Wolfi Distroless Images
Based on this tweet, i decided to do this write up to show how you can create distroless images using wolfi
What is Distroless
read more here
Why Distroless
read more here
What is wolfi
Wolfi is a Linux undistro designed for containers, making it an excellent choice for creating distroless images. Read more here
How to get started
You will need to install apko and have an editor
Lets look at how distroless stacks its images
Static Base Image
This images is for all statically compiled programs which has a directory structure, ca-certificates and tzdata
So lets setup an apko config to install these
this installs
- baselayout - this is the basic layout of the container filesystem, sets up directory structure and permissions for paths, sets root password as
*
in the passwd file so that the user cannot login, sets upos-release
so scanners are able to identify the os and get the vulnerability db for the same - ca-certificates-bundle - these are the cert chains for ssl connections
- tzdata - is the data with which timezones are used by the OS
you can build the image with
this will give an image which you can load a statically compiled program such as a go binary
With the apko install, there is no package manager which is added to the container, so we are closer to a distroless install.
Now we need to make sure that the container does not run with root
user
this will ensure that the container is run with the user non-root
.
We need to ensure a few defaults so that the container will run as required
Nodejs Runtime Image
Lets now setup nodejs
with the above container as base
build it with
the above container is to be used to run the code and any of the nodejs containers such as node:lts
( glibc based ) can be used in any of the build,lint etc steps
This ensures that the container which is deployed is minimal, has only the packages required and runs with the non-root
user which was added in the static container
Nodejs Debug Image
Now is the question of the debug container, distroless provides this as the language container along with a shell. If running kubernetes the best way to debug would be to use the cdebug
utility but since we are talking about images lets create a nodejs debug image.
For debugging lets add the following
- shell
- package manager
so that as someone who is debugging can exec into the container and install any debug tool of preference and switch the user to root
.
build it with
this setup would allow the user to switch to the debug container which is built on top of the container which runs the code along with access to necessary tooling.
This can be used as an example and one can build out custom base images using wolfi while keeping them distroless.
Image Size
Here are the images sizes post creation
Scanning the image
here is a trivy scan of the above node image
it has identified the OS and the packages installed. And reports 0 vulnerabilities.
Creating a base image equivalent to alpine
Now that wolfi-base is an image which comes with a shell and packaging tools, this container image can be used to create images which are used in multi-stage build as the build container as multiple packages would be required in the build step.
We use the static config here as well and add the wolfi-base
package which adds busybox and apk-tools to the container, similar to what was added in the debug container but we use this meta package instead.
Here is a link to all the files on github along with a plausable directory structure for multi versioned builds