rebase acme-dns docker image on google distroless #275
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Improvements over the current Dockerfile are: It uses the GoogleContainerTools/distroless static image as base, removing everything from the container including the shell, dynamic linker, etc. It builds a fully static acme-dns binary, including static-linking the CGO components, to be able to run without any dynamic linking, or libc, on the target system. It assembles the "release" layout of the application and support directories on the builder, then copies them wholesale to the final image. It *only* copies the `acme-dns` binary; it exclused the `.git` directory, and all other files, that are shipped in the current image. It uses a shallow checkout to build, which is appropriate since the builder is a throw-away image and will be destroyed when the build process is done. It uses the latest version of golang 1.*, ensuring that improvements and security fixes are picked up automatically. Limitations: The distroless image doesn't provide anything beyond the bare minimum to run the static binary – notably, no `/bin/sh` is present. If this is a concern the best strategy would be to add a second image, deploying `FROM gcr.io/distroless/static:debug` which provides busybod as `/bin/sh` and the rest of the standard utilities. I have not implemented this solution at this time. Background: The Google distroless images provide a base for running software containers with the absolute bare minimum of files. For more details see https://github.com/GoogleContainerTools/distroless This bases the acme-dns docker image off the distroless "static" image, `gcr.io/distroless/static`, which is suitable for running fully static application in languages like go – it has no dynamic linker.
|
note: tested locally, but only on x86 / amd64 platforms. |
linuxgemini
added a commit
to linuxgemini/acme-dns
that referenced
this pull request
Feb 9, 2022
Co-authored-by: Daniel Pittman <daniel@rimspace.net> Signed-off-by: İlteriş Yağıztegin Eroğlu <me@linuxgemini.space>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Improvements over the current Dockerfile are:
It uses the GoogleContainerTools/distroless static image as base,
removing everything from the container including the shell, dynamic
linker, etc.
It builds a fully static acme-dns binary, including static-linking the
CGO components, to be able to run without any dynamic linking, or libc,
on the target system.
It assembles the "release" layout of the application and support
directories on the builder, then copies them wholesale to the
final image.
It only copies the
acme-dnsbinary; it exclused the.gitdirectory, and all other files, that are shipped in the current image.
It uses a shallow checkout to build, which is appropriate since the
builder is a throw-away image and will be destroyed when the build
process is done.
It uses the latest version of golang 1.*, ensuring that improvements and
security fixes are picked up automatically.
Limitations:
The distroless image doesn't provide anything beyond the bare minimum to run
the static binary – notably, no
/bin/shis present.If this is a concern the best strategy would be to add a second image,
deploying
FROM gcr.io/distroless/static:debugwhich provides busybod as/bin/shand the rest of the standard utilities.I have not implemented this solution at this time.
Background:
The Google distroless images provide a base for running software containers
with the absolute bare minimum of files. For more details see
https://github.com/GoogleContainerTools/distroless
This bases the acme-dns docker image off the distroless "static" image,
gcr.io/distroless/static, which is suitable for running fully staticapplication in languages like go – it has no dynamic linker.