🥑 Language focused docker images, minus the operating system.

"Distroless" Docker Images

CI Build Status

"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

For more information, see this talk (video).

Why should I use distroless images?

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.

Distroless images are very small. The smallest distroless image, gcr.io/distroless/static-debian11, is around 2 MiB. That's about 50% of the size of alpine (~5 MiB), and less than 2% of the size of debian (124 MiB).

How do I use distroless images?

These images are built using bazel, but they can also be used through other Docker image build tooling.

How do I verify distroless images?

All distroless images are signed by cosign. We recommend verifying any distroless image you use before building your image.

Once you've installed cosign, you can use the distroless public key to verify any distroless image with:

cat cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q
OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA==
-----END PUBLIC KEY-----


cosign verify --key cosign.pub $IMAGE_NAME

Entrypoints

Note that distroless images by default do not contain a shell. That means the Dockerfile ENTRYPOINT command, when defined, must be specified in vector form, to avoid the container runtime prefixing with a shell.

This works:

ENTRYPOINT ["myapp"]

But this does not work:

ENTRYPOINT "myapp"

For the same reasons, if the entrypoint is left to the default empty vector, the CMD command should be specified in vector form (see examples below).

Docker

Docker multi-stage builds make using distroless images easy. Follow these steps to get started:

Examples with Docker

Here's a quick example for go:

# Start by building the application.
FROM golang:1.17-bullseye as build

WORKDIR /go/src/app
ADD . /go/src/app

RUN go get -d -v ./...

RUN go build -o /go/bin/app

# Now copy it into our base image.
FROM gcr.io/distroless/base-debian11
COPY --from=build /go/bin/app /
CMD ["/app"]

You can find other examples here:

To run any example, go to the directory for the language and run

docker build -t myapp .
docker run -t myapp

To run the Node.js Express app node-express and expose the container's ports:

npm install # Install express and its transitive dependencies
docker build -t myexpressapp . # Normal build command
docker run -p 3000:3000 -t myexpressapp

This should expose the Express application to your localhost:3000

Bazel

For full documentation on how to use bazel to generate Docker images, see the bazelbuild/rules_docker repository.

For documentation and examples on how to use the bazel package manager rules, see ./package_manager

Examples can be found in this repository in the examples directory.

Examples with Bazel

We have some examples on how to run some common application stacks in the /examples directory. See here for:

See here for examples on how to complete some common tasks in your image:

See here for more information on how these images are built and released.

Jib

For full documentation on how to use Jib to generate Docker images from Maven and Gradle, see the GoogleContainerTools/jib repository.

Base Operating System

Distroless images are based on Debian 11 (bullseye). Images are explicitly tagged with Debian version suffixes (e.g. -debian10 or -debian11). Specifying an image without the distribution will currently select -debian11 images, but that will change in the future to a newer version of Debian. It can be useful to reference the distribution explicitly, to prevent breaking builds when the next Debian version is released.

Operating System Updates for Security Fixes and CVEs

Distroless tracks the upstream Debian releases, using Github actions to automatically generate a pull request when there are updates.

Debug Images

Distroless images are minimal and lack shell access. The :debug image set for each language provides a busybox shell to enter.

For example:

cd examples/python3/

edit the Dockerfile to change the final image to :debug:

FROM gcr.io/distroless/python3-debian11:debug
COPY . /app
WORKDIR /app
CMD ["hello.py", "/etc"]

then build and launch with an shell entrypoint:

$ docker build -t my_debug_image .

$ docker run --entrypoint=sh -ti my_debug_image

/app # ls
BUILD       Dockerfile  hello.py

Note: If the image you are using already has a tag, for example gcr.io/distroless/java17-debian11:nonroot, use the tag <existing tag>-debug instead, for example gcr.io/distroless/java17-debian11:nonroot-debug.

Note: ldd is not installed in the base image as it's a shell script, you can copy it in or download it.

Who uses Distroless?

If your project uses Distroless, send a PR to add your project here!

