Dockerfiles base image update CentOS EOL

Hi FDB Team,

I am opening this topic to bring some light to some existing conversations.

The current build and dev Dockerfiles for FoundationDB are based on CentOS 7, which is EOL, making it harder to handle CVEs.
Also, the Dockerfiles seem to include a number of packages that are intended for development or debugging, increasing the attack surface.

packaging/docker/Dockerfile#L19

There are some open issues regarding this topic but they seem to be dormant:

foundationdb > issue #4124

fdb-build-support > Issue #25

A quick improvement would be moving to an active base image like AlmaLinux etc., as suggested in the issues. Are there any ongoing efforts to address this?

Additionally, listing required and optional dependencies would be nice to allow custom builds.

For production environments it would be nice to have a minimal base image like distroless.

Dev and debug tooling could be added in a debug image or using ephemeral containers.

Thank you very much for your time. We are looking for your feedback.

Happy coding :technologist:

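The layering the post asks for (one set of build artifacts, a minimal distroless runtime image, and debug tooling kept in a separate image) can be expressed as a single multi-stage Dockerfile. The following is an added example written for this thread; it is not the FoundationDB project's Dockerfile. It assumes that prebuilt `fdbserver`, `fdbmonitor` and `fdbcli` binaries sit in `./artifacts/bin` and `libfdb_c.so` in `./artifacts/lib`, and that they were built against a glibc no newer than the one in the runtime base (AlmaLinux 9 / UBI 9 ship glibc 2.34, Debian 12 ships 2.36). The entrypoint and the `/var/fdb` layout are assumptions as well.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the FoundationDB project's Dockerfile.
# Assumptions: prebuilt binaries in ./artifacts/bin, libfdb_c.so in
# ./artifacts/lib, entrypoint and /var/fdb layout chosen for illustration.

ARG RUNTIME_BASE=gcr.io/distroless/cc-debian12

# Writable directories for the server. Created in a throwaway BusyBox stage
# because the distroless base has no shell to run mkdir in.
# uid/gid 65532 is the "nonroot" user that ships with distroless images.
FROM busybox:stable AS dirs
RUN mkdir -p /var/fdb/data /var/fdb/logs && chown -R 65532:65532 /var/fdb

# Production image: glibc, libgcc, libstdc++ and libssl come from the base,
# the FDB binaries are copied in, and nothing else is present
# (no package manager, no shell, no debugging tools).
FROM ${RUNTIME_BASE} AS runtime
COPY --chmod=0755 artifacts/bin/fdbserver artifacts/bin/fdbmonitor artifacts/bin/fdbcli /usr/bin/
COPY --chmod=0644 artifacts/lib/libfdb_c.so /usr/lib/
COPY --from=dirs --chown=65532:65532 /var/fdb /var/fdb
USER nonroot:nonroot
# Assumed entrypoint for the example; a real deployment would normally run
# fdbmonitor with a foundationdb.conf, or be driven by the operator.
ENTRYPOINT ["/usr/bin/fdbserver"]

# Debug image: the exact same files, on the ":debug" tag of the same base,
# which adds a BusyBox shell and coreutils. Only built when targeted with
# --target debug, so the tooling never lands in the production image.
FROM ${RUNTIME_BASE}:debug AS debug
COPY --from=runtime /usr/bin/fdbserver /usr/bin/fdbmonitor /usr/bin/fdbcli /usr/bin/
COPY --from=runtime /usr/lib/libfdb_c.so /usr/lib/
COPY --from=runtime --chown=65532:65532 /var/fdb /var/fdb
# Smoke test: fails the build if a binary needs a shared library the
# distroless base does not ship (the debug tag has the same libraries).
RUN ["/busybox/sh", "-c", "/usr/bin/fdbserver --version && /usr/bin/fdbcli --version"]
USER nonroot:nonroot
ENTRYPOINT ["/busybox/sh"]
```

Build the two variants with `docker build --target runtime -t fdb:runtime .` and `docker build --target debug -t fdb:debug .`. The ephemeral-container route mentioned in the post avoids even the debug image: `kubectl debug -it <pod> --image=fdb:debug --target=<container>` attaches a throwaway container that shares the process namespace of the running distroless container, so tools are never baked into the image that runs in production.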

I’ve had this on my list for a while now. The current next step will (most likely) be the redhat/ubi9 images, but that remains to be proven empirically. I am targeting Q3 2023 to actively work on this.

If you're looking for a more modern OS (Ubuntu, Fedora, etc.), or a pattern that can be followed for other OSes, I'd be glad to provide feedback on PRs in fdb-build-support.

As for the runtime images, I'm not familiar enough with the FDB tooling (the fdb-kubernetes-operator, etc.) to say whether a distroless image is viable. I do agree that there are more tools in the runtime image than are truly necessary for execution; I think removing the tools packages and adding a debug-type layer to that image would be useful.

The operator already has a distroless version: https://github.com/FoundationDB/fdb-kubernetes-operator/blob/main/.github/workflows/release.yaml#L78. As the distroless images are based on Debian, the operator uses Debian as a base image in the normal setup. It probably makes sense to test whether we are able to provide "normal" and distroless images for FDB. Happy to chat about that and help if needed :slight_smile:


Hi @ammolitor, any updates on this?