Hi,
We are currently researching if the distroless approach could fit rolling this out in a large organization, especially to reduce the noise of container vulnerability scanners.
We did a proof of concept for Node.js. The app has a dependency on `node-rdkafka`, a Node.js wrapper for the Kafka C/C++ library. This lib depends on some Linux binaries which are not present in the final image. Our workaround is to install the binaries in step one and then copy them over to the final image in stage two.
**This seems to work, nevertheless it feels a little messy to us and we are a bit scared about more issues during runtime.**
Is this the common approach? Is there any documentation or best practices when dealing with native Linux dependencies/shared libs which are not present in the distroless image?
Any help/links/resources would be highly appreciated!
Thank you!
Demo Dockerfile:
```Dockerfile
# stage 1
FROM node:16-bullseye AS base
# 1. install the needed binaries in stage 1
# They get installed into ./lib/x86_64-linux-gnu
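# refresh the package index first so the install does not fail on missing or stale lists
RUN apt-get update && apt-get --yes install zlib1g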
WORKDIR /base
COPY package.json ./
COPY package-lock.json ./
RUN npm ci
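# stage 2
# The FROM line of the final stage is missing from the post; the Node.js 16
# distroless image is assumed here.
FROM gcr.io/distroless/nodejs:16
# 2. now copy over the missing binaries to distroless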
COPY --from=base ./lib/x86_64-linux-gnu ./lib/x86_64-linux-gnu
WORKDIR /app
COPY src ./src
# copy dependencies installed in stage 1 into distroless
COPY --from=base /base/node_modules ./node_modules
EXPOSE 8000
CMD ["src/server.js"]
```
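
Added example, not part of the original post: one way to find out which shared libraries a native addon such as `node-rdkafka` actually links against, so that only those files are copied into the distroless stage instead of the whole `/lib/x86_64-linux-gnu` directory. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Classify `ldd` output for native Node.js addons (*.node files).
# Run ldd only on addons from your own build stage: it may load the binary.

# needed_libs: read ldd output on stdin and print the absolute path of every
# resolved shared object, sorted and de-duplicated.
needed_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libz.so.1 => /lib/... (0x..)
        $1 ~ /^\//               { print $1 }        # dynamic loader, no arrow
    ' | LC_ALL=C sort -u
}

# missing_libs: print the library names ldd reported as "=> not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | LC_ALL=C sort -u
}

# scan_addons DIR: run ldd on every *.node file below DIR. Fails if a
# dependency is unresolved, otherwise prints the list of files to copy.
scan_addons() {
    out=$(find "$1" -type f -name '*.node' -exec ldd {} \; 2>/dev/null)
    miss=$(printf '%s\n' "$out" | missing_libs)
    if [ -n "$miss" ]; then
        printf 'unresolved: %s\n' $miss >&2
        return 1
    fi
    printf '%s\n' "$out" | needed_libs
}

# Constructed sample of ldd output, used to show what the filters return.
sample_ldd_output() {
    cat <<'EOF'
	linux-vdso.so.1 (0x00007ffd0a5f2000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1c2a400000)
	libsasl2.so.2 => not found
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a000000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a800000)
EOF
}
```

Calling `scan_addons node_modules` in the build stage after `npm ci` gives the list of files to copy; libraries the distroless base already ships (for example libc) can be dropped from that list.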