Use distroless for runtime images? #19
Comments
We have a PR for the docs for the official image where we document how to use a

We're already using

PS Nice job getting the runtime dependencies tidily arranged in the build image :)
Thanks! So I think we could probably provide an example in the distro repo, but that's really all we'd be providing there, similar to the Dockerfile example for Go. Even without a published example, you can do something like this example (which can probably be improved upon):

```dockerfile
FROM dart:stable AS build

# Resolve app dependencies.
WORKDIR /app
COPY pubspec.* ./
RUN dart pub get

# Copy app source code and AOT compile it.
COPY . .
# Ensure packages are still up-to-date if anything has changed
RUN dart pub get --offline
RUN dart compile exe bin/server.dart -o bin/server

# Build minimal serving image from the AOT-compiled server; the distroless base
# image provides the system libraries, so `/runtime/` is not copied from the build stage.
FROM gcr.io/distroless/base
COPY --from=build /app/bin/server /app/bin/

# Start server.
EXPOSE 8080
CMD ["/app/bin/server"]
```

Note that you can attach a debugging container, as shown for this redis example in the Docker docs:

If you really want a shell in the container, you would have to add it to the image or use a different base image, but I don't think we want to maintain another image right now.

If you're trying to debug containers and you want to exec a shell in it, or you want more sophisticated remote debugging support, then we recommend using the full development tools image from either

I'm not exactly sure what you mean about image signing and what that has to do with distroless. Are you saying you want us to maintain a signed distroless image?
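Added example, not part of the thread or of either project's code: because the distroless runtime stage has no shell, any shell-form `RUN`, `CMD` or `ENTRYPOINT` in that stage fails at build or start time, and this small check flags them. The sample Dockerfile is constructed, the function names are hypothetical, and treating `:debug` tags as having a BusyBox shell reflects the distroless debug images.

```python
import json
import re

# Constructed sample: the build from the thread, with a shell-form RUN and CMD
# added to the runtime stage to show what gets flagged.
SAMPLE = """\
FROM dart:stable AS build
RUN dart pub get && dart compile exe bin/server.dart -o bin/server
FROM gcr.io/distroless/base
COPY --from=build /app/bin/server /app/bin/
RUN chmod +x /app/bin/server
CMD /app/bin/server
"""

def final_stage(dockerfile):
    """Return (base_image, [(instruction, args), ...]) for the last FROM stage."""
    base, body = None, []
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            refs = [a for a in args.split() if not a.startswith("--")]
            base, body = (refs[0] if refs else None), []
        else:
            body.append((instr.upper(), args.strip()))
    return base, body

def is_exec_form(args):
    """True for the JSON-array form, e.g. CMD ["/app/bin/server"]."""
    try:
        value = json.loads(args)
    except ValueError:
        return False
    return isinstance(value, list) and all(isinstance(v, str) for v in value)

def shell_dependent(dockerfile):
    """List runtime-stage instructions that need /bin/sh on a distroless base."""
    base, body = final_stage(dockerfile)
    # The :debug tags of distroless ship a BusyBox shell, so they are skipped.
    if not base or "distroless" not in base or ":debug" in base:
        return []
    return [f"{i} {a}" for i, a in body
            if i in ("RUN", "CMD", "ENTRYPOINT") and not is_exec_form(a)]

if __name__ == "__main__":
    print("\n".join("needs a shell: " + f for f in shell_dependent(SAMPLE)))
```

The shell-form `RUN` in the build stage is not reported, since `dart:stable` has a shell; only the final stage is inspected.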
GoogleContainerTools/distroless
The main benefit would seem to be image signing with cosign, though BusyBox might come in handy at times.