Document instructions for Alpine distroless

[richlander]

We (.NET Team) are interested in producing Alpine distroless container images. We'd only want to do that based on official instructions. We've talked to @kaniini about that in the past. It would be great if official instructions were posted that we could rely on with confidence. We did a similar project with Canonical and that worked well for us.

Alpine is already very small. As you know, distroless isn't just about size reduction.

Related context:

• https://twitter.com/dpbevin/status/1644519523624837121
• https://github.com/dotnet/dotnet-docker/issues/4162

[kaniini]

Since I was tagged, I will simply state that Alpine itself does not provide any official guidance for going smaller than alpine-base.

There are a few tools that can be used to compose such images, alpine-make-rootfs is one option, or if you want something more explicitly declarative, you can build with apko and build packages for use with apko using either abuild or melange.

I would personally recommend going with the package + apko route, so that SCA tools can fully understand the contents of the image. This is something that chisel doesn't get right: it does not store the dpkg database, so SCA tools fail to analyze the base image components.

[richlander]

Thanks for that. We will likely look into that and was expecting we would end up there. We may ask for a review that we are on the right track.

The chisel folks are still working on that problem. Agree that auditability is a key requirement for container images.