GoogleContainerTools
Images do not provide sanitizer runtime libs
Describe the bug This is somewhat of a feature request, but it is annoying to create asan/tsan enabled builds because distroless does not ship an image with these runtimes. Though we can build with these features enabled we would need to package these runtimes separately from the distroless image.
To Reproduce
Build an image with asan enabled such as bazel build //hello_world_container --copt=-fsanitize=address --linkopt=-fsanitize=address and observe that it fails to run.
Expected behavior A distroless image (the debug image or a new kind of image) could be provided with sanitizer runtimes.
I'm not sure exactly what this is asking, because I don't know much about sanitizer runtime libs. We're working on making distroless more extensible though. Maybe towards the end of Q1 2023, we can let people build/add-on whatever they want without some bonkers looking dockerbuild.
In my case, i only needed asan. So that would be including the libasan.so.5 along with the other libc runtimes.
I'm also not an expert in how these are setup but it may be that they are tied to the specific compiler used in which case maybe they dont really belong in distroless. Ill try find if they are compiler specific unlike libc.
We're working on making distroless more extensible though. Maybe towards the end of Q1 2023, we can let people build/add-on whatever they want without some bonkers looking dockerbuild.
We are actually using bazel so composing an image on top of distroless isnt much of an issue for us, I just thought this might be a useful extension if it fits with distroless.
The library is from the libasan5 package, https://packages.debian.org/file:libasan.so.5
So either that is bundled with the app, or included in a custom base layer on top of base ?
It does depend on the compiler (gcc-9-base):
- https://packages.debian.org/bullseye/libasan5
