alpine Linux, most of my apps use gRPC or some other Netty-based framework. I have found Netty's TCNative-BoringSSL to perform at least as well as Java 11+ TLS; the bigger difference tends to be on apps with larger payloads. So it's a go-to library for me, and that requires a base image that includes glibc, meaning it doesn't work with Alpine. This is the #1 deciding factor for me and unfortunately is a hard yes / no, as opposed to e.g., comparing the image size itself. Other than that, fewer apps, such as Alpine's apk, means less chance of container security scanners triggering for the image - I think this is nice too but not a dealbreaker since Alpine is already quite small.

Hope this helps, let me know if you need anything more from me.
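A Dockerfile illustrating the distroless-plus-Corretto approach discussed in this thread, added here as an example; it is not the Dockerfile linked in the issue and not code from the Corretto project. It assumes the amazoncorretto:11 image ships jlink together with its jmods, that the application is a single runnable jar at target/app.jar, and that gcr.io/distroless/base-debian10 already supplies the shared libraries the trimmed runtime needs beyond glibc.

```dockerfile
# Added example, not the Dockerfile from the issue. Assumptions: the
# amazoncorretto:11 image has jlink and the jmods available on PATH, and
# the application is a single runnable jar built into target/app.jar.

# Stage 1: build a trimmed Corretto runtime with jlink so only the modules
# the application needs end up in the final image.
FROM amazoncorretto:11 AS jdk
RUN jlink \
      --add-modules java.base,java.logging,java.naming,java.sql,jdk.unsupported \
      --strip-debug --no-man-pages --no-header-files --compress=2 \
      --output /opt/jre

# Stage 2: distroless base. It ships glibc, libssl and CA certificates, so
# Netty tcnative / BoringSSL can load, but has no shell and no package
# manager (apk/apt), which is what keeps scanner findings and the attack
# surface down. Use the :debug tag (busybox shell) only for interactive
# troubleshooting, never for the production tag.
FROM gcr.io/distroless/base-debian10
# Assumption: if this JDK build links against the system zlib instead of
# bundling it, libz.so.1 must also be copied in from a glibc-based image.
COPY --from=jdk /opt/jre /opt/jre
COPY target/app.jar /app/app.jar
ENV JAVA_HOME=/opt/jre
# Run as the unprivileged user that the distroless images define.
USER nonroot:nonroot
ENTRYPOINT ["/opt/jre/bin/java", "-jar", "/app/app.jar"]
```

Build with `docker build -t myapp .` and verify the module list covers the application by running it once; a missing module surfaces as a ClassNotFoundException at startup rather than at build time.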

@Fleshgrinder

For what it's worth, we'd also be interested in this. We also need glibc and generally prefer images without any additional software for increased security.