Community Discussion

Owner
null
https://github.com/GoogleContainerTools/distroless
Comments
  • uclibc BusyBox in Distroless debug images fails with

    uclibc BusyBox in Distroless debug images fails with "ls: Value too large for defined data type"

    UPDATE by @chanseokoh: this issue is specifically about the pre-built, buggy BusyBox binary compiled using uClibc embedded in the Distroless :debug Docker images (e.g., gcr.io/distroless/java:debug). The root cause is Bug 11651 in BusyBox.

    It seems like LargeFileSupport is disabled in the debug images.

    $ docker run --entrypoint=/busybox/sh --rm -it gcr.io/distroless/base:debug 
/ # ls /
ls: can't open '/': Value too large for defined data type

    According to the coreutils docs this error is caused by not enabling LargeFileSupport when compiling.

    The default docker image doesn't seem to have this problem

    $ docker run --entrypoint=/bin/sh --rm -it busybox
/ # ls
bin   dev   etc   home  proc  root  sys   tmp   usr   var
  • Add deb_packages rule

    Add deb_packages rule

    Split from #94, this PR only contains the (slightly updated) deb_loader ruleset.

    This will not work out of the box as-is, due to the fact that the binary for downloading files has to be served via HTTP (see deb_loader/deb_loader.bzl). It'll currently look on localhost instead of a publicly available location.

    It is very likely that 2 additional parameters (ignored by the deb_loader tool but necessary to auto-update deb_packages rules in a safe manner) will be added later: pgp_keyid and pgp_keyservers (or maybe pgp_keyurls?) - these will contain the keyid and a list of keyservers that might host the defined key which signed the Releases file on the mirror(s). These can't really be hardcoded to support internal mirrors and people that might not want to publish their internal signing keys.

    I hope this makes it easier to reason about the changes, the update_workspace helper tool will be the next thing to review/add in case you are willing to move forward with this. I can also add a container that will use the rules outlined here and/or convert currently existing rules to this new style in case you want to see how it looks like, though that can be deferred for later.

    Changes between this and #94:

    • Renamed architecture to arch to be more in line with existing ruleset
    • smaller scope of PR (only rule, no other changes)
    • documented adding packages manually and with the update_workspace tool
    • Mirror URLs now have to point to the root folder of the repository, /debian or /ubuntu will not be automatically assumed or added (this solves the same issue as #93 and makes it easier to use the snapshots mirror in deb_packages rules for example)

    I didn't split the attribute (packages and packages_sha256) since the only mention of Fileset I could find is on the bottom of https://www.bazel.build/support.html with the comment we do not intend to support them in Bazel, ever

    I also didn't build upon package_manager since the whole code for deb_loader is just a few dozen lines and I don't need most of the functionality in package_manager. This way it is also possible to have both rule sets side by side, in case you want to make both available.

  • Tracking java 17

    Tracking java 17

    Looks like there are a few builds of java 17 build 35 (ga) in sid https://packages.debian.org/sid/openjdk-17-jre-headless I'm assuming we're waiting for those builds to be available in bullseye https://packages.debian.org/bullseye/openjdk-17-jre-headless

  • ARM version?

    ARM version?

    I've switched all my images to use distroless as base image and realize distroless doesn't have ARM version. Would it be possible to provide an ARM version?

    I'm thinking about using my images on a RasPi3 so it would be great if ARMv7 (Debian armhf) is provided.

  • distroless/java missing libharfbuzz.so.0

    distroless/java missing libharfbuzz.so.0

    Description of the issue: The docker images build ok with Jib, but I get an exception thrown when the container runs. The application is a spring boot 2.4.x app that runs ok in the IDE against java 11.

    Started with the java:11 image a couple of days ago, older images works.

    Expected behavior: No exception

    Steps to reproduce: Jib a spring boot 2.4.x app that uses apache poi and creates Excelfiles.

