Skip to content

feat: switch gateway image to distroless base#1004

Closed
dimityrmirchev wants to merge 1 commit intoNVIDIA:mainfrom
dimityrmirchev:minimal-gateway-image
Closed

feat: switch gateway image to distroless base#1004
dimityrmirchev wants to merge 1 commit intoNVIDIA:mainfrom
dimityrmirchev:minimal-gateway-image

Conversation

@dimityrmirchev
Copy link
Copy Markdown

@dimityrmirchev dimityrmirchev commented Apr 28, 2026

Summary

Replace the Ubuntu-based gateway image with gcr.io/distroless/cc-debian13 to minimize attack surface and image size. In addition removes the migration scripts as those are embedded into the gateway binary.

Let me know what do you think about this change and if you are willing to accept such contribution.

Related Issue

I did not find an issue about this, however I can open one if you advise so.

Changes

  • Base ubuntu image is replaced with distroless/cc-debian13 (suitable for Rust binaries)
  • Copying of migration scripts was removed as those are embedded into the binary ref
  • The user ID was preserved to be 1000, however the distroless images come with a built in nonroot user. IMO it is a matter of preference so I kept the original openshell user. If agreed, I can switch to distroless's nonroot user.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated - not applicable
  • E2E tests added/updated (if applicable) - not applicable
  • Ran mise run cluster and mise run sandbox. Verified that the gateway works as expected.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@dimityrmirchev
feat: switch gateway image to distroless base
afc81ed 
Replace the Ubuntu-based gateway image with gcr.io/distroless/cc-debian13
to minimize attack surface and image size.
@dimityrmirchev dimityrmirchev requested a review from a team as a code owner April 28, 2026 13:33
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented Apr 28, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 28, 2026

Thank you for your interest in contributing to OpenShell, @dimityrmirchev.

This project uses a vouch system for first-time contributors. Before submitting a pull request, you need to be vouched by a maintainer.

To get vouched:

  1. Open a Vouch Request discussion.
  2. Describe what you want to change and why.
  3. Write in your own words — do not have an AI generate the request.
  4. A maintainer will comment /vouch if approved.
  5. Once vouched, open a new PR (preferred) or reopen this one after a few minutes.

See CONTRIBUTING.md for details.

@github-actions github-actions Bot closed this Apr 28, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 28, 2026

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:

I have read the DCO document and I hereby sign the DCO.

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dimityrmirchev