I would like to share a side project I am working on in my spare time: distroless docker images.
In distroless docker images you won’t find any shell, package manager or utilities such as grep, sed, awk, … The image runs only your application and nothing else.
Don’t expect to be able to launch commands like `docker run -it my-distroless-image something`; it will fail with a message like this one:

```
standard_init_linux.go:228: exec user process caused: no such file or directory
```
Long story short, it is better for security.
The first time I ever heard about distroless was by reading this blog post from passbolt: Improving passbolt security with distroless containers | by Diego Lendoiro | passbolt
And I told myself: wow, this is what I want! So I took inspiration from what @diego did and made a reboot of this project.
Basically, you will need to run 4 distroless containers to make passbolt work:
- mariadb for database
- nginx as web server
- php for passbolt code
- redis to handle php sessions (optional)
Google has created distroless images, but even though they contain no shell or package manager, you will still see remaining vulnerabilities if you scan them with a vulnerability scanner, and some of them carry a won’t-fix flag:

```
$ grype gcr.io/distroless/base-debian11
 ✔ Vulnerability DB        [updated]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [6 packages]
 ✔ Scanned image           [19 vulnerabilities]
NAME   INSTALLED        FIXED-IN     VULNERABILITY   SEVERITY
libc6  2.31-13+deb11u2               CVE-2021-43396  Negligible
libc6  2.31-13+deb11u2  (won't fix)  CVE-2021-3998   Unknown
libc6  2.31-13+deb11u2  (won't fix)  CVE-2021-3999   Unknown
libc6  2.31-13+deb11u2  (won't fix)  CVE-2022-23218  Critical
libc6  2.31-13+deb11u2  (won't fix)  CVE-2022-23219  Critical
(...etc...)
```
As I would like to focus on security, I chose alpine as the base image, because it usually returns zero vulnerabilities, and this is what I want:

```
$ grype alpine:latest
No vulnerabilities found
```
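To make the difference between the two scans above actionable in a CI gate, here is a small triage script (an added example, not part of the original post or the gitlab project) that reads grype’s JSON output (`grype <image> -o json`) and separates findings that block the build from those flagged won’t-fix, which no package upgrade will ever remove and which therefore call for a different base image. The embedded report is a constructed sample in grype’s JSON shape, mirroring the base-debian11 findings shown above.

```python
import json

# Constructed sample in the shape of `grype -o json` (subset of fields), mirroring
# the base-debian11 findings quoted above. This is NOT real scanner output.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-43396", "severity": "Negligible",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libc6", "version": "2.31-13+deb11u2"}},
    {"vulnerability": {"id": "CVE-2022-23218", "severity": "Critical",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libc6", "version": "2.31-13+deb11u2"}},
    {"vulnerability": {"id": "CVE-2022-23219", "severity": "Critical",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libc6", "version": "2.31-13+deb11u2"}},
]})

# Ordering used for the gate. "Unknown" is ranked like High on purpose: a finding
# the distro has not rated should not silently pass a severity threshold.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2,
                 "high": 3, "unknown": 3, "critical": 4}


def triage(grype_json, fail_on="high"):
    """Gate decision over a grype JSON report.

    blocking: findings at or above `fail_on`, whatever their fix state
    wont_fix: subset the distro declined to patch (fix.state == "wont-fix");
              these only go away by changing the base image, not by upgrading
    """
    report = json.loads(grype_json)
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking, wont_fix = [], []
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        severity = SEVERITY_RANK.get(vuln.get("severity", "Unknown").lower(),
                                     SEVERITY_RANK["unknown"])
        finding = f'{artifact["name"]} {artifact["version"]} {vuln["id"]}'
        if vuln.get("fix", {}).get("state") == "wont-fix":
            wont_fix.append(finding)
        if severity >= threshold:
            blocking.append(finding)
    return {"passed": not blocking, "blocking": blocking, "wont_fix": wont_fix}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_GRYPE_JSON), indent=2))
```

An empty `matches` list, which is what the alpine scan above corresponds to, yields `passed: True`.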
I didn’t encounter any issue like the one with the gnupg php module that diego described in his blog article. I have personally been using this stack on my own self-hosted passbolt instance for a few days, plus a traefik container to handle SSL termination, and I am very happy with it.
If you want to spin up a demo, I wrote shell scripts as usual to make it easy, and you will find all the details in the README of this gitlab repository.
Last but not least, these distroless images are also multiarch, so they will also run perfectly on Raspberry Pi or M1 processors.