What does HackerNews think of distroless?

πŸ₯‘ Language focused docker images, minus the operating system.

Language: Starlark

#24 in Docker
Gokrazy is cool | Sep 2023
Expand Context ↕
>tons of docker images in production that lack basic debugging functionality like... a shell

That's a commendable security practice. A whole class of vulnerabilities is mitigated (and others are much harder to exploit) if you don't add unnecessary junk to your images, like a shell.

It's also endorsed by Google via distroless: https://github.com/GoogleContainerTools/distroless
Musl 1.2.4 adds TCP DNS fallback | Jul 2023
I hadn't heard of "distroless" before. Confusing name for a container with just main process runtimes, but neat idea.

https://github.com/GoogleContainerTools/distroless

Alpine Linux does not make the news | Jul 2023
Expand Context ↕
If you are optimizing for image size, Alpine is not the best choice. For example, Distroless (https://github.com/GoogleContainerTools/distroless) has options 50% smaller than Alpine.
Wolfi: A community Linux OS designed for the container and cloud-native era | Jun 2023
Expand Context ↕
From my side I'd love to see clear comparison to distroless[1] images, the best info I could find was this Github issue comment[2], although I would expect to find it in https://github.com/wolfi-dev#faq. Or maybe my google-fu failed me :(

[1]: https://github.com/GoogleContainerTools/distroless

[2]: https://github.com/tektoncd/pipeline/issues/5507#issuecommen...
Build your own Docker with Linux namespaces, cgroups, and chroot | Jun 2023
Expand Context ↕
Lots of examples without the entire OS as other comments mention, an example would be Googles distroless[0]

[0]: https://github.com/GoogleContainerTools/distroless
MRSK: Deploy web apps anywhere | Apr 2023
Expand Context ↕
I find Docker running a full Linux userspace a little bloated. Thankfully there are distroless base images(https://github.com/GoogleContainerTools/distroless). Haven't done service dev in a while, so I don't really have experience with this, but it looks promising.
Alpine Linux in the Browser | Jan 2023
Expand Context ↕
For code that compiles into a binary like Rust, distroless is another option for a minimal image that doesn't run into the compiling issues of Alpine. (Python and Node are supported but lose benefits rapidly depending on any added dependencies)

https://github.com/GoogleContainerTools/distroless
Ask HN: Do you use a dev container and why? | Nov 2022
> people are using them for their dev environments [?]

Yes, we use a container for dev environment so that we can share the same env across all the team. If it's decided that we need 1 more tool in our toolbox, the script that generates the container is updated (the script is version controlled in the repo too), the CI/CD generates a new container version, all the devs can now use the same NEW environment.

We actually use the container as image for (remote) virtual machines, so we don't really compose multiple containers.

The container has all the tools (for several languages) that we use as a team.

IDEs and debuggers can connect through ssh.

> post-development workflow do you ever use separate containers for build and test?

We build different flavors of the final packaged application, for example:

- production flavor: uses a minimal, nonroot container base image (see: https://github.com/GoogleContainerTools/distroless)

- debug flavor: includes few extra debug tools inside the container

Minify your container | Aug 2022
An alternative is a multi step build, then running with Google’s Distroless https://github.com/GoogleContainerTools/distroless