nginx / unit

NGINX Unit - universal web app server - a lightweight and versatile open source server that simplifies the application stack by natively executing application code across eight different programming language runtimes.
https://unit.nginx.org
Apache License 2.0

Docker: for python based images, use the -slim version #1352

Open javorszky opened 3 days ago

javorszky commented 3 days ago

After a conversation with @MichaelMcAleer and our docker initiatives, he suggested we use the -slim variant python images as base when creating the unit-python dockerfiles.

Main reason is the slim image has a lot fewer packages and therefore a lot smaller vulnerability surface and count.

The functionality would not change.

He also suggested we take a look at how ingress controller generates images: https://github.com/nginxinc/kubernetes-ingress/blob/main/.github/workflows/build-base-images.yml

lcrilly commented 3 days ago

python:*-slim doesn't contain curl(1), which can limit the ability to manage/configure Unit in a container. Until we have a zero-dependency, fully-featured CLI tool…
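
As an added illustration of the point above (example code, not part of this issue or the nginx/unit project): the Unit control API is plain HTTP over a Unix-domain socket, so a Python-based image can reconfigure Unit with nothing but the standard library, even when curl(1) is absent. The socket path `/var/run/control.unit.sock` and the listener/application layout below are assumptions; adjust them to your deployment.

```python
"""Configure NGINX Unit over its control socket without curl(1).

Added example, not code from the nginx/unit project. Assumes the control
socket path used by the official images and a single Python WSGI app.
"""
import http.client
import json
import socket

# Assumption: default control socket path in the official Unit images.
DEFAULT_CONTROL_SOCKET = "/var/run/control.unit.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that connects to a Unix-domain socket instead of TCP."""

    def __init__(self, socket_path, timeout=10):
        # The host value only feeds the Host header; Unit does not use it.
        super().__init__("localhost", timeout=timeout)
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.socket_path)


def build_config(app_path="/www", module="wsgi", callable_name="application", port=8000):
    """Constructed sample: one listener routed to one Python application."""
    return {
        "listeners": {f"*:{port}": {"pass": "applications/app"}},
        "applications": {
            "app": {
                "type": "python",
                "path": app_path,
                "module": module,
                "callable": callable_name,
            }
        },
    }


def control_request(method, path, body=None, socket_path=DEFAULT_CONTROL_SOCKET):
    """Send one request to the Unit control API; return (status, parsed body)."""
    conn = UnixHTTPConnection(socket_path)
    try:
        payload = None if body is None else json.dumps(body).encode()
        headers = {"Content-Type": "application/json"} if payload else {}
        conn.request(method, path, body=payload, headers=headers)
        resp = conn.getresponse()
        raw = resp.read()
        try:
            parsed = json.loads(raw) if raw else None
        except json.JSONDecodeError:
            # Unit replies with JSON, but keep any unexpected text readable.
            parsed = raw.decode(errors="replace")
        return resp.status, parsed
    finally:
        conn.close()


def put_config(config, socket_path=DEFAULT_CONTROL_SOCKET):
    """Replace the whole configuration (PUT /config)."""
    return control_request("PUT", "/config", body=config, socket_path=socket_path)


def get_config(socket_path=DEFAULT_CONTROL_SOCKET):
    """Read back the running configuration (GET /config)."""
    return control_request("GET", "/config", socket_path=socket_path)


if __name__ == "__main__":
    status, reply = put_config(build_config())
    print(status, reply)
```

Because the control socket is a full-access interface, the same reasoning that favours fewer packages in the image applies here: keep the socket mounted only where configuration is actually performed, and treat whatever can reach it as able to change everything Unit serves.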

javorszky commented 3 days ago

This is not an urgent ask, so can definitely wait until unitctl :)

thresheek commented 2 days ago

See https://github.com/nginx/unit/issues/725 and https://github.com/nginx/unit/issues/622 and https://github.com/nginx/unit/issues/519 for some related details. The functionality does indeed change.

MichaelMcAleer commented 8 hours ago

@thresheek I had a look through https://github.com/nginx/unit/issues/725 and https://github.com/nginx/unit/issues/622 and https://github.com/nginx/unit/issues/519.

I want to reiterate what @javorszky said in the issue description but with more context. I asked if using the -slim variant of the python image was a possibility due to the amount of packages in the main image (720 vs 303) which significantly increases our attack surface. The -slim variant comes with 91 fewer detected vulnerabilities (-1 critical, -2 high, -3 medium, -86 low). I do not have a concern with the final size of the image, only the security posture and dependency requirements.

The impact on functionality is project specific to what I was discussing with @javorszky, it's not a general comment on what is and isn't included in the image, as @lcrilly pointed out -slim doesn't come with curl(1). I will admit that this is unclear from the description.

I think it is worth discussing from a security perspective, weighing up the pros and cons, and determining if there is a path forward for a slim variant. There is no hard timeline on this, happy to wait if a solution requires something like unitctl.