Harden Docker container #2153
Harden Docker container #2153
Conversation
hazcod
commented
Nov 13, 2019
hazcod
commented
- produce go static builds
- remove unused libraries
- remove shell
No need for a full shell/system
|
|
|
|
zwass
left a comment
zwass
left a comment
There was a problem hiding this comment.
Very cool! Thank you for your contribution.
|
|
||
| fleet: .prefix .pre-build .pre-fleet | ||
| go build -i -o build/${OUTPUT} -ldflags ${KIT_VERSION} ./cmd/fleet | ||
| go build -i -o build/${OUTPUT} -ldflags ${KIT_VERSION} -ldflags "-w -s -extldflags '-static'" ./cmd/fleet |
There was a problem hiding this comment.
Is this change necessary when using base-debian10? https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md seems to suggest that this may not be needed.
There was a problem hiding this comment.
Exactly right, I've changed it to static since it now receives glibc from the original go image used to built the code from .circleci/. Seems clearer
There was a problem hiding this comment.
Sorry it wasn't clear, but my preferred strategy would be to leave the build the same while using the base-debian10 image. Do you see a compelling reason to change the build flags for all binaries vs. using the base image?
There was a problem hiding this comment.
@zwass care to share your relationale behind that? Since distroless does not have an update policy, there is no guarantee when they pull in new glibc versions so it would make more sense to me to package that in during compilation. GoogleContainerTools/distroless#326
There was a problem hiding this comment.
My rationale is that we are changing the build flags for all the binaries produced by this Makefile, not just those being placed in the Docker container. Maybe we can refactor the Makefile in such a way to enable the fully static build for the binary used in the container while leaving other binary builds unchanged?
There was a problem hiding this comment.
I think it would make more sense to build fleet in a multi-stage container, what do you think? So we can move GOOS=linux go build -i -o build/linux/${OUTPUT} -ldflags ${KIT_VERSION} ./cmd/fleet to the build container.
There was a problem hiding this comment.
I am on board with that strategy. It will likely require running make deps-js && make generate-js in a Node container, then make deps-go && make generate-go && make in a Go container.
3 participants
