[Go SDK] Use distroless:debian12 (no-ssl) as base image. #30011
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #30011 +/- ##
==========================================
- Coverage 38.45% 38.45% -0.01%
==========================================
Files 697 697
Lines 102216 102216
==========================================
- Hits 39306 39304 -2
+ Misses 61284 61282 -2
- Partials 1626 1630 +4
0b3b795 to 29dc861
Assigning reviewers. If you would like to opt out of this review, comment R: @riteshghorse for label go. Available commands:
The PR bot will only process comments in the main thread (not review comments).
LGTM, thanks!
Move the Go SDK image to use distroless as the base image, instead of the Docker Debian image.
Technically, the same version of Debian, but with everything but glibc stripped out of it.
Go binaries (Go SDK binaries in particular) don't need external deps or most other parts of the OS toolchains, so this reduces the vulnerabilities to largely intractable-to-fix glibc issues.
We could remove glibc, as by default the SDK doesn't need to compile with cgo enabled (the only reason to link in glibc for running Go binaries), but it is handy for users who would depend on it.
distroless has the ca-certificates pre-installed, and as long as we build against latest, it remains relatively up to date. It's not clear to me why we chose to remove the licenses except when configured, but it's harder to remove things conditionally when the shell tools and bash aren't present.
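The description's reasoning (a Go binary only needs glibc when it is built with cgo) can be checked per binary before choosing a base image. The following is an added example, not code from this PR or from Beam: it reads an ELF binary's DT_NEEDED entries and names the smallest distroless variant that covers them. The variant names `static`, `base-nossl` and `base` and the library-to-variant mapping are assumptions about the distroless images, not taken from this page.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"strings"
)

// neededLibs returns the DT_NEEDED entries of an ELF binary. A Go binary
// built with CGO_ENABLED=0 is normally static and returns an empty list.
func neededLibs(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return f.ImportedLibraries()
}

// smallestBase names the smallest distroless variant covering the given
// sonames (assumed mapping): "static" has no libc, "base-nossl" adds glibc,
// "base" adds OpenSSL; "other" means a library none of these are assumed to ship.
func smallestBase(needed []string) string {
	base := "static"
	for _, lib := range needed {
		switch name := strings.SplitN(lib, ".so", 2)[0]; name {
		case "libc", "libm", "libpthread", "libdl", "libresolv":
			if base == "static" {
				base = "base-nossl"
			}
		case "libssl", "libcrypto":
			base = "base"
		default:
			return "other"
		}
	}
	return base
}

func main() {
	for _, path := range os.Args[1:] { // paths of built binaries to inspect
		if libs, err := neededLibs(path); err != nil {
			fmt.Fprintln(os.Stderr, path+":", err)
		} else {
			fmt.Printf("%s needs %v -> distroless %s\n", path, libs, smallestBase(libs))
		}
	}
}
```

Running it in CI against the built SDK binaries flags the case where a dependency starts pulling in a shared library that the chosen base image does not provide.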