Introduction
Distroless images are minimal Docker images designed to include only the essential components required to run an application. They exclude package managers, shells, and other utilities that typically come with standard Docker images. This approach enhances security and performance by reducing the attack surface.
For a Java application, use a distroless image that contains only the Java Runtime Environment (JRE). Below is an example Dockerfile demonstrating how to set up a Java application using a distroless image:
```dockerfile
# Stage 1: Build the application using Maven
FROM maven:3.8.5-openjdk-17 AS build
WORKDIR /app
COPY . .
RUN mvn clean package -DskipTests

# Stage 2: Run the application using a distroless image
FROM gcr.io/distroless/java17
COPY --from=build /app/target/myapp.jar /app/myapp.jar

# The image's entrypoint is already "java -jar", so CMD supplies only the JAR path
CMD ["/app/myapp.jar"]
```
In this Dockerfile:
- The first stage uses the `maven:3.8.5-openjdk-17` image to compile the Java application.
- The `WORKDIR` command sets the working directory to `/app`.
- The `COPY` command copies all the source files into the container.
- The `RUN` command executes Maven to build the application and create a JAR file, skipping tests.
- The second stage uses a distroless image (`gcr.io/distroless/java17`) to run the compiled Java application.
- The `COPY --from=build` command copies the JAR file from the build stage into the distroless image.
- The `CMD` command tells the image's Java entrypoint which JAR file to run.
This setup ensures that the final image is minimal, containing only what is necessary to run the Java application.
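A CI check for the property this Dockerfile relies on, as an added example that is not code from the original post: it audits only the final stage and flags a non-distroless base, a `debug` tag, and shell-form instructions that cannot run without a shell. The function names and the `WEAK_DOCKERFILE` sample are constructed for illustration.

```python
import json

DISTROLESS_PREFIX = "gcr.io/distroless/"  # registry path used on this page
# Constructed sample: a final stage that defeats the point of going distroless.
WEAK_DOCKERFILE = """\
FROM maven:3.8.5-openjdk-17 AS build
RUN mvn clean package -DskipTests
FROM gcr.io/distroless/java17:debug
CMD java -jar /app/myapp.jar
"""

def parse_stages(text):
    """Split a Dockerfile into [{'base': image, 'instructions': [(keyword, args)]}]."""
    stages = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        if keyword.upper() == "FROM":
            images = [t for t in args.split() if not t.startswith("--")]  # skip flags
            stages.append({"base": images[0] if images else "", "instructions": []})
        elif stages:
            stages[-1]["instructions"].append((keyword.upper(), args.strip()))
    return stages

def is_exec_form(args):
    """Exec form is a JSON array of strings; anything else runs via /bin/sh -c."""
    try:
        value = json.loads(args)
    except ValueError:
        return False
    return isinstance(value, list) and all(isinstance(v, str) for v in value)

def audit_final_stage(text):
    """Return findings for the last stage, the one that becomes the shipped image."""
    stages = parse_stages(text)
    if not stages:
        return ["no FROM instruction found"]
    base, findings = stages[-1]["base"], []
    if not base.startswith(DISTROLESS_PREFIX):
        findings.append(f"final base {base!r} is not a distroless image")
    name = base.rsplit("/", 1)[-1]
    if ":" in name and name.rsplit(":", 1)[1].startswith("debug"):
        findings.append("debug tag includes a busybox shell")
    for keyword, args in stages[-1]["instructions"]:
        if keyword in ("CMD", "ENTRYPOINT", "RUN") and not is_exec_form(args):
            findings.append(f"{keyword} is in shell form and needs /bin/sh")
    return findings
```

Shell-form instructions in the build stage are not reported, because that stage is discarded and never shipped.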
Why to use
- Lightweight: Smaller size makes them easier to store and transport.
- Enhanced Security: Fewer packages mean fewer potential vulnerabilities.
- Reduced Blast Radius: Minimizing the number of components limits the damage in case of a security compromise.
How to use
Google provides open-source distroless images; choose the one appropriate for your application.
As of now, distroless images based on the open-source images may not be production-ready, but they really shine in combination with ephemeral containers. Because a distroless image has no shell, an ephemeral container attached to the running pod supplies the debugging tools the image itself lacks.
Ephemeral containers differ from other containers in that they lack guarantees for resources or execution, and they will never be automatically restarted, so they are not appropriate for building applications.
Future
This is just the beginning for distroless images. As more and more images are being shipped as chiseled images, this trend is only starting to gain momentum.
Chiseled Images
Chiseled images expand on the principles of distroless images by removing even more unnecessary components. They are optimized for specific workloads, containing only the essential components required to run an application.
Benefits of Chiseled Images:
- Smaller Size: Chiseled images are even smaller than distroless images, making them easier to distribute and deploy.
- Enhanced Security: With fewer components, there are fewer potential attack vectors, improving security.
- Optimized Performance: Tailored for specific applications, chiseled images can lead to performance improvements.
