Earlier I wrote about 'elastic-prune', a simple cron job that lives in Kubernetes to clean up an Elasticsearch database. When I wrote it, I decided to give 'distroless' a whirl. Why distroless? Some will say it's because of size: they are hunting for the last byte of free space (and thus a faster launch). But I think that is moot. The Ubuntu 18.04 image and the Alpine image are pretty close in size; the last couple of MB don't matter.
'distroless' is all the code and none of the cruft. No /etc directory. The side effect is that it's small, but the rationale is that it's secure. It's (more) secure because there are no extra tools lying around for an intruder to 'live off the land' with. This limits the 'blast radius': if something wiggles its way into a 'distroless' container, it has fewer tools available to go onward and do more damage.
No shell, no awk, no netcat, no busybox. The only executables are yours and the interpreter it needs. And this is what your build looks like. You can see we use a normal 'fat old alpine' image as the build stage. We run 'pip' in there. Then we create a new image, copying from the 'build' stage only the files we need. We are done. One caveat with this particular pairing: python:3-alpine is musl-based while gcr.io/distroless/python3 is Debian (glibc) based, so copying the pip target directory across only works for pure-Python dependencies; a wheel with compiled extensions built in the Alpine stage will not load in the final image.
Doing the below, I ended up with a 'mere' 3726 files. Yup, that is the list; see if your favourite tool made the cut.
Going 'distroless' saved me 33MB (from 86.3MB down to 53.3MB). Was this worth it?
```dockerfile
# Stage 1: a regular Alpine Python image that has pip available
FROM python:3-alpine as build
LABEL maintainer="firstname.lastname@example.org"
COPY . /elastic-prune
WORKDIR /elastic-prune
# Install dependencies into the project directory itself, so they travel
# to the next stage as plain files
RUN pip install --target=./ -r requirements.txt

# Stage 2: distroless runtime with only the interpreter plus our files
FROM gcr.io/distroless/python3
COPY --from=build /elastic-prune /elastic-prune
WORKDIR /elastic-prune
ENTRYPOINT ["/usr/bin/python3", "./elastic-prune.py"]
```
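The 'no shell, no netcat' claim is easy to verify rather than take on faith. The script below is an added example written for this post (it is not part of elastic-prune or the distroless project): it exports an image's root filesystem without running the container, counts the files, and flags any basename an intruder could live off the land with. The `audit_image` function needs the Docker CLI; the `alpine_sample` and `distroless_sample` listings are constructed stand-ins for `docker export | tar -t` output so the check itself can be exercised offline, and are not the real contents of either image.

```shell
#!/bin/sh
# Added example: audit what a container image actually ships.
# Usage against a real image (requires Docker):
#   audit_image gcr.io/distroless/python3
#   audit_image python:3-alpine

# Basenames we do not want to find in a production image.
LOLBINS="sh bash ash dash busybox awk sed nc ncat netcat socat curl wget"

# find_lolbins: read one path per line on stdin and print every path
# whose basename is in LOLBINS.
find_lolbins() {
  while IFS= read -r path; do
    base=${path##*/}
    for b in $LOLBINS; do
      if [ "$base" = "$b" ]; then
        printf '%s\n' "$path"
        break
      fi
    done
  done
}

# audit_image IMAGE: create (but do not start) a container from IMAGE,
# export its filesystem as a tar stream, list it, and report the file
# count plus any flagged tools.
audit_image() {
  img=$1
  cid=$(docker create "$img") || return 1
  docker export "$cid" | tar -tf - > "/tmp/audit.$$.list"
  docker rm "$cid" >/dev/null
  printf '%s: %s files\n' "$img" "$(wc -l < "/tmp/audit.$$.list")"
  find_lolbins < "/tmp/audit.$$.list"
  rm -f "/tmp/audit.$$.list"
}

# Constructed listings (illustrative only, not real image contents) so the
# check can run without Docker.
alpine_sample() {
  printf '%s\n' bin/ bin/sh bin/busybox usr/bin/awk usr/bin/nc \
    usr/bin/wget usr/local/bin/python3 etc/passwd
}
distroless_sample() {
  printf '%s\n' usr/bin/python3 usr/lib/python3/ etc/passwd \
    elastic-prune/elastic-prune.py elastic-prune/requirements.txt
}

# count_lolbins LISTING_FN: number of flagged paths in a listing.
count_lolbins() {
  "$1" | find_lolbins | wc -l | tr -d ' '
}
```

The check matches on basename only, so a tool installed under an unusual path is still caught, while a directory entry such as `bin/` (empty basename) is ignored. Extend LOLBINS with whatever else you would not want an intruder to find, such as package managers or interpreters your workload does not need.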