Docker layers store the difference between the previous and the current version of the image. Like git commits, they're handy if you share them with other repositories or images. In fact, when you request an image from a registry you download only the layers that you don't already have. This makes sharing images much more efficient.

Layers use space, and the more layers you have, the heavier the final image is. Git repositories are similar in this respect: the size of your repository increases with the number of commits because Git has to store all the changes between them. In the past, it was a good practice to combine several RUN statements on a single line.

1. Squash multiple layers into one with multi-stage Docker builds

When a Git repository becomes bigger, you can choose to squash the history into a single commit and forget about the past. It turns out you can do something similar in Docker too with a multi-stage build.

```
CREATED BY                                            SIZE
/bin/sh -c ARCH= && dpkgArch="$(dpkg --print…         56.9MB
/bin/sh -c #(nop) ENV YARN_VERSION=1.3.2              0B
/bin/sh -c #(nop) ENV NODE_VERSION=8.9.4              0B
/bin/sh -c set -ex && for key in 94AE3…               129kB
/bin/sh -c groupadd --gid 1000 node && use…           335kB
/bin/sh -c set -ex; apt-get update; apt-ge…           324MB
/bin/sh -c apt-get update && apt-get install…         123MB
/bin/sh -c set -ex; if ! command -v gpg > /…          0B
/bin/sh -c apt-get update && apt-get install…         44.6MB
```

Instead the resulting image has five new layers: one for each statement in your Dockerfile. Has the file size changed at all? Hurrah! You reduced the overall size even if this is an already slimmed down application. Not too bad! Is there anything you can do to make it even smaller?

2. Remove all the unnecessary cruft from the container with distroless

The current image ships Node.js as well as yarn, npm, bash and a lot of other binaries. So you have a fully fledged operating system with all its little binaries and utilities. You don't need any of those when you run your container.

Docker containers should wrap a single process and contain the bare minimum to run it. The only dependency you need is Node.js. In fact, you could remove everything but Node.js.

Fortunately, Google had the same idea and came up with GoogleCloudPlatform/distroless. As the description for the repository points out:

> "Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

You can tweak the Dockerfile to leverage the new base image like this:

Yes! You can still attach to a running container and you have an overall smaller image. It sounds promising, but there's a catch.

Alpine based images are based on muslc - an alternative standard library for C. However, most Linux distributions such as Ubuntu, Debian and CentOS are based on glibc. The two libraries are supposed to implement the same interface to the kernel. muslc uses less space and is written with security in mind.

When an application is compiled, it is compiled against a specific libc for the most part. If you wish to use it with another libc, you have to recompile it. In other words, building your containers with Alpine images may lead to unexpected behaviour because the standard C library is different. You may notice discrepancies particularly when you're dealing with precompiled binaries such as Node.js C++ extensions.

As an example, the PhantomJS prebuilt package doesn't work on Alpine.

What base image should you choose? Do you use Alpine, distroless or vanilla images?

Every binary that is added to a Docker image adds a certain amount of risk to the overall application. If you're running in production and you're concerned about security, perhaps distroless images are more appropriate.

As an example, if an attacker was able to exploit a vulnerability in your app running on Distroless, they won't be able to spawn a shell in the container because there isn't one! You can reduce the overall risk by having only one binary installed in the container. Please note that minimising attack surface area is recommended by OWASP.
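The Dockerfile the post refers to is missing from this copy. As an added example (not the post's own code), here is a multi-stage Dockerfile that combines both tricks: it builds on the full `node:8` image and copies only the result into a distroless runtime image. The `gcr.io/distroless/nodejs` tag, the `nonroot` user and the `index.js` entry point are assumptions about your project.

```dockerfile
# Stage 1: build. The full node:8 image carries npm, gcc and python, which
# native add-ons (node-gyp) need at build time but not at run time.
FROM node:8 AS build
WORKDIR /app
COPY package*.json ./
# Runtime dependencies only; dev tooling never reaches the final image.
RUN npm install --production
COPY . .

# Stage 2: runtime. Distroless ships Node.js and its shared libraries and
# nothing else: no shell, no package manager. Whatever stage 1 produced and
# is not copied below is discarded, so the build layers never reach the
# registry, and the final image has one layer per statement in this stage.
FROM gcr.io/distroless/nodejs
WORKDIR /app
# Both stages are Debian/glibc based, so the prebuilt native add-ons
# installed above run unchanged; the musl mismatch that bites Alpine
# images does not arise here.
COPY --from=build /app /app
# Drop root. Assumption: the distroless tag in use ships the "nonroot"
# user (uid 65532) that current distroless images provide.
USER nonroot
# The image's ENTRYPOINT is the node binary, so CMD is just the script
# (assumed to be index.js).
CMD ["index.js"]
```

To confirm the runtime image really has no shell, run `docker run --rm --entrypoint /bin/sh <image>`; on a distroless image this fails because `/bin/sh` does not exist, which is exactly the property the post relies on.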