Docker Distroless Space Suit
Synopsis: If you read this post then by now you probably know that containers are like a chocolate box and a single docker image is like a chocolate. Typically, a single docker container contains the following:
- Linux distribution files (Ubuntu, CentOS, Debian, etc.)
- Runtime (Golang, Php, Python runtime, glibc for C++)
- Application codes or binaries and configuration files
Furthermore, it also contains ls, grep, find, cat or even bash in the container. You can log in to your docker container as root using this command (nginx is the container name):
docker exec -it nginx bash
As a result, a typical docker image has 2 downsides:
Size — A docker container image gets loaded into memory by the docker engine. If the image size is big, the container's memory footprint will be big as well. Therefore, if the machine's hardware specification is minimal, we can't run multiple containers on one machine. This eventually increases the monthly budget for a project and degrades the performance of the container.
Security — Usually, Linux distribution-based docker images contain tons of stuff you won't ever need, but hackers can use it to hack into your system.
What is a distroless image: A "Distroless" image is a slimmed-down Linux distribution image containing only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to…
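To make the size and security points concrete, here is an added example (not from the original post, and not an official distroless project file): one multi-stage Dockerfile that packages the same Go service two ways, once on a regular Debian image and once on a distroless base. It assumes a Go module in the build context whose main package builds to a binary called app; the image tags (golang:1.22, debian:bookworm-slim, gcr.io/distroless/static-debian12:nonroot) are illustrative and may need updating.

```dockerfile
# Added example: the same statically linked Go binary shipped on a full
# distribution image ("fat") and on a distroless image ("slim").
# Assumption: the build context is a Go module whose main package is at ".".

# ---- Stage 1: build on a full distribution image (shell, compiler, apt) ----
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a statically linked binary, so no glibc is needed at
# runtime; -s -w strips symbol and DWARF tables to shrink it further.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app .

# ---- Target "fat": binary on top of a distribution image ----
# Everything the distro ships is still inside: bash, ls, cat, apt, ...
FROM debian:bookworm-slim AS fat
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]

# ---- Target "slim": binary on a distroless base ----
# gcr.io/distroless/static contains CA certificates, tzdata and /etc/passwd,
# but no shell and no package manager. The :nonroot tag sets a non-root user
# (uid 65532); USER is repeated here so the intent is visible in this file.
FROM gcr.io/distroless/static-debian12:nonroot AS slim
COPY --from=build /out/app /app
USER nonroot:nonroot
# The exec (JSON) form is required: there is no /bin/sh to interpret a
# shell-form ENTRYPOINT in this image.
ENTRYPOINT ["/app"]
```

Build both variants with docker build --target fat -t app:debian . and docker build --target slim -t app:distroless ., then compare them with docker images app. The distroless variant is a fraction of the size, and running the docker exec -it ... bash command from above against it fails because no bash (or any other shell) exists in the image; that missing tooling is exactly what the Security downside above is about, since an attacker who reaches the container finds nothing to run besides the application itself.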