    Environment: Mac / Java 11 / Maven / Spring boot

    Log output:

    Caused by: java.lang.UnsatisfiedLinkError: /usr/lib/jvm/java-11-openjdk-amd64/lib/libfontmanager.so: libharfbuzz.so.0: cannot open shared object file: No such file or directory at java.base/java.lang.ClassLoader$NativeLibrary.load0(Native Method) at java.base/java.lang.ClassLoader$NativeLibrary.load(ClassLoader.java:2442) at java.base/java.lang.ClassLoader$NativeLibrary.loadLibrary(ClassLoader.java:2498) at java.base/java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2694) at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2648) at java.base/java.lang.Runtime.loadLibrary0(Runtime.java:830) at java.base/java.lang.System.loadLibrary(System.java:1873) at java.desktop/sun.font.FontManagerNativeLibrary$1.run(FontManagerNativeLibrary.java:57) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.desktop/sun.font.FontManagerNativeLibrary.<clinit>(FontManagerNativeLibrary.java:32) at java.desktop/sun.font.SunFontManager$1.run(SunFontManager.java:279) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.desktop/sun.font.SunFontManager.<clinit>(SunFontManager.java:275) at java.base/java.lang.Class.forName0(Native Method) at java.base/java.lang.Class.forName(Class.java:398) at java.desktop/sun.font.FontManagerFactory$1.run(FontManagerFactory.java:82) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.desktop/sun.font.FontManagerFactory.getInstance(FontManagerFactory.java:74) at java.desktop/java.awt.Font.getFont2D(Font.java:497) at java.desktop/java.awt.Font.canDisplayUpTo(Font.java:2250) at java.desktop/java.awt.font.TextLayout.singleFont(TextLayout.java:469) at java.desktop/java.awt.font.TextLayout.<init>(TextLayout.java:530) at org.apache.poi.ss.util.SheetUtil.getDefaultCharWidth(SheetUtil.java:285) at org.apache.poi.xssf.streaming.AutoSizeColumnTracker.<init>(AutoSizeColumnTracker.java:117) at org.apache.poi.xssf.streaming.SXSSFSheet.<init>(SXSSFSheet.java:89) at org.apache.poi.xssf.streaming.SXSSFWorkbook.createAndRegisterSXSSFSheet(SXSSFWorkbook.java:701) at org.apache.poi.xssf.streaming.SXSSFWorkbook.createSheet(SXSSFWorkbook.java:722)

  • distroless/java:11 missing libfreetype.so.6

    distroless/java:11 missing libfreetype.so.6

    Description of the issue: The docker images build ok with Jib, but I get an exception thrown when the container runs. The application is a spring boot 2.1.x app that runs ok in the IDE against java 11.

    Expected behavior: No exception

    Steps to reproduce: Jib a spring boot 2.1.x app that uses the autoSizeColumn feature of apache-poi and attempt to run the container on your local docker.

    Environment: Linux / Java 11 / Gradle / Spring boot 2.1.x

    jib-gradle-plugin Configuration:

    jib {
    from {
        image = 'gcr.io/distroless/java:11'
    }
    to {
        image = "theimage"
    }
    container {
        jvmFlags = ['-Djava.awt.headless=true']
    }
}

    Log output:

