fanquake / core-review

Scripts, tools & info for doing Bitcoin Core development and code review
https://github.com/bitcoin/bitcoin

Consider moving to a distroless image #26

Open naveensrinivasan opened 2 years ago

naveensrinivasan commented 2 years ago

https://github.com/GoogleContainerTools/distroless#why-should-i-use-distroless-images

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.

Distroless images are very small. The smallest distroless image, gcr.io/distroless/static-debian11, is around 2 MiB. That's about 50% of the size of alpine (~5 MiB), and less than 2% of the size of debian (124 MiB).

https://github.com/fanquake/core-review/blob/741d40294b028b7131d65746e6eb564c7de51965/guix/debian.Dockerfile#L1

These images are also signed https://github.com/GoogleContainerTools/distroless#how-do-i-verify-distroless-images

maflcko commented 1 year ago

Not sure. Those are not available on, let's say, riscv64. Also, a package manager is required to install required packages, such as the guix package, or tools to download and install guix.