Common approach/best practices when dealing with linux binaries which an application depend on but are not present in the distroless image

[Michael Wager]

Hi,

we are currently researching if the distroless approach could fit rolling this out in a large organization, especially to reduce the noise of container vulnerability scanners.

We did a proof of concept for nodejs. The app has a dependency on `node-rdkafka`, a Node.js wrapper for Kafka C/C++ library. This lib depends on some linux binaries which are not present in the final image. Our workaround is to install the binaries in step and then copy them over to the final image in stage two.

**This seems to work, nevertheless it feels a little messy to us and we are a bit scared about more issues during runtime.**

Is this the common approach? Is there any documentation or best practises when dealing with native linux dependecies/shared libs which are not present in the distroless image?

Any help/links/resources would be highly appreciated!

Thank you!

Demo Dockerfile:

```Dockerfile

# stage 1

FROM node:16-bullseye AS base

# 1. install the needed binaries in stage 1

# They get installed into ./lib/x86_64-linux-gnu

RUN apt-get --yes install zlib1g

WORKDIR /base

COPY package.json ./

COPY package-lock.json ./

RUN npm ci

# stage 2

FROM gcr.io/distroless/nodejs:16

# 2. now copy over the missing binaries to distroless

COPY --from=base ./lib/x86_64-linux-gnu ./lib/x86_64-linux-gnu

WORKDIR /app

COPY src ./src

# copy dependencies installed in stage 1 into distroless

COPY --from=base /base/node_modules ./node_modules

EXPOSE 8000

CMD ["src/server.js"]

```

[Andrew Latham]

Michael

You are on track, this is normal and the mess you are working on is the surfacing of all the details that are normally hidden in systems. At first glance you have a lot of wins.

I saw `COPY --from=base ./lib/x86_64-linux-gnu ./lib/x86_64-linux-gnu` and got nervous. You may want to understand which binaries are needed instead of copying a full directory. You are likely safe-ish as there is no shell or base env to execute anything bad.

What you mention, ask, and have found is normal and good that you better understand the app. For example you now know that if a CVE for zlib shows up it would be good to read it.

--
You received this message because you are subscribed to the Google Groups "Distroless Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to distroless-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/distroless-users/e91539dc-8607-4735-8ed5-9494cea92931n%40googlegroups.com.

--

- Andrew "lathama" Latham -

[Evan Jones]

I have done something similar, except that I unpack the Debian packages in the first stage to a "temporary" directory, then only copy those over to the final image. For an example, see:

https://github.com/evanj/pprofweb/blob/aa0a1a2e87be02f1527f334620c4d45f6fb6ffd4/Dockerfile#L3-L7

To view this discussion on the web visit https://groups.google.com/d/msgid/distroless-users/CA%2Bqj4S8YmE0nADOZG6Qeu%3DyapE0wPQrRnoSingKPBtnpt0hsOw%40mail.gmail.com.

--

Evan Jones
https://www.evanjones.ca/

[Michael Wager]

Thanks so much guys!