    Caused by: java.lang.UnsatisfiedLinkError: /usr/lib/jvm/java-11-openjdk-amd64/lib/libfontmanager.so: libfreetype.so.6: cannot open shared object file: No such file or directory
	at java.base/java.lang.ClassLoader$NativeLibrary.load0(Native Method) ~[na:na]
	at java.base/java.lang.ClassLoader$NativeLibrary.load(ClassLoader.java:2430) ~[na:na]
	at java.base/java.lang.ClassLoader$NativeLibrary.loadLibrary(ClassLoader.java:2487) ~[na:na]
	at java.base/java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2684) ~[na:na]
	at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2638) ~[na:na]
	at java.base/java.lang.Runtime.loadLibrary0(Runtime.java:829) ~[na:na]
	at java.base/java.lang.System.loadLibrary(System.java:1867) ~[na:na]
	at java.desktop/sun.font.FontManagerNativeLibrary$1.run(FontManagerNativeLibrary.java:57) ~[na:na]
	at java.base/java.security.AccessController.doPrivileged(Native Method) ~[na:na]
	at java.desktop/sun.font.FontManagerNativeLibrary.<clinit>(FontManagerNativeLibrary.java:32) ~[na:na]
	at java.desktop/sun.font.SunFontManager$1.run(SunFontManager.java:270) ~[na:na]
	at java.base/java.security.AccessController.doPrivileged(Native Method) ~[na:na]
	at java.desktop/sun.font.SunFontManager.<clinit>(SunFontManager.java:266) ~[na:na]
	at java.base/java.lang.Class.forName0(Native Method) ~[na:na]
	at java.base/java.lang.Class.forName(Class.java:398) ~[na:na]
	at java.desktop/sun.font.FontManagerFactory$1.run(FontManagerFactory.java:82) ~[na:na]
	at java.base/java.security.AccessController.doPrivileged(Native Method) ~[na:na]
	at java.desktop/sun.font.FontManagerFactory.getInstance(FontManagerFactory.java:74) ~[na:na]
	at java.desktop/java.awt.Font.getFont2D(Font.java:497) ~[na:na]
	at java.desktop/java.awt.Font.canDisplayUpTo(Font.java:2246) ~[na:na]
	at java.desktop/java.awt.font.TextLayout.singleFont(TextLayout.java:469) ~[na:na]
	at java.desktop/java.awt.font.TextLayout.<init>(TextLayout.java:530) ~[na:na]
	at org.apache.poi.ss.util.SheetUtil.getDefaultCharWidth(SheetUtil.java:273) ~[poi-4.0.1.jar:4.0.1]
	at org.apache.poi.ss.util.SheetUtil.getColumnWidth(SheetUtil.java:248) ~[poi-4.0.1.jar:4.0.1]
	at org.apache.poi.ss.util.SheetUtil.getColumnWidth(SheetUtil.java:233) ~[poi-4.0.1.jar:4.0.1]
	at org.apache.poi.hssf.usermodel.HSSFSheet.autoSizeColumn(HSSFSheet.java:2215) ~[poi-4.0.1.jar:4.0.1]

    I can create a minimal application with the issue if needed.

  • CVE-2022-1292: Openssl vulnerability

    CVE-2022-1292: Openssl vulnerability

    Hi Team,

    aquasec is detecting this vulnerability in gcr.io/distroless/java11:latest: CVE-2022-1292. Normally it's fixed in the new available openssl version: OpenSSL 1.1.1o

  • Building Error: Wrong checksum for package openjdk-11-jdk-headless

    Building Error: Wrong checksum for package openjdk-11-jdk-headless

    I am trying the following commands as CONTRIBUTING.md says to create PR for this issue. But the following error happens. How can I work around this issue?

    $ bazel clean --host_force_python=PY2 --curses=no
$ bazel build --host_force_python=PY2 --curses=no //package_manager:dpkg_parser.par
:
INFO: 2 processes: 2 linux-sandbox.
INFO: Build completed successfully, 15 total actions
INFO: Build completed successfully, 15 total actions
$ bazel build --host_force_python=PY2 //experimental/python3:python3_debian10
INFO: Repository package_bundle_debian10 instantiated at:
  no stack (--record_rule_instantiation_callstack not enabled)
Repository rule _dpkg_list defined at:
  /home/yoshiki/develop/distroless/package_manager/dpkg.bzl:23:14: in <toplevel>
ERROR: An error occurred during the fetch of repository 'package_bundle_debian10':
   dpkg_parser command failed: Traceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/home/yoshiki/develop/distroless/bazel-bin/package_manager/dpkg_parser.par/__main__.py", line 196, in <module>
  File "/home/yoshiki/develop/distroless/bazel-bin/package_manager/dpkg_parser.par/__main__.py", line 80, in main
  File "/home/yoshiki/develop/distroless/bazel-bin/package_manager/dpkg_parser.par/__main__.py", line 118, in download_dpkg
Exception: Wrong checksum for package openjdk-11-jdk-headless.  Expected: a3c04c7f67bd377704e64c7cac9ba14b623e1016489904bd2d64c5e288f2a028, Actual: 864d1df61900a364c8a1cb69c7407ee416e6e40acd3bbb0316a4c414b0475b98
 (/home/yoshiki/develop/distroless/bazel-bin/package_manager/dpkg_parser.par --package-files /home/yoshiki/.cache/bazel/_bazel_yoshiki/341ae8492058161a7bc59a3774bb3b8a/external/debian10_security/file/Packages.json,/home/yoshiki/.cache/bazel/_bazel_yoshiki/341ae8492058161a7bc59a3774bb3b8a/external/debian10/file/Packages.json --packages libc6,base-files,ca-certificates,openssl,libssl1.1,libbz2-1.0,libdb5.3,libffi6,liblzma5,libexpat1,libreadline7,libsqlite3-0,mime-support,netbase,readline-common,tzdata,libgcc1,libgomp1,libstdc++6,zlib1g,libjpeg62-turbo,libpng16-16,liblcms2-2,libfreetype6,fonts-dejavu-core,fontconfig-config,libfontconfig1,libuuid1,openjdk-11-jre-headless,openjdk-11-jdk-headless,dash,libc-bin,libpython2.7-minimal,libpython2.7-stdlib,python2.7-minimal,libmpdec2,libpython3.7-minimal,libpython3.7-stdlib,libtinfo6,libuuid1,libncursesw6,python3-distutils,python3.7-minimal,libcurl4,libgssapi-krb5-2,libicu63,liblttng-ust0,libssl1.1,libunwind8,libuuid1,zlib1g,curl,libcomerr2,libidn2-0,libk5crypto3,libkrb5-3,libldap-2.4-2,libldap-common,libsasl2-2,libnghttp2-14,libpsl5,librtmp1,libssh2-1,libkeyutils1,libkrb5support0,libunistring2,libgnutls30,libgmp10,libhogweed4,libidn11,libnettle6,libp11-kit0,libffi6,libtasn1-6,libsasl2-modules-db,libgcrypt20,libgpg-error0,libacl1,libattr1,libselinux1,libpcre3,libbz2-1.0,liblzma5 --workspace-name package_bundle_debian10)

