  • Stars: 18,731
  • Rank: 1,391 (Top 0.03 %)
  • Language: Starlark
  • License: Apache License 2.0
  • Created over 7 years ago
  • Updated about 2 months ago


Repository Details

🥑 Language focused docker images, minus the operating system.

"Distroless" Container Images.


"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

For more information, see this talk (video).

Since March 2023, Distroless images use OCI manifests. If you see errors referencing application/vnd.oci.image.manifest.v1+json or application/vnd.oci.image.index.v1+json, update your container tooling (docker, jib, etc.) to the latest version.

Why should I use distroless images?

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal-to-noise ratio of vulnerability (CVE) scanners, since every reported finding is in something you actually ship, and reduces the burden of establishing provenance to just what you need.

Distroless images are very small. The smallest distroless image, gcr.io/distroless/static-debian11, is around 2 MiB. That's less than half the size of alpine (~5 MiB), and less than 2% of the size of debian (124 MiB).

How do I use distroless images?

These images are built using bazel, but they can also be used through other Docker image build tooling.

What images are available?

The following images are currently published and updated by the distroless project (see SUPPORT_POLICY for support timelines).

| Image | Tags | Architecture Suffixes |
|---|---|---|
| gcr.io/distroless/static-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64, arm, s390x, ppc64le |
| gcr.io/distroless/base-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64, arm, s390x, ppc64le |
| gcr.io/distroless/base-nossl-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64, arm, s390x, ppc64le |
| gcr.io/distroless/cc-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64, arm, s390x, ppc64le |
| gcr.io/distroless/python3-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64 |
| gcr.io/distroless/java-base-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64, s390x, ppc64le |
| gcr.io/distroless/java11-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64, s390x, ppc64le |
| gcr.io/distroless/java17-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64, s390x, ppc64le |
| gcr.io/distroless/nodejs16-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64 |
| gcr.io/distroless/nodejs18-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64 |
| gcr.io/distroless/nodejs20-debian11 | latest, nonroot, debug, debug-nonroot | amd64, arm64 |

These images refer to image indexes with references to all supported architectures. Architecture-specific images can be directly referenced using an additional architecture suffix on the tag, like gcr.io/distroless/static-debian11:latest-amd64.

Any other tags are considered deprecated and are no longer updated.

How do I verify distroless images?

All distroless images are signed by cosign. We recommend verifying any distroless image you use before building your image.

Keyless (recommended)

Distroless images are signed with cosign in keyless mode. You can verify the keyless signature of any distroless image with:

cosign verify $IMAGE_NAME --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@distroless.iam.gserviceaccount.com

Key (no tlog, deprecated, EOL Sept 2023)

Verifying using the distroless keys is deprecated in favor of keyless. These signing events are not uploaded to the transparency log, which is why the command below passes --insecure-ignore-tlog: it tells cosign not to look for a Rekor entry, so you lose the audit trail that keyless verification gives you. You can use the distroless public key to verify any distroless image with:

cat cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q
OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA==
-----END PUBLIC KEY-----

cosign verify --key cosign.pub $IMAGE_NAME --insecure-ignore-tlog
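Passing --certificate-oidc-issuer and --certificate-identity already makes cosign reject signatures from any other signer, but a build pipeline usually also wants to record which digest it verified and build from that immutable reference rather than a mutable tag. The following is an added example (not part of the distroless project) that post-processes the JSON cosign prints on stdout: it re-checks issuer and identity, confirms every signature entry is for the repository you asked about, and returns a digest-pinned reference. SAMPLE_OUTPUT is a constructed stand-in for real cosign output, and its digest is a dummy value.

```python
"""Post-process `cosign verify` output: enforce signer policy and pin by digest.

Added example; not part of the distroless project. SAMPLE_OUTPUT is a
constructed stand-in for the JSON that `cosign verify` prints on stdout,
and its digest is a dummy value.
"""
import json
import re

EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_IDENTITY = "keyless@distroless.iam.gserviceaccount.com"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample, shaped like one cosign "simple signing" payload entry.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "gcr.io/distroless/static-debian11"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://accounts.google.com",
        "Subject": "keyless@distroless.iam.gserviceaccount.com",
    },
}])


def checked_digest(cosign_json, repository,
                   issuer=EXPECTED_ISSUER, identity=EXPECTED_IDENTITY):
    """Return the single signed manifest digest, or raise ValueError.

    Every signature entry must name the expected OIDC issuer and identity,
    the repository we asked about, and a well-formed sha256 digest; all
    entries must agree on that digest.
    """
    entries = json.loads(cosign_json)
    if not isinstance(entries, list) or not entries:
        raise ValueError("no signatures in cosign output")
    digests = set()
    for entry in entries:
        optional = entry.get("optional") or {}
        if optional.get("Issuer") != issuer:
            raise ValueError(f"unexpected issuer: {optional.get('Issuer')!r}")
        if optional.get("Subject") != identity:
            raise ValueError(f"unexpected identity: {optional.get('Subject')!r}")
        critical = entry["critical"]
        # cosign records the repository (without a tag) as docker-reference.
        if critical["identity"]["docker-reference"] != repository:
            raise ValueError("signature is for a different repository")
        digest = critical["image"]["docker-manifest-digest"]
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest!r}")
        digests.add(digest)
    if len(digests) != 1:
        raise ValueError(f"signatures disagree on digest: {sorted(digests)}")
    return digests.pop()


def pinned_reference(cosign_json, repository):
    """Immutable reference for FROM, i.e. repository@sha256:..., once verified."""
    return f"{repository}@{checked_digest(cosign_json, repository)}"


def is_trusted(cosign_json, repository):
    """Boolean wrapper for callers that only need pass/fail."""
    try:
        checked_digest(cosign_json, repository)
        return True
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    print(pinned_reference(SAMPLE_OUTPUT, "gcr.io/distroless/static-debian11"))
```

In a pipeline, feed the stdout of `cosign verify ... gcr.io/distroless/static-debian11:nonroot` to checked_digest with the repository name (the tag is not part of the signed payload), then write the returned repository@sha256:... into the final FROM line so later builds cannot silently pick up a different image under the same tag.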

Entrypoints

Note that distroless images by default do not contain a shell. That means the Dockerfile ENTRYPOINT command, when defined, must be specified in vector (exec) form. In shell form the container runtime rewrites the command as /bin/sh -c "...", and /bin/sh does not exist in the image, so the container fails to start.

This works:

ENTRYPOINT ["myapp"]

But this does not work:

ENTRYPOINT "myapp"

For the same reasons, if the entrypoint is set to the empty vector, the CMD command should be specified in vector form (see examples below). Note that by default static, base and cc images have the empty vector entrypoint. Images with an included language runtime have a language specific default (see: java, nodejs, python3).

Docker

Docker multi-stage builds make using distroless images easy. Follow these steps to get started:

Examples with Docker

Here's a quick example for go:

# Start by building the application.
FROM golang:1.18 as build

WORKDIR /go/src/app
COPY . .

RUN go mod download
RUN CGO_ENABLED=0 go build -o /go/bin/app

# Now copy it into our base image.
FROM gcr.io/distroless/static-debian11
COPY --from=build /go/bin/app /
CMD ["/app"]

You can find other examples here:

To run any example, go to the directory for the language and run

docker build -t myapp .
docker run -t myapp

To run the Node.js Express app node-express and expose the container's ports:

npm install # Install express and its transitive dependencies
docker build -t myexpressapp . # Normal build command
docker run -p 3000:3000 -t myexpressapp

This should expose the Express application to your localhost:3000

Bazel

For full documentation on how to use bazel to generate Container images, see the bazel-contrib/rules_oci repository.

For documentation and an example of how to use the go-based debian package manager (current) to generate bazel config, see ./debian_package_manager. For documentation and examples of how to use the bazel package manager rules (not used in this repo), see ./package_manager.

Examples can be found in this repository in the examples directory.

Examples with Bazel

We have some examples of how to run some common application stacks in the /examples directory.

The same directory has examples of how to complete some common tasks in your image.

See here for more information on how these images are built and released.

Base Operating System

Distroless images are based on Debian 11 (bullseye). Images are explicitly tagged with Debian version suffixes (e.g. -debian11). Specifying an image without the distribution will currently select -debian11 images, but that will change in the future to a newer version of Debian. It can be useful to reference the distribution explicitly, to prevent breaking builds when the next Debian version is released.
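The Entrypoints section above and the paragraph just above describe two mistakes that only show up at run time or at the next Debian release: a shell-form ENTRYPOINT/CMD that the runtime rewrites to /bin/sh -c, and a base image reference without an explicit -debianNN suffix. The following is an added example (not part of the distroless project) that checks a Dockerfile's final stage for both, plus a :debug tag left in a production image. It reproduces the exec-form rule the way the builder applies it: only a valid JSON array of strings is exec form, so ENTRYPOINT ['myapp'] with single quotes is silently treated as shell form. GOOD_DOCKERFILE and BAD_DOCKERFILE are constructed samples.

```python
"""Static check of a Dockerfile's final stage for distroless pitfalls.

Added example; not part of the distroless project. It flags ENTRYPOINT/CMD
that would need /bin/sh, a base image without an explicit -debianNN suffix,
and a :debug tag in the final stage. The Dockerfiles at the bottom are
constructed samples.
"""
import json
import re

IMAGE_RE = re.compile(
    r"^(?P<repo>gcr\.io/distroless/[a-z0-9-]+)"
    r"(?::(?P<tag>[A-Za-z0-9_.-]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
SHELLS = ("sh", "/bin/sh", "bash", "/bin/bash")


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations, skips comments."""
    pairs, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        inst, _, arg = (buf + line).partition(" ")
        pairs.append((inst.upper(), arg.strip()))
        buf = ""
    return pairs


def effective_argv(arg):
    """Return (argv, form) as the runtime will exec it.

    Exec form (a JSON array of strings) is used verbatim; anything else,
    including arrays written with single quotes, which are not valid JSON,
    is shell form and gets rewritten to ["/bin/sh", "-c", arg].
    """
    if arg.startswith("["):
        try:
            parsed = json.loads(arg)
            if isinstance(parsed, list) and all(isinstance(x, str) for x in parsed):
                return parsed, "exec"
        except ValueError:
            pass
    return ["/bin/sh", "-c", arg], "shell"


def lint(text):
    """Return a list of findings for the final build stage (empty means clean)."""
    findings = []
    pairs = parse_dockerfile(text)
    from_positions = [i for i, (inst, _) in enumerate(pairs) if inst == "FROM"]
    if not from_positions:
        return ["no FROM instruction"]
    final = pairs[from_positions[-1]:]
    tokens = [t for t in final[0][1].split() if not t.startswith("--")]  # drop --platform=...
    image = tokens[0]
    m = IMAGE_RE.match(image)
    if not m:
        return findings  # final stage is not a distroless image; nothing to check here
    tag = m.group("tag") or "latest"
    is_debug = tag.startswith("debug")
    if not re.search(r"-debian\d+$", m.group("repo")):
        findings.append(f"{image}: no -debianNN suffix, so the Debian release can change under you")
    if is_debug:
        findings.append(f"{image}: :debug tag ships a busybox shell; use it for troubleshooting only")
    for inst, arg in final[1:]:
        if inst not in ("ENTRYPOINT", "CMD"):
            continue
        argv, form = effective_argv(arg)
        # Shell form, or exec form that itself calls a shell, needs /bin/sh in the image.
        needs_shell = form == "shell" or (argv and argv[0] in SHELLS)
        if needs_shell and not is_debug:
            findings.append(f"{inst} {arg}: runtime would exec {argv}, but the image has no shell")
    return findings


GOOD_DOCKERFILE = """\
FROM golang:1.18 AS build
WORKDIR /go/src/app
COPY . .
RUN CGO_ENABLED=0 go build -o /go/bin/app
FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=build /go/bin/app /
CMD ["/app"]
"""

BAD_DOCKERFILE = """\
FROM gcr.io/distroless/static
COPY app /
ENTRYPOINT "/app"
CMD ['--serve']
"""

if __name__ == "__main__":
    for name, dockerfile in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        print(name, lint(dockerfile) or "OK")
```

Running it on BAD_DOCKERFILE yields three findings: the missing -debian11 suffix, the shell-form ENTRYPOINT, and the single-quoted CMD that is shell form despite looking like an array. A shell-form CMD behind a non-empty exec-form ENTRYPOINT does not fail at start-up, but it passes ["/bin/sh", "-c", "..."] to your program as arguments, which is never what was intended, so the check flags it too.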

Operating System Updates for Security Fixes and CVEs

Distroless tracks the upstream Debian releases, using Github actions to automatically generate a pull request when there are updates.

Debug Images

Distroless images are minimal and lack shell access. The :debug image set for each language provides a busybox shell to enter.

For example:

cd examples/python3/

edit the Dockerfile to change the final image to :debug:

FROM gcr.io/distroless/python3-debian11:debug
COPY . /app
WORKDIR /app
CMD ["hello.py", "/etc"]

then build and launch with a shell entrypoint:

$ docker build -t my_debug_image .
$ docker run --entrypoint=sh -ti my_debug_image

/app # ls
BUILD       Dockerfile  hello.py

Note: If the image you are using already has a tag, for example gcr.io/distroless/java17-debian11:nonroot, use the tag debug-<existing tag> instead, for example gcr.io/distroless/java17-debian11:debug-nonroot.

Note: ldd is not installed in the base image because it is a shell script; you can copy it in or download it.

Who uses Distroless?

If your project uses Distroless, send a PR to add your project here!

Community Discussion
