Distroless: Container image technology
Google recently created Distroless, a container image technology. According to Gartner, security issues are the third most commonly mentioned difficulty with container management. Because enterprises are using container technology more and more, there is a need for security solutions tailored specifically to containers, and the container information security market is therefore expected to double over the following 6 years. Would you like insights into this technology? Then this article, “Distroless: Container image technology”, is for you.
Let’s get started.
What is container technology?
Container technology is a technique for packaging a program together with its own dependencies, so that it runs isolated from the other software on the host.
What exactly do containers provide?
- Quick scaling up and down, in seconds rather than the minutes a VM (Virtual Machine) needs
- Complete environments for ad hoc, one-time use, such as automated integration testing
- Sharing of infrastructure between multiple domains, tenants, or applications while keeping some level of isolation between them. That isolation and security are not very strong, however; there is also an “App Container” standard which, if adopted, would give Docker some healthy competition.
- An immutable platform: a whole self-contained image for each service version with all necessary dependencies (storage being the possible exception), deployed in a more reliable, traceable, versioned and quick manner.
- Improved portability, since the only dependency is a recent enough version of Linux as the host OS
What is Distroless?
Distroless images don’t include a full operating system; instead, they provide only the runtime requirements of the user’s application.
In other words, this is a specific kind of image that contains nothing but the runtime requirements and the user’s application.
If you are new to this topic, I will clarify what a “runtime requirement” is.
Runtime requirements are the platform components a program needs in order to be installed and run; for example, a mobile app may require a specific iOS version for a particular feature.
Definition. In application development, the term “runtime” refers to the period during which a program is executing, and to the environment it needs while it runs.
These images therefore resemble conventional Docker images, but with one significant difference.
With this technology, “distroless” images contain only your program and its runtime requirements. They lack package managers, shells, and any other software you would expect to find in a typical Linux distribution.
Use a distroless image as the base image
Although multistage builds reduce the size of the final image, 459 MB is still too much. After investigation we conclude that the base image openjdk:8-jre is 443 MB in size, which is excessive. Reducing the size of the base image is therefore the next optimization step.
Google created Distroless as an open-source project to address this issue. Distroless images contain only the program and its runtime requirements. They lack package managers, shells, and any other software you would expect to find in a typical Linux distribution. Currently, Distroless offers base images for programs that run in Java, Python, Node.js, and .NET environments.
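The following multistage Dockerfile for a Java application is an added illustration, not code from this article or from the Distroless project. It assumes a `src/` tree containing a `com.example.Main` class, builds on Java 17 (the article’s figures were for openjdk:8-jre), and uses the `gcr.io/distroless/java17-debian11` image as the runtime base.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: the build stage runs on a full JDK image, which still has a shell,
# apt, javac and jar. None of this ends up in the final image.
FROM eclipse-temurin:17-jdk AS build
WORKDIR /build
# Assumed layout: src/com/example/Main.java plus any other sources.
COPY src/ ./src/
RUN mkdir -p out \
 && javac -d out $(find src -name '*.java') \
 && jar --create --file app.jar --main-class com.example.Main -C out .

# Stage 2: the runtime stage starts from distroless, which carries the JRE,
# CA certificates and libc but no shell, package manager or coreutils.
# The distroless project signs its images with cosign; verify the base image
# before trusting it (identity values as published in the distroless README):
#   cosign verify gcr.io/distroless/java17-debian11 \
#     --certificate-oidc-issuer https://accounts.google.com \
#     --certificate-identity keyless@distroless.iam.gserviceaccount.com
FROM gcr.io/distroless/java17-debian11
WORKDIR /app
COPY --from=build /build/app.jar /app/app.jar
# Distroless images define an unprivileged "nonroot" user (uid 65532); use it
# so that a compromised application does not run as root inside the container.
USER nonroot
# Exec form is mandatory here: the shell form ("java -jar app.jar") would be
# run through /bin/sh, which does not exist in a distroless image.
ENTRYPOINT ["/usr/bin/java", "-jar", "/app/app.jar"]
```

Because the final stage has no shell, `docker exec -it <container> sh` fails by design; the `:debug` tag of the same image adds a busybox shell for troubleshooting and is not meant for production.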
How does image optimization happen?
It comes down to the 3 main approaches below.
- Through a number of optimizations, the Java application’s image size can be reduced from 719 MB to around 100 MB. Similar ideas can be applied to your program if it runs in a different environment.
- For Java images, jib, another Google project, can automatically handle the tricky image-building process and produce a streamlined Java image. It removes the need to write Dockerfiles, and it does not even require Docker to be installed.
- You can centralize the logs of containers such as distroless ones, which are hard to diagnose, to make problem tracing and troubleshooting simpler. See the article “Technical recommended standards for container log management” for more details.
When we do this, we see these 2 benefits; for instance:
- A much smaller image: “gcr.io/distroless/static-debian11” is less than 2% of the size of a typical “Debian” container image. As a result, CI/CD pipelines can run tests much faster.
- Less time is lost on false positives in container vulnerability scanning. Your security staff will be grateful.
Why is Distroless image container technology good for digital business?
The number of attack vectors available to attackers certainly decreases in this “stripped down” version, because the operating system is done away with. 30% of enterprises currently use container technology.
On the Internet, however,
“Nothing is 100% safe”
Is it safe to use Distroless?
Well, a good question. In this discussion, we try to address it in depth. We already know the situation: many businesses are still hesitant to adopt this technology because of security worries.
Is Distroless technology ready to face security issues?
Yes, it looks like it. However,
- this technology has the capability to reduce cyber threats, or so developers assume.
- As noted here, interactive shells are a source of vulnerabilities. Interactive shells won’t run anymore, which is a great sign.
- And lastly, the images can be verified with cosign.
To sum up, you can take advantage of all of Google’s Container-Optimized OS’s benefits by running distroless containers on it. These operational and security capabilities are fundamental for contemporary cloud-native apps.