ci: publish distroless images #385
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cwaldren-ld
force-pushed
the
cw/sc-163093/distroless
branch
from
2566e13 to
535458b
Compare
cwaldren-ld
force-pushed
the
cw/sc-163093/distroless
branch
from
adb15f6 to
2c20b3a
Compare
cwaldren-ld
force-pushed
the
cw/sc-163093/distroless
branch
from
b50ab60 to
c7fbdbb
Compare
cwaldren-ld
changed the title
louis-launchdarkly
approved these changes
Jun 10, 2024
cwaldren-ld
force-pushed
the
cw/sc-163093/distroless
branch
from
2492936 to
0e3d7d4
Compare
cwaldren-ld
added a commit
that referenced
this pull request
Jun 12, 2024
We've had a long history of Alpine vulnerability reports on Relay's Docker images. The patches percolate into the upstream tools that are bundled in Alpine, then into Alpine, then into the Alpine docker image release, and finally into a Relay release. Since Relay is a simple Go binary, we could take advantage of Google's "distroless" container system. This is an extremely stripped down debian12 image with "just" the Go binary. The attack surface is smaller and we'd have less necessary maintenance. This PR adds two new image manifests: - `static-debian12-nonroot` (based on `gcr.io/distroless/static-debian12:nonroot`) - `static-debian12-debug-nonroot` (based on `gcr.io/distroless/static-debian12:debug-nonroot`). Each manifest supports amd64, armv7, and armv8 architectures. There is additional support for `ppc64le` and `s390x` in those base images, but I haven't exposed them here yet in order to give a similar offering to the Alpine image (note: we're missing `i386`.)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We've had a long history of Alpine vulnerability reports on Relay's Docker images. The patches percolate into the upstream tools that are bundled in Alpine, then into Alpine, then into the Alpine docker image release, and finally into a Relay release.
Since Relay is a simple Go binary, we could take advantage of Google's "distroless" container system. This is an extremely stripped down debian12 image with "just" the Go binary. The attack surface is smaller and we'd have less necessary maintenance.
This PR adds two new image manifests:
static-debian12-nonroot(based ongcr.io/distroless/static-debian12:nonroot)static-debian12-debug-nonroot(based ongcr.io/distroless/static-debian12:debug-nonroot).Each manifest supports amd64, armv7, and armv8 architectures. There is additional support for
ppc64leands390xin those base images, but I haven't exposed them here yet in order to give a similar offering to the Alpine image (note: we're missingi386.)TODO:
BEGIN_COMMIT_OVERRIDE
feat: publish distroless debian12 image
END_COMMIT_OVERRIDE