Use "distroless" images for linkerd proxy components #5198
Comments
I'm generally +1 on this idea, though I believe that it may not currently be possible. In order to build a static binary (i.e. that doesn't need an OS-provided
Some folks have expressed interest in building the proxy against alternate TLS implementations, so this may become possible in the future.
Also it seems like there's some progress on this in
Actually, I think that above error is a red herring. I was missing musl-gcc from my host. It looks like this should be doable. We'll need to vet that this is possible for ARM builds, but seems like a good goal for 2.10!
OK, while it's pretty simple to modify the build to produce static binaries for x86_64, getting cross-compilation to work for arm builds seems to be substantially more complex. Given the state of the linkerd build/release process, it's not really feasible for us to support a one-off configuration only for x86_64... I'd love help figuring out how to get the ARM builds working with musl, though!
As of briansmith/ring#1118 there is a documented and mostly tested way of cross-compiling for ARM targets in particular. Look at how ring's build system does it, particularly its mk/cargo.sh. It's much better than using musl-gcc because you can install clang once and that one installation will work for all targets.
Thanks for the helpful pointer, @briansmith.
We might be able to just avoid static compilation/musl for now and use https://github.com/GoogleContainerTools/distroless to provide a base image with glib |
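A multi-stage Dockerfile sketching the glibc-plus-distroless route suggested above, added here as an illustration rather than taken from the linkerd2 repository; the Rust image tag, the crate/binary name and the install path are assumptions:

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build the proxy dynamically against glibc. No musl target and no
# cross-compile toolchain are needed for this route. The image tag and the
# binary name "linkerd2-proxy" are assumptions for this illustration.
FROM rust:1.56-bullseye AS build
WORKDIR /src
COPY . .
RUN cargo build --release --bin linkerd2-proxy

# Stage 2: distroless "cc" carries glibc, the gcc/C++ runtime libraries and
# CA certificates, but no shell, no package manager and no apt package
# database, so scanners have no Debian package list to raise findings against.
# Build and runtime stages share the same Debian release (bullseye) so the
# glibc the binary was linked against is never newer than the one it runs on.
FROM gcr.io/distroless/cc-debian11
COPY --from=build /src/target/release/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy
# Run unprivileged; distroless ships a "nonroot" user (uid 65532).
USER nonroot:nonroot
ENTRYPOINT ["/usr/lib/linkerd/linkerd2-proxy"]
```

Because the runtime stage has no shell, `docker run --rm <image> ls` style checks will fail; inspect the image with `docker image history` or a scanner that reads the filesystem rather than exec'ing into it.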
Did we get any traction on this issue? We are being flagged by an internal security tool for a base Ubuntu image vulnerability for the following three containers: proxy-init, proxy, and web
@ericsuhong This is scheduled for stable-2.11.0. The best way to make this happen quickly is to submit a PR, though :D |
I couldn't get rid of the base image (in an attempt to get rid of unrelated CVE warnings thrown by cluster image scanners) because of the need for iptables and the shared libs it depends on, so the best I could do was to switch to Alpine. Still, that reduces the image size on amd64 from 77.3MB to 13MB. I also changed the registry from Docker Hub to ghcr.io for the tester images, because `k3d image import` was complaining (note these images aren't pushed though). Finally, it's no longer necessary to install `procps` (used to run `sysctl`) as it already comes installed in Alpine. This was tested successfully on the ARM host. Partially addresses comment in linkerd/linkerd2#5198
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
It only required removing `RUN mkdir -p app` from the Dockerfile, which is not really needed. This diminishes the image size and avoids having frequent vulnerability reports by image scanners in clusters for issues appearing in Debian. We were upgrading the base image whenever we could, but it's an issue for older releases. Addresses comment in linkerd#5198
Signed-off-by: Jijeesh <jijeesh.ka@gmail.com>
Related: #6165
Recent proxy images use
Feature Request
What problem are you trying to solve?
Reduce container image size + reduce unnecessary security vulnerabilities flagged for the base Debian image.
How should the problem be solved?
All linkerd control plane components EXCEPT proxy use distroless images, and I would like to have distroless images for the proxy component as well (if possible).
Any alternatives you've considered?
N/A