Use busybox from alpine #51
Conversation
liam-verta
force-pushed
the
ln/alpine-busybox
branch
from
a96036a to
3300f01
Compare
Signed-off-by: Liam Newman <[email protected]>
liam-verta
force-pushed
the
ln/alpine-busybox
branch
from
3300f01 to
67a9d1a
Compare
|
I'm wondering if we should make a new prometheus It doesn't quite make sense to me to call it |
|
Looks like this will create an image from busybox:glibc, then copy over alpine busybox and musl which seems like fragile. Why do we still need to base this on the upstream busybox image if we replace it anyway? I'd rather to FROM scratch and copy in from alpine. But then, yes a new image tag. |
Signed-off-by: Liam Newman <[email protected]>
liam-verta
force-pushed
the
ln/alpine-busybox
branch
from
703a099 to
7db9a8c
Compare
|
@discordianfish @SuperQ From the perspective of consumers of these images, the key features are:
This is why I chose to continue to base this image on the same Given that a particular libc flavor is present, it is convenient for Using a statically-linked The size on of the
Taking this change will improve the security profile of projects based on these images with minimal change to user facing features. |
|
I don't think we should touch the existing package flavors. Rather, we should create a new image |
|
@SuperQ @discordianfish |
liam-verta
force-pushed
the
ln/alpine-busybox
branch
from
2a6488e to
a0f8c67
Compare
Signed-off-by: Liam Newman <[email protected]>
liam-verta
force-pushed
the
ln/alpine-busybox
branch
from
a0f8c67 to
9b33bd6
Compare
alpine-glibc/Dockerfile
Outdated
| /tmp/busybox --install /bin && \ | ||
| mv /tmp/busybox /bin/ | ||
|
|
||
| FROM ${ARCH}busybox:glibc |
There was a problem hiding this comment.
Why not FROM scratch? If we're not going to use the busybox binary from this package, why use this as the image? All of the prometheus project binaries are static, we don't actually use glibc anymore.
Also, maybe we can simplify this to just pull the misc etc files from alpine as well, skip the debian layer as well.
There was a problem hiding this comment.
I consume this image: https://hub.docker.com/r/prom/prometheus
I opened this PR to try to produce a more secure base image for that image to be based on so I (and every other consumer) don't have to repackage it for busybox security issues. I was trying to do this with the least set of changes in order to have the least risk of breakages and to respect the intent of the existing images.
As I noted above, I believe:
From the perspective of consumers of these images, the key features are:
- The busybox toolset
- The specified libc flavor
This PR provides the above with the least changes from the existing behavior.
What you're suggesting is I skip this and go make the case for prometheus scratch images. Fair enough.
There was a problem hiding this comment.
Yeah I don't get why this isn't FROM scratch either. I would also assume that the final image will contain both the original busybox (in a hidden layer) as well as the new one.
|
@discordianfish @SuperQ I'm sure there is more that can be removed from this image, but perhaps this is good enough a first iteration? |
liam-verta
force-pushed
the
ln/alpine-busybox
branch
from
6910c91 to
f092044
Compare
Signed-off-by: Liam Newman <[email protected]>
liam-verta
force-pushed
the
ln/alpine-busybox
branch
from
f092044 to
dc1e8c1
Compare
| # Use the busybox.static to avoid dynamic library dependencies. | ||
| RUN apk add busybox-static && \ | ||
| mv /bin/busybox.static /bin/busybox && \ | ||
| /bin/busybox --install -s /bin | ||
|
|
There was a problem hiding this comment.
Previous iterations were trying to not include musl-libc . In this iteration, I haven't remove it. If that is okay, then we can leave the default dynamic linked busybox.
| # Use the busybox.static to avoid dynamic library dependencies. | |
| RUN apk add busybox-static && \ | |
| mv /bin/busybox.static /bin/busybox && \ | |
| /bin/busybox --install -s /bin |
|
@SuperQ @discordianfish |
| FROM scratch | ||
| MAINTAINER The Prometheus Authors <[email protected]> | ||
|
|
||
| COPY --from=alpine / / |
There was a problem hiding this comment.
This is copying everything, so, doing FROM scratch seems unnecessary. Our other images only copy over specific configuration files in order to make sure busybox is the only binary in the final image.
There was a problem hiding this comment.
I'm not sure what you're asking for here.
There was a problem hiding this comment.
I think what @SuperQ is suggesting is instead of removing the unneeded things in the base image and then copying everything here, we should use explicitly only COPY here what we need.
Can you only copy busybox here and then run /bin/busybox --install -s /bin in the final image?
| RUN apk del libc-utils | ||
|
|
||
| # remove apk files and directories | ||
| RUN apk del apk-tools && \ | ||
| find / -name apk -prune -exec rm -rf {} ";" |
There was a problem hiding this comment.
Combine these steps to reduce layers.
There was a problem hiding this comment.
We don't need to worry about these layers because the COPY on line 26 flattens all the build layers to a single layer in the final image.
@SuperQ @discordianfish
I'll admit this is a little hacky, but it is sufficient.
Fixes #50