Optimizing containers with distroless images
Distroless containers are one of the latest trends in the container world. They are promising because they consider all the aspects of optimizing containers for the Enterprise environment. You should consider three important things while optimizing containers – performance, security, and cost.
Performance
You don’t make containers out of thin air. You must download images from your container registry and then run the container out of the image. Each step uses network and disk I/O. The bigger the image, the more resources it consumes and the less performance you get from it. Therefore, a smaller Docker image naturally performs better.
Security
Security is one of the most important aspects of the current IT landscape. Companies usually focus on this aspect and invest a lot of money and time. Since containers are a relatively new technology, they are vulnerable to hacking, so appropriately securing your containers is important. Standard Linux distributions ship a lot of tools and libraries (shells, package managers, network utilities) that an attacker who compromises a container can use to reach further than they could have if you had secured your container properly. Therefore, you must ensure you only have what you need within the container.
Cost
A smaller image also results in a lower cost. The lower your container footprint, the more containers you can pack within a machine, so there are fewer machines you would need to run your applications. This means you save a lot of money that would accumulate over time.
As a modern DevOps engineer, you must ensure your images are optimized for all these aspects. Distroless images help take care of all of them. Therefore, let’s understand what distroless images are and how to use them.
Distroless images are the most minimal images and only contain your application, its dependencies, and the files your container process needs to run. Most of the time, you do not need package managers such as apt or a shell such as bash. Not having a shell has its advantages. For one, an outside party who manages to get code execution inside your running container has no shell to spawn and no scripts or tools to run, which makes gaining further access much harder. Your container has a small attack surface and, because it carries far fewer packages, far fewer security vulnerabilities to track and patch.
Google provides distroless images in their official GCR registry, available on their GitHub page at https://github.com/GoogleContainerTools/distroless. Let’s get hands-on and see what we can do with them.
The required resources for this exercise are in ch4/go-hello-world/distroless in this book’s GitHub repository.
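A multi-stage Dockerfile that follows this pattern, added here as an illustration and not the book's own ch4/go-hello-world/distroless files. It assumes a BuildKit-capable Docker (for the heredoc syntax) and embeds a constructed hello-world web server so it builds stand-alone; the image tags are the ones published in the distroless repository at the time of writing.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a fully static Go binary on a full toolchain image.
# The toolchain, shell and package manager stay in this stage only.
FROM golang:1.22 AS build
WORKDIR /src
# Constructed sample program (stands in for the book's main.go).
COPY <<'EOF' main.go
package main

import (
	"fmt"
	"net/http"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "Hello, World!")
	})
	http.ListenAndServe(":8080", nil)
}
EOF
# CGO_ENABLED=0 removes the libc dependency so the binary runs on the
# "static" distroless variant, which ships no libc at all.
RUN go mod init hello && \
    CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/hello main.go

# Stage 2: copy only the binary into a distroless base.
# static-debian12 has no shell, no package manager and no libc; the
# :nonroot tag already sets USER to an unprivileged account (uid 65532).
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/hello /hello
EXPOSE 8080
# Exec form is mandatory: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/hello"]
```

Build and run it with `docker build -t hello-distroless .` and `docker run --rm -p 8080:8080 hello-distroless`. A quick check that the hardening is real: `docker exec -it <container> sh` fails because the image contains no shell, which is exactly the property the text describes.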