
[PM-7068] - Use a distroless container image for bws #681

Merged: 3 commits merged into main from bws-distroless on Apr 8, 2024

Conversation

@tangowithfoxtrot (Contributor) commented Mar 26, 2024

Type of change

  • Bug fix
  • New feature development
  • Tech debt (refactoring, code cleanup, dependency upgrades, etc)
  • Build/deploy pipeline (DevOps)
  • Other

Objective

Addresses PM-7068. Build the bws Docker image from an empty file system. This results in a much smaller Docker image (~16MB, uncompressed) with a smaller threat surface than bundling it with a distro.

Code changes

  • ./crates/bws/Dockerfile: Use scratch for the final build stage. This results in a distroless image that only contains our binary, the libraries that it depends on, and the CA certificates needed for SSL to work. The ldd line automatically determines what dependencies we need to copy over so we don't have to manually maintain a list of them.

Before you submit

  • Please add unit tests where it makes sense to do so
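The core of the approach above is the `ldd` step that decides which shared objects travel into the scratch stage. The script below is an added example written for this page, not the bws project's Dockerfile or any file from the PR: it shows what a robust version of that step has to handle (the vDSO entry, the dynamic loader line, and libraries that `ldd` reports as `not found`) and stages the results under a directory that a later `COPY --from=builder /rootfs/ /` can drop into a `FROM scratch` image. The sample `ldd` output, the library paths and the `/rootfs` staging root are constructed for illustration.

```shell
#!/bin/sh
# Added example for this page, not the bws project's own Dockerfile or
# scripts. Demonstrates the two halves of the technique discussed in the PR:
# deriving a binary's shared-library closure from ldd output and staging
# it under a directory that a final `COPY --from=builder /rootfs/ /` can
# drop into a FROM scratch stage. The sample ldd output below is
# constructed; the library paths and the staging root are assumptions.

# Reduce ldd output to one absolute path per line. ldd prints three line
# shapes, and a naive `awk '{print $3}'` gets two of them wrong:
#   linux-vdso.so.1 (0x...)                              kernel-provided; nothing to copy
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...) path is field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)                  the loader itself; path is field 1
# "=> not found" means the image would fail only at run time, so the
# function reports it and exits non-zero instead of silently skipping it.
# ldd indents with a tab; the patterns accept any leading whitespace.
ldd_paths() {
    awk '
        BEGIN { bad = 0 }
        / => not found/   { print "missing library: " $1 > "/dev/stderr"; bad = 1; next }
        / => \//          { print $3; next }
        /^[[:space:]]*\// { print $1; next }
        END { exit bad }
    '
}

# Copy every path read from stdin into the staging root $1, keeping the
# original directory layout so the dynamic loader finds each file where
# the binary expects it. -L dereferences symlinks: a scratch image has no
# distro filesystem for a copied link to point back into.
stage_into() {
    root=$1
    while IFS= read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -L "$lib" "$root$lib"
    done
}

# Constructed ldd output (not captured from bws) covering all three shapes.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd3a9f0000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f1a2c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2be00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c200000)'

# Returns the three library paths that the sample closure needs copied.
sample_paths() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths
}

# In the builder stage of a Dockerfile the same pipeline runs against the
# real binary, for example:
#   ldd target/release/bws | ldd_paths | stage_into /rootfs
sample_paths
```

In a Dockerfile this pipeline belongs in the builder stage, because the `FROM scratch` stage has no shell to run it in; the final stage is then just `COPY --from=builder /rootfs/ /`, the binary, and the CA bundle (on a Debian-based builder that is `/etc/ssl/certs/ca-certificates.crt`, which is an assumption about the builder image rather than something this page states). One caveat worth a smoke test before trusting the image: `ldd` lists only link-time dependencies, so anything the binary loads with `dlopen` at run time will not appear in the list, and the only way to catch that is to exercise the real code paths (name resolution, TLS, config and state files) in the built container, as the PR author describes doing.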

codecov bot commented Mar 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.61%. Comparing base (596ce17) to head (5643fca).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #681   +/-   ##
=======================================
  Coverage   60.61%   60.61%           
=======================================
  Files         170      170           
  Lines       10387    10387           
=======================================
  Hits         6296     6296           
  Misses       4091     4091           


@tangowithfoxtrot tangowithfoxtrot marked this pull request as ready for review March 27, 2024 12:22
@tangowithfoxtrot tangowithfoxtrot requested review from a team and withinfocus March 27, 2024 12:23
@withinfocus (Contributor)

Novel approach! Is this feasible for what we're offering here? I haven't seen scratch used directly like this.

@tangowithfoxtrot (Contributor, Author)

Thanks! I borrowed this approach from some of the "hello-docker" examples.

I also use it for another container that I made for personal use.

This runs every major function of our CLI without issue: listing secrets, getting secrets, mounting config + state files, etc.

Using ldd to grab the dynamic dependencies has worked well in my experience. The image could be simplified to remove this in the future as well, if we can statically link bws.

@Thomas-Avery (Contributor) left a comment

Very cool, thank you!

@tangowithfoxtrot tangowithfoxtrot merged commit 014855c into main Apr 8, 2024
72 checks passed
@tangowithfoxtrot tangowithfoxtrot deleted the bws-distroless branch April 8, 2024 14:04
4 participants