simonz130
commented
4 years ago Who is maintaining these images? Is there a delta between what's found at gcr.io/distroless and docker registry?
Open jonjohnsonjr opened 5 years ago
simonz130
commented
4 years ago Who is maintaining these images? Is there a delta between what's found at gcr.io/distroless and docker registry?
jonjohnsonjr
commented
4 years ago Who is maintaining these images?
We are! (well... our organizational cousins are): https://github.com/GoogleContainerTools/distroless
Is there a delta between what's found at gcr.io/distroless and docker registry?
Yeah, distroless doesn't contain a shell or any random binaries. This results in smaller images and a smaller attack surface for vulnerabilities.
balopat
commented
4 years ago +1 on this for minimal images - I just tried the python guestbook app from Hungary, the image is 1.1GB and that takes 3.7minutes just to push to eu.gcr.io.
ace-n
commented
2 years ago N.B: some of our images (everything except Java and Golang) have been moved to Alpine linux for performance reasons.
This might be worth trying for Java and Golang at some point.
ace-n
commented
2 years ago @jonjohnsonjr distroless Java images don't seem to support ARM, which is required for GKE.
Is that something y'all plan to add? If not, do you mind if I close this issue?
jonjohnsonjr
commented
2 years ago Java images don't seem to support ARM
The debian11 variants do, e.g. https://explore.ggcr.dev/?image=gcr.io/distroless/java17-debian11:nonroot
See https://github.com/GoogleContainerTools/distroless#docker for current images.
We currently use random images from dockerhub as the runtime images instead of gcr.io/distroless.
This has some performance benefits due to locality of images when running any of this on GCP.