visit
Performance
Docker images are copied, transmitted, and launched by container fleet managers. It all takes time, time spent on a disk I/O and a networking I/O.And there are min spec machines which are cheap in the cloud, so fitting more containers into one machine means less machine spawns.Security
Attack surface can be explained in a few words: whatever your docker image has can be attacked, and the more it has the more likely it will be attacked. It’s that simple. Usually, Linux distribution based docker images contain tons of stuff you won’t ever need, but hackers can use it to hack into your system.Money
Remember your favorite cloud provider and its offer. Let’s imagine you want to pay only for a low spec machine with just 1 GB of RAM. If your image size is 500 MB then you can fit two, but if you can reduce it to 100 MB then you can fit ten containers. It really matters! Even if you are not an internet behemoth like Google or Netflix, and even if you have relatively small applications with much fewer users, the costs accumulate over time.Contents
Containers are not virtual machines, you don’t need huge binaries for the OS to run your application. You don’t need ls or grep find cat or even bash in your container to run the java/go/node app. If you are used to logging into your container images and playing with bash as a root, you’re out of luck in general (highly not recommended), but with distroless it’s simply impossible.Size
Compare the image sizes for a second.Security
It’s a recommended practice, and even more a simply obligatory practice (compliance etc.), to scan the containers for known vulnerabilities using scanners.A better signal to noise for container security scanners is one of the important reasons for distroless containers, also less files to scan and less I/O and CPU consumption for scanning as well. What does this really mean? Usually, the default distributions come with tens of security warnings and issues, which are often ignored, which is a risky strategy because among them (noise) can be a few significant security issues that can jeopardize your application security.With cleaner container images, which generate close to zero warnings and errors during the scanning process, you can clearly see things that matter, so the signal to noise ratio is much higher.Let’s scan our images using a clair-scanner.docker run -d --name db arminc/clair-db
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
Do it yourself
Distroless images are here. Google, which seemed to start this movement, is publishing their own distroless images for Java, Python, Go and C++.Note that you do not (usually) have the package manager in a distroless base image (which can be shocking at first). Again no apt or pip, you have to install the dependencies in another way. An alternative way is to use a multi stage build, a feature from Docker which will allow us the effects (files) created by a package manager for our target of a distroless based image. So we can have both, the temporary package manager in a temporary docker image and the flattened file system resulting in a smaller image. Like everything you do yourself, the question of maintenance arises. Who, when, and how will it update your local distroless image? This has to be addressed, otherwise, without proper maintenance and base dependencies updates, it will rust very quickly and defeat the purpose of its creation.Alpine Linux
Alpine Linux is a very tiny linux distribution which is only 4 MB in size.Alpine musl libc and busybox lack GNU glibc support and lack of GNU glibc support means trouble.For instance, JDK doesn’t run on musl libc, there is a port called Portola, but it’s certainly not as well tested and reliable as official JDK distributions. It's hard to imagine running critical business applications on protype. Of course there is news that the new version is working or soon will be working.Alpine meant for instance, that Python containers had to download all the dependencies and as a consequence they have become bigger with the Alpine base image than without it (sic!).Additionally, Alpine Linux image contains busybox tools, apk (package manager) and other binaries you simply don’t need to run your application. Alpine with glibc? Yes, there are containers based on Alpine plus glibc libraries. Still it’s not as easy as Alpine fans would like it to be.Slim images
As you could see in the example above, there are readily available ‘slim’ versions of the official images for any given language runtime, which are well worth investigating. However, they often do have a shell and command tools that are not good for container security. Sometimes they can contain excess binaries you don’t need, and they don’t have the ones you do need which can break your runtime dependencies.Minimize image size using tools
Another approach is to use a standard base image (not minimized) and then use automatic tools to detect dependencies and remove files that are not needed. For example a minicon analysis existing in containers gives some hints, for instance the RUN commands and other commands that will be required, and based on that, hints are able to significantly reduce the image size of the container.The risk however is that automated dependency findings may fail and result in a runtime container unable to run your application. I endured tiresome trial and error efforts in order to fix runtime errors (file not found, dependent library missing etc.) by adding missing libraries, configuration files and environment settings.Felix Hassert, Avenga, Director of Products & Hosting
In the Go(lang) environment distroless images have been around for quite a while. Go usually compiles ‘almost statically’ linked fat binaries. This makes it especially easy to use distroless containers.For our Go based components in , we use multi-stage docker builds: The Go build is carried out in a
golang:<version>
image; the produced binary is copied into a scratch image afterwards. The `FROM SCRATCH` directive is not only distroless, it’s literally empty. Less of a footprint in terms of size and the attack surface isn’t even possible.In times where everyone pushes their branches early-and-often and CI/CD is in place, faster downloads and less space used in the Docker Registry is a plus on its own. But more important are the positive effects of enforced discipline:If nothing is in the base image, you have to bring everything needed deliberately. There are no hidden dependencies. Your software won’t break if lib A forces you to upgrade the base image that could come with an incompatible version of lib B.It is much easier to follow security best practices too. Without files, there is no hassle with file permissions. Just run your entrypoint with an unprivileged user id and make the root folder unwriteable. This will avoid a whole class of file system related errors. You simply cannot write to a disk without a Docker volume. There is no temptation to write logs anywhere else than to stdout/stderr.However, even for the Go software it can be tricky to run in a scratch container. For example, if you need to process HTTPS traffic, you need to bring the CA certificates yourself. Debugging can also be tricky, because you don’t have a shell to execute, but Docker allows you to start a full fledged debugging container (with shell, strace and other handy tools) and attach that to the process space of the specimen container docker run -it --rm --pid=container:<go-container> --cap-add SYS_PTRACE alpine sh
Vladyslav Litovka, DevOps expert
On recent projects we’ve moved to using multistage builds and minified containers; mostly Alpine based but also distorless. In some cases it was forced by customer requirements (like Andriy said), and in some cases it was our decision. Anyway, project wide I can say that in most cases it’s option 1, in some option 2 and 3.Great article. Good and simple explanations. It contains the exact amount of technical details which allows us to understand the main purpose and implementation direction in just 15 minutes of a reader’s time.Andrew Petryk, Java Engineering Manager
We, at , have used distroless containers in production environments for more than 3 months and are already using multi-stage builds. We weren’t there from the beginning but we were forced, by the security restrictions of our customer to do that. And it worked like a charm (of course with proper orchestration and logging management).Overall, it seems to be a trend - everything is becoming smaller. I remember the days when deploying .war to a Java Web Application Server was a several minute task where now micro-frameworks fight for sub-second startup time. We have made quite good progress there. The same goes for docker images, but the fight is for MBs rather than seconds. I can’t say that I am solidly in one of the camps Jacek mentioned above (except for camp 1 :) ) because, as it usually happens in IT, it depends on many factors. But for sure, distroless images are a thing and you definitely should give it a try.Find out what else Avenga is doing and also check out ourprofile.