undefined | Better HN

0 pointsqbasic_forever2y ago0 comments

It's best practice not to have any shell tools in your app container, including package managers. It bloats the image and can be a security vulnerability if a zero day exploit hits the app. Ideally a container is something like distroless which just has the libc and dependencies you care about and nothing else, not even bash.

0 comments

Steltek2y ago

But where do your dependencies come from? Your compiler? Are you building everything from source after libc?

qbasic_foreverOP2y ago

If you're shipping modern code like go or rust you have a static build with no real dependencies. If you're shipping a scripting language like python you're probably going to use their base images, and if you're shipping native C/C++ you have to figure out your risk tolerance for trusting a distro to ship good dependencies vs. just building them yourself. It's not hard to build all your deps in a container, and arguably is the best security practice so you have total control and knowledge of their versions.

m4rtink2y ago

Wouldn't something like that be really hard to debug in real world scenarios ?

j / k navigate · click thread line to collapse