
Feature Request: offer images with shell in addition to distroless

Open nwsparks opened this issue 2 years ago • 7 comments

If you want to see App Mesh implement this idea, please upvote with a :+1:.

Tell us about your request

Please offer an additional image that contains a shell. It is nearly impossible to get started using AppMesh or debug things without a shell in the containers. This makes it very difficult to get going.

It's common for most vendors to provide multiple image options and I think that should be the case here as well.

Which integration(s) is this request for?

All

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

I'm trying to improve my ability to maintain and debug appmesh. This is incredibly difficult without a shell in the container.

Are you currently working around this issue?

Reverted to older image that contains a shell

nwsparks avatar Aug 17 '22 13:08 nwsparks

Hi. You can build your own image based on amazonlinux2 or something else, as described at https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html That approach works for me.

Stazz-Sphinx avatar Aug 17 '22 13:08 Stazz-Sphinx

Yes I saw that. I'd prefer not to have to build a pipeline for producing images. The barrier for entry for AppMesh is high enough already without also needing to do this. It would be simple for AWS to just provide multiple options.

nwsparks avatar Aug 17 '22 13:08 nwsparks

We have a plan to release FIPS 140-2 compatible images in the future https://github.com/aws/aws-app-mesh-roadmap/issues/410

With that we would end up releasing multiple tags of App Mesh envoy images.

  1. AppMesh distroless v1.2x.x.x-prod
  2. AppMesh Amazon Linux2 v1.2x.x.x-prod-al2 <-- Would continue to show unrelated CVEs on scan
  3. AppMesh FIPS distroless fips-v1.2x.x.x-prod
  4. AppMesh FIPS Amazon Linux2 fips-v1.2x.x.x-prod-al2 <-- Would continue to show unrelated CVEs on scan

Not to forget, these tags are released as multi-arch manifests containing both ARM64 & x86_64.

So, I would let App Mesh PM @herrhound take this question on what is best for the customers.

suniltheta avatar Aug 17 '22 20:08 suniltheta

Another issue is how can we specify a health check with distroless? There is no documentation that I can find for this.

nwsparks avatar Aug 19 '22 11:08 nwsparks

There is no change in how we specify the health check for the distroless image. The image is shipped with a lightweight custom-built curl Go binary that should support commands like

curl -s http://localhost:9901/server_info | grep state | grep -q LIVE

example

suniltheta avatar Aug 19 '22 17:08 suniltheta

@suniltheta thanks. I did some more digging and it seems like the problem I was having is that this new binary doesn't support combining flags. On the previous appmesh image curl -fs would work, but on this one it does not.

nwsparks avatar Aug 20 '22 12:08 nwsparks

I can confirm that the new curl binary doesn't support combining flags as per POSIX/GNU-style --flags. We shall fix this in the next image release v1.23.x.x

Meanwhile the workaround is to generate a custom image for now as mentioned above in https://github.com/aws/aws-app-mesh-roadmap/issues/428#issuecomment-1218040472 or not to combine the flags curl -f -s.

suniltheta avatar Aug 23 '22 23:08 suniltheta