
Distroless based image

Open anuraaga opened this issue 5 years ago • 3 comments

Currently, there are small runtime images of corretto using Alpine Linux. Is there any appetite for images based on distroless? I've been playing with a Dockerfile for it here

Distroless includes glibc so will work with boringssl (for example when used with gRPC / other Netty frameworks) while being about as small if not smaller than the Alpine-based linux. It doesn't include a package manager either so has a bit less of a security surface.

anuraaga, Aug 25 '20 06:08

@anuraaga Thanks for the idea. This is something that's come up in conversations but we don't have a roadmap item for it (yet). Does the image you have work as expected? Any problems you've observed?

If you can share, we'd also like to know what influences your choice to use distroless vs e.g. Alpine Linux for deployments. That also helps us to choose and prioritize upcoming features.

davecurrie, Aug 25 '20 18:08

@davecurrie Thanks! Yeah I have used that image in some sample apps and have not run into any issues. Using the :debug variant feels very much like Alpine since it provides busybox for troubleshooting scenarios.

A very similar image, which uses Zulu instead of Corretto but is otherwise set up in almost the same way, has also worked great in production across Zipkin and its various storage backends (Cassandra, Kafka, Elasticsearch). I think in general, this approach doesn't have gotchas (at the risk of speaking too soon :P)

https://github.com/openzipkin/docker-jre-full/blob/master/Dockerfile#L7

As for distroless vs Alpine Linux, most of my apps use gRPC or some other Netty-based framework. I have found Netty's TCNative-BoringSSL to perform at least as well as Java 11+ TLS; the bigger difference tends to be on apps with larger payloads. So it's a go-to library for me, and that requires a base image that includes glibc, meaning it doesn't work with Alpine. This is the #1 deciding factor for me and unfortunately is a hard yes / no, as opposed to e.g. comparing the image size itself. Other than that, fewer apps, such as Alpine's apk, mean less chance of container security scanners triggering for the image. I think this is nice too but not a dealbreaker since Alpine is already quite small.

Hope this helps, let me know if you need anything more from me.

anuraaga, Aug 26 '20 05:08
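The approach described in the thread (a glibc-based distroless runtime image carrying a Corretto JRE, with a `:debug` variant for troubleshooting) as an added example Dockerfile; this is not the Dockerfile linked in the issue nor anything from the corretto-docker project. It assumes the `amazoncorretto:17` image ships `jlink`, `jdeps` and the JDK's `jmods` directory, that the application is packaged as an `app.jar` in the build context, and that the trimmed runtime needs nothing from the OS beyond what `gcr.io/distroless/base-debian11` provides (glibc, libssl, ca-certificates, tzdata); verify that last assumption by running the built image once with `java -version`.

```dockerfile
# Stage 1: build a trimmed Java runtime from the Corretto JDK.
# Assumption: amazoncorretto:17 contains jlink, jdeps and $JAVA_HOME/jmods.
FROM amazoncorretto:17 AS jlink
WORKDIR /build
# Assumption: app.jar is built outside this Dockerfile and sits in the build context.
COPY app.jar /build/app.jar
# Let jdeps list the modules the jar actually uses; fall back to java.base if
# it cannot resolve everything (e.g. optional dependencies missing from the jar).
# jdk.crypto.ec is added explicitly so TLS with EC ciphers keeps working when
# a framework falls back from BoringSSL to the JDK provider.
RUN set -eux; \
    mods="$(jdeps --ignore-missing-deps --print-module-deps --multi-release 17 app.jar || echo java.base)"; \
    jlink --add-modules "${mods},jdk.crypto.ec" \
          --strip-debug --no-header-files --no-man-pages --compress=2 \
          --output /jre

# Stage 2: distroless base. It carries glibc (so netty-tcnative-boringssl-static
# can load its native library, unlike on musl/Alpine) but no shell and no
# package manager, which is what keeps the image scanner surface small.
# For troubleshooting, build with gcr.io/distroless/base-debian11:debug instead:
# same contents plus a busybox shell, as the :debug variant in the thread.
FROM gcr.io/distroless/base-debian11
COPY --from=jlink /jre /usr/lib/jvm/jre
COPY --from=jlink /build/app.jar /app/app.jar
ENV JAVA_HOME=/usr/lib/jvm/jre
ENV PATH="/usr/lib/jvm/jre/bin:${PATH}"
# distroless images define an unprivileged `nonroot` account; do not run the JVM as root.
USER nonroot:nonroot
# Absolute path: there is no shell in the final image to resolve PATH for us.
ENTRYPOINT ["/usr/lib/jvm/jre/bin/java", "-jar", "/app/app.jar"]
```

Smoke-test the result with `docker run --rm --entrypoint /usr/lib/jvm/jre/bin/java <image> -version`; if the JVM fails to start with a missing shared library, the runtime depends on something the distroless base does not ship, and the `:debug` variant is the place to inspect it.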

For what it's worth, we'd also be interested in this. We also need glibc and generally prefer images without any additional software for increased security.

Fleshgrinder, Mar 25 '22 20:03