Use non-Alpine images for Vizier components?

Open oppegard opened this issue 2 years ago • 4 comments

Describe the Task

We're checking on the feasibility of switching to non-Alpine images for Vizier components: nats, curl, and maybe(?) etcd.

Background on why we want this: we're planning to package Pixie Vizier for installation onto customer K8s clusters. As part of this, we have to get sign-off from our open source compliance and legal team. All of the core Vizier components are based on Debian and are approved. But the third-party images based on Alpine are blockers (specifically, nats and curl).

There's an official NATS image of nats:2.8.4-scratch that may be a drop-in replacement, and I imagine there's a Debian-based curl alternative for the initContainers.

I'm not sure if the etcd image is based on Alpine – it's not a present concern since we deploy Vizier without etcd for the metadata store.

Subtasks

  • [ ] Switch gcr.io/pixie-oss/pixie-prod/vizier-deps/nats:multiarch-2.8.4-alpine3.15 to nats:2.8.4-scratch.
  • [ ] Replace gcr.io/pixie-oss/pixie-dev-public/curl:multiarch-7.87.0 with a Debian, Ubuntu or scratch alternative.

oppegard avatar May 23 '23 19:05 oppegard
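The issue above hinges on knowing which base distribution each third-party image is built on (Alpine versus Debian, or no distribution at all for a scratch image). The helper below is an added example, not code from the issue or from the Pixie project: it classifies an image from the contents of its /etc/os-release, treats the "no os-release at all" case (a scratch image such as nats:2.8.4-scratch has no shell or cat to run) as a distinct result, and the os-release snippets fed to it are constructed for the demonstration. The inspect_image wrapper assumes a local docker CLI.

```shell
#!/bin/sh
# Classify a container image's base distribution from its /etc/os-release.
# identify_base_os reads os-release content on stdin and prints one of:
#   alpine | debian | ubuntu | wolfi | rhel-family | debian-family
#   | scratch-or-unknown | other:<ID>
identify_base_os() {
  content=$(cat)
  # os-release is KEY=VALUE; values may be double-quoted.
  id=$(printf '%s\n' "$content" | sed -n 's/^ID=//p' | tr -d '"')
  id_like=$(printf '%s\n' "$content" | sed -n 's/^ID_LIKE=//p' | tr -d '"')
  case "$id" in
    alpine) echo alpine ;;
    debian) echo debian ;;
    ubuntu) echo ubuntu ;;
    wolfi)  echo wolfi ;;               # Chainguard's base OS
    rhel|centos|fedora|rocky|almalinux) echo rhel-family ;;
    "")     echo scratch-or-unknown ;;  # empty input: no os-release (e.g. scratch image)
    *)
      # Fall back to the ID_LIKE lineage for derivatives.
      case "$id_like" in
        *debian*)        echo debian-family ;;
        *rhel*|*fedora*) echo rhel-family ;;
        *)               echo "other:$id" ;;
      esac ;;
  esac
}

# Pull /etc/os-release out of an image and classify it (assumes a docker CLI).
# A scratch image has no cat binary, so the run fails, stdout stays empty and
# identify_base_os reports scratch-or-unknown rather than a wrong distro.
inspect_image() {
  docker run --rm --entrypoint cat "$1" /etc/os-release 2>/dev/null | identify_base_os
}

# Constructed sample os-release content, standing in for a real image's file.
SAMPLE_ALPINE='NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.0'

SAMPLE_DEBIAN='PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
ID=debian
VERSION_ID="11"'

printf '%s\n' "$SAMPLE_ALPINE" | identify_base_os   # alpine
printf '%s\n' "$SAMPLE_DEBIAN" | identify_base_os   # debian
printf ''                      | identify_base_os   # scratch-or-unknown
```

Run `inspect_image <image>` against each image in the subtask list to get the same classification from a real image instead of the constructed snippets; an image that reports alpine is the kind the compliance review flagged, while debian, ubuntu or scratch-or-unknown match the alternatives the thread proposes.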

Hey @oppegard ! Just wanted to check in and see if https://github.com/chainguard-images/images/tree/main/images/curl for curl works as a good alternative for you all.

aimichelle avatar Jun 01 '23 23:06 aimichelle

Thank you for looking into this @aimichelle. I've run our compliance scanner against cgr.dev/chainguard/curl, and am asking the internal Open Source team to review the results. 🤞

I'm surprised there isn't a minimal and maintained curl image out there based on debian, ubuntu, or rhel. But I haven't found anything promising yet. If there isn't anything, perhaps there's a curl alternative we can find to serve the same purpose in the initContainers.

oppegard avatar Jun 02 '23 23:06 oppegard

Thank you for looking into this @aimichelle. I've run our compliance scanner against cgr.dev/chainguard/curl, and have asked the internal Open Source team for their thoughts. They replied that it would require a fair bit of time for them to fully vet the underlying OS (Wolfi).

An alternative was given: https://hub.docker.com/r/bitnami/bitnami-shell. It's based on Debian, is maintained, has curl (7.74.0), and specifically calls out a use-case of initContainers:

Bitnami Shell is a general-purpose image based on minideb. It is a minimal image well-suited to helper tasks, such as running initialization tasks in initContainers from Helm charts.

What do you think?

oppegard avatar Jun 05 '23 17:06 oppegard

Hi folks, just checking if it's feasible to replace gcr.io/pixie-oss/pixie-dev-public/curl:multiarch-7.87.0 with the image at https://hub.docker.com/r/bitnami/bitnami-shell? If so, then I think this issue could be resolved.

oppegard avatar Jun 21 '23 15:06 oppegard