add distroless debug image to published release #1106
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
After reading #833 more in-depth it looks like this still does not add a shell which was the requested change. I'll revert this commit and add this via the image_template block with a separate file in
Only the distroless debug images have a shell. Also for this reason I would strongly request there be a scratch & distroless debug image: https://github.com/GoogleContainerTools/distroless#debug-images

Or provide a simple Dockerfile that can copy the binary from the syft scratch container into distroless debug or alpine etc.

Also as a note, distroless static comes with ca-certs, so doesn't need them copied in, so is probably the best option for a static Go bin: https://github.com/GoogleContainerTools/distroless/tree/main/base#image-contents
Thanks a million @06kellyjac! I'll update the goreleaser config so we have the scratch & distroless debug image.
.goreleaser.yaml
- image_templates: | ||
- anchore/syft:latest | ||
- ghcr.io/anchore/syft:latest | ||
- ghcr.io/anchore/syft:{{.Tag}}-amd64 |
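Review bot: In the `image_templates` list shown, the only versioned, architecture-suffixed tag is `ghcr.io/anchore/syft:{{.Tag}}-amd64`; none of these lines carries a matching `anchore/syft:{{.Tag}}-amd64` entry for Docker Hub. If a Docker Hub manifest is meant to reference a per-architecture tag, add that entry to this list, and consider a short YAML comment next to the `-amd64` line saying why the suffix is there, since its purpose is not obvious from the list alone.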
Is this `-amd64` intentional? It looks to be covered in the manifests section (but we should double check this).
^ Manifests pull from the `dockers.image_templates` section.

So if you did a `make build` on your local and then `docker manifest inspect anchore/syft:latest` you would see 2 distributions.

This line also existed on our previous build file in the diff at line 106. I don't think manifests should be able to "cover" anything that is happening in the `dockers` section of this config.

See: https://goreleaser.com/customization/docker_manifest/#example-config for the example setup for manifests and why we specify amd64 here.
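The relationship described in the comment above, sketched as a GoReleaser fragment. This is an added example, not part of the thread and not the project's configuration: the `example.org/app` repository, the `Dockerfile.debug` file name and the `-debug-amd64` / `-debug-arm64v8` tag suffixes are hypothetical.

```yaml
# Illustrative GoReleaser fragment (added example).
# Image names, tag suffixes and Dockerfile.debug are hypothetical.
dockers:
  # One entry per architecture. Each entry pushes its own uniquely
  # suffixed tag, so the two builds never overwrite each other.
  - image_templates:
      - example.org/app:{{ .Tag }}-debug-amd64
    goarch: amd64
    dockerfile: Dockerfile.debug
    use: buildx
    build_flag_templates:
      - "--platform=linux/amd64"
  - image_templates:
      - example.org/app:{{ .Tag }}-debug-arm64v8
    goarch: arm64
    dockerfile: Dockerfile.debug
    use: buildx
    build_flag_templates:
      - "--platform=linux/arm64/v8"

docker_manifests:
  # A manifest builds nothing itself. It only references tags that the
  # `dockers` entries above have already pushed, which is why every
  # per-architecture tag must appear in `dockers.image_templates`.
  - name_template: example.org/app:{{ .Tag }}-debug
    image_templates:
      - example.org/app:{{ .Tag }}-debug-amd64
      - example.org/app:{{ .Tag }}-debug-arm64v8
```

After a release with a configuration of this shape, `docker manifest inspect` on the un-suffixed tag should list one entry per architecture.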
That makes sense, thanks for the info / double checking 👍
I wouldn't personally call linux/arm64 m1 but maybe that's just me 😅
* main:
  add distroless debug image to published release (anchore#1106)
  update help formatting (anchore#1105)
  feat: implement haskell support (anchore#1096)
  Add the -r argument for gnu xargs (anchore#1103)
  fix: -o output option to include formats (anchore#1102)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
add debug distroless image to published release

Debian was chosen based on the fact that it is the smallest available distroless image

The new tag is `anchore/syft:debug`

Closes anchore#833
Move base image from scratch to distroless as discussed during the community meeting.
Debian was chosen based on the fact that it is the smallest available distroless image.
The new tag is `anchore/syft:{{.Tag}}-debug`. Let me know if this should be changed or we want a different convention.

Summary of images being built with this new configuration:
Closes #833
Signed-off-by: Christopher Phillips christopher.phillips@anchore.com