Passbolt distroless docker images

Hello there,

I would like to share a side project I am working on in my spare time, aka distroless docker images.

In distroless docker images, you won’t find any shell, package manager or utilities such as grep, sed, awk, … It runs only your application and nothing else.

Don’t expect to be able to launch commands like docker run -it my-distroless-image something; it will fail with a message like this one:

standard_init_linux.go:228: exec user process caused: no such file or directory

Long story short, it is better for security.

The first time I ever heard about distroless was by reading this blog post from passbolt: Improving passbolt security with distroless containers | by Diego Lendoiro | passbolt

And I told myself: wow, this is what I want! So I took inspiration from what @diego did and made a reboot of this project.

Basically, you will need to run 4 distroless containers to make passbolt work:

  • mariadb for database
  • nginx as web server
  • php for passbolt code
  • redis to handle php sessions (optional)

Google has created distroless images, but even if they contain no shell or package manager, you will still see vulnerabilities if you scan them with a vulnerability scanner, and some of them have a Won’t fix flag:

$ grype gcr.io/distroless/base-debian11
 ✔ Vulnerability DB        [updated]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [6 packages]
 ✔ Scanned image           [19 vulnerabilities]
NAME       INSTALLED         FIXED-IN     VULNERABILITY     SEVERITY
libc6      2.31-13+deb11u2                CVE-2021-43396    Negligible
libc6      2.31-13+deb11u2   (won't fix)  CVE-2021-3998     Unknown
libc6      2.31-13+deb11u2   (won't fix)  CVE-2021-3999     Unknown
libc6      2.31-13+deb11u2   (won't fix)  CVE-2022-23218    Critical
libc6      2.31-13+deb11u2   (won't fix)  CVE-2022-23219    Critical
(...etc...)
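To turn a scan like the one above into a pass/fail check, here is an added example (not code from the original post or from the passbolt project) that reads a saved grype table report from stdin, counts findings at or above a chosen severity, and surfaces the rows the distro has marked "won't fix". The sample report is constructed for the demo (its rows mirror the libc6 findings quoted above, it is not a fresh scan), and the function and variable names are my own; the script needs only POSIX sh and awk, so it runs in CI without grype being installed, on a report saved earlier with grype <image> > report.txt.

```shell
#!/bin/sh
# Added example: gate a grype table report on severity and list the rows the
# distro has flagged "(won't fix)". Names here are the example's own.

# Constructed sample report in the shape of grype's table output (the rows
# mirror the libc6 findings quoted in the post; this is not a real scan).
sample_report() {
  cat <<'EOF'
NAME       INSTALLED         FIXED-IN     VULNERABILITY     SEVERITY
libc6      2.31-13+deb11u2                CVE-2021-43396    Negligible
libc6      2.31-13+deb11u2   (won't fix)  CVE-2021-3998     Unknown
libc6      2.31-13+deb11u2   (won't fix)  CVE-2021-3999     Unknown
libc6      2.31-13+deb11u2   (won't fix)  CVE-2022-23218    Critical
libc6      2.31-13+deb11u2   (won't fix)  CVE-2022-23219    Critical
EOF
}

# count_at_or_above THRESHOLD < report
# Prints the number of findings whose severity is at least THRESHOLD.
# "Unknown" is ranked like Medium on purpose: the scanner could not rate it,
# so it must not vanish from a gate that only looks at Critical/High.
count_at_or_above() {
  awk -v thr="$1" '
    function rank(s) {
      if (s == "Critical")   return 5
      if (s == "High")       return 4
      if (s == "Medium")     return 3
      if (s == "Unknown")    return 3
      if (s == "Low")        return 2
      if (s == "Negligible") return 1
      return 0
    }
    /^No vulnerabilities found/ { next }       # clean image, nothing to count
    $1 == "NAME" && $NF == "SEVERITY" { next } # table header
    NF < 3 { next }                            # blank or progress lines
    rank($NF) >= rank(thr) { n++ }             # SEVERITY is the last column
    END { print n + 0 }
  '
}

# list_wont_fix < report
# Prints "VULNERABILITY SEVERITY" for rows flagged (won't fix) in FIXED-IN.
# The flag contains a space, so the fields are taken from the end of the line.
list_wont_fix() {
  awk '/\(won.t fix\)/ { print $(NF - 1), $NF }'
}

# gate_report THRESHOLD < report
# Exit status 0 when nothing at or above THRESHOLD was found, 1 otherwise.
gate_report() {
  report=$(cat)
  n=$(printf '%s\n' "$report" | count_at_or_above "$1")
  if [ "$n" -eq 0 ]; then
    echo "gate: pass (no findings >= $1)"
    return 0
  fi
  echo "gate: FAIL ($n finding(s) >= $1)"
  printf '%s\n' "$report" | list_wont_fix | awk '{ print "  wont-fix:", $0 }'
  return 1
}

# Demo: the constructed debian-style report fails, a clean scan passes.
sample_report | gate_report Critical || true
printf 'No vulnerabilities found\n' | gate_report Negligible
```

Run it as sh gate.sh to see both outcomes, or pipe a saved report into gate_report with the threshold your policy uses; a Critical threshold lets the two Unknown rows through, a Medium (or Unknown) threshold does not, which is the choice to make deliberately rather than by default.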

As I would like to focus on security, I chose alpine as the base image, because it will usually return zero vulnerabilities, and this is what I want:

$ grype alpine:latest
No vulnerabilities found

I didn’t encounter any issue like the one related to the gnupg php module reported by diego in his blog article. I personally have used this stack on my own self-hosted passbolt instance for some days, plus a traefik container to handle SSL termination, and I am so happy with it.

If you want to spin up a demo, I wrote shell scripts as usual to make it easy, and you will find all details in the README of this gitlab repository.

Last but not least, these distroless images are also multiarch ones, so they will also run perfectly on Raspberry Pi or M1 processors.

Please enjoy :slight_smile:
