openfaas / golang-http-template

Golang templates for OpenFaaS using HTTP extensions
https://www.openfaas.com/
MIT License

Feature: replace alpine Docker image with scratch #45

Closed hazcod closed 3 years ago

hazcod commented 4 years ago

Hi, I was looking at the golang template and noticed the image being based on an Alpine image. Wouldn't it make more sense to base ourselves on a scratch image with a non-root user? e.g. look at https://github.com/ironpeakservices/iron-scratch/blob/master/Dockerfile

I can imagine smaller images (and no shell!) greatly reduce the size again and the attack surface. Additional templates that require some additional binaries can use a full Linux distribution, but the default behavior should be as secure/optimized as possible.

If you want I can open a PR for this.

alexellis commented 4 years ago

Hi @hazcod Alpine Linux was chosen as a base image for a reason and barely adds any additional size to the image. You are free to fork the templates and customise as you wish.

We also don't encourage people to raise PRs without approval / discussion. See the contribution guide: https://github.com/openfaas/faas/blob/master/CONTRIBUTING.md#i-have-a-great-idea

Alex

hazcod commented 4 years ago

Hi Alex, where can I take this up for discussion? The main reason I propose this change is to have secure defaults for users that wouldn't change the template and use basic Go functions. Any advanced user will have to fork it either way since it's read-only.

It's easy to run an old(er) Linux distribution and leave all those packages lying around.

Not to mention, it might be nice to easily swap the compiler to e.g. Debian-based to not have musl.

alexellis commented 3 years ago

Thanks for your interest.

We would be more likely to move to distroless than SCRATCH, but then a secondary debug container is required for all templates in order to shell into containers and have tools during development.

If the community templates are not to your taste then you're welcome to fork and maintain your own.
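
For reference, the kind of scratch-based image with a non-root user proposed in the opening comment, as an added example that is not from the thread participants or the openfaas template. The base image tag, UID/GID 10001, the `app` user name and the `/handler` path are assumptions, and the Go module is assumed to sit at the build-context root.

```dockerfile
# Added illustration: a generic multi-stage build, not the template's Dockerfile.
# Assumed: package main at the build-context root; tag, UID and paths are placeholders.
FROM golang:1.22-alpine AS build

# CA bundle for outbound TLS; scratch ships none, so it is copied over below.
RUN apk add --no-cache ca-certificates

# Minimal passwd/group files so the final image can resolve an unprivileged user.
RUN echo 'app:x:10001:10001::/nonexistent:/sbin/nologin' > /etc/passwd.min \
 && echo 'app:x:10001:' > /etc/group.min

WORKDIR /src
COPY . .

# CGO_ENABLED=0 produces a statically linked binary with no libc dependency,
# so it runs in an image that contains neither musl nor glibc.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags='-s -w' -o /out/handler .

# Final stage: only the files copied here exist in the image.
FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /etc/passwd.min /etc/passwd
COPY --from=build /etc/group.min /etc/group
COPY --from=build /out/handler /handler

# Numeric UID:GID so the runtime can verify the process is not root.
USER 10001:10001

# Exec form only: scratch has no /bin/sh to interpret shell-form instructions.
ENTRYPOINT ["/handler"]
```

Because the final stage has no shell or package manager, `docker exec` into it is not possible, which is the debugging trade-off raised in the last comment.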