svenstaro/miniserve

Create Distroless Container Image (again)

Closed this issue · 5 comments

Huhu, from a security perspective:
It would be nice to have an image without a distro (and all the vulnerabilities inside it).

This was already the case, but was changed in #904 (to Ubuntu); it was done by copying the binary from the builder image into a new FROM scratch image.

Ah right, so the reason for the default glibc-based images is that glibc is much faster at runtime (about 40% in my benchmarks). I'm not sure how much of a security problem this is, realistically speaking. I guess I could add a third image variant.

Hmm, I understand - I would prefer a third image version.

Currently you release really fast, so the Ubuntu base is also really fresh (and secure).

Myself, I just searched for a minimal server without a distro in the image ... (fewer dependencies would mean fewer (unknown) vulnerabilities).

Google's distroless images are stripped-down Debians; they are glibc-based, so the miniserve Ubuntu image could easily be made into a distroless one. It's slightly larger than Alpine, but still has a smaller attack surface. However, miniserve also depends on libgcc at runtime, which the distroless version has stripped out; it has to be copied in. The base distroless image does not include libgcc, but there's also the cc image that does - updated the Containerfile.

Here's a full nonroot distroless Containerfile for miniserve compiled against glibc.

Containerfile

```dockerfile
# cc-debian11 is the distroless variant that still ships libgcc, which a
# glibc-built miniserve binary needs at runtime; the :nonroot tag provides
# the unprivileged nonroot user.
FROM gcr.io/distroless/cc-debian11:nonroot
# hand the binary to the nonroot user (COPY takes --chown for ownership;
# --chmod only accepts permission bits, so --chmod=nonroot would not build)
COPY --chown=nonroot:nonroot miniserve /app/
# run as non-privileged user
USER nonroot
ENTRYPOINT ["/app/miniserve"]
```

For reference, I know that cloudflared also uses a distroless image for their glibc-based(?) CLI.
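The following is an added example, not part of the comment above and not the miniserve project's own Containerfile: it extends the snippet above into a complete multi-stage build, so the glibc-linked binary is produced and shipped in one file. The builder tag (`rust:1-bullseye`), the source path `/usr/src/miniserve`, the `cargo build --release --locked` invocation and the numeric uid/gid 65532 are assumptions made here; the runtime base `gcr.io/distroless/cc-debian11:nonroot` is the one from the thread.

```dockerfile
# Added example: multi-stage build of miniserve into the distroless cc image.
# Builder tag, build flags and paths are assumptions, not the project's own.

# --- build stage -----------------------------------------------------------
# Assumption: build on Debian 11 (bullseye) so the binary links against a
# glibc no newer than the one in cc-debian11. A builder on a newer Debian can
# emit a binary that needs newer GLIBC_* symbols and fails to start in the
# older runtime image, which is the first thing to check when the container
# exits immediately after switching to distroless.
FROM rust:1-bullseye AS builder
WORKDIR /usr/src/miniserve
COPY . .
RUN cargo build --release --locked

# --- runtime stage ----------------------------------------------------------
# cc-debian11 is the distroless variant that still ships libgcc_s, which a
# glibc-built Rust binary needs for unwinding; the "base" variant does not.
# The :nonroot tag provides the unprivileged nonroot account (uid/gid 65532).
FROM gcr.io/distroless/cc-debian11:nonroot
# Assumption: numeric uid:gid so ownership does not depend on name lookup
# inside an image that has no shell or getent.
COPY --from=builder --chown=65532:65532 \
    /usr/src/miniserve/target/release/miniserve /app/miniserve
USER nonroot
ENTRYPOINT ["/app/miniserve"]
```

Before relying on such an image, a useful check is to run `ldd target/release/miniserve` inside the builder stage and confirm that every library it lists (libgcc_s, libc, libm, the dynamic loader and so on) is one the cc image actually provides; the runtime image has no shell, so the check has to happen on the builder side or by simply starting the container and watching for a loader error.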

Oh shit @lilnasy that's perfect! Thanks! I'll change the default image to that one.

Happy to help :)