
Split OpenSSL out from gcr.io/distroless/base images

Open wespanther opened this issue 3 years ago • 0 comments

Describe the bug
This is less of a bug and more of a design choice.

Today, we include libssl / openssl in our distroless images. These two libraries are the major source of vulnerabilities in many of our distroless-based container images in GKE. One example is the Critical OpenSSL vulnerability CVE-2022-2068.

Since many of our images do not actually require the libssl / openssl libraries, I propose we split out another variant with only libc. So then we would have these three:

  • static
  • libc
  • base

This would help downstream consumers have fewer vulnerabilities, and probably cut down on bug reports (e.g. https://github.com/GoogleContainerTools/distroless/issues/1002).

To Reproduce
Extract any of the distroless images (e.g. gcr.io/distroless/base-debian11), and look at the included system packages in the /var/lib/dpkg/status.d files.

Expected behavior
I expect the base image does not include libssl or openssl.

Console Output
Example from extracting gcr.io/distroless/base-debian11:

$ find . -path "*var/lib*" -name "dpkg" -exec ls -al "{}/status.d/" \;
total 20
drwxr-x--- 2 wpanther primarygroup 4096 Aug  1 10:38 .
drwxr-x--- 3 wpanther primarygroup 4096 Dec 31  1969 ..
-rw-r----- 1 wpanther primarygroup 1099 Dec 31  1969 libc6
-rw-r----- 1 wpanther primarygroup  791 Dec 31  1969 libssl1
-rw-r----- 1 wpanther primarygroup  918 Dec 31  1969 openssl
total 20
drwxr-x--- 2 wpanther primarygroup 4096 Aug  1 10:38 .
drwxr-x--- 3 wpanther primarygroup 4096 Dec 31  1969 ..
-rw-r----- 1 wpanther primarygroup  719 Dec 31  1969 base
-rw-r----- 1 wpanther primarygroup  484 Dec 31  1969 netbase
-rw-r----- 1 wpanther primarygroup  642 Dec 31  1969 tzdata
total 20
drwxr-x--- 2 wpanther primarygroup 4096 Aug  1 10:38 .
drwxr-x--- 3 wpanther primarygroup 4096 Dec 31  1969 ..
-rw-r----- 1 wpanther primarygroup  719 Dec 31  1969 base
-rw-r----- 1 wpanther primarygroup  484 Dec 31  1969 netbase
-rw-r----- 1 wpanther primarygroup  642 Dec 31  1969 tzdata
total 20
drwxr-x--- 2 wpanther primarygroup 4096 Aug  1 10:38 .
drwxr-x--- 3 wpanther primarygroup 4096 Dec 31  1969 ..
-rw-r----- 1 wpanther primarygroup 1099 Dec 31  1969 libc6
-rw-r----- 1 wpanther primarygroup  791 Dec 31  1969 libssl1
-rw-r----- 1 wpanther primarygroup  918 Dec 31  1969 openssl

Additional context
N/A

wespanther, Aug 01 '22 17:08
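An added example, not part of wespanther's issue or of the distroless project: a POSIX shell script that automates the inspection step the issue describes (extract the image, read the dpkg stanzas under var/lib/dpkg/status.d) and reports whether OpenSSL packages are recorded, which is exactly the property the proposed libc-only variant would satisfy and base currently does not. It assumes one dpkg control stanza per file under that directory of an extracted image root; the function names, the sample package trees and the 0.0-sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the distroless issue or project.
# Given the root of an extracted image filesystem, list the packages recorded
# in var/lib/dpkg/status.d (one dpkg control stanza per file) and flag the
# OpenSSL-related ones. The sample trees at the bottom are constructed data.

# list_packages ROOT -> one "name version" line per status.d entry under ROOT
list_packages() {
    root="$1"
    find "$root" -path '*var/lib/dpkg/status.d/*' -type f | sort |
    while IFS= read -r f; do
        name=$(sed -n 's/^Package: *//p' "$f" | head -n 1)
        version=$(sed -n 's/^Version: *//p' "$f" | head -n 1)
        # fall back to the file name if the stanza lacks a Package: field
        printf '%s %s\n' "${name:-$(basename "$f")}" "${version:-unknown}"
    done
}

# count_packages ROOT -> number of recorded packages
count_packages() {
    list_packages "$1" | wc -l | tr -d ' '
}

# has_openssl ROOT -> exit 0 if any libssl*/openssl* package is recorded, else 1
has_openssl() {
    list_packages "$1" | awk '$1 ~ /^(libssl|openssl)/ { found = 1 } END { exit !found }'
}

# report ROOT -> human-readable summary of the check
report() {
    echo "packages in $1:"
    list_packages "$1" | sed 's/^/  /'
    if has_openssl "$1"; then
        echo "RESULT: OpenSSL present (libssl/openssl stanzas in status.d)"
    else
        echo "RESULT: no OpenSSL packages recorded"
    fi
}

# write_stanza DIR FILE PKG VERSION -> constructed dpkg status.d entry (sample data)
write_stanza() {
    printf 'Package: %s\nVersion: %s\nArchitecture: amd64\n' "$3" "$4" > "$1/$2"
}

# make_sample_base -> constructed tree mirroring the file names listed in the issue
make_sample_base() {
    d=$(mktemp -d); s="$d/var/lib/dpkg/status.d"; mkdir -p "$s"
    write_stanza "$s" libc6   libc6     0.0-sample
    write_stanza "$s" libssl1 libssl1.1 0.0-sample
    write_stanza "$s" openssl openssl   0.0-sample
    write_stanza "$s" base    base      0.0-sample
    write_stanza "$s" netbase netbase   0.0-sample
    write_stanza "$s" tzdata  tzdata    0.0-sample
    echo "$d"
}

# make_sample_libc -> constructed tree for the proposed libc-only variant
make_sample_libc() {
    d=$(mktemp -d); s="$d/var/lib/dpkg/status.d"; mkdir -p "$s"
    write_stanza "$s" libc6   libc6     0.0-sample
    write_stanza "$s" base    base      0.0-sample
    write_stanza "$s" netbase netbase   0.0-sample
    write_stanza "$s" tzdata  tzdata    0.0-sample
    echo "$d"
}

# Usage: sh check_dpkg.sh /path/to/extracted/image   (no argument: run on the samples)
if [ $# -gt 0 ]; then
    report "$1"
else
    report "$(make_sample_base)"
    report "$(make_sample_libc)"
fi
```

Point it at the directory where an image's layers were extracted (for example `sh check_dpkg.sh ./rootfs`). Note that status.d only records what dpkg metadata says is installed: a copy of OpenSSL vendored into an image without a dpkg stanza would not appear here, so the check confirms the package list, not the absence of the library itself.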