Look into using distroless runtime images

Open jonjohnsonjr opened this issue 6 years ago • 6 comments

We currently use random images from dockerhub as the runtime images instead of gcr.io/distroless.

This has some performance benefits due to locality of images when running any of this on GCP.

jonjohnsonjr avatar Sep 30 '19 20:09 jonjohnsonjr

Who is maintaining these images? Is there a delta between what's found at gcr.io/distroless and docker registry?

simonz130 avatar Oct 30 '19 22:10 simonz130

> Who is maintaining these images?

We are! (well... our organizational cousins are): https://github.com/GoogleContainerTools/distroless

> Is there a delta between what's found at gcr.io/distroless and docker registry?

Yeah, distroless doesn't contain a shell or any random binaries. This results in smaller images and a smaller attack surface for vulnerabilities.

jonjohnsonjr avatar Oct 30 '19 23:10 jonjohnsonjr

+1 on this for minimal images - I just tried the Python guestbook app from Hungary, the image is 1.1 GB and that takes 3.7 minutes just to push to eu.gcr.io.

balopat avatar Dec 17 '19 06:12 balopat

N.B.: some of our images (everything except Java and Golang) have been moved to Alpine Linux for performance reasons.

This might be worth trying for Java and Golang at some point.

ace-n avatar Aug 17 '22 15:08 ace-n

@jonjohnsonjr distroless Java images don't seem to support ARM, which is required for GKE.

Is that something y'all plan to add? If not, do you mind if I close this issue?

ace-n avatar Aug 25 '22 18:08 ace-n

> Java images don't seem to support ARM

The debian11 variants do, e.g. https://explore.ggcr.dev/?image=gcr.io/distroless/java17-debian11:nonroot

See https://github.com/GoogleContainerTools/distroless#docker for current images.

jonjohnsonjr avatar Aug 26 '22 18:08 jonjohnsonjr