Give us your feedback: Distroless docker image instead of Alpine
We're considering shipping a "distroless" Docker image (specifically gcr.io/distroless/static-debian11) in addition to - and after a deprecation period, instead of - the existing Alpine-based image.
The motivation is to reduce the attack surface of the image LaunchDarkly provides. In turn, this should reduce the number of CVEs reported by tools like Trivy which aren't directly related to Relay itself.
We'd provide both production and debug versions of the image (containing the busybox suite).
Please feel free to comment/emoji if you have any opinion on this potential change. We'd greatly appreciate your input!
Being a Go service, this just makes sense to me. Distroless is a good choice.
We are now publishing "distroless" Docker tags, in addition to the existing Alpine tags. They follow the same versioning scheme as the Alpine tags, but have a new suffix.
You may choose from:
- -static-debian12-nonroot (based on gcr.io/distroless/static-debian12:nonroot)
- -static-debian12-debug-nonroot (based on gcr.io/distroless/static-debian12:debug-nonroot).
They are about 50% of the size and are available on amd64, armv7, and arm64.
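As an added illustration (not the Relay project's own Dockerfile), a multi-stage build that produces one statically linked Go binary and packages it either on Alpine or on the distroless static-debian12 bases named above; the Go and Alpine versions, the build flags and the binary name are assumptions.

```dockerfile
# Stage 1: build a fully static Go binary (CGO off, no libc dependency) so it
# can run on the "static" distroless base, which ships no shell, package
# manager or libc.  Go version, flags and binary name are assumptions.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/relay ./

# Option A (existing style): Alpine base.  Small, but carries a shell, apk,
# musl and other packages that scanners such as Trivy report CVEs against
# even though the Go binary never uses them.
FROM alpine:3.19 AS alpine-image
RUN adduser -D -u 65532 relay
USER relay
COPY --from=build /out/relay /relay
ENTRYPOINT ["/relay"]

# Option B: distroless static base, as announced above.  Contains only CA
# certificates, tzdata and a minimal /etc/passwd; the :nonroot tag already
# runs as uid 65532, so no USER line is needed.  With no shell present,
# ENTRYPOINT must use exec (JSON) form.
FROM gcr.io/distroless/static-debian12:nonroot AS distroless-image
COPY --from=build /out/relay /relay
ENTRYPOINT ["/relay"]

# Option C: the debug variant.  Identical to B plus the busybox suite, so
# `docker exec -it <container> sh` works while troubleshooting; not for production.
FROM gcr.io/distroless/static-debian12:debug-nonroot AS distroless-debug-image
COPY --from=build /out/relay /relay
ENTRYPOINT ["/relay"]
```

Build a given variant with `docker build --target distroless-image .` (or `alpine-image`, `distroless-debug-image`) and run `trivy image` on each to compare the CVE counts the thread refers to.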