Use a distroless base image #1656
Use a distroless base image for our porter docker images. This has less of an attack surface because it only ships the essentials to run porter, not the extra stuff that usually comes with a linux distribution.

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
Suggestions to improve the Dockerfile and final image (without affecting functionality)
Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
Co-authored-by: Nathaniel "Church" Hatfield <church13halo@gmail.com>
@Church13 Previously the porter agent image had a script for an entry point. Will that still work?
When I try to run the image I am getting
Distroless containers typically do not include shells. For Google's distroless image, "sh" is not an included binary. Can you show me the contents of run.sh? Ideally, its functionality would be replaced with a portable application, or with a more advanced entrypoint vector with all arguments and needed commands. If the entrypoint specifies a binary, you can also precede it with multiple CMD vectors, like so:
It's a very simple script that just copies some files where they need to go before running. I'll make a binary and use that instead. I just wanted to confirm that was the right solution. Thanks!
@carolynvs Moving a container to distroless is a big paradigm shift -- it's minimum level runtime, providing virtually no environment or operating system. Since you were using the From Google's GitHub distroless repo readme:
It's not unheard of to build a shell into a distroless image (read: distroless python, powershell), and there may be a good use case for doing so here -- but there are often different (and better) ways to build the image or utilize the application such that a shell isn't necessary. Here's an interesting golang project I found on converting UNIX shell scripts to golang binaries (https://pkg.go.dev/github.com/ganbarodigital/go_scriptish) -- could be an avenue worth pursuing. As time allows I might look into converting the run.sh script to a static golang binary using this tool.
That works as well. Awesome!
Since the nonroot distroless image doesn't have a shell, we can't use run.sh to copy the porter config files into PORTER_HOME at container start. I have implemented that in Go (sorry it's a lot vs what good ole cp did for us under the hood). One trick is that when /porter-config is mounted into the container by k8s, it uses symlinks like this:

```
/porter-config
  ..data/porter.config
  porter.config -> ..data/porter.config
```

So it's not as straightforward as you'd think at first glance.

Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
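The copy step this commit message describes, written as an added Go example that is not the PR's own binary: it skips the kubelet's `..data` and timestamped bookkeeping entries, resolves each remaining symlink to the real file and copies the bytes into the target directory. The function name `copyConfig` and the `..<timestamp>` directory layout are assumptions based on how Kubernetes projects ConfigMap and Secret volumes.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// copyConfig copies the regular files at the top level of src into dst,
// following symlinks. A ConfigMap or Secret mounted by the kubelet looks like
//   src/..<timestamp>/porter.config   the real file
//   src/..data -> ..<timestamp>       swapped atomically on updates
//   src/porter.config -> ..data/porter.config
// so a naive recursive copy would drag in the ".." bookkeeping entries and
// copy symlinks that dangle once the volume is gone. Skip the dot-dot
// entries, resolve every other entry to its final target and copy the bytes.
func copyConfig(src, dst string) ([]string, error) {
	entries, err := os.ReadDir(src)
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(dst, 0o700); err != nil { // PORTER_HOME is owner-only
		return nil, err
	}
	var copied []string
	for _, e := range entries {
		if strings.HasPrefix(e.Name(), "..") {
			continue // ..data and ..<timestamp> belong to the kubelet
		}
		target, err := filepath.EvalSymlinks(filepath.Join(src, e.Name()))
		if err != nil {
			return copied, err // dangling link: surface it rather than copy nothing
		}
		if info, err := os.Stat(target); err != nil || !info.Mode().IsRegular() {
			continue // only plain files are config; skip nested directories
		}
		data, err := os.ReadFile(target) // config files are small
		if err != nil {
			return copied, err
		}
		if err := os.WriteFile(filepath.Join(dst, e.Name()), data, 0o600); err != nil {
			return copied, err
		}
		copied = append(copied, e.Name())
	}
	return copied, nil
}
```

The returned name list lets the entrypoint log what it installed before handing off to porter.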
@Church13 I've replaced run.sh with a go binary (I have newfound respect for the humble
Great to learn all about the distroless approach and best practices. LGTM.
Signed-off-by: Carolyn Van Slyck <me@carolynvanslyck.com>
Co-authored-by: Vaughn Dice <vaughn.dice@fermyon.com>
What does this change
Use a distroless base image for our porter docker images. This has less of an attack surface because it only ships the essentials to run porter, not the extra stuff that usually comes with a linux distribution.
What issue does it fix
Part of getporter/operator#38
Notes for the reviewer
This relies on #1655 and needs to be rebased after that is merged.