---
title: Is your image really distroless?
weight: 7
tags:
- images
- security
---

{{% button href="https://youtu.be/1iJTyf4O8T8" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}}

Speaker: Laurent Goderre from Docker.

The entire talk was very short, but it was a nice demo of init containers.

## Baseline

* Security is hard; distroless sounds like a nice helper.
* Basic challenge: the usability/security dilemma. More usability does not automatically mean less security, but it does mean more to keep updated: every extra tool in the image is one more package that needs patching.
* A distro is kernel + software packages + (optionally) a package manager. A container image is the same minus the kernel, which it shares with the host.
* Distroless: no package manager, no shell, no web client (curl/wget), only the minimal set of software bundles the application needs.

## Tools for distroless image creation

* Multi-stage builds: compilers and build tools stay in the build stage and only the artifacts are copied into the final stage, so no cleanup layers are needed and the build stage is cached separately from the final image.
* BuildKit: more complex, but a pluggable build architecture.

## The title question

* Many images do drop the package manager but still ship a shell and some tools (busybox). A quick check: if exec'ing a shell into the running container works, the image is not distroless, whatever its name says.
* These tools are usually there as configuration-time (init) tooling; they just stay around after init, unused by the application but still available to anyone who gets code execution in the container.
* Solution: our lord and savior, init containers. An init container receives no inbound traffic; it just does the config work and exits, so the shell and tools never have to be part of the long-running image.

## Demo

* A (rough) distroless Postgres: an alpine build stage and a `scratch` final stage.
* A basic `postgres:alpine` container used as the init container, with a data volume shared with the distroless container.
* The init container uses the pg admin user to initialise the server. The admin credentials are not needed after this step, so only the init container ever sees them.

### Kube

* `kubectl apply` failed because there was no internet connection; connecting to Wi-Fi fixed it.
* Without the init container the pod just crashes; with the init container the correct configuration gets created first and the server starts.

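
The Demo and Kube notes above, assembled into a manifest as an added example (this is not the speaker's demo code). The init container is the stock `postgres:16-alpine` image, which has a shell, `initdb` and the admin credentials; the long-running container image `registry.example/pg-distroless:16` is a hypothetical name for a scratch-based image holding only the `postgres` server binary and its libraries. Assumed: uid/gid 70 for the postgres user as in the alpine image, an `emptyDir` volume in place of a PersistentVolumeClaim, and the admin password in a Secret that only the init container mounts.

```yaml
# Added example: the Demo/Kube notes as a Pod manifest (not the speaker's own files).
# init-db  = stock postgres:16-alpine: has sh, initdb and the admin credentials
# postgres = hypothetical scratch-based image holding only the server binary
apiVersion: v1
kind: Secret
metadata:
  name: pg-admin
type: Opaque
stringData:
  password: change-me          # constructed placeholder, not a real credential
---
apiVersion: v1
kind: Pod
metadata:
  name: pg-distroless
spec:
  securityContext:             # postgres uid/gid is 70 in the alpine image (assumption)
    runAsNonRoot: true
    runAsUser: 70
    runAsGroup: 70
    fsGroup: 70                # makes the emptyDir group-writable for uid 70
  volumes:
    - name: pgdata
      emptyDir: {}             # demo only; use a PersistentVolumeClaim for real data
    - name: pg-admin
      secret:
        secretName: pg-admin
  initContainers:
    - name: init-db
      image: postgres:16-alpine
      env:
        - name: PGDATA         # subdirectory, so initdb owns the directory it creates
          value: /var/lib/postgresql/data/pgdata
      command: ["sh", "-c"]
      args:
        - |
          set -eu
          if [ -s "$PGDATA/PG_VERSION" ]; then
            echo "already initialised, skipping initdb"   # Pod restart: keep the cluster
            exit 0
          fi
          initdb -D "$PGDATA" -U postgres \
            --pwfile=/run/secrets/pg-admin/password --auth=scram-sha-256
          # initdb only writes localhost rules; allow pod-network clients, password required
          echo "host all all all scram-sha-256" >> "$PGDATA/pg_hba.conf"
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: pgdata
          mountPath: /var/lib/postgresql/data
        - name: pg-admin       # the only container that ever sees the admin password
          mountPath: /run/secrets/pg-admin
          readOnly: true
  containers:
    - name: postgres
      image: registry.example/pg-distroless:16   # hypothetical name
      # absolute path: a scratch image has no shell and may set no PATH
      command:
        - /usr/local/bin/postgres
        - -D
        - /var/lib/postgresql/data/pgdata
        - -c
        - listen_addresses=*
        - -c
        - unix_socket_directories=     # no socket dir needed on a read-only root fs
      ports:
        - containerPort: 5432
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: pgdata
          mountPath: /var/lib/postgresql/data
```

Apply with `kubectl apply -f`. Two details the talk's bullets imply but do not spell out: init containers run before the Pod is marked Ready, so nothing can route traffic to them; and `initdb` refuses to run on a non-empty directory, so the script checks for `PG_VERSION` first, otherwise a Pod restart with persisted data would fail in the init container forever.
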
### Docker compose

* Just use the `service_completed_successfully` condition in `depends_on`: the distroless service then only starts once the init service has exited with status 0. A plain `depends_on` list only waits for the init service to be started, not finished, which is not enough here.
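
The same init/app split as a compose file, added here as an example (not the speaker's compose file). Names and the `registry.example/pg-distroless:16` image are hypothetical; uid/gid 70 and the `/usr/local/bin/postgres` path are assumed from the alpine build stage, and the admin password comes from a local file-backed compose secret that only `pg-init` receives.

```yaml
# Added example (not the speaker's compose file): the same init/app split with
# docker compose. "pg" only starts once "pg-init" has exited with status 0.
services:
  pg-init:
    image: postgres:16-alpine
    user: "70:70"              # postgres uid/gid in the alpine image (assumption)
    environment:
      PGDATA: /var/lib/postgresql/data/pgdata
    secrets:
      - pg_admin_password      # mounted at /run/secrets/pg_admin_password
    volumes:
      - pgdata:/var/lib/postgresql/data
    command:
      - sh
      - -c
      - |
        set -eu
        [ -s "$PGDATA/PG_VERSION" ] && exit 0     # already initialised (restart/rerun)
        initdb -D "$PGDATA" -U postgres \
          --pwfile=/run/secrets/pg_admin_password --auth=scram-sha-256
        echo "host all all all scram-sha-256" >> "$PGDATA/pg_hba.conf"

  pg:
    image: registry.example/pg-distroless:16   # hypothetical scratch-based image
    depends_on:
      pg-init:
        condition: service_completed_successfully   # not just "started"
    user: "70:70"
    read_only: true
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    command: ["/usr/local/bin/postgres", "-D", "/var/lib/postgresql/data/pgdata",
              "-c", "listen_addresses=*", "-c", "unix_socket_directories="]
    volumes:
      - pgdata:/var/lib/postgresql/data
    ports:
      - "127.0.0.1:5432:5432"

volumes:
  pgdata:

secrets:
  pg_admin_password:
    file: ./pg_admin_password.txt   # constructed; create it locally, keep it out of git
```

Run with `docker compose up`. The secret file has to be readable by uid 70 inside the container, and because `pg-init` is the first service to mount the `pgdata` volume, the volume inherits the postgres-owned data directory from the alpine image, which is what lets the non-root init step create `$PGDATA`.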