Hacker News new | ask | show | jobs
by OptionOfT 4 hours ago
I always recommend to not have any dependencies outside of the code.

So we start at compiling the codebase (Rust) against MUSL. That way we can run it with FROM scratch images.

If we need more tooling available at runtime, then we look at alpine, but still using MUSL.

If MUSL itself is proving problematic, or if some of the libraries we use need glibc then we can look at using some locked down image.

The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.
1 comments
xmodem 4 hours ago
> The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.

What's the benefit really, though? If you still need to be able to rapidly deploy a new image in response to a dependency CVE, what have you gained?

link
regularfry 4 hours ago
You've gained that happening much less frequently. The tradeoff is making every other problem harder to diagnose.
link
NewJazz 2 hours ago
Debug containers are a thing.

Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.

https://kubernetes.io/docs/reference/kubectl/generated/kubec...

link
xmodem 1 hour ago
Yup! They are a good solution to the massive problem you caused for yourself by implementing a different "solution" to a non-problem.

And even that's only true if you assume kubernetes is the only place your container runs where you might want to also debug it.

link
NewJazz 1 hour ago
You want to ship every debug utility you will need in every image? Just seems wasteful. What about 3rd party images, you will respin images just to add your preferred toolset?
link
xmodem 1 hour ago
Nope, not my position at all. I want to have a minimal OS environment with rudimentary tools available with zero extra friction. FROM alpine:latest adds less than 10MB and covers 95% of use cases. Typically depending on the container I will often throw in curl and some other QoL tools too.

For the rare cases where you find yourself needing to attach a debugger to your pods running in staging/prod, a debug container is absolutely the right tool to reach for.

link
OptionOfT 3 hours ago
If the base image I use is based on Debian, it comes with more than 15 binaries that I don't use.

But when Docker scans my image and notices that there is a CVE in one of those binaries, my image is currently out of compliance.

FROM scratch just reduces the surface.

link
xmodem 3 hours ago
> FROM scratch just reduces the surface.

The actual attack surface of your application? Or the attack surface of you and your team's attention from a busybody security org.

It's important not to confuse the two.

link