Skip to content

Use Distroless as base image#13556

Merged
ptabor merged 2 commits intoetcd-io:mainfrom
yank1:use-distroless-as-base-image
Jan 22, 2022
Merged

Use Distroless as base image#13556
ptabor merged 2 commits intoetcd-io:mainfrom
yank1:use-distroless-as-base-image

Conversation

@yank1
Copy link
Copy Markdown

@yank1 yank1 commented Dec 23, 2021

Use Distroless as base image to reduce attack surface and image size.

Metioned by #13459 , #10804 and #10805 .

Signed-off-by: yankay [email protected]

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

@yank1 yank1 mentioned this pull request Dec 23, 2021
Merged
serathius
serathius approved these changes Dec 24, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@serathius serathius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't followed previous discussions about Etcd base image, however I'm fully supporting for switching to distroless image for security reasons.

ptabor
ptabor suggested changes Jan 12, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@ptabor ptabor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM.

Could you please add it to changelog, as it might be important that some debugging tools will not be available within the image.

@yank1 yank1 force-pushed the use-distroless-as-base-image branch from 45e8346 to 94c426f Compare January 18, 2022 12:26
@yank1
Copy link
Copy Markdown
Author

yank1 commented Jan 18, 2022

Thanks for comments, the message have been add to changelog

SGTM.

Could you please add it to changelog, as it might be important that some debugging tools will not be available within the image.

@yankay
Fix for code style
3817521 
Signed-off-by: yankay <[email protected]>
@yank1 yank1 force-pushed the use-distroless-as-base-image branch from 94c426f to 3817521 Compare January 18, 2022 13:13
ptabor
ptabor approved these changes Jan 21, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@ptabor ptabor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you. Will merge when tests are green.

@ptabor ptabor merged commit 451ea54 into etcd-io:main Jan 22, 2022
This was referenced May 20, 2022
Closed
Closed
@joestringer
Copy link
Copy Markdown

joestringer commented Aug 24, 2022

Hi @yank1 , I see that this changed the base image to gcr.io/distroless/base-debian11. However, it seems like etcd is compiled statically so it may be possible to further reduce the attack surface by switching to gcr.io/distroless/static-debian11. Did you consider this option?

@serathius
Copy link
Copy Markdown
Member

serathius commented Dec 21, 2022

It struck me when reading #14792. Busybox is a GPL licensed https://hub.docker.com/_/busybox https://www.busybox.net/license.html

Not a expert, but I think there is a risk of etcd breaking busybox license by distributing docker image that busybox. My recommendation would be to remove it.

Problem is that we backported this PR and released v3.4.23. I would recommend to remove/replace docker images.
cc @ahrtr @ptabor @spzala.

@ptabor
Copy link
Copy Markdown
Contributor

ptabor commented Dec 21, 2022

Thank you Marek, for spotting this.

My thoughts are following:

  1. I think it didn't introduced any regression. Full debian (k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0) contained also e.g. bash, that is GPL licensed software: https://www.gnu.org/licenses/gpl-3.0.html
  2. Thus I wouldn't perform any replacement in 3.4.23.
  3. Having said that, I think we might not need the busybox at all:

@ptabor ptabor mentioned this pull request Dec 21, 2022
Closed
@ahrtr
Copy link
Copy Markdown
Member

ahrtr commented Dec 22, 2022

It struck me when reading #14792.

I assume you were talking about #15017 or #15016

Not a expert, but I think there is a risk of etcd breaking busybox license by distributing docker image that busybox

Shouldn't it be OK as long as etcd's an open source project?

3. Having said that, I think we might not need the busybox at all:

The only impact would be that users can't log into a running container firstly and then execute command (e.g etcdctl). Instead, they can do it in just one command.

@iavael
Copy link
Copy Markdown
Contributor

iavael commented Jan 20, 2023

@serathius if etcd doesn't link to busybox, then it's fine

@ahrtr
Copy link
Copy Markdown
Member

ahrtr commented Jan 20, 2023

FYI. #15037

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@serathius serathius serathius approved these changes

+1 more reviewer

@ptabor ptabor ptabor approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

stage/merge-when-tests-green

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@yank1 @joestringer @serathius @ptabor @ahrtr @iavael @yankay