Distroless Docker images

Published: Nov 14, 2018
Last Updated: Oct 28, 2020
Oct 2020

When building Docker images for our applications, we often weigh two things: the security and the size of the image. Traditionally, we've used container security scanning tools to detect and fix common vulnerabilities and exposures, and Alpine Linux to address image size and distribution performance. We've now gained more experience with distroless Docker images and are ready to recommend this approach as another important security precaution for containerized applications. Distroless Docker images reduce footprint and dependencies by removing the full operating system distribution. This technique reduces security scanner noise and the application's attack surface and leaves fewer vulnerabilities to patch; in addition, these smaller images are more efficient. Google has published a set of distroless container images for different languages. You can create simple application images with Google's build tool Bazel or just with multistage Dockerfiles. Note that by default distroless containers have no shell for debugging. However, you can easily find debug versions of distroless containers online, including a BusyBox shell. Distroless Docker images are a technique pioneered by Google and, in our experience, are still largely limited to images produced by Google. We hope this technique will spread beyond that ecosystem.

Nov 2018

When building Docker images for our applications, we're often concerned with two things: the security and the size of the image. Traditionally, we've used container security scanning tools to detect and patch common vulnerabilities and exposures, and small distributions such as Alpine Linux to address image size and distribution performance. In this Radar, we're excited about addressing the security and size of containers with a new technique called distroless Docker images, pioneered by Google. With this technique, the footprint of the image is reduced to the application, its resources and its language runtime dependencies, without an operating system distribution. The advantages of this technique include reduced noise from security scanners, a smaller attack surface, less overhead in patching vulnerabilities and a smaller image size for better performance. Google has published a set of distroless container images for different languages. You can create distroless application images using the Google build tool Bazel, which has rules for creating distroless containers, or simply use multistage Dockerfiles. Note that distroless containers by default don't have a shell for debugging. However, you can easily find debug versions of distroless containers online, including a BusyBox shell.
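Both entries above point to multistage Dockerfiles as the simple way to produce a distroless image and mention the debug variants that carry a BusyBox shell. The Dockerfile below is an added example, not code from the Radar or from Google's distroless project; it assumes the build context holds a Go module (with go.mod and go.sum) whose main package is at the module root and listens on port 8080.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a fully static Go binary on a full-featured builder image.
# The toolchain, package manager and shell live only in this stage and never
# reach the final image.
FROM golang:1.21 AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 removes the libc dependency so the binary runs on the "static"
# distroless image, which ships no libc at all; -s -w strips symbols and
# -trimpath removes build-host paths, shrinking the result further.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app .

# Stage 2: copy only the binary into a distroless runtime image.
# The :nonroot tag runs as the unprivileged user the distroless images define.
# For troubleshooting, override RUNTIME to get the BusyBox shell variant:
#   docker build --build-arg RUNTIME=gcr.io/distroless/static:debug-nonroot .
# and keep the non-debug tag for anything that ships to production.
ARG RUNTIME=gcr.io/distroless/static:nonroot
FROM ${RUNTIME}
COPY --from=builder /out/app /app
# Made explicit so the drop of privileges survives a change of base tag.
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/app"]
```

A scanner run against the resulting image reports only findings in the Go runtime and the application itself, since there is no package database or distribution userland to flag.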