kubernetes / git-sync

A sidecar app which clones a git repo and keeps it in sync with the upstream.
Apache License 2.0

Drop distroless and DIY #781

Closed thockin closed 11 months ago

thockin commented 11 months ago

Distroless is stuck on debian 11 - we can do the same thing, more or less in our own script. Sad that we have to, but here we are.

The net result is about 8MB smaller and passes e2e and passes trivy.

Fixes #779 Fixes #780

justinsb commented 11 months ago

Looks good, but one question... why do we do this in stage_binaries.sh?

dpkg -s "${package}" > "${staging}/var/lib/dpkg/status.d/${package}"

Is apt / dpkg available in the final image? Is it used somewhere in the staging process?

thockin commented 11 months ago

re /var/lib/dpkg/status.d/ - apt is not in the final image. This seems to be the negotiated truce between such images (including those created by bazel) and security scanners. Just enough metadata to satisfy trivy.
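The status.d mechanism described above, as an added example that is not git-sync's stage_binaries.sh: a scanner such as trivy enumerates packages in an apt-less image by reading one `dpkg -s`-style record per package from `/var/lib/dpkg/status.d/`, so the functions below write such a record, list what the scanner would see, and flag packages that were staged (copyright dir present, as in the build log) but got no record and are therefore invisible to the scan. The directory layout and the sample record in the test are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not git-sync's own stage_binaries.sh. Shows the per-package
# metadata written to /var/lib/dpkg/status.d/<pkg> for images that ship no
# apt or dpkg, plus a coverage check a build can run before scanning.
set -euo pipefail

# Write one `dpkg -s`-style record (read from stdin) as status.d/<pkg>.
# Refuses records without matching Package or any Version: the scanner
# matches advisories on name + version, so a malformed entry means
# silently zero findings rather than an error.
stage_status_entry() {
  local staging="$1" pkg="$2" record name version
  record="$(cat)"
  name="$(printf '%s\n' "$record" | sed -n 's/^Package: //p')"
  version="$(printf '%s\n' "$record" | sed -n 's/^Version: //p')"
  if [ "$name" != "$pkg" ] || [ -z "$version" ]; then
    echo "bad status record for ${pkg}" >&2
    return 1
  fi
  mkdir -p "${staging}/var/lib/dpkg/status.d"
  printf '%s\n' "$record" > "${staging}/var/lib/dpkg/status.d/${pkg}"
}

# Enumerate what a scanner would see: "name version arch" per entry.
# Field separator is the literal ": " so epoch versions like 1:2.39.2 survive.
staged_packages() {
  local staging="$1" f
  for f in "${staging}"/var/lib/dpkg/status.d/*; do
    [ -f "$f" ] || continue
    awk -F': ' '/^Package: /{p=$2} /^Version: /{v=$2} /^Architecture: /{a=$2}
                END{print p, v, a}' "$f"
  done
}

# Packages with a staged copyright/<pkg> directory but no status.d entry:
# their files are in the image, yet no scanner will ever match them.
unscanned_packages() {
  local staging="$1" d pkg
  for d in "${staging}"/copyright/*/; do
    [ -d "$d" ] || continue
    pkg="$(basename "$d")"
    [ -e "${staging}/var/lib/dpkg/status.d/${pkg}" ] || echo "$pkg"
  done
}
```

Run `unscanned_packages /staging` as the last step of the staging stage and fail the build if it prints anything, since a clean trivy report over an image with missing records proves nothing.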

thockin commented 11 months ago

Added some comments

thockin commented 11 months ago

Result: 57.7MB

A build looks like:

<other stuff unchanged here>

#9 [base 5/8] RUN mkdir -p /staging
#9 DONE 0.2s

#10 [base 6/8] COPY stage_binaries.sh /
#10 DONE 0.1s

#11 [base 7/8] RUN /stage_binaries.sh -o /staging   -p base-files   -p dash     -p coreutils    -p git  -p openssh-client   -p ca-certificates  -p socat    -b /bin/grep    -b /bin/sed     -f /etc/debian_version  -f /etc/group   -f /etc/nsswitch.conf   -f /etc/os-release  -f /etc/passwd  -f /etc/shadow
#11 0.959 staging package base-files
#11 2.897   package base-files size: +388 kB (of 392 kB)
#11 2.898 staging package dash
#11 5.773   package dash size: +5748 kB (of 6140 kB)
#11 5.774 staging package coreutils
#11 11.66   package coreutils size: +7644 kB (of 13784 kB)
#11 11.66 staging package git
#11 13.28   debconf: delaying package configuration, since apt-utils is not installed
#11 13.34   Selecting previously unselected package perl-modules-5.36.
#11 13.34   (Reading database ... 4582 files and directories currently installed.)
#11 13.34   Preparing to unpack .../00-perl-modules-5.36_5.36.0-7_all.deb ...
#11 13.35   Unpacking perl-modules-5.36 (5.36.0-7) ...
#11 13.66   Selecting previously unselected package libgdbm6:amd64.
#11 13.66   Preparing to unpack .../01-libgdbm6_1.23-3_amd64.deb ...
#11 13.68   Unpacking libgdbm6:amd64 (1.23-3) ...
#11 13.74   Selecting previously unselected package libgdbm-compat4:amd64.
#11 13.74   Preparing to unpack .../02-libgdbm-compat4_1.23-3_amd64.deb ...
#11 13.74   Unpacking libgdbm-compat4:amd64 (1.23-3) ...
#11 13.80   Selecting previously unselected package libperl5.36:amd64.
#11 13.80   Preparing to unpack .../03-libperl5.36_5.36.0-7_amd64.deb ...
#11 13.81   Unpacking libperl5.36:amd64 (5.36.0-7) ...
#11 14.15   Selecting previously unselected package perl.
#11 14.15   Preparing to unpack .../04-perl_5.36.0-7_amd64.deb ...
#11 14.17   Unpacking perl (5.36.0-7) ...
#11 14.24   Selecting previously unselected package libbrotli1:amd64.
#11 14.24   Preparing to unpack .../05-libbrotli1_1.0.9-2+b6_amd64.deb ...
#11 14.25   Unpacking libbrotli1:amd64 (1.0.9-2+b6) ...
#11 14.33   Selecting previously unselected package libcom-err2:amd64.
#11 14.33   Preparing to unpack .../06-libcom-err2_1.47.0-2_amd64.deb ...
#11 14.34   Unpacking libcom-err2:amd64 (1.47.0-2) ...
#11 14.39   Selecting previously unselected package libkrb5support0:amd64.
#11 14.39   Preparing to unpack .../07-libkrb5support0_1.20.1-2_amd64.deb ...
#11 14.40   Unpacking libkrb5support0:amd64 (1.20.1-2) ...
#11 14.47   Selecting previously unselected package libk5crypto3:amd64.
#11 14.47   Preparing to unpack .../08-libk5crypto3_1.20.1-2_amd64.deb ...
#11 14.47   Unpacking libk5crypto3:amd64 (1.20.1-2) ...
#11 14.53   Selecting previously unselected package libkeyutils1:amd64.
#11 14.53   Preparing to unpack .../09-libkeyutils1_1.6.3-2_amd64.deb ...
#11 14.54   Unpacking libkeyutils1:amd64 (1.6.3-2) ...
#11 14.60   Selecting previously unselected package libssl3:amd64.
#11 14.60   Preparing to unpack .../10-libssl3_3.0.9-1_amd64.deb ...
#11 14.61   Unpacking libssl3:amd64 (3.0.9-1) ...
#11 14.78   Selecting previously unselected package libkrb5-3:amd64.
#11 14.78   Preparing to unpack .../11-libkrb5-3_1.20.1-2_amd64.deb ...
#11 14.78   Unpacking libkrb5-3:amd64 (1.20.1-2) ...
#11 14.87   Selecting previously unselected package libgssapi-krb5-2:amd64.
#11 14.87   Preparing to unpack .../12-libgssapi-krb5-2_1.20.1-2_amd64.deb ...
#11 14.87   Unpacking libgssapi-krb5-2:amd64 (1.20.1-2) ...
#11 14.93   Selecting previously unselected package libsasl2-modules-db:amd64.
#11 14.93   Preparing to unpack .../13-libsasl2-modules-db_2.1.28+dfsg-10_amd64.deb ...
#11 14.93   Unpacking libsasl2-modules-db:amd64 (2.1.28+dfsg-10) ...
#11 14.98   Selecting previously unselected package libsasl2-2:amd64.
#11 14.98   Preparing to unpack .../14-libsasl2-2_2.1.28+dfsg-10_amd64.deb ...
#11 14.99   Unpacking libsasl2-2:amd64 (2.1.28+dfsg-10) ...
#11 15.05   Selecting previously unselected package libldap-2.5-0:amd64.
#11 15.05   Preparing to unpack .../15-libldap-2.5-0_2.5.13+dfsg-5_amd64.deb ...
#11 15.06   Unpacking libldap-2.5-0:amd64 (2.5.13+dfsg-5) ...
#11 15.12   Selecting previously unselected package libnghttp2-14:amd64.
#11 15.12   Preparing to unpack .../16-libnghttp2-14_1.52.0-1_amd64.deb ...
#11 15.13   Unpacking libnghttp2-14:amd64 (1.52.0-1) ...
#11 15.19   Selecting previously unselected package libpsl5:amd64.
#11 15.19   Preparing to unpack .../17-libpsl5_0.21.2-1_amd64.deb ...
#11 15.19   Unpacking libpsl5:amd64 (0.21.2-1) ...
#11 15.25   Selecting previously unselected package librtmp1:amd64.
#11 15.25   Preparing to unpack .../18-librtmp1_2.4+20151223.gitfa8646d.1-2+b2_amd64.deb ...
#11 15.26   Unpacking librtmp1:amd64 (2.4+20151223.gitfa8646d.1-2+b2) ...
#11 15.32   Selecting previously unselected package libssh2-1:amd64.
#11 15.32   Preparing to unpack .../19-libssh2-1_1.10.0-3+b1_amd64.deb ...
#11 15.33   Unpacking libssh2-1:amd64 (1.10.0-3+b1) ...
#11 15.39   Selecting previously unselected package libcurl3-gnutls:amd64.
#11 15.39   Preparing to unpack .../20-libcurl3-gnutls_7.88.1-10+deb12u1_amd64.deb ...
#11 15.40   Unpacking libcurl3-gnutls:amd64 (7.88.1-10+deb12u1) ...
#11 15.47   Selecting previously unselected package libexpat1:amd64.
#11 15.48   Preparing to unpack .../21-libexpat1_2.5.0-1_amd64.deb ...
#11 15.48   Unpacking libexpat1:amd64 (2.5.0-1) ...
#11 15.53   Selecting previously unselected package liberror-perl.
#11 15.53   Preparing to unpack .../22-liberror-perl_0.17029-2_all.deb ...
#11 15.54   Unpacking liberror-perl (0.17029-2) ...
#11 15.60   Selecting previously unselected package git-man.
#11 15.60   Preparing to unpack .../23-git-man_1%3a2.39.2-1.1_all.deb ...
#11 15.60   Unpacking git-man (1:2.39.2-1.1) ...
#11 15.74   Selecting previously unselected package git.
#11 15.75   Preparing to unpack .../24-git_1%3a2.39.2-1.1_amd64.deb ...
#11 15.76   Unpacking git (1:2.39.2-1.1) ...
#11 16.14   Setting up libexpat1:amd64 (2.5.0-1) ...
#11 16.16   Setting up libkeyutils1:amd64 (1.6.3-2) ...
#11 16.18   Setting up libpsl5:amd64 (0.21.2-1) ...
#11 16.20   Setting up libbrotli1:amd64 (1.0.9-2+b6) ...
#11 16.22   Setting up libssl3:amd64 (3.0.9-1) ...
#11 16.24   Setting up libnghttp2-14:amd64 (1.52.0-1) ...
#11 16.26   Setting up libcom-err2:amd64 (1.47.0-2) ...
#11 16.29   Setting up libkrb5support0:amd64 (1.20.1-2) ...
#11 16.31   Setting up libsasl2-modules-db:amd64 (2.1.28+dfsg-10) ...
#11 16.33   Setting up perl-modules-5.36 (5.36.0-7) ...
#11 16.35   Setting up librtmp1:amd64 (2.4+20151223.gitfa8646d.1-2+b2) ...
#11 16.37   Setting up libk5crypto3:amd64 (1.20.1-2) ...
#11 16.39   Setting up libsasl2-2:amd64 (2.1.28+dfsg-10) ...
#11 16.41   Setting up git-man (1:2.39.2-1.1) ...
#11 16.43   Setting up libssh2-1:amd64 (1.10.0-3+b1) ...
#11 16.45   Setting up libkrb5-3:amd64 (1.20.1-2) ...
#11 16.47   Setting up libgdbm6:amd64 (1.23-3) ...
#11 16.49   Setting up libldap-2.5-0:amd64 (2.5.13+dfsg-5) ...
#11 16.51   Setting up libgssapi-krb5-2:amd64 (1.20.1-2) ...
#11 16.53   Setting up libgdbm-compat4:amd64 (1.23-3) ...
#11 16.55   Setting up libperl5.36:amd64 (5.36.0-7) ...
#11 16.57   Setting up libcurl3-gnutls:amd64 (7.88.1-10+deb12u1) ...
#11 16.59   Setting up perl (5.36.0-7) ...
#11 16.63   Setting up liberror-perl (0.17029-2) ...
#11 16.65   Setting up git (1:2.39.2-1.1) ...
#11 16.69   Processing triggers for libc-bin (2.36-9+deb12u1) ...
#11 37.79   package git size: +49500 kB (of 63284 kB)
#11 37.79 staging package openssh-client
#11 38.90   debconf: delaying package configuration, since apt-utils is not installed
#11 38.95   Selecting previously unselected package libbsd0:amd64.
#11 38.95   (Reading database ... 7820 files and directories currently installed.)
#11 38.95   Preparing to unpack .../libbsd0_0.11.7-2_amd64.deb ...
#11 38.97   Unpacking libbsd0:amd64 (0.11.7-2) ...
#11 39.03   Selecting previously unselected package libedit2:amd64.
#11 39.03   Preparing to unpack .../libedit2_3.1-20221030-2_amd64.deb ...
#11 39.04   Unpacking libedit2:amd64 (3.1-20221030-2) ...
#11 39.09   Selecting previously unselected package libcbor0.8:amd64.
#11 39.10   Preparing to unpack .../libcbor0.8_0.8.0-2+b1_amd64.deb ...
#11 39.10   Unpacking libcbor0.8:amd64 (0.8.0-2+b1) ...
#11 39.16   Selecting previously unselected package libfido2-1:amd64.
#11 39.16   Preparing to unpack .../libfido2-1_1.12.0-2+b1_amd64.deb ...
#11 39.17   Unpacking libfido2-1:amd64 (1.12.0-2+b1) ...
#11 39.23   Selecting previously unselected package openssh-client.
#11 39.23   Preparing to unpack .../openssh-client_1%3a9.2p1-2_amd64.deb ...
#11 39.25   Unpacking openssh-client (1:9.2p1-2) ...
#11 39.35   Setting up libcbor0.8:amd64 (0.8.0-2+b1) ...
#11 39.37   Setting up libfido2-1:amd64 (1.12.0-2+b1) ...
#11 39.39   Setting up libbsd0:amd64 (0.11.7-2) ...
#11 39.42   Setting up libedit2:amd64 (3.1-20221030-2) ...
#11 39.44   Setting up openssh-client (1:9.2p1-2) ...
#11 39.54   Processing triggers for libc-bin (2.36-9+deb12u1) ...
#11 45.13   package openssh-client size: +10996 kB (of 74280 kB)
#11 45.13 staging package ca-certificates
#11 46.17   debconf: delaying package configuration, since apt-utils is not installed
#11 46.22   Selecting previously unselected package openssl.
#11 46.23   (Reading database ... 7901 files and directories currently installed.)
#11 46.23   Preparing to unpack .../openssl_3.0.9-1_amd64.deb ...
#11 46.23   Unpacking openssl (3.0.9-1) ...
#11 46.36   Selecting previously unselected package ca-certificates.
#11 46.37   Preparing to unpack .../ca-certificates_20230311_all.deb ...
#11 46.37   Unpacking ca-certificates (20230311) ...
#11 46.45   Setting up openssl (3.0.9-1) ...
#11 46.48   Setting up ca-certificates (20230311) ...
#11 46.56   debconf: unable to initialize frontend: Dialog
#11 46.56   debconf: (TERM is not set, so the dialog frontend is not usable.)
#11 46.56   debconf: falling back to frontend: Readline
#11 46.56   debconf: unable to initialize frontend: Readline
#11 46.56   debconf: (This frontend requires a controlling tty.)
#11 46.56   debconf: falling back to frontend: Teletype
#11 46.95   Updating certificates in /etc/ssl/certs...
#11 47.52   140 added, 0 removed; done.
#11 47.56   Processing triggers for ca-certificates (20230311) ...
#11 47.57   Updating certificates in /etc/ssl/certs...
#11 48.01   0 added, 0 removed; done.
#11 48.01   Running hooks in /etc/ca-certificates/update.d...
#11 48.01   done.
#11 52.28   package ca-certificates size: +1836 kB (of 76116 kB)
#11 52.28 staging package socat
#11 53.40   debconf: delaying package configuration, since apt-utils is not installed
#11 53.44   Selecting previously unselected package libtirpc-common.
#11 53.45   (Reading database ... 8377 files and directories currently installed.)
#11 53.45   Preparing to unpack .../libtirpc-common_1.3.3+ds-1_all.deb ...
#11 53.45   Unpacking libtirpc-common (1.3.3+ds-1) ...
#11 53.51   Selecting previously unselected package libtirpc3:amd64.
#11 53.51   Preparing to unpack .../libtirpc3_1.3.3+ds-1_amd64.deb ...
#11 53.52   Unpacking libtirpc3:amd64 (1.3.3+ds-1) ...
#11 53.58   Selecting previously unselected package libnsl2:amd64.
#11 53.58   Preparing to unpack .../libnsl2_1.3.0-2_amd64.deb ...
#11 53.59   Unpacking libnsl2:amd64 (1.3.0-2) ...
#11 53.66   Selecting previously unselected package libwrap0:amd64.
#11 53.66   Preparing to unpack .../libwrap0_7.6.q-32_amd64.deb ...
#11 53.67   Unpacking libwrap0:amd64 (7.6.q-32) ...
#11 53.72   Selecting previously unselected package socat.
#11 53.72   Preparing to unpack .../socat_1.7.4.4-2_amd64.deb ...
#11 53.72   Unpacking socat (1.7.4.4-2) ...
#11 53.79   Setting up libtirpc-common (1.3.3+ds-1) ...
#11 53.82   Setting up libtirpc3:amd64 (1.3.3+ds-1) ...
#11 53.84   Setting up libnsl2:amd64 (1.3.0-2) ...
#11 53.86   Setting up libwrap0:amd64 (7.6.q-32) ...
#11 53.88   Setting up socat (1.7.4.4-2) ...
#11 53.90   Processing triggers for libc-bin (2.36-9+deb12u1) ...
#11 56.61   package socat size: +960 kB (of 77076 kB)
#11 56.61 staging binary /bin/grep
#11 56.67   binary /bin/grep size: +204 kB (of 77280 kB)
#11 56.67 staging binary /bin/sed
#11 56.74   binary /bin/sed size: +128 kB (of 77408 kB)
#11 56.74 staging file /etc/debian_version
#11 56.76   file /etc/debian_version size: +0 kB (of 77408 kB)
#11 56.77 staging file /etc/group
#11 56.79   file /etc/group size: +4 kB (of 77412 kB)
#11 56.79 staging file /etc/nsswitch.conf
#11 56.81   file /etc/nsswitch.conf size: +4 kB (of 77416 kB)
#11 56.81 staging file /etc/os-release
#11 56.83   file /etc/os-release size: +0 kB (of 77416 kB)
#11 56.83 staging file /etc/passwd
#11 56.85   file /etc/passwd size: +4 kB (of 77420 kB)
#11 56.85 staging file /etc/shadow
#11 56.87   file /etc/shadow size: +4 kB (of 77424 kB)
#11 56.88 final staged size: 77424 kB
#11 56.89   4   /staging/bin
#11 56.89   4   /staging/lib/systemd/system
#11 56.89   4   /staging/lib/x86_64-linux-gnu
#11 56.89   4   /staging/lib64
#11 56.89   4   /staging/sbin
#11 56.89   8   /staging/copyright/base-files
#11 56.89   8   /staging/copyright/libbrotli1
#11 56.89   8   /staging/copyright/libcbor0.8
#11 56.89   8   /staging/copyright/libedit2
#11 56.89   8   /staging/copyright/liberror-perl
#11 56.89   8   /staging/copyright/libexpat1
#11 56.89   8   /staging/copyright/libfido2-1
#11 56.89   8   /staging/copyright/libkeyutils1
#11 56.89   8   /staging/copyright/libnghttp2-14
#11 56.89   8   /staging/copyright/libnsl2
#11 56.89   8   /staging/copyright/libpsl5
#11 56.89   8   /staging/copyright/librtmp1
#11 56.89   8   /staging/copyright/libssh2-1
#11 56.89   8   /staging/copyright/libssl3
#11 56.89   8   /staging/copyright/libtirpc3
#11 56.89   8   /staging/copyright/libwrap0
#11 56.89   8   /staging/copyright/openssh-client
#11 56.89   8   /staging/copyright/openssl
#11 56.89   8   /staging/copyright/socat
#11 56.89   8   /staging/etc/alternatives
#11 56.89   8   /staging/etc/bash_completion.d
#11 56.89   8   /staging/etc/cron.daily
#11 56.89   8   /staging/etc/default
#11 56.89   8   /staging/etc/dpkg/origins
#11 56.89   8   /staging/etc/ld.so.conf.d
#11 56.89   8   /staging/etc/perl/Net
#11 56.89   8   /staging/etc/ssh
#11 56.89   8   /staging/etc/update-motd.d
#11 56.89   8   /staging/lib/systemd
#11 56.89   8   /staging/usr/lib/tmpfiles.d
#11 56.89   8   /staging/usr/libexec/dpkg
#11 56.89   8   /staging/usr/share/bug
#11 56.89   8   /staging/usr/share/menu
#11 56.89   12  /staging/copyright/ca-certificates
#11 56.89   12  /staging/copyright/git
#11 56.89   12  /staging/copyright/libbsd0
#11 56.89   12  /staging/copyright/libc6
#11 56.89   12  /staging/copyright/libcom-err2
#11 56.89   12  /staging/copyright/libcurl3-gnutls
#11 56.89   12  /staging/copyright/libsasl2-2
#11 56.89   12  /staging/copyright/libudev1
#11 56.89   12  /staging/etc/logrotate.d
#11 56.89   12  /staging/etc/perl
#11 56.89   12  /staging/usr/share/apport
#11 56.89   12  /staging/usr/share/polkit-1
#11 56.89   16  /staging/copyright/libgssapi-krb5-2
#11 56.89   16  /staging/copyright/libk5crypto3
#11 56.89   16  /staging/copyright/libkrb5-3
#11 56.89   16  /staging/copyright/libkrb5support0
#11 56.89   16  /staging/copyright/libldap-2.5-0
#11 56.89   16  /staging/etc/dpkg
#11 56.89   16  /staging/lib
#11 56.89   16  /staging/usr/share/debianutils
#11 56.89   16  /staging/usr/share/lintian
#11 56.89   20  /staging/usr/libexec/coreutils
#11 56.89   24  /staging/etc/pam.d
#11 56.89   24  /staging/usr/lib/ssl
#11 56.89   28  /staging/usr/lib/systemd
#11 56.89   28  /staging/usr/share/dpkg
#11 56.89   32  /staging/copyright/perl
#11 56.89   32  /staging/usr/libexec
#11 56.89   36  /staging/usr/share/base-files
#11 56.89   140 /staging/usr/share/git-core
#11 56.89   148 /staging/usr/share/perl5
#11 56.89   216 /staging/etc/ssl/certs
#11 56.89   236 /staging/etc/ssl
#11 56.89   264 /staging/usr/share/common-licenses
#11 56.89   272 /staging/var/lib/dpkg
#11 56.89   276 /staging/var/lib
#11 56.89   280 /staging/var
#11 56.89   324 /staging/usr/share/gitweb
#11 56.89   364 /staging/copyright
#11 56.89   400 /staging/etc
#11 56.89   576 /staging/usr/share/ca-certificates
#11 56.89   1560    /staging/usr/lib/openssh
#11 56.89   1592    /staging/usr/share
#11 56.89   1720    /staging/usr/sbin
#11 56.89   15048   /staging/usr/lib/git-core
#11 56.89   22776   /staging/usr/bin
#11 56.89   33548   /staging/usr/lib/x86_64-linux-gnu
#11 56.89   50224   /staging/usr/lib
#11 56.89   76348   /staging/usr
#11 56.89   77424   /staging
#11 DONE 57.0s

justinsb commented 11 months ago

Great to know how we can fix all CVEs ;-)

/approve /lgtm

k8s-ci-robot commented 11 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes/git-sync/blob/master/OWNERS)~~ [thockin]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.