pre lunch break

2024-03-20 12:32:32 +01:00 · 2024-03-20 12:32:32 +01:00 · 78b3826cbb
parent c471e24340
commit 78b3826cbb
1 changed files with 35 additions and 1 deletions
--- a/content/day2/07_is_your_image_distroless.md
+++ b/content/day2/07_is_your_image_distroless.md
@ -3,4 +3,38 @@ title: Is your image really distroless?
 weight:7
 ---

-Laurent Goderre from Docker
+Laurent Goderre from Docker.
+The entire talk was very short, but it was a nice demo of init containers
+
+## Baseline
+
+* Security is hard - distroless sounds like a nice helper
+* Basic Challenge: Usability-Security Dilemma -> But more usability doesn't mean less secure, but more updating
+* Distro: Kernel + Software Packages + Package manager (optional) -> In Containers just without the kernel
+* Distroless: No package manager, no shell, no webcluent (curl/wget) - only minimal sofware bundels
+
+## Tools for distroless image creation
+
+* Multi-Stage Builds: No cleanup needed and better caching
+* Buildkit: More complex, but a pluggable build architecture
+
+## The title question
+
+* Well many images don't include a package manager, but a shell and some tools (busybox)
+* Tools are usually included as config-time tools (init) -> They just stay around after init - unused
+* Solution: Our lord and savior init containers without any inbound traffic that just does config stuff
+
+## Demo
+
+* A (rough) distroless postgres with alpine build step and scratch final step
+* A basic pg:alpine container used for init with a shared data volume
+* The init uses the pg admin user to initialize the pg server (you don't need the admin creds after this)
+
+### Kube
+
+* K apply failed b/c no internet, but was fixed by connecting to wifi
+* Without the init container the pod just crashes, with the init container the correct config gets created
+
+### Docker compose
+
+* Just use `service_completed_successfully` condition in depends on