Distroless Containers

[00:00:00]
>> Brian Holt: Let's pop into Distroless. So we are here in Distroless. You may not wanna use Alpine. And here is a blog post that is very interesting of why you may not wanna read Alpine. I'm gonna give you the TDLR for this person actually experienced this pain, whereas I've only read about this pain I've ever actually experienced it, which is why I'm not telling anyone to not use Alpine, by the way.

[00:00:31]
And I will say if you don't use Kubernetes, there's, as far as I know, zero reason to not use Alpine. There is some extreme, and when I say extreme, I mean extreme edge cases with Alpine that will make it have some weird issues with stuff like Kubernetes when you're churning through tons and tons and tons of containers at a rapid rate over a long period of time.

[00:00:55]
You can run into some edge cases where Alpine doesn't handle some of that stuff as well, it's something like DB and docs. This arises from the fact that almost every distribution of Linux, has something called glibc in it. And they replace it with, in Alpine with this other thing called muscle, it's what I hear people call that out loud.

[00:01:22]
It's just a smaller version, if I'm not mistaken, of the C-core library. And generally it's battle-tested, it's been run trillions of hours in production. You and I generally do not have to care about what the difference is there. But if you go into the blog post, you'll read this person has hit some very strange long-tail edge cases and now swears off using Alpine forever.

[00:01:51]
So that is a reason, but probably the more compelling reason of why you might not wanna use Alpine, it's not the only option anymore. It used to be the only option, it is now, no longer the only option. So the one that we're gonna talk about today is Distroless.

[00:02:09]
But there's Wolfi, which I have no experience with, just know that I've heard people talk about it. The Red Hat publishes their base image and they have one called the micro image. And I don't know why I'm not talking about it, but but there's one called Debian Slim as well.

[00:02:23]
I don't know how big Debian Slim is. We could probably, should we just find out? We can just find out.
>> Brian Holt: I wonder if I can just say from debian: bullseye-slim, sure.
>> Brian Holt: And run this I know we'll call this my alpine, but name is hard.
>> Brian Holt: Already looking a bit bigger.

[00:02:59]
That's wants to do all the APK stuff.
>> Speaker 2: It's just a docker pull.
>> Brian Holt: What's that?
>> Speaker 2: Docker pull to just pull the image without building it.
>> Brian Holt: debian:bullseye-slim and then I guess I can just look at it here. Do I have it in here? Debian, bullseye-slim, 75 megabytes.

[00:03:26]
Okay, so definitely very viable as well in terms of how big it is. It's on my computer from nine days ago, so there you go. So I'll go back and add that to the nodes as well. Very valuable and I have used Slim many times, myself as well, so Slim is also very great.

[00:03:46]
We are gonna be talking specifically today about Distroless, because that has ended up becoming a pretty popular project. The first thing that I'm gonna say is Distroless is not Distroless. The name implies that it's just pure Linux. It's the pure manifestation, it's the sneeze of Linux or Linus Torvalds, right?

[00:04:10]
It's none of those things. It is still Debian, right? At the end of the day, they went into Debian, they hack and slash everything out of it. So, granted, it's not very Debianly anymore, but it's still, they built Debian and they took a bunch of stuff out of it, right?

[00:04:27]
So, it is small, it is very, very, very focused on running something in production, it is not useful for anything else, I think that's fair to say. But let's get wild. Let's see what happens. So I'm gonna just copy and paste this. Node: 20, node-builder, that shouldn't surprise you.

[00:04:54]
Working directory, package-locked, npm ci. And then GCR, that's Google Container Registry. And we're gonna pull Distroless nodejs20. We're gonna copy all of our stuff over from app. Notice that we don't have to do any of the stuff of adding a user or telling them, this is so locked down, you can't run it as node, as far as I know., right?

[00:05:18]
It's literally just hyper-focused on that. We were talking about entry point earlier. You can't do anything besides run node from this, right? You can't connect to it. You can't exec stuff, anything like that. It has its entry point as, index.js and that's what you're gonna use. So let's go ahead and try and run that.

[00:05:43]
We'll call this distroless.
>> Brian Holt: Okay, and then now we will try and run it
>> Brian Holt: Make sure that we are still working. Still running our node app, no problem. All the logins working and let's see more come distroless, 137 megabytes, so it's not smaller than what we were doing before.

[00:06:15]
But at this point, just go read a bunch of blog posts of why I would choose this one over the other one. I'll just say that distroless has gotten very, very popular which is why we're now talking about it. It is Debian-derived, we talked about that. Because you are now on Debian and not on Alpine, you are back into glibc land as opposed to muscle land.

[00:06:41]
So you have eliminated that extremely rare use case that you were very likely not to hit anyway. And I guess at this point, if you have strong opinions of why you need to use Alpine over distress or vice-versa, you've probably surpassed my knowledge on this cuz to me, they're essentially the same.

[00:07:00]
>> Brian Holt: For my practical applied use cases, it is the same. So by the way, you could totally go try and do this with Wolfi, with Red Hat, with Slim. Honestly, Slim's a really good choice. It's nice in the fact that you're kind of staying all within Debian, and Slim is maintained by the Debian team itself.

[00:07:22]
I mean, do you wanna trust the Alpine open-source project? Do you wanna trust the Debian organization? Or do you wanna trust Google? The answer is really any of them are fine, if you're asking me. But that's really kind of one of the questions you're going to come down to.