    Same error happens even if the command in test.sh:

    $ bazel build --host_force_python=PY2 --curses=no //...

    My envirnment is Linux terminal on ChromeOS (Debian 9 on HP Chromebook x360 14 Core i5). Bezel version is the latest 3.1.0.

  • NodeJS image : web server not accessible

    NodeJS image : web server not accessible

    Hello,

    I have successfully created a docker image containing flood (a web interface for rtorrent). But if I start this image without exposing publicly the port 3000, the web server is not accessible by the reverse proxy (traefik) nor from the host by using the container IP (ERR_CONNECTION_REFUSED).

    If I expose it publicly, then the web server is still only accessible from internet, not from traefik nor localhost.

    I try to create another container for TryGhost/Ghost, same problem. The web server is started and is waiting for connections on 0.0.0.0, but the connection is refused from the docker host or the proxy container.

    Any help about it? Thanks 😄

  • gcr.io/distroless/cc:debug fails with Rust app: line 1: syntax error: unexpected

    gcr.io/distroless/cc:debug fails with Rust app: line 1: syntax error: unexpected ")" 

    # You can override this `--build-arg BASE_IMAGE=...` to use different
# version of Rust or OpenSSL.
ARG BASE_IMAGE=rust

# docker build --build-arg http_proxy=$http_proxy --build-arg https_proxy=$https_proxy -t exporter_distroless .
# Our first FROM statement declares the build environment.
FROM ${BASE_IMAGE} AS builder
WORKDIR /build
COPY . /build

# Create empty app dirs that will be copied to distroless
RUN mkdir -p /app/config

# Test
RUN cargo test --release

# Build our application.
RUN cargo build --release

FROM gcr.io/distroless/cc:debug
USER nonroot

# Place for config files
COPY --from=builder --chown=nonroot:nonroot /app /
COPY --from=builder --chown=nonroot:nonroot /build/target/release/my-app /app/
WORKDIR /app
EXPOSE 8080
ENTRYPOINT ["/app/my-app"]

    Building the Docker file locally on Windows 10 leads to no problems. Building the Docker image on my CICD env with BMW_Ubuntu_20.04_Server and running it on Kubernetes makes the Container fail on startup with: /app/my-app: line 1: syntax error: unexpected ")"

    I can reproduce the error message by executing sh /app/my-app. Just running /app/my-app as in the entrypoint command works fine.

  • Critical CVE in distroless/java17 update to openjdk 17.0.3

    Critical CVE in distroless/java17 update to openjdk 17.0.3

    Java 17.0.2 has a severe flaw in signature verification for elliptic curve signatures. 17.0.3 was released to the public on April 19, 2022: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449

    See also https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

  • Fix: Use `SOURCE_DATE_EPOCH` for the distroless images.

