I am opening this topic to bring some light to some existing conversations.
The current build and dev Dockerfiles for FoundationDB are based on CentOS 7, which is EOL, making it harder to handle CVEs.
Also, the Dockerfiles seem to include a number of packages that are intended for development or debugging, increasing the attack surface.
A quick improvement would be moving to an active base image like AlmaLinux, etc., as suggested in the issues. Are there any ongoing efforts to address this?
Additionally, listing required and optional dependencies would be nice to allow custom builds.
For production environments, it would be nice to have a minimal base image like distroless.
Dev and debug tooling could be added in a debug image or by using Ephemeral Containers.
Thank you very much for your time. We are looking for your feedback.
I’ve had this on my list for a while now. The current next step will (most likely) be the redhat/ubi9 images, but that remains to be proven empirically. I am targeting Q3 2023 to actively work on this.
If you’re looking for a more modern OS (Ubuntu, Fedora, etc.), or a pattern that can be followed for other OSes, I’d be glad to provide feedback on PRs in fdb-build-support.
As for the runtime images, I’m not familiar enough with the FDB tooling (the fdb-kubernetes-operator, etc.) to say whether a distroless image is viable. I do agree that there are more tools in the runtime image than are truly necessary for execution; I think removing the tools packages and adding a debug-type layer to that image would be useful.