pre lunch break
This commit is contained in:
parent
c471e24340
commit
78b3826cbb
|
@ -3,4 +3,38 @@ title: Is your image really distroless?
|
|||
weight:7
|
||||
---
|
||||
|
||||
Laurent Goderre from Docker
|
||||
Laurent Goderre from Docker.
|
||||
The entire talk was very short, but it was a nice demo of init containers
|
||||
|
||||
## Baseline
|
||||
|
||||
* Security is hard - distroless sounds like a nice helper
|
||||
* Basic Challenge: Usability-Security Dilemma -> But more usability doesn't mean less secure, but more updating
|
||||
* Distro: Kernel + Software Packages + Package manager (optional) -> In Containers just without the kernel
|
||||
* Distroless: No package manager, no shell, no webcluent (curl/wget) - only minimal sofware bundels
|
||||
|
||||
## Tools for distroless image creation
|
||||
|
||||
* Multi-Stage Builds: No cleanup needed and better caching
|
||||
* Buildkit: More complex, but a pluggable build architecture
|
||||
|
||||
## The title question
|
||||
|
||||
* Well many images don't include a package manager, but a shell and some tools (busybox)
|
||||
* Tools are usually included as config-time tools (init) -> They just stay around after init - unused
|
||||
* Solution: Our lord and savior init containers without any inbound traffic that just does config stuff
|
||||
|
||||
## Demo
|
||||
|
||||
* A (rough) distroless postgres with alpine build step and scratch final step
|
||||
* A basic pg:alpine container used for init with a shared data volume
|
||||
* The init uses the pg admin user to initialize the pg server (you don't need the admin creds after this)
|
||||
|
||||
### Kube
|
||||
|
||||
* K apply failed b/c no internet, but was fixed by connecting to wifi
|
||||
* Without the init container the pod just crashes, with the init container the correct config gets created
|
||||
|
||||
### Docker compose
|
||||
|
||||
* Just use `service_completed_successfully` condition in depends on
|
||||
|
|
Loading…
Reference in New Issue