decred / dcrd

Decred daemon in Go (golang).

Home Page: https://decred.org


Use distroless docker containers

naveensrinivasan opened this issue · comments

Using distroless (https://github.com/GoogleContainerTools/distroless) docker containers is a recommended approach to increasing the security posture.

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal-to-noise ratio of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.

Distroless images are very small. The smallest distroless image, gcr.io/distroless/static, is around 650 kB. That's about 25% of the size of alpine (~2.5 MB), and less than 1.5% of the size of debian (50 MB).

For example, gcr.io/distroless/static is a container image that's much smaller than this image of a shipping container. It's about 1/3rd the size of all the resources on this page you're reading right now. It's very small.

Here is an example of how distroless can be used along with a standard Go application: https://github.com/ossf/scorecard/blob/main/Dockerfile

I already have some local work that does this, which is mostly done, and that I was planning on finalizing after the next release when I have a bit more free time to finish it up.

I can also take it up.

Cool. If you'll give me a day or two, I can get a draft PR up that has everything working (and tested) already via a multi-stage build where the final image is distroless (based on scratch) and is right around 10.5MiB. What isn't finished is some of the documentation as well as some final decisions regarding the configuration aspects.

Then if you want to run the ball on finishing up those final tidbits, that would be helpful.
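The layout described in the two comments above (a multi-stage build whose final image contains only the dcrd binary) is illustrated by the following Dockerfile. It is an added example written for this page; it is not the project's own Dockerfile and not the contents of the PR discussed below. It assumes it is built from the root of a dcrd checkout, that the Go toolchain version in the builder tag is new enough for the repository's go.mod, that `--appdata` is the dcrd flag for the application home directory, and that 9108/9109 are the default mainnet P2P and RPC ports. It uses gcr.io/distroless/static as the final base rather than scratch; the two differ only in that distroless adds CA certificates, tzdata and a `nonroot` user entry on top of an otherwise empty filesystem.

```dockerfile
# --- Build stage -------------------------------------------------------------
# Compile dcrd as a static, stripped Linux binary. The Go toolchain, git and
# the module cache live only in this stage and never reach the final image.
# (Example Dockerfile written for this page; the Go version is an assumption.)
FROM golang:1.21-alpine AS builder

WORKDIR /src

# Fetch dependencies first so this layer stays cached until go.mod/go.sum change.
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# CGO_ENABLED=0 yields a self-contained binary with no libc dependency, so it
# can run on a base image that ships no shared libraries at all.
# -trimpath and -ldflags="-s -w" drop build paths and debug symbols, which
# shrinks the binary and keeps local filesystem paths out of the artifact.
RUN CGO_ENABLED=0 GOOS=linux \
    go build -trimpath -ldflags="-s -w" -o /out/dcrd .

# distroless has no RUN (no shell), so create the data directory here and
# copy it across with the right ownership instead.
RUN mkdir -p /out/data

# --- Runtime stage -----------------------------------------------------------
# distroless/static contains no shell, no package manager and no libc: only
# CA certificates, tzdata, an /etc/passwd with a "nonroot" user (uid/gid
# 65532), and whatever is copied in below.
FROM gcr.io/distroless/static:nonroot

COPY --from=builder /out/dcrd /dcrd

# All mutable state (block database, RPC TLS key/cert, logs) lives on one
# volume owned by the unprivileged user; the rest of the image is immutable.
COPY --from=builder --chown=65532:65532 /out/data /data
VOLUME /data

# Default dcrd mainnet P2P and RPC ports (assumed defaults).
EXPOSE 9108 9109

USER nonroot:nonroot

# Exec form is mandatory: there is no /bin/sh in the image to interpret a
# string-form ENTRYPOINT. --appdata is assumed to be dcrd's home-dir flag.
ENTRYPOINT ["/dcrd", "--appdata=/data"]
```

Build it from the repository root with `docker build -t dcrd:distroless .` and run it with a named volume, e.g. `docker run -d -v dcrd-data:/data -p 9108:9108 dcrd:distroless`; a named volume inherits the ownership of `/data` from the image, whereas a bind mount must already be writable by uid 65532. The RPC port is exposed but dcrd binds it to localhost unless told otherwise, so reaching it from outside the container requires an explicit listen address and the TLS certificate it generates under `/data`. Two checks worth doing on the result: `docker run --rm --entrypoint /bin/sh dcrd:distroless` should fail because no shell exists, and `docker image inspect` should show the `nonroot` user; for production builds, pin both `FROM` lines to image digests rather than tags so the provenance argument in the opening comment actually holds.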

I pushed PR #2740 which is probably 90-95% of this. As previously mentioned, there are some remaining TODOs as far as documentation and a couple of questions in the Dockerfile to be decided on.

It should serve as an excellent base to finish this work up.

I believe this can be closed

I left it open for tracking purposes because there are still some of the aforementioned TODOs outstanding.