
containers: Move more Dockerfiles to be based on distroless #35631

Merged
def- merged 1 commit into MaterializeInc:main from def-:pr-distroless-mroe
Mar 26, 2026
Conversation

@def- (Contributor) commented Mar 25, 2026

balancerd: 56MB -> 23MB
fivetran-destination: 49MB -> 16MB

Similar to #35595

@github-actions (Contributor) commented:

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@def- def- changed the title containers: More distroless containers: Move more Dockerfiles to be based on distroless Mar 25, 2026
@def- def- force-pushed the pr-distroless-mroe branch 9 times, most recently from 9c7c3b0 to 56795d9 on March 26, 2026 08:30
@def- def- marked this pull request as ready for review March 26, 2026 09:07
@def- def- requested review from a team as code owners March 26, 2026 09:07
@alex-hunt-materialize (Contributor) left a comment:

It seems like we need additional changes for the orchestratord tests to pass. I assume these aren't coming up at all. I see in the cloud test describe output that environmentd has exit code 127, so we're probably trying to call something that doesn't exist.

[pod/environmentd-0/environmentd] environmentd: error while loading shared libraries: liblzma.so.5: cannot open shared object file: No such file or directory

I also suspect we will need additional changes to support ssh tunnels, since distroless doesn't ship ssh by default, and that likely relies on other libs (openssl?) which likely don't exist either. That's the only thing I know off the top of my head that we subprocess out to in environmentd/clusterd, but database folks may know others.

Comment thread src/balancerd/ci/Dockerfile Outdated
@def- def- marked this pull request as draft March 26, 2026 10:50
@def- def- force-pushed the pr-distroless-mroe branch 3 times, most recently from b4239bf to 328f4b5 on March 26, 2026 11:53
@def- def- marked this pull request as ready for review March 26, 2026 11:53
@def- def- force-pushed the pr-distroless-mroe branch from 328f4b5 to 46a7f0b on March 26, 2026 11:54
@def- (Contributor, Author) commented Mar 26, 2026

Indeed, environmentd & clusterd turned out to be too complex, so I gave up on them.

@def- def- force-pushed the pr-distroless-mroe branch from 46a7f0b to a839800 on March 26, 2026 11:59
@def- def- merged commit 03e1f22 into MaterializeInc:main Mar 26, 2026
34 checks passed
@def- def- deleted the pr-distroless-mroe branch March 26, 2026 13:15
jasonhernandez added a commit to jasonhernandez/materialize that referenced this pull request Apr 10, 2026
During rolling upgrades, orchestratord may manage pods running old
Ubuntu-based images (uid/gid 999 `materialize` user) alongside new
distroless images (uid/gid 65534 `nonroot` user). Gate the
PodSecurityContext uid/gid based on the image version to prevent
permission mismatches:

- environmentd/clusterd: use meets_minimum_version(V26_20_0) to select
  65534 for distroless images, 999 for older Ubuntu-based images
- balancerd: parse the image ref directly (balancerd switched to
  distroless in v26.19 via MaterializeInc#35631, earlier than environmentd/clusterd)
- Make parse_image_ref public for reuse by the balancer controller

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
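As an added illustration of the version-gated uid/gid selection that commit message describes (example code written here, not Materialize's own `parse_image_ref` or `meets_minimum_version`), assuming image refs of the form `[registry[:port]/]repo/name:vMAJOR.MINOR.PATCH[-suffix][@digest]` and the thresholds the message gives (v26.19.0 for balancerd, v26.20.0 for environmentd/clusterd):

```rust
// Added example, not code from the Materialize repository: it models the
// version-gated uid/gid selection the commit message describes. Assumed
// image ref shape: [registry[:port]/]repo/name:vMAJOR.MINOR.PATCH[-suffix][@digest].

/// uid/gid of the `materialize` user in the older Ubuntu-based images.
pub const UBUNTU_UID: i64 = 999;
/// uid/gid of the `nonroot` user in the distroless images.
pub const DISTROLESS_UID: i64 = 65534;

/// Extract (major, minor, patch) from an image ref's tag. Hypothetical
/// helper, not the project's `parse_image_ref`. Returns None when the tag
/// is missing or not a version (e.g. `latest`), so callers cannot guess.
pub fn parse_image_version(image: &str) -> Option<(u64, u64, u64)> {
    // Drop any `@sha256:...` digest, then look only at the final path
    // component so a registry port (`host:5000/...`) is not taken for a tag.
    let without_digest = image.split('@').next()?;
    let name_start = without_digest.rfind('/').map_or(0, |i| i + 1);
    let (_, tag) = without_digest[name_start..].split_once(':')?;
    // Ignore pre-release / build suffixes such as `-dev.1`.
    let core = tag.split(|c: char| c == '-' || c == '+').next()?;
    let core = core.strip_prefix('v').unwrap_or(core);
    let mut parts = core.splitn(3, '.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Choose the PodSecurityContext uid/gid for a pod running `image`.
/// `min_distroless` is the first version whose image is distroless for that
/// component (per the commit message: v26.19.0 for balancerd, v26.20.0 for
/// environmentd/clusterd). None means "version unknown"; refuse to guess.
pub fn pod_uid(image: &str, min_distroless: (u64, u64, u64)) -> Option<i64> {
    let version = parse_image_version(image)?;
    Some(if version >= min_distroless { DISTROLESS_UID } else { UBUNTU_UID })
}

fn main() {
    // Constructed sample refs mimicking a rolling upgrade of balancerd.
    let balancerd_min = (26, 19, 0);
    for image in [
        "materialize/balancerd:v26.18.3",
        "materialize/balancerd:v26.19.0",
        "ghcr.io/materialize/balancerd:v27.0.0-dev.1",
        "materialize/balancerd:latest",
    ] {
        match pod_uid(image, balancerd_min) {
            Some(uid) => println!("{image}: runAsUser/runAsGroup = {uid}"),
            None => println!("{image}: version unknown, not selecting a uid"),
        }
    }
}
```

Selecting the wrong uid for a pod silently breaks file ownership on persistent volumes, so an unparsable tag is surfaced as `None` rather than mapped to either user.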