pixie-io / pixie

Instant Kubernetes-Native Application Observability
https://px.dev
Apache License 2.0

Use non-Alpine images for Vizier components? #1363

Open oppegard opened 1 year ago

oppegard commented 1 year ago

Describe the Task

We're checking on the feasibility of switching to non-Alpine images for Vizier components: nats, curl, and maybe(?) etcd.

Background on why we want this: we're planning to package Pixie Vizier for installation onto customer K8s clusters. As part of this, we have to get sign-off from our open source compliance and legal team. All of the core Vizier components are based on Debian and are approved. But the third-party images based on Alpine are blockers (specifically, nats and curl).

There's an official NATS image of nats:2.8.4-scratch that may be a drop-in replacement, and I imagine there's a Debian-based curl alternative for the initContainers.

I'm not sure if the etcd image is based on Alpine – it's not a present concern since we deploy Vizier without etcd for the metadata store.

Subtasks

aimichelle commented 1 year ago

Hey @oppegard ! Just wanted to check in and see if https://github.com/chainguard-images/images/tree/main/images/curl for curl works as a good alternative for you all.

oppegard commented 1 year ago

Thank you for looking into this @aimichelle. I've run our compliance scanner against cgr.dev/chainguard/curl, and am asking the internal Open Source team to review the results. 🤞

I'm surprised there isn't a minimal and maintained curl image out there based on debian, ubuntu, or rhel. But I haven't found anything promising yet. If there isn't anything, perhaps there's a curl alternative we can find to serve the same purpose in the initContainers.

oppegard commented 1 year ago

Thank you for looking into this @aimichelle. I've run our compliance scanner against cgr.dev/chainguard/curl, and have asked the internal Open Source team for their thoughts. They replied that it would require a fair bit of time for them to fully vet the underlying OS (Wolfi).

An alternative was given: https://hub.docker.com/r/bitnami/bitnami-shell. It's based on Debian, is maintained, has curl (7.74.0), and specifically calls out a use-case of initContainers:

Bitnami Shell is a general-purpose image based on minideb. It is a minimal image well-suited to helper tasks, such as running initialization tasks in initContainers from Helm charts.

What do you think?

oppegard commented 1 year ago

Hi folks, just checking if it's feasible to replace gcr.io/pixie-oss/pixie-dev-public/curl:multiarch-7.87.0 with the image at https://hub.docker.com/r/bitnami/bitnami-shell? If so, then I think this issue could be resolved.
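What the requested swap looks like in a manifest, as an added example that is not from the Pixie repository: the two image references are the ones quoted in this thread, but the Deployment name, the service URL, the UID and the wait-loop command are assumptions, since the issue does not show what the Vizier initContainer actually runs. The Alpine-based image is left in as a commented-out "before" so the two can be compared side by side.

```yaml
# Added example, not Pixie's own manifest. Assumes the init container's only job is
# to poll an in-cluster HTTP endpoint with curl until it answers; the real Vizier
# initContainer command is not shown in the issue. Names, the service URL, the UID
# and the digest placeholders below are constructed for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-vizier-component          # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-vizier-component
  template:
    metadata:
      labels:
        app: example-vizier-component
    spec:
      initContainers:
        # Before: the Alpine-based curl image named in the thread.
        # - name: wait-for-api
        #   image: gcr.io/pixie-oss/pixie-dev-public/curl:multiarch-7.87.0
        #   command: ["sh", "-c",
        #             "until curl -sf http://example-svc:8080/healthz; do sleep 2; done"]
        #
        # After: the Debian/minideb-based image suggested in the thread, same command.
        # Pinned by digest so the image that was scanned is the image that runs;
        # replace the placeholder with the digest your compliance scan approved.
        - name: wait-for-api
          image: docker.io/bitnami/bitnami-shell@sha256:<digest-placeholder>
          command: ["sh", "-c",
                    "until curl -sf http://example-svc:8080/healthz; do sleep 2; done"]
          # curl needs no privileges, so the init container can run locked down.
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001                  # constructed non-root UID
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
      containers:
        - name: vizier-component
          image: example.invalid/vizier-component@sha256:<digest-placeholder>
```

Because the thread's concern is the base OS rather than curl itself, it is worth confirming what a candidate image is actually built on before sending it to the compliance team, for example with `docker run --rm --entrypoint cat docker.io/bitnami/bitnami-shell /etc/os-release`, which should report a Debian `ID` for this image and `alpine` for the image being replaced. Resolving the tag to a digest (for instance with `crane digest`) and pinning that digest in the manifest keeps a later tag rebuild from silently reintroducing a different base.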