Distroless based image about corretto-docker HOT 3 OPEN

For what it's worth, we'd also be interested in this. We also need glibc and generally prefer images without any additional software for increased security.

from corretto-docker.

@anuraaga Thanks for the idea. This is something that's come up in conversations but we don't have a roadmap item for it (yet). Does the image you have work as expected? Any problems you've observed?

If you can share, we'd also like to know what influences your choice to use distroless vs e.g. Alpine Linux for deployments. That also helps us to choose and prioritize upcoming features.

from corretto-docker.

@davecurrie Thanks! Yeah I have used that image in some sample apps and have not run into any issues. Using the :debug variant feels very much like Alpine since it provides busybox for troubleshooting scenarios.

A very similar image, which uses zulu instead of corretto but otherwise set up in almost the same way, has also worked great in production across Zipkin and its various storage backends (cassandra, kafka, elasticsearch). I think in general, this approach doesn't have gotchas (at the risk of speaking too soon :P)

https://github.com/openzipkin/docker-jre-full/blob/master/Dockerfile#L7

As for distroless vs Alpine Linux, most of my apps use gRPC or some other Netty-based framework. I have found Netty's TCNative-BoringSSL to perform at least as well as Java 11+ TLS, the bigger difference tends to be on apps with larger payloads. So it's a goto library for me and that requires a base image that includes glibc, meaning it doesn't work with Alpine. This is the #1 deciding factor for me and unfortunately is a hard yes / no, as opposed to e.g., comparing the image size itself. Other than that, less apps, such as Alpine's apk, means less chance of container security scanners triggering for the image - I think this is nice too but not a dealbreaker since Alpine is already quite small.

Hope this helps, let me know if you need anything more from me.

from corretto-docker.