---
title: Is your image really distroless?
weight: 7
tags:
  - images
  - security
---

{{% button href="https://youtu.be/1iJTyf4O8T8" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}}

Laurent Goderre from Docker. The entire talk was very short, but it was a nice demo of init containers.

## Baseline

* Security is hard - distroless sounds like a nice helper
* Basic challenge: the usability-security dilemma -> More usability doesn't have to mean less security, but it does mean more updating
* Distro: Kernel + software packages + package manager (optional) -> In containers, the same minus the kernel
* Distroless: No package manager, no shell, no web client (curl/wget) - only the minimal software bundle the application needs

## Tools for distroless image creation

* Multi-stage builds: No cleanup needed and better caching
* BuildKit: More complex, but a pluggable build architecture

## The title question

* Many images don't include a package manager, but they do ship a shell and some tools (busybox)
* Those tools are usually only needed at config time (init) -> They just stay around after init, unused, and enlarge the attack surface
* Solution: Our lord and savior init containers, which receive no inbound traffic and just do the config work, so the runtime image can drop the tooling entirely

## Demo

* A (rough) distroless Postgres with an Alpine build stage and a `scratch` final stage
* A basic pg:alpine container used for init, with a data volume shared with the Postgres container
* The init uses the pg admin user to initialize the pg server (you don't need the admin credentials after this)

### Kube

* `kubectl apply` failed because there was no internet, but that was fixed by connecting to Wi-Fi
* Without the init container the pod just crashes; with the init container the correct config gets created

### Docker compose

* Just use the `service_completed_successfully` condition in `depends_on`
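The init-container pattern from the demo, as an added Kubernetes example (not the speaker's manifest): the shell and `initdb` exist only in the short-lived init container, which exposes no ports, while the runtime container is a shell-less image that just runs the server binary. The distroless image name, the `pg-admin` secret and the uid 70 of the `postgres` user in the Alpine image are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pg-distroless
spec:
  securityContext:
    runAsUser: 70          # assumption: uid of "postgres" in postgres:*-alpine
    runAsGroup: 70
    fsGroup: 70
  volumes:
    - name: pgdata         # shared between init and runtime container
      emptyDir: {}         # use a PVC instead if the data must survive the pod
  initContainers:
    # Config-time tooling (shell, initdb) lives only here and is gone after init exits.
    - name: init-cluster
      image: postgres:16-alpine
      command: ["sh", "-c"]
      args:
        - |
          [ -s "$PGDATA/PG_VERSION" ] && exit 0   # idempotent on pod restart
          echo "$POSTGRES_PASSWORD" > /tmp/pwfile
          initdb -D "$PGDATA" --username=postgres --pwfile=/tmp/pwfile --auth=scram-sha-256
          rm -f /tmp/pwfile
      env:
        - name: PGDATA
          value: /var/lib/postgresql/data
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: pg-admin   # placeholder secret; only the init step ever reads it
              key: password
      volumeMounts:
        - name: pgdata
          mountPath: /var/lib/postgresql/data
  containers:
    # Runtime image: no shell, no package manager, no curl/wget; only the server binary.
    - name: postgres
      image: example.invalid/postgres-distroless:16   # placeholder, not a published image
      command: ["/usr/local/bin/postgres", "-D", "/var/lib/postgresql/data"]
      ports:
        - containerPort: 5432
      volumeMounts:
        - name: pgdata
          mountPath: /var/lib/postgresql/data
```

Without the `initContainers` block the runtime container finds an empty data directory and crashes on start, which is the failure mode shown in the demo; the `PG_VERSION` guard keeps a restarted init from re-initializing an existing cluster.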