minimal images #15
Is there any plan to support minimal images? The current Amazon Linux 2 image is 163mb on disk and contains quite a few packages that probably aren't required. This presents an unnecessary surface area for security vulnerabilities.
Project Atomic have released Buildah, which can create extremely small CentOS base images.
This blog describes how to strip all packages out except bash and coreutils.
It would be great if Amazon Linux was made available with a minimal tag. Or, if somebody could provide some info on how to build a minimal image themselves.
Our images are already as minimal as we can reasonably make them without major (breaking!) changes. For instance, the
We can't ship you a container without yum, because then you can't use it. Every single other package here is in service of yum, or doesn't significantly increase the footprint (amazon-linux-extras entirely uses the Python standard library which you're going to have anyway with yum, for instance). The goal of the official images program that we participate in is to ship base images reasonable for most users.
I think that if we can get Buildah or another project to work with Amazon Linux we should document that, and if that interests you we'll accept a pull request to the README here if you get to it before we can. :)
The CentOS minimal that I built with Yum installed using Buildah came to 120mb on disk. That was only:
RHEL Atomic have got around this by using microdnf. This gets it down to around 30mb compressed and 80mb on disk.
Debian stable-slim tag is now 22mb on disk and 55mb compressed. Similarly Ubuntu latest is now 31mb compressed and 81mb on disk.
We're evaluating a switch away from Alpine at work to a distribution with a CVE database. These new minimal alternatives from Ubuntu and Debian are quite attractive from a size and surface area perspective and are fully functional with a package manager.
Amazon Linux 2 would be our preference. We may still go with it as the package list is quite small. It looks like there should be some investigation into switching out Yum to provide a true minimal fully functional image in line with what Debian and Ubuntu are doing. Then it would make it a non-decision for most.
Why is this a problem now? We're using Kubernetes and have quite a few clusters. Many tens of thousands of containers. Base images get cached on disk but we still have a pipeline for every image and we still copy these around a lot.
microdnf seems promising then, especially if RHEL is doing it (our versions of yum are very close). We'll take a look. Being able to drop Python would give us a pretty good slim image. (I think we'd need a micro amazon-linux-extras CLI then but that doesn't seem like that bad of a problem.)