[docs request] Method for building customized distroless images
What is the preferred method for building customized / modified distroless images? There seem to be two separate methods:
- https://github.com/GoogleContainerTools/distroless/tree/main/debian_package_manager
- https://github.com/GoogleContainerTools/distroless/tree/main/package_manager
Is there some example / process for modifying the "base" images (via Bazel)?
I have created some hack that works by manually specifying a bunch of http_file()s in the project WORKSPACE for each additional package, then creating a container_image() rule based on an existing distroless image with additional debs from the http_file()s. However, this process requires a bunch of toil work to specify each of the package URLs / versions. It will not be easy to upgrade the package versions. For example
WORKSPACE:
```starlark
# http_file is provided by Bazel's built-in repository rules.
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file")

# One pinned download (URL + sha256) per extra Debian package.
http_file(
    name = "amd64_debian11_isomd5sum",
    downloaded_file_path = "isomd5sum_1.2.3-4+b4_amd64.deb",
    sha256 = "d9c66e2278fc16cde37b18b92f7ce9a77930b6a69771dcbdf5d24974e94c74ff",
    urls = ["https://snapshot.debian.org/archive/debian/20230311T025924Z/pool/main/i/isomd5sum/isomd5sum_1.2.3-4%2Bb4_amd64.deb"],
)

http_file(
    name = "amd64_debian11_libacl1",
    downloaded_file_path = "libacl1_2.2.53-10_amd64.deb",
    sha256 = "aa18d721be8aea50fbdb32cd9a319cb18a3f111ea6ad17399aa4ba9324c8e26a",
    urls = ["https://snapshot.debian.org/archive/debian/20230311T025924Z/pool/main/a/acl/libacl1_2.2.53-10_amd64.deb"],
)

http_file(
    name = "amd64_debian11_libburn4",
    downloaded_file_path = "libburn4_1.5.2-1_amd64.deb",
    sha256 = "3dc912b97373ec2d4134286426455918d7b049c199430e5ed035eb65298273d5",
    urls = ["https://snapshot.debian.org/archive/debian/20230311T025924Z/pool/main/libb/libburn/libburn4_1.5.2-1_amd64.deb"],
)
# ...
```
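BUILD.bazel:
```starlark
# container_image (with its debs attribute) comes from rules_docker.
load("@io_bazel_rules_docker//container:container.bzl", "container_image")

# Layer the extra .deb files on top of an existing distroless base image.
container_image(
    name = "custom_base_image",
    base = "@go_image_static//image",
    debs = [
        "@amd64_debian11_isomd5sum//file",
        "@amd64_debian11_libacl1//file",
        "@amd64_debian11_libburn4//file",
        # ...
    ],
)
```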
Is there a way to use https://github.com/GoogleContainerTools/distroless/tree/main/debian_package_manager for downstream builds / customizations of distroless images? Or, is that even the preferred tool for distroless debian package management going forward?
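One way to cut the toil described in the post above, as an added example (not the poster's code and not tooling from the distroless project): generate the `http_file()` stanzas from a Debian `Packages` index at a pinned snapshot, and refuse any package that lacks a SHA-256. The index excerpt is constructed, and the function names and repository-name sanitising are assumptions of this sketch.

```python
import re
from urllib.parse import quote

# Snapshot timestamp taken from the post; pinning it keeps the package set reproducible.
SNAPSHOT = "https://snapshot.debian.org/archive/debian/20230311T025924Z"

# Constructed excerpt in Debian "Packages" index format. The first two stanzas reuse
# values from the post; "unpinned-example" is made up to exercise the refusal path.
SAMPLE_INDEX = """\
Package: isomd5sum
Version: 1.2.3-4+b4
Filename: pool/main/i/isomd5sum/isomd5sum_1.2.3-4+b4_amd64.deb
SHA256: d9c66e2278fc16cde37b18b92f7ce9a77930b6a69771dcbdf5d24974e94c74ff

Package: libacl1
Version: 2.2.53-10
Filename: pool/main/a/acl/libacl1_2.2.53-10_amd64.deb
SHA256: aa18d721be8aea50fbdb32cd9a319cb18a3f111ea6ad17399aa4ba9324c8e26a

Package: unpinned-example
Version: 0.0-1
Filename: pool/main/u/unpinned-example/unpinned-example_0.0-1_amd64.deb
"""

def parse_index(text):
    """Map package name -> fields for each stanza (continuation lines are skipped)."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l[0].isspace())
        pkgs[fields["Package"]] = fields
    return pkgs

def http_file_rule(pkg, prefix="amd64_debian11"):
    """Render one http_file() stanza; refuse any package without a valid SHA-256."""
    sha = pkg.get("SHA256", "")
    if not re.fullmatch(r"[0-9a-f]{64}", sha):
        raise ValueError(pkg["Package"] + ": no valid SHA256, refusing unpinned download")
    path = pkg["Filename"]
    deb = path.rsplit("/", 1)[-1]
    name = prefix + "_" + re.sub(r"[^A-Za-z0-9_]", "_", pkg["Package"])
    return ('http_file(\n'
            f'    name = "{name}",\n'
            f'    downloaded_file_path = "{deb}",\n'
            f'    sha256 = "{sha}",\n'
            f'    urls = ["{SNAPSHOT}/{quote(path)}"],\n'  # quote() turns "+" into %2B
            ')\n')

def generate(index_text, wanted):
    """Emit http_file() stanzas for the wanted packages, in the order given."""
    pkgs = parse_index(index_text)
    return "".join(http_file_rule(pkgs[name]) for name in wanted)
```

The hashes are only as trustworthy as the index they were read from, so a real run should verify the `Packages` file against the archive's signed `Release` file before generating anything.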
So we hope to eventually have this; we plan on extracting the necessary tooling into github.com/GoogleContainerTools/rules_distroless, but that's not ready (and I don't know when it will be).
In the meantime, I believe commercial vendors like Ubuntu, Chainguard, etc. have offerings to make this easier for you.
You mind if I start by moving over the debian_package_manager tooling to this repo? I already did all of the work locally to pull this into my own repo and then saw that you had created the rules_distroless repo. What do you think should all be pulled into the rules repo?
@michaeljs1990 go for it. I'm not actually sure when I'll find the time to do this, it's not in the near future.