Open jonjohnsonjr opened 5 years ago
Who is maintaining these images? Is there a delta between what's found at gcr.io/distroless and docker registry?
> Who is maintaining these images?
We are! (well... our organizational cousins are): https://github.com/GoogleContainerTools/distroless
> Is there a delta between what's found at gcr.io/distroless and docker registry?
Yeah, distroless doesn't contain a shell or any random binaries. This results in smaller images and a smaller attack surface for vulnerabilities.
+1 on this for minimal images - I just tried the Python guestbook app from Hungary, the image is 1.1 GB and that takes 3.7 minutes just to push to eu.gcr.io.
N.B.: some of our images (everything except Java and Golang) have been moved to Alpine Linux for performance reasons.
This might be worth trying for Java and Golang at some point.
@jonjohnsonjr distroless
Java images don't seem to support ARM, which is required for GKE.
Is that something y'all plan to add? If not, do you mind if I close this issue?
> Java images don't seem to support ARM
The debian11 variants do, e.g. https://explore.ggcr.dev/?image=gcr.io/distroless/java17-debian11:nonroot
See https://github.com/GoogleContainerTools/distroless#docker for current images.
We currently use random images from dockerhub as the runtime images instead of gcr.io/distroless.
This has some performance benefits due to locality of images when running any of this on GCP.