undefined | Better HN

0 pointsOptionOfT6d ago0 comments

I always recommend to not have any dependencies outside of the code.

So we start at compiling the codebase (Rust) against MUSL. That way we can run it with FROM scratch images.

If we need more tooling available at runtime, then we look at alpine, but still using MUSL.

If MUSL itself is proving problematic, or if some of the libraries we use need glibc then we can look at using some locked down image.

The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.

0 comments

8 comments · 2 top-level

xmodem6d ago· 4 in thread

> The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.

What's the benefit really, though? If you still need to be able to rapidly deploy a new image in response to a dependency CVE, what have you gained?

regularfry6d ago

You've gained that happening much less frequently. The tradeoff is making every other problem harder to diagnose.

NewJazz6d ago

Debug containers are a thing.

Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.

https://kubernetes.io/docs/reference/kubectl/generated/kubec...

1 more reply

OptionOfTOP6d ago

If the base image I use is based on Debian, it comes with more than 15 binaries that I don't use.

But when Docker scans my image and notices that there is a CVE in one of those binaries, my image is currently out of compliance.

FROM scratch just reduces the surface.

xmodem6d ago

> FROM scratch just reduces the surface.

The actual attack surface of your application? Or the attack surface of you and your team's attention from a busybody security org.

It's important not to confuse the two.

2 more replies

xp846d ago· 2 in thread

preface: I'm not asking things rhetorically, I genuinely want to learn here.

> to not have any dependencies outside of the code.

> ... FROM scratch images is that you'll never have to update your base image to address CVEs...

So a FROM scratch image, basically doesn't have things like a package manager to install things, and maybe also libraries that things like curl would depend on? Sorry for my ignorance, I've heard of FROM scratch but never tried them.

OptionOfTOP5d ago

There is nothing there.

If you want to run as another user, you need to manually add an /etc/group & /etc/password (or generate them in a stage before that and copy them over).

If you need ca-certificates, you need to install ca-certificates in a stage before that and copy over /etc/ssl/certs/ca-certificates.crt from that stage to your current one.

gpvos6d ago

Apparently you get only an empty root directory, nothing else. https://medium.com/@fabrizio.sgura/the-forgotten-minimalist-...

j / k navigate · click thread line to collapse