Open: javorszky opened this issue 3 days ago
python:*-slim
Doesn't contain curl(1) which can limit the ability to manage/configure Unit in a container. Until we have a zero-dependency, fully-featured CLI tool…
This is not an urgent ask, so can definitely wait until unitctl :)
See https://github.com/nginx/unit/issues/725 and https://github.com/nginx/unit/issues/622 and https://github.com/nginx/unit/issues/519 for some related details. The functionality does indeed change.
@thresheek I had a look through https://github.com/nginx/unit/issues/725 and https://github.com/nginx/unit/issues/622 and https://github.com/nginx/unit/issues/519.
I want to reiterate what @javorszky said in the issue description but with more context. I asked if using the -slim variant of the python image was a possibility due to the amount of packages in the main image (720 vs 303) which significantly increases our attack surface. The -slim variant comes with 91 fewer detected vulnerabilities (-1 critical, -2 high, -3 medium, -86 low). I do not have a concern with the final size of the image, only the security posture and dependency requirements.
The impact on functionality is project specific to what I was discussing with @javorszky; it's not a general comment on what is and isn't included in the image, as @lcrilly pointed out -slim doesn't come with curl(1). I will admit that this is unclear from the description.
I think it is worth discussing from a security perspective, weighing up the pros and cons, and determining if there is a path forward for a slim variant. There is no hard timeline on this, happy to wait if a solution requires something like unitctl.
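The curl(1) gap raised above can be bridged with what a python:*-slim image already ships: the Python standard library can speak HTTP to Unit's control API over its Unix socket. This is an added example, not code from the thread or the Unit project; the socket path and the sample configuration are assumptions and must be matched to the container.

```python
"""Configure NGINX Unit over its control socket without curl(1).

Added example (not from the thread or the Unit project). Uses only the
standard library, which is present in python:*-slim. The control socket
path below is an assumption; adjust it to the container's actual layout.
"""
import http.client
import json
import socket

DEFAULT_SOCKET = "/var/run/control.unit.sock"  # assumed path, adjust as needed


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection whose transport is a Unix domain socket instead of TCP."""

    def __init__(self, socket_path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.socket_path)


def encode_config(config):
    """Serialise a configuration object as compact JSON for the control API."""
    return json.dumps(config, separators=(",", ":")).encode()


def decode_response(status, body):
    """Return (ok, parsed JSON) for a control API reply; empty body -> None."""
    return 200 <= status < 300, json.loads(body.decode() or "null")


def unit_request(method, path, config=None, socket_path=DEFAULT_SOCKET):
    """Send one request to the control API, e.g. ('PUT', '/config', {...})."""
    conn = UnixHTTPConnection(socket_path)
    try:
        body = encode_config(config) if config is not None else None
        headers = {"Content-Type": "application/json"} if body else {}
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return decode_response(resp.status, resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    # Sample (constructed) configuration: one listener serving static files.
    sample = {"listeners": {"*:8080": {"pass": "routes"}},
              "routes": [{"action": {"share": "/www$uri"}}]}
    print(unit_request("PUT", "/config", sample))
```

Run it inside the container as a user that can reach the control socket; the same `unit_request` call with `GET` and `/config` reads the live configuration back.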
After a conversation with @MichaelMcAleer and our docker initiatives, he suggested we use the -slim variant python images as base when creating the unit-python dockerfiles. Main reason is the slim image has a lot fewer packages and therefore a lot smaller vulnerability surface and count.
The functionality would not change.
He also suggested we take a look at how ingress controller generates images: https://github.com/nginxinc/kubernetes-ingress/blob/main/.github/workflows/build-base-images.yml