-
Notifications
You must be signed in to change notification settings - Fork 399
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Switch default base image to ghcr.io/distroless/static #722
Comments
Is it possible for |
Maybe, but I think I'd rather do away with the "nonroot" distinction and assume nonroot. Having the images be one character off might be confusing even, I don't know. The images should be comparable in size, both small enough you shouldn't notice it. I can do a more thorough comparison if there's something you're interested in. |
As long this doesn't increase the base image size by more than a single MB, it should be fine. I use |
I have excellent news for you:
In either case, the Go binary you're building on top of it will still absolutely dominate the size of the image (as it should). |
The main difference in size is the absence of time zone data in ghcr.io/distroless/static. Will go binaries that need to convert timezones function properly without it? |
Yeah, looks like it. Building a basic app that converts timezones in go fails when built atop
But it succeeds if you add an underscore import for
(This increases binary size by 450KB) This is something we could address either by documenting that you'll need to import Thanks for bringing this up. |
I wonder if we should just add this tag at build-time... 🤔 It would increase image sizes unnecessarily for apps built on base images that already have tzdata, and for apps that don't use tzdata, and it'd be ~equivalent to just being based on a distroless image that includes tzdata (which would also be unnecessary for apps that don't use tzdata) |
450KB on the scale of a go binary seems a worthy cost. If that same size was baked into the base image then it would be a shared cost. A slippery slope I know. |
What about adding the alpine tzdata? https://pkgs.alpinelinux.org/package/edge/main/x86/tzdata I don't know why it depends on musl though |
Switching to ghcr.io/distroless/static will also mean our base image is an OCI image, which will give us more consistent behavior around setting the base image annotations. Since Docker-typed manifest lists don't support annotations, and
Yeah, we can either add tzdata to the ghcr.io/distroless/static image, or (more likely) create a new distroless base image that has tzdata. But I'd like to explore setting |
@jonjohnsonjr had a crazy idea, which was (me paraphrasing) to embed the layer data for the default base image into the This embedded layer data could be fetched in a Would we check in layers into the repo? Would we Technically it's orthogonal to changing the base image from gcr.io/distroless to ghcr.io/distroless, but if we're going to change how the default base image works, we might as well change where it comes from at the same time. |
It means we are signing up to release I think having support for |
I don't want to freeze it -- I just want to embed it and for cache purposes. If you request that image by digest, we can just use the embedded version, and we could give you an easy way to configure it as your defaultBaseImage (by digest) so ko ships with everything you need to work offline. |
ghcr.io/distroless/static should include tzdata starting with tonight's nightly build. 🎉 The question I have now is, if:
Do we need to warn about the upgrade at all? Can we just switch the base image and folks will get the new behavior after the next |
I'm fine with not warning given that we don't expect it to be breaking, but we should have something very obvious in the release notes. |
Also - does |
I haven't been able to find anything official in the docs. https://git.luolix.topmunity/t/container-registry-will-the-be-rate-limits-for-public-package-manifest-queries/136725 is as close as I could find. Notably, it sounds like GHCR doesn't do Dockerhub-style rate limits, where requests to get manifests are rate limited. It sounds like it's based on blob pull bandwidth. Anecdotally, I've been using ghcr-distroless in some projects for a while and haven't had any issues. |
The current default base image is
gcr.io/distroless/static:nonroot
, which we switched two about 2 years ago in #160 (from the non-nonroot
variant).I'd like to propose we switch the default base image to
ghcr.io/distroless/static
(which is also non-root), produced usingapko
nightly, from here https://github.com/distroless/staticLike
gcr.io/distroless/static:nonroot
,ghcr.io/distroless/static
is signed (keylessly!). It also includes a generated SBOM of the base image contents, and an attestation about how it was built.Being on GitHub Actions, its build process and logs are more visible and publicly auditable.
Being defined in not-Bazel, in a not-Google-owned repo, makes it easier to contribute changes to it.
If this proposal is accepted, I'd like to suggest adding a warning when
defaultBaseImage
is not set, saying that the change is coming in a future release.If you want to retain the existing base image, simply add
defaultBaseImage: gcr.io/distroless/static:nonroot
. To opt-in to the change before it's imposed on you automatically in a future release,defaultBaseImage: ghcr.io/distroless/static
.Then we cut a release with that warning, wait a release, change the default base image and remove the warning.
WDYT?
@jonjohnsonjr @mattmoor
The text was updated successfully, but these errors were encountered: