
[Feature] No SSL variant of gcr.io/distroless/cc #1210

Open
charlieegan3 opened this issue Jan 3, 2023 · 7 comments

Comments

@charlieegan3

Hi, we use distroless images in our open source project OPA. The project uses CGO, and our binaries are linked against glibc.

While we don't use the openssl binaries in the images, they appear in our users' security audits and automated scans, which they then report to us. If we can, it'd be nice to use a base image without openssl binaries to reduce alarm.

I was looking into the matter in December and noticed that there was a new nossl flavour of the base image that's now been merged (#1201). Would the project be interested in a nossl glibc variant? I'd be willing to help but my bazel experience is close to 0 😄

@dlorenc
Contributor

dlorenc commented Jan 3, 2023

If you're up for it, the images at cgr.dev/chainguard/glibc-dynamic should be roughly what you're looking for here: https://github.com/chainguard-images/images/blob/main/images/glibc-dynamic/configs/latest.apko.yaml

@charlieegan3
Author

Thanks Dan for the suggestion. We also ship a -debug version of our images which are based on distroless debug images containing a busybox shell. We'd need to maintain that channel, I think, if we are to make this change.

@dlorenc
Contributor

dlorenc commented Jan 3, 2023

> Thanks Dan for the suggestion. We also ship a -debug version of our images which are based on distroless debug images containing a busybox shell. We'd need to maintain that channel, I think, if we are to make this change.

FWIW that's pretty easy on our end, we can add debug variants with a single yaml file if you want! We do something similar with our PHP images, where the default tags have no shell or package manager but then we have a -dev variant with busybox and a package manager: https://github.com/chainguard-images/images/blob/main/images/php/configs/latest-dev.apko.yaml#L9

@loosebazooka
Member

loosebazooka commented Jan 3, 2023

yeah I think we can do this, it'll be a bit slow as I'm currently on leave. I don't see a strong reason why the chainguard images wouldn't work for you (the only potential problem I can think of is glibc version compatibility -- you'd have to have build infra that is compatible with your runtime images).
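The glibc compatibility caveat raised above, illustrated with an added example that is not code from this thread, from distroless or from Chainguard: it reads the GLIBC_x.y symbol-version tags from `objdump -T` output for a cgo binary (the sample lines below are constructed) and checks them against the glibc version of the intended runtime image, which you would take from `ldd --version` inside that image or from its package metadata.

```python
from __future__ import annotations

import re
from typing import Iterable

# A dynamically linked (cgo) binary records the glibc symbol versions it needs as
# GLIBC_x.y tags on its undefined symbols; the runtime image's glibc must be at
# least as new as the newest tag, or the dynamic loader refuses to start it.
GLIBC_TAG = re.compile(r"\bGLIBC_(\d+(?:\.\d+)+)\b")

# Constructed sample of `objdump -T ./opa` output; a real binary lists hundreds
# of symbols, but only the GLIBC_ tags matter for this check.
SAMPLE_OBJDUMP = """\
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 malloc
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.14  memcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.34  pthread_create
0000000000000000  w   DF *UND*  0000000000000000  GLIBC_2.2.5 __cxa_finalize
0000000000000000      DO *UND*  0000000000000000  GLIBC_PRIVATE _dl_argv
""".splitlines()


def parse_version(text: str) -> tuple[int, ...]:
    """'2.34' -> (2, 34) and '2.2.5' -> (2, 2, 5), so versions compare numerically
    rather than as strings (where '2.9' would wrongly sort above '2.34')."""
    return tuple(int(part) for part in text.split("."))


def required_glibc_versions(symbol_lines: Iterable[str]) -> set[tuple[int, ...]]:
    """Every distinct GLIBC_x.y tag referenced anywhere in the symbol listing."""
    needed: set[tuple[int, ...]] = set()
    for line in symbol_lines:
        for tag in GLIBC_TAG.findall(line):
            needed.add(parse_version(tag))
    return needed


def max_required_glibc(symbol_lines: Iterable[str]) -> tuple[int, ...] | None:
    """The newest glibc the binary depends on, or None for a fully static binary."""
    needed = required_glibc_versions(symbol_lines)
    return max(needed) if needed else None


def is_compatible(symbol_lines: Iterable[str], runtime_glibc: str) -> bool:
    """True when the runtime image's glibc (e.g. '2.36' from `ldd --version`)
    satisfies the newest tag the binary needs."""
    newest = max_required_glibc(symbol_lines)
    return newest is None or parse_version(runtime_glibc) >= newest
```

Run it against the build output and the base image you intend to ship before switching images: a binary built on a newer glibc than the runtime image carries will fail at startup even though the image scan is clean.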

@charlieegan3
Author

Thanks both! 😊 good to know we have some options. If you're interested @dlorenc and have the bandwidth that would be really helpful. I've dropped you a message.

@lcmgh

lcmgh commented Jan 25, 2023

Hi! I was also surprised that there is no cc variant without ssl. I'd like to stick to Google's images due to the trust factor.

charlieegan3 added a commit to open-policy-agent/opa that referenced this issue Mar 23, 2023
This completes the work started in #5540

Fixes #5544

We can't use distroless since they don't have a nossl cc image: GoogleContainerTools/distroless#1210

Chainguard have added this (-dev rather than :debug) to their image collection: chainguard-images/images#187

Following advice here, using their busybox is the best replacement for `gcr.io/distroless/static:debug` chainguard-images/images#368 (comment)

Signed-off-by: Charlie Egan <charlie@styra.com>

@Sineaggi
Contributor

Sineaggi commented Apr 6, 2023

Unless I'm mistaken, the java base images also don't need openssl as java ships its own crypto libraries.
