Skip to content

Use a distroless based runtime image #18039

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 7 commits into from
Closed

Use a distroless based runtime image #18039

wants to merge 7 commits into from

Conversation

sandhose
Copy link
Member

Depends on #18038

Supersedes #18033

@sandhose sandhose mentioned this pull request Dec 18, 2024
Closed
@sandhose sandhose changed the base branch from develop to quenting/docker/speedup December 18, 2024 09:41
@sandhose sandhose force-pushed the quenting/docker/distroless branch from 5b9f7d9 to 7e5cbc6 Compare December 18, 2024 11:32
@sandhose sandhose force-pushed the quenting/docker/speedup branch from ea7a677 to d02f0cf Compare February 18, 2025 15:49
@sandhose sandhose force-pushed the quenting/docker/distroless branch 2 times, most recently from 97fd25c to 82c9a2a Compare February 19, 2025 10:33
Base automatically changed from quenting/docker/speedup to develop February 19, 2025 10:55
@sandhose sandhose force-pushed the quenting/docker/distroless branch from 82c9a2a to 47e4c6e Compare February 19, 2025 11:11
AndrewFerr
AndrewFerr reviewed Feb 21, 2025
View reviewed changes
docker/Dockerfile
done


###
### Stage 3: runtime
###

FROM docker.io/library/python:${PYTHON_VERSION}-slim-${DEBIAN_VERSION}
FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}:debug
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any value in making the image unprivileged?

Suggested change
FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}:debug
FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}:debug-nonroot

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looping back on this, root is indeed necessary since the start script may take administrative actions like changing file owners and running as other users.

@AndrewFerr AndrewFerr mentioned this pull request Mar 3, 2025
Closed
3 tasks
@sandhose sandhose closed this May 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AndrewFerr AndrewFerr AndrewFerr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sandhose @AndrewFerr