GoogleContainerTools / distroless

🥑 Language focused docker images, minus the operating system.
Apache License 2.0

Can I build distroless rhel7 image? #292

Closed ailjushkin closed 5 years ago

ailjushkin commented 5 years ago

That is the question. Is it possible to cut everything excluding Oracle Instant Client and python 3.6 libs?

lathama commented 5 years ago

The intent as stated is:

> "Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

Further I am not sure that RHEL licensing supports docker containers.

lathama commented 5 years ago

@ailjushkin did that answer help or do you have more questions? If it answered your questions can you close this issue.

ailjushkin commented 5 years ago

Right, thanks

grepwood commented 1 year ago

Sorry to necro, but that's not entirely true...

> "Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

For a solution that claims to be distro agnostic to the extreme, there sure seems to be a lot of code made for dealing with Debian lying around this repository:

  1. https://github.com/GoogleContainerTools/distroless/tree/main/debian_package_manager
  2. https://github.com/GoogleContainerTools/distroless/blob/e41e84330f6febc60e0928293ba6d25f5b693bd0/package_manager/dpkg.bzl#L35
  3. https://github.com/GoogleContainerTools/distroless/blob/e41e84330f6febc60e0928293ba6d25f5b693bd0/private/pkg/dpkg_status.go#L17
  4. https://github.com/GoogleContainerTools/distroless/blob/e41e84330f6febc60e0928293ba6d25f5b693bd0/private/pkg/dpkg_status.bzl#L18
  5. https://github.com/GoogleContainerTools/distroless/blob/e41e84330f6febc60e0928293ba6d25f5b693bd0/package_manager/dpkg_parser.py#L91
  6. https://github.com/GoogleContainerTools/distroless/blob/e41e84330f6febc60e0928293ba6d25f5b693bd0/package_manager/dpkg_extract.sh#L7
  7. https://github.com/GoogleContainerTools/distroless/blob/e41e84330f6febc60e0928293ba6d25f5b693bd0/package_manager/BUILD#L5
  8. https://github.com/GoogleContainerTools/distroless/blob/e41e84330f6febc60e0928293ba6d25f5b693bd0/private/pkg/BUILD.bazel#L26
  9. https://github.com/GoogleContainerTools/distroless/blob/e41e84330f6febc60e0928293ba6d25f5b693bd0/private/remote/debian_archive.bzl#L4

distroless makes Docker images based on a particular version of Debian, Debian dependencies installed, your app, and now minus the Debian. Debian is simply used as a vehicle for obtaining a reproducible set of runtime dependencies, not even resolved by Debian's apt or dpkg, but with a 3rd-party dpkg resolver.

What if someone works in an organization that does not allow the use of Debian in any capacity?

afbjorklund commented 1 year ago

> What if someone works in an organization that does not allow the use of Debian in any capacity?

You could make your own redhatless distro similar to the debianless, and it would still be distroless.

grepwood commented 1 year ago

> You could make your own redhatless distro similar to the debianless, and it would still be distroless.

That's amazing! How much of my time should I reserve to pursue this? As I understand, distroless works pretty tight with Debian, so I don't know how many things need to be re-wired for RHEL.

afbjorklund commented 1 year ago

> How much of my time should I reserve to pursue this?

Probably all of it, I think distroless is debian-only (as noted).

And most likely, if you do so you will need to use the UBI* as a base due to licensing concerns. Or Fedora, perhaps.

* https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image

I don't know enough of Bazel to know how much work is involved, but the project is struggling to keep Debian up-to-date.

afbjorklund commented 1 year ago

Actually Red Hat recommends against using distroless...

https://www.redhat.com/en/blog/why-distroless-containers-arent-security-solution-you-think-they-are

Instead they are promoting their "UBI Micro": https://www.redhat.com/en/blog/introduction-ubi-micro

grepwood commented 1 year ago

🤷‍♂️ I use their UBI images but outside of Bazel. Docker is not really something that plays well with Bazel's idea of reproducibility - that the same input data always yields the same output data. This is because in any distro perhaps except Nix, there's the package index and packages themselves that are beyond our control. I understand how distroless solves this problem and imho both RedHat articles fail to see this side of the issue.
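The two points made in this thread, that Debian is only a vehicle for obtaining a fixed set of runtime dependencies via a third-party dpkg resolver, and that reproducibility breaks because the package index and packages are outside the builder's control, can be illustrated with a small resolver. The following is an added example, not code from the distroless project: it parses a constructed Debian-style `Packages` index, computes the dependency closure of a root package, records each package's version and SHA256 as a lock, and then reports drift when a later copy of the index has rebuilt one of the packages. All package versions and digests are constructed sample values, and the function names (`parse_packages_index`, `resolve`, `check_lock`, `verify_blob`) are this example's own.

```python
"""Added example, not distroless project code: a minimal resolver over a
Debian-style "Packages" index that pins the resolved closure by version and
SHA256, so a later index update is detected instead of silently changing the
image. All package versions and digests below are constructed samples."""
import hashlib
from collections import deque

# Constructed index stanzas in Debian control-file syntax; digests are placeholders.
COMMON_STANZAS = """\
Package: python3.6
Version: 3.6.9-1
Depends: libpython3.6 (= 3.6.9-1), libc6 (>= 2.28)
SHA256: aaaaaaaa00000000000000000000000000000000000000000000000000000001

Package: libpython3.6
Version: 3.6.9-1
Depends: libc6 (>= 2.28), libssl1.1 (>= 1.1.1) | libssl1.0 (>= 1.0.2)
SHA256: aaaaaaaa00000000000000000000000000000000000000000000000000000002

Package: libc6
Version: 2.28-10
SHA256: aaaaaaaa00000000000000000000000000000000000000000000000000000004

"""
LIBSSL_AT_LOCK_TIME = """\
Package: libssl1.1
Version: 1.1.1d-0+deb10u3
Depends: libc6 (>= 2.25)
SHA256: aaaaaaaa00000000000000000000000000000000000000000000000000000003
"""
# The same package after an upstream rebuild: new version, new digest.
LIBSSL_AFTER_UPDATE = LIBSSL_AT_LOCK_TIME.replace(
    "1.1.1d-0+deb10u3", "1.1.1n-0+deb10u4").replace("aaaaaaaa", "bbbbbbbb")
INDEX_AT_LOCK_TIME = COMMON_STANZAS + LIBSSL_AT_LOCK_TIME
INDEX_AFTER_UPDATE = COMMON_STANZAS + LIBSSL_AFTER_UPDATE


def parse_packages_index(text):
    """Parse blank-line separated stanzas into {package_name: {field: value}}."""
    packages, fields, last_key = {}, {}, None
    for line in text.splitlines() + [""]:      # sentinel flushes the last stanza
        if not line.strip():
            if fields:
                packages[fields["Package"]] = fields
            fields, last_key = {}, None
        elif line[0] in " \t":                   # folded continuation of last field
            fields[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
            last_key = key
    return packages


def parse_depends(field):
    """Package names from a Depends field: first alternative of each
    'a | b' group, with version constraints and ':any' qualifiers dropped."""
    names = []
    for clause in field.split(","):
        first = clause.split("|")[0].split("(")[0].strip()
        if first:
            names.append(first.split(":")[0])
    return names


def resolve(index, roots):
    """Transitive closure of `roots` as {name: (version, sha256)}: the exact
    artifacts that would be unpacked into the image."""
    resolved, queue = {}, deque(roots)
    while queue:
        name = queue.popleft()
        if name in resolved:
            continue
        if name not in index:
            raise LookupError(f"{name!r} is not in the package index")
        fields = index[name]
        resolved[name] = (fields["Version"], fields["SHA256"])
        queue.extend(parse_depends(fields.get("Depends", "")))
    return resolved


def check_lock(index, lock):
    """Compare a pinned closure against a (possibly newer) index; returns drift
    messages, empty when the locked inputs are still exactly available."""
    drift = []
    for name, (version, digest) in sorted(lock.items()):
        fields = index.get(name)
        if fields is None:
            drift.append(f"{name}: no longer in index")
        elif fields["Version"] != version:
            drift.append(f"{name}: version {version} -> {fields['Version']}")
        elif fields["SHA256"] != digest:
            drift.append(f"{name}: same version but SHA256 changed")
    return drift


def verify_blob(data, expected_sha256):
    """Check a fetched .deb against the pinned digest before unpacking it."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


if __name__ == "__main__":
    lock = resolve(parse_packages_index(INDEX_AT_LOCK_TIME), ["python3.6"])
    for name, (version, digest) in sorted(lock.items()):
        print(f"{name:<14}{version:<20}{digest[:16]}...")
    print("drift after upstream update:",
          check_lock(parse_packages_index(INDEX_AFTER_UPDATE), lock))
```

The lock produced at resolve time is what makes the build hermetic: a rebuild fetches exactly the locked versions and rejects any archive whose digest does not match, and `check_lock` turns an upstream index change into an explicit, reviewable diff rather than a silently different image.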