Closed prajaybasu closed 1 year ago
We had scratch container images for a long time but people often complained that it was not easy to debug so we decided to base on Alpine instead. In practice, it's not a lot of work to add distroless - just a matter of whether we want to go back on this and re-introduce distroless images.
It should be an option. I would definitely prefer Alpine for debugging and dev images or for images that run a set of jobs offline, but not for the instance that is serving the public web.
Hello contributors!
I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.
Unfortunately, burnout has become a topic of concern amongst open-source projects.
It can lead to severe personal and health issues as well as opening catastrophic attack vectors.
The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.
If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.
Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!
Thank you 🙏✌️
We have a distroless Dockerfile and publish it to Docker Hub now.
Preflight checklist
Describe your problem
Right now, Kratos images published on Docker Hub use Alpine as a base, which has an inbuilt shell and other utilities.
Whether distroless is better for security or not is a long discussion; however, I see the container not having an inbuilt shell or a package manager as a feature at least.
Describe your ideal solution
It would be nice to have an option for a distroless flavor of the images published on Docker Hub - using the base Debian distroless images published by Google, or if size and attack surface are a concern, apko could be used to build an Alpine image that would be even smaller.
Workarounds or alternatives
Building your image
Version
0.10.1
Additional Context
No response