
Port Image Builder container image from Alpine to distroless Azure Linux

Open mthalman opened this issue 2 years ago • 2 comments

This would help to validate the benefits of distroless, and Mariner in general (a good dogfooding effort).

Originally, this was thought to have been blocked by not having a docker package in Mariner but I've now realized what we need is the moby-cli package. This allows us to run docker commands targeting the docker daemon on the host machine, connected by the docker socket.

My initial investigation into this has revealed a lot of changes necessary for this.

Tasks to complete:

  • [x] https://github.com/dotnet/docker-tools/issues/1392
  • [ ] Remove dependency on git CLI
        Currently Image Builder has a dependency on git for a single operation: to get the commit SHA of a file. Removing the dependency on the git CLI is useful because of the image size impact of including the git package in the image. It adds ~230 MB. The dependency on the git CLI can be replaced with equivalent logic that makes use of the libgit2sharp library which is already used.
  • [ ] Refactor pipeline to not rely on volume mounted artifacts directory
        As a result of running the container as a non-root user, that user does not have permission to write to the artifacts directory that gets volume mounted into the container. This is a bit of a tricky problem to solve that would add complexity to the system. Instead, it can be mitigated by removing the volume mount altogether. The use of volume mounting was only done as a convenience to get files out of the container, not to send files in. So the pipeline can be updated to just use docker cp to get those artifact files out of the container.
  • [ ] Update Image Builder Dockerfile to be based on distroless Mariner

Related work:

  • [ ] https://github.com/microsoft/CBL-Mariner/issues/3811
        As a result of installing moby-cli, bash is also getting included. This issue was logged in hopes of being able to remove that since we don't want bash in a distroless container.

mthalman avatar Sep 22 '22 15:09 mthalman
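The "remove dependency on git CLI" task above replaces a single `git log` style lookup with LibGit2Sharp. The following is an added example of how that lookup can be done in-process; it is not code from dotnet/docker-tools and the class and method names (`FileCommitSha`, `GetLatestCommitSha`) are illustrative. It assumes the LibGit2Sharp NuGet package is referenced and that the file being queried lives inside a checked-out repository.

```csharp
// Added example, not Image Builder's own code: resolve the SHA of the most recent
// commit that touched a file without shelling out to the git CLI.
// Assumes the LibGit2Sharp package (which bundles native libgit2) is referenced.
using System;
using System.IO;
using System.Linq;
using LibGit2Sharp;

public static class FileCommitSha
{
    // Returns the full 40-character SHA of the latest commit that modified filePath,
    // or null if the path has no history (untracked or never committed).
    // Throws if the path is not inside a git repository at all.
    public static string? GetLatestCommitSha(string filePath)
    {
        string fullPath = Path.GetFullPath(filePath);

        // Locate the enclosing repository by walking up from the file
        // (the equivalent of `git rev-parse --git-dir`). Returns null when not in a repo.
        string? repoPath = Repository.Discover(fullPath);
        if (repoPath is null)
        {
            throw new InvalidOperationException($"'{fullPath}' is not inside a git repository.");
        }

        using var repo = new Repository(repoPath);

        // QueryBy wants a path relative to the working directory, with forward slashes,
        // regardless of the host OS.
        string relativePath = Path
            .GetRelativePath(repo.Info.WorkingDirectory, fullPath)
            .Replace('\\', '/');

        // Walk the history of this path starting from HEAD, newest commit first,
        // and take the first entry: the commit that last changed the file.
        LogEntry? entry = repo.Commits.QueryBy(relativePath).FirstOrDefault();
        return entry?.Commit.Sha;
    }

    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: FileCommitSha <path-to-file>");
            return 2;
        }

        string? sha = GetLatestCommitSha(args[0]);
        if (sha is null)
        {
            Console.Error.WriteLine($"'{args[0]}' has no commit history.");
            return 1;
        }

        Console.WriteLine(sha);
        return 0;
    }
}
```

Two points worth checking when this runs inside the distroless image: the lookup still needs the repository's `.git` metadata to be present in the container (a shallow or export-only checkout yields no history and the method returns null rather than a SHA), and LibGit2Sharp loads a native libgit2 shared library at runtime, so that library and whatever it links against must resolve in the distroless filesystem even though the git executable itself is gone.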

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

We should also update the Docker TestRunner to be based on Mariner as well.

lbussell avatar Sep 26 '23 20:09 lbussell