[GitHub] [pulsar] hpvd edited a discussion: Build distroless package for better security, smaller size, speed and more
GitHub user hpvd edited a discussion: Build distroless package for better security, smaller size, speed and more

As proven in practice (e.g. see our own example https://github.com/apache/pulsar/discussions/20253#discussioncomment-5835696 ) there are sometimes (often!) security problems in a container/package whose origin is not the software one builds, but the other software which is also situated in this container. In most cases, there is no (little) use case for this additional software.

This is where the idea of **distroless containers** comes in and "frees" your software:

1) for **better security**
2) fewer bugs
3) smaller packages
4) a faster build process
5) a faster check process (e.g. security scans for CVEs and CWEs)
6) **faster, cheaper and less annoying development** process, because of less noise to understand and fix
7) faster spin-up / faster **dynamic scaling** on load
8) less demanding for needed infrastructure = **less cost** for infrastructure to run on
9) ...

Traditionally, this approach is somewhat strenuous to implement and associated with restrictions. But it looks like **2 new tools make it pretty easy and straightforward**:

**good overview on distroless containers**
https://dev.to/dansiviter/distroless-alpine-ci8
and https://blog.chainguard.dev/minimal-container-images-towards-a-more-secure-future/ (see last paragraph for how it works)

**the tools:**
source to apk: https://github.com/chainguard-dev/melange
apk to OCI: https://github.com/chainguard-dev/apko

**to debug distroless containers:**
official: https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/
detail flow: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/

(this idea/issue was created as a follow-up to ongoing progress in distroless for functionmesh, see https://github.com/streamnative/function-mesh/issues/448)

GitHub link: https://github.com/apache/pulsar/discussions/20253

This is an automatically sent email for commits@pulsar.apache.org.
To unsubscribe, please send an email to: commits-unsubscr...@pulsar.apache.org
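The post's security argument is that the extra software shipped alongside the application (shells, package managers) is where many container CVEs come from, and that a distroless build removes it. The following POSIX shell check is an added example, not part of the discussion or of the melange/apko projects: it inspects an exported image root filesystem (for example the directory you get from `docker export` of a container, or an unpacked image layer) and reports any shell or package-manager binary that a distroless image should not carry, plus a file count to compare against the conventional image. The list of forbidden paths, the function names and the demo directory layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Pulsar discussion): check whether an exported
# image rootfs is distroless, i.e. carries no shell and no package manager.
# The binaries below are the "additional software with no use case" the post
# argues should be absent from the runtime image. The list is an assumption;
# extend it for your own policy. Paths are relative to the rootfs root.
FORBIDDEN="bin/sh bin/bash bin/dash bin/ash usr/bin/sh usr/bin/bash \
sbin/apk usr/bin/apt usr/bin/apt-get usr/bin/dpkg usr/bin/yum usr/bin/dnf \
usr/bin/rpm usr/bin/pip usr/bin/pip3"

# distroless_check <rootfs_dir>
# Prints every forbidden path present (regular file or symlink) and
# returns 0 if none was found, 1 otherwise, so it can gate a CI job.
distroless_check() {
    rootfs=$1
    found=0
    # $FORBIDDEN is deliberately unquoted: word splitting yields the paths.
    for rel in $FORBIDDEN; do
        if [ -e "$rootfs/$rel" ] || [ -L "$rootfs/$rel" ]; then
            echo "NOT distroless: $rootfs/$rel present"
            found=1
        fi
    done
    return $found
}

# rootfs_file_count <rootfs_dir>
# Number of regular files in the rootfs: a rough size / attack-surface
# metric to compare a distroless build against the conventional image.
rootfs_file_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# make_demo_rootfs
# Builds two constructed rootfs trees (not real images) under a temp dir
# and prints that dir: "fat" mimics a conventional image with a shell and
# apk next to the app, "lean" mimics a distroless image with only the app
# binary and a CA bundle.
make_demo_rootfs() {
    base=$(mktemp -d)
    mkdir -p "$base/fat/bin" "$base/fat/sbin" "$base/fat/app"
    : > "$base/fat/bin/sh"
    : > "$base/fat/sbin/apk"
    : > "$base/fat/app/pulsar"
    mkdir -p "$base/lean/app" "$base/lean/etc/ssl/certs"
    : > "$base/lean/app/pulsar"
    : > "$base/lean/etc/ssl/certs/ca-certificates.crt"
    echo "$base"
}

# Usage: ./distroless_check.sh /path/to/exported/rootfs
# Exit status 1 means at least one shell or package manager was found.
if [ -n "${1:-}" ]; then
    distroless_check "$1"
    exit $?
fi
```

In a pipeline built with melange and apko this check runs against the rootfs of the produced OCI image before it is pushed; a non-zero exit fails the job and stops an image that silently regained a shell (for example through a transitive package dependency) from reaching the cluster, where the only sanctioned way to get a shell next to the process is the ephemeral debug container linked in the post.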