Distroless Docker Images

A presentation at Cloud Native London Meetup in August 2021 by Melissa McKay

Slide 1

DISTROLESS IMAGES Securing Your Docker Images Melissa McKay Developer Advocate @JFrog

Slide 2

MELISSA MCKAY Developer Advocate @JFrog @melissajmckay linkedin.com/in/melissajmckay

Slide 3

THE AGENDA
• Container History
• Containers in Real Life
• Container Gotchas
• Distroless Images

Slide 4

ALL ABOUT … CONTAINERS

Slide 5

SHARING LIMITED RESOURCES
▪ 1979 / 1982 - chroot

Slide 6

PROGRESS TOWARD VIRTUALIZATION
▪ 2000 - FreeBSD jail
▪ 2004 - Solaris Zones / snapshots
▪ 2006 - Google Process Containers / cgroups
▪ 2008 - IBM Linux Containers (LXC)
▪ 2013 - Docker (open source!)
▪ 2013 - Google LMCTFY (open source!)
▪ 2014 - Docker trades LXC for libcontainer
▪ … more stuff happened
(Sidebar timeline markers on the slide: 2011 - Java 7, 2014 - Java 8)
▪ June 2015 - Open Container Project/Initiative (OCI)
  ○ Runtime Specification (runtime-spec)
  ○ Image Specification (image-spec)
▪ … even more stuff happened and is still happening!

Slide 7

WHAT EXACTLY IS A CONTAINER?

Slide 8

CONTAINER COMPONENTS
TARBALL OF A FILESYSTEM + LINUX FEATURES:
• namespaces
• cgroups
• Union filesystems
Mix these together to create and run a container! Voila!
https://docs.docker.com/get-started/overview/

Slide 9

FILESYSTEM DETAILS
NOTE: On OSX, containers will actually be running in a tiny Linux VM (use screen to attach to it):
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty

Slide 10

FILESYSTEM DETAILS (continued)

Slide 11

FILESYSTEM DETAILS (continued)

Slide 12

CONTAINER GOTCHAS

Slide 13

CONTAINER GOTCHAS - RUNNING AS ROOT

Slide 14

CONTAINER GOTCHAS - NO CONSTRAINTS

Slide 15

CONTAINER GOTCHAS - NEVER UPDATING

Slide 16

CONTAINER GOTCHAS - JAVA/JVM GOTCHAS

Slide 17

CONTAINER GOTCHAS - IMAGE BLOAT

Slide 18

DISTROLESS IMAGES - AND MULTISTAGE BUILDS
• Waste Not Want Not (smaller images)
• No Shell
• No Exec
https://github.com/GoogleContainerTools/distroless (examples)
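As an added example that is not from the deck or from the distroless project: a multistage Dockerfile that builds a Java service with a full JDK image and ships only the jar on a distroless Java runtime, which also addresses the running-as-root and JVM-memory gotchas from the earlier slides. The base image tags, the Maven layout and the artifact name app.jar are assumptions.

```dockerfile
# Stage 1: build with a full JDK + Maven. This image is never shipped,
# so its shell, package manager and build tooling never reach production.
FROM maven:3-eclipse-temurin-17 AS build
WORKDIR /src
COPY pom.xml .
RUN mvn -q dependency:go-offline
COPY src ./src
RUN mvn -q package -DskipTests

# Stage 2: distroless runtime. It contains a JRE and its libraries only:
# no shell, no package manager, so "docker exec ... sh" has nothing to run.
# The :nonroot tag defaults to the unprivileged user (uid/gid 65532).
FROM gcr.io/distroless/java17-debian11:nonroot
WORKDIR /app
# Copy only the built artifact (assumed name app.jar) from the build stage,
# owned by the nonroot user so the running process cannot modify it as root.
COPY --from=build --chown=65532:65532 /src/target/app.jar /app/app.jar
# Be explicit about not running as root even though the tag already does this.
USER 65532:65532
# The distroless java image sets ENTRYPOINT to java, so CMD holds the arguments.
# MaxRAMPercentage keeps the heap inside the container's cgroup memory limit
# instead of sizing it from the host's total RAM.
CMD ["-XX:MaxRAMPercentage=75.0", "-jar", "/app/app.jar"]
```

Because the runtime stage has no shell, an interactive `docker exec` into the container fails by design; for troubleshooting, the distroless project publishes `:debug` tags that add a busybox shell, and those should stay out of production images.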

Slide 19

MANAGING YOUR IMAGES - REMOTE BY DEFAULT
https://dzone.com/refcardz/getting-started-with-container-registries
START FREE: https://bit.ly/MelissaWKSHP