Please add an exception for the Distroless image in the repeatability section

[tymonx]

I have noticed this restriction in the repeatability section:

No official images can be derived from, or depend on, non-official images with the following notable exceptions:

- FROM scratch
- FROM mcr.microsoft.com/windows/servercore
- FROM mcr.microsoft.com/windows/nanoserver

My proposition is to add also the Distroless image to exceptions. It is supported and maintained by the Google company and their developers, build using the GCP (Google Cloud Platform) and it is already stored and available through the GCR (Google Container Registry).

Pros:

• Small base image size (19MB) compared to other base images
• It is based on the Debian base image. In many cases, to prepare a distroless image it requires only a multi stage build, copy necessary executables (glibc based), scripts and libraries from the original image into new created distroless image
• Secure, no shell and no package manager (it is a security feature, not a flaw) for in-container attacks, smaller security surface attacks (less libraries/executetables to scan), quick and better security audits
• It uses glibc (no musl Alpine issues, no performance drops or stability issues compared to musl)
• Stable and mature (based on the Debian 10 distro)
• Popular in cloud and microservices based application
• Supported and maintained by the Google company

Non-mandatory proposition/suggestion example for official images scheme tag name based on the Distroless like <image-name>:<version>-distroless or <image-name>:<version>-minimal.

An alternative approach to this it would be to add the Distroless image as part of official Docker images.

Related:

• Add Distroless variant MariaDB/mariadb-docker#379
• Add Alpine variant MariaDB/mariadb-docker#343 (comment)

[tymonx]

Related GoogleContainerTools/distroless#739

[issuefiler]

I second.

I like its compactness (smaller than UBI8-micro!), glibc support, and most importantly, smaller attack surface for intracontainer attacks. I’d call it “semi-scratch.”

[yosifkit]

I applaud the work done by the distroless team; it is good for advanced users wanting a smaller attack surface. Unfortunately, it will not be added as an exception. Microsoft images are an exception because a) we can't build them (proprietary software) and b) we aren't supposed to push the Microsoft layers (licensing; the images use foreign layers and so none of the Microsoft OS layers are pushed to Docker Hub even when we push an image based on it).

As for being part of official images, we are not opposed, but I think it would require a very large change in how they build. In order for an image to be added to official-images, we require a Dockerfile and build context so that our build servers can build and push all images across multiple architectures. distroless doesn't use a Dockerfile but uses bazel to build their images and we do not support that.