[Feature] No SSL variant of gcr.io/distroless/cc #1210
If you're up for it, the images at cgr.dev/chainguard/glibc-dynamic should be roughly what you're looking for here: https://github.com/chainguard-images/images/blob/main/images/glibc-dynamic/configs/latest.apko.yaml
Thanks Dan for the suggestion. We also ship a
FWIW that's pretty easy on our end, we can add debug variants with a single yaml file if you want! We do something similar with our PHP images, where the default tags have no shell or package manager but then we have a -dev variant with busybox and a package manager: https://github.com/chainguard-images/images/blob/main/images/php/configs/latest-dev.apko.yaml#L9
yeah I think we can do this, it'll be a bit slow as I'm currently on leave. I don't see a strong reason why the chainguard images wouldn't work for you (the only potential problem I can think of is glibc version compatibility -- you'd have to have build infra that is compatible with your runtime images).
Thanks both! 😊 good to know we have some options. If you're interested @dlorenc and have the bandwidth that would be really helpful. I've dropped you a message.
Hi! I was also surprised that there is no
This completes the work started in #5540

Fixes #5544

We can't use distroless since they don't have a nossl cc image: GoogleContainerTools/distroless#1210

Chainguard have added this (-dev rather than :debug) to their image collection: chainguard-images/images#187

Following advice here, using their busybox is the best replacement for `gcr.io/distroless/static:debug` chainguard-images/images#368 (comment)

Signed-off-by: Charlie Egan <[email protected]>
Unless I'm mistaken, the java base images also don't need openssl as java ships its own crypto libraries.
Hi, we use distroless images in our open source project OPA. The project uses CGO, and our binaries are linked against glibc.
While we don't use the openssl binaries in the images, they appear in our users' security audits and automated scans, which they then report to us. If we can, it'd be nice to use a base image without openssl binaries to reduce alarm.
I was looking into the matter in December and noticed that there was a new nossl flavour of the base image that's now been merged (#1201). Would the project be interested in a nossl glibc variant? I'd be willing to help but my bazel experience is close to 0 😄