Does distroless contain linux programs?


CHU XU

Jul 30, 2020, 10:43:21 PM
to Distroless Users
Hi experts,

I'm using an image called 'elastic-operator' on a kubernetes cluster, which is built from 'gcr.io/distroless/static:nonroot'.

Recently this image has been scanned and reported to have a vulnerability; the exact one is the 'bind' package for centos7.

I'm wondering, if it's a distroless image, why there's still a linux program in it.

And when I exec into the running container, I found there is also a /bin/bash in the container and I could run `yum upgrade` to upgrade the vulnerable package.

But when I tried to run the image with `docker run -it --entrypoint /bin/bash {image}`, it gave me an error with '/bin/bash' not found.

Any idea about this?

Thanks

Chu

Evan Jones

Jul 31, 2020, 9:07:24 AM
to distrole...@googlegroups.com
This is a confusing error message:

* Distroless is based on Debian packages, not on Fedora/Redhat/Centos packages, so there is not a 1-to-1 correspondence between the packages.
* The "static" image contains NO shared libraries or executable binaries of any kind, if I recall correctly. It just contains some configuration files, root public key certificates, and timezone information.

I suspect likely the issue is whatever is being installed on TOP of this base image. Can you provide any more details about what exactly this security scanner is reporting as an issue?

You may also want to try "gcr.io/distroless/static-debian10:nonroot" which at least contains slightly newer versions of some of those configuration files, although again I would be surprised if this could matter.

Good luck,

Evan


Chanseok Oh

Jul 31, 2020, 9:58:00 AM
to Distroless Users
It's not a Distroless image. "/bin" is completely empty in "gcr.io/distroless/static:nonroot". Any executable binaries you see (bind, yum, bash, or whatever) must be what "elastic-operator" added on top of Distroless.
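Evan's point that the static image ships no binaries, and Chanseok's that anything in /bin must have come from a layer added on top, can be checked mechanically rather than by exec'ing into a running container: attribute every file in the image to the layer that wrote it. The following Python is an added example, not code from this thread or from the Distroless project. It parses the `docker save` tarball layout (a manifest.json listing one layer.tar per layer, base first) and honours the image format's `.wh.` whiteout entries; the image it inspects is constructed in memory with made-up layer names and file contents, and the number of layers belonging to the base image is an assumption the caller supplies (in practice from the base image's history).

```python
"""Attribute files in a `docker save` tarball to the layer that wrote them.

Added example (not from the thread or the Distroless project). The sample
image built by build_sample_image() is constructed data: a base layer
modelled on distroless/static (config files only, no /bin contents) plus an
application layer that adds a shell, a package manager and an operator.
"""
import io
import json
import tarfile
from collections import OrderedDict

WHITEOUT_PREFIX = ".wh."  # marker the image format uses to delete a lower-layer path


def _tar_bytes(files):
    """Build a tar archive in memory from a {path: bytes} mapping (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for `docker save` output (layer names are made up)."""
    base = {  # what a distroless static base carries: no executables at all
        "etc/passwd": b"nonroot:x:65532:65532::/home/nonroot:/sbin/nologin\n",
        "etc/ssl/certs/ca-certificates.crt": b"-----BEGIN CERTIFICATE-----\n",
        "usr/share/zoneinfo/UTC": b"TZif2",
        "etc/motd": b"base motd\n",
    }
    app = {  # what an application layer added on top might bring along
        "bin/bash": b"\x7fELF-constructed",
        "usr/bin/yum": b"#!/usr/bin/python\n",
        "usr/sbin/named": b"\x7fELF-constructed",
        "elastic-operator": b"\x7fELF-constructed",
        "etc/.wh.motd": b"",  # whiteout: removes /etc/motd from the final filesystem
    }
    layers = [("base-layer", base), ("app-layer", app)]
    manifest = [{
        "Config": "config.json",
        "RepoTags": ["example/elastic-operator:constructed"],
        "Layers": [f"{name}/layer.tar" for name, _ in layers],
    }]
    files = {f"{name}/layer.tar": _tar_bytes(contents) for name, contents in layers}
    files["manifest.json"] = json.dumps(manifest).encode()
    return _tar_bytes(files)


def _normalize(path):
    """Layer tars may name entries './bin/bash' or '/bin/bash'; use 'bin/bash'."""
    if path.startswith("./"):
        path = path[2:]
    return path.lstrip("/")


def attribute_files(image_tar):
    """Return {path: (layer_index, layer_name)} for every file present in the
    final filesystem, naming the layer whose content survives (the last one
    to write the path). Layers are applied oldest first; a whiteout entry
    deletes the path it shadows."""
    origin = OrderedDict()
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for index, layer_path in enumerate(manifest[0]["Layers"]):
            layer_name = layer_path.split("/")[0]
            with tarfile.open(fileobj=image.extractfile(layer_path)) as layer:
                for member in layer.getmembers():
                    path = _normalize(member.name)
                    directory, _, base = path.rpartition("/")
                    if base.startswith(WHITEOUT_PREFIX):
                        target = base[len(WHITEOUT_PREFIX):]
                        origin.pop(f"{directory}/{target}" if directory else target, None)
                        continue
                    if member.isdir():
                        continue
                    origin[path] = (index, layer_name)
    return origin


def files_outside_base(image_tar, base_layer_count):
    """Paths whose final content comes from a layer above the base image's
    layers. base_layer_count is an assumption supplied by the caller."""
    return [p for p, (idx, _) in attribute_files(image_tar).items() if idx >= base_layer_count]


if __name__ == "__main__":
    image = build_sample_image()  # for a real image: open("image.tar", "rb").read()
    for path in files_outside_base(image, base_layer_count=1):
        print(f"{path} was added above the base image")
```

On a real image, `docker save <image> -o image.tar` produces the input; every path the scanner flags should then show up in `files_outside_base`, which points the fix at the application's build rather than at the distroless base.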

CHU XU

Aug 2, 2020, 10:01:41 PM
to Distroless Users
Thanks all, it turned out I made a mistake: the '/bin' was added; it's not about distroless. This topic may be closed.