
distroless/python3-debian11 and distroless/python3-debian11:nonroot contain shell

Open griggheo opened this issue 3 years ago • 5 comments

Describe the bug

The images distroless/python3-debian11 and distroless/python3-debian11:nonroot contain the sh shell, contrary to what the documentation says.

To Reproduce

$ docker run --rm -it --entrypoint sh gcr.io/distroless/python3-debian11:latest
Unable to find image 'gcr.io/distroless/python3-debian11:latest' locally
latest: Pulling from distroless/python3-debian11
8fdb1fc20e24: Already exists 
fda4ba87f6fb: Already exists 
a1f1879bb7de: Already exists 
456b1c818ab2: Pull complete 
Digest: sha256:d78a749034380426dd6cec6a0db139459ca701630533ffce112adbcdd996fddd
Status: Downloaded newer image for gcr.io/distroless/python3-debian11:latest
# exit

$ docker run --rm -it --entrypoint sh gcr.io/distroless/python3-debian11:nonroot
Unable to find image 'gcr.io/distroless/python3-debian11:nonroot' locally
nonroot: Pulling from distroless/python3-debian11
8fdb1fc20e24: Already exists 
fda4ba87f6fb: Already exists 
a1f1879bb7de: Already exists 
456b1c818ab2: Already exists 
3c2cba919283: Pull complete 
Digest: sha256:16a3e673c2138d1896a20664659c5d0d225be429fe374bb1d38a2a8a94a9b260
Status: Downloaded newer image for gcr.io/distroless/python3-debian11:nonroot
$ 

Expected behavior

The expected behavior is displayed when running this command:

$ docker run --rm -it --entrypoint sh gcr.io/distroless/java17-debian11
Unable to find image 'gcr.io/distroless/java17-debian11:latest' locally
latest: Pulling from distroless/java17-debian11
8fdb1fc20e24: Already exists 
fda4ba87f6fb: Already exists 
a1f1879bb7de: Already exists 
407f249037ea: Already exists 
8a4811140f89: Already exists 
Digest: sha256:61c05080a2fbf2f6fcb2eb11b936e30ebc7eb5cad474056e5e356b5b1b94d200
Status: Downloaded newer image for gcr.io/distroless/java17-debian11:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown.

griggheo avatar Nov 13 '22 17:11 griggheo
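A way to check an image for shell binaries without running it, complementing the `--entrypoint sh` probe above (which only finds a shell on PATH). This is an added example, not code from the issue or the distroless project; it assumes the docker CLI and tar are available, and the shell path list is a constructed set of common candidates.

```shell
#!/bin/sh
# Common shell binary locations inside an image rootfs (constructed list,
# paths without the leading "/" to match `tar -t` output).
SHELL_PATHS='bin/sh bin/bash bin/dash bin/ash bin/busybox usr/bin/sh usr/bin/bash usr/bin/dash'

# find_shells: read a file listing (one path per line, as printed by `tar -t`)
# on stdin and print every entry that is a known shell binary.
# Returns 0 when no shell was found, 1 when at least one was found.
find_shells() {
  found=0
  while IFS= read -r entry; do
    entry="${entry#./}"
    for s in $SHELL_PATHS; do
      if [ "$entry" = "$s" ]; then
        printf '%s\n' "$entry"
        found=1
      fi
    done
  done
  return $found
}

# image_has_shell IMAGE: export the image filesystem from a created (never
# started) container and scan it. Returns 0 if clean, 1 if a shell is present,
# 2 if the image could not be created.
image_has_shell() {
  image="$1"
  cid=$(docker create "$image") || return 2
  docker export "$cid" | tar -t | find_shells
  rc=$?
  docker rm "$cid" >/dev/null
  return $rc
}

# Usage (requires docker):
#   image_has_shell gcr.io/distroless/python3-debian11:latest && echo "no shell" || echo "shell found"
```

Unlike running `sh` inside the container, this also catches shells that exist but are not on PATH, and it never executes image code.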

Yeah this is intentional. I believe it had something to do with supporting os.system? Or something else that was widely present in python applications that required a shell. I'm no python expert, and it is in experimental. It is a bit odd though, I'd be down to remove it if someone can provide a strong reason we won't break everything.

loosebazooka avatar Nov 14 '22 16:11 loosebazooka

That is a bit strange, as one of the main selling points of distroless is Docker image security and the lack of a shell. Hopefully your security committee will make the right call there.

griggheo avatar Nov 14 '22 16:11 griggheo

so here's some context, but once again python is in experimental: https://github.com/GoogleContainerTools/distroless/pull/229

loosebazooka avatar Nov 17 '22 14:11 loosebazooka

Yeah this is intentional. I believe it had something to do with supporting os.system?

But isn't system(3) equally broken for other languages (such as C), not only for Python?

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>

int main(void)
{
	printf("hello world\n");
	/* system(3) runs the command through /bin/sh; in a shell-less image the call fails */
	if (system("echo Hello World") == -1) {
		fprintf(stderr, "system: %s\n", strerror(errno));
	}
	return 0;
}

gcr.io/distroless/static-debian11

hello world
system: No such file or directory

afbjorklund avatar Nov 24 '22 11:11 afbjorklund

  • https://github.com/GoogleContainerTools/distroless/issues/601

afbjorklund avatar Nov 24 '22 18:11 afbjorklund