    Fix: Use `SOURCE_DATE_EPOCH` for the distroless images.

    :bug: This uses SOURCE_DATE_EPOCH so that instead of the Unix epoch, distroless images use the timestamp of the git commit from which they are built.

    /kind bug

  • refactor: migrate to rules_oci

    refactor: migrate to rules_oci

    Remaining work here;

    • [ ] Update root BUILD file to use rules_oci oci_index oci_push oci_cosign
    • [x] http_archive_sbom implementation is not complete yet.
    • [ ] Update cloudbuild to use bazel rules for signing and publishing
    • [ ] Remove cloudbuild_*.sh scripts as not needed anymore
    • [ ] Some cleanup work
  • nobody vs nonroot user

    nobody vs nonroot user

    I'm trying to understand when I'm supposed to be using nobody versus nonroot user in my docker images.

    I cannot find a simple explanation out there and I feel like they are just interchangeable. Is that right ? If not, what are the differences ?

  • distroless/python3-debian11 and distroless/python3-debian11:nonroot contain shell

    distroless/python3-debian11 and distroless/python3-debian11:nonroot contain shell

    Describe the bug The images distroless/python3-debian11 and distroless/python3-debian11:nonroot contain the sh shell, contrary to what the documentation says.

    To Reproduce

    $ docker run --rm -it --entrypoint sh gcr.io/distroless/python3-debian11:latest
Unable to find image 'gcr.io/distroless/python3-debian11:latest' locally
latest: Pulling from distroless/python3-debian11
8fdb1fc20e24: Already exists 
fda4ba87f6fb: Already exists 
a1f1879bb7de: Already exists 
456b1c818ab2: Pull complete 
Digest: sha256:d78a749034380426dd6cec6a0db139459ca701630533ffce112adbcdd996fddd
Status: Downloaded newer image for gcr.io/distroless/python3-debian11:latest
# exit

$ docker run --rm -it --entrypoint sh gcr.io/distroless/python3-debian11:nonroot
Unable to find image 'gcr.io/distroless/python3-debian11:nonroot' locally
nonroot: Pulling from distroless/python3-debian11
8fdb1fc20e24: Already exists 
fda4ba87f6fb: Already exists 
a1f1879bb7de: Already exists 
456b1c818ab2: Already exists 
3c2cba919283: Pull complete 
Digest: sha256:16a3e673c2138d1896a20664659c5d0d225be429fe374bb1d38a2a8a94a9b260
Status: Downloaded newer image for gcr.io/distroless/python3-debian11:nonroot
$

    Expected behavior The expected behavior is displayed when running this command:

    $ docker run --rm -it --entrypoint sh gcr.io/distroless/java17-debian11
Unable to find image 'gcr.io/distroless/java17-debian11:latest' locally
latest: Pulling from distroless/java17-debian11
8fdb1fc20e24: Already exists 
fda4ba87f6fb: Already exists 
a1f1879bb7de: Already exists 
407f249037ea: Already exists 
8a4811140f89: Already exists 
Digest: sha256:61c05080a2fbf2f6fcb2eb11b936e30ebc7eb5cad474056e5e356b5b1b94d200
Status: Downloaded newer image for gcr.io/distroless/java17-debian11:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown.
  • distroless/python3-debian11:debug is not signed with cosign

    distroless/python3-debian11:debug is not signed with cosign

    Describe the bug The distroless image gcr.io/distroless/python3-debian11:debug is not signed with cosign.

    To Reproduce I ran this script:

    #!/bin/bash

GOOGLE_COSIGN_PUB_KEY=google_cosign.pub
rm -rf cosign.pub
wget https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub
mv cosign.pub $GOOGLE_COSIGN_PUB_KEY

GOOGLE_DISTROLESS_IMAGES='
gcr.io/distroless/python3-debian11'

TAGS='
latest
nonroot
debug
debug-nonroot'

for IMAGE in $GOOGLE_DISTROLESS_IMAGES; do
	for TAG in $TAGS; do
		echo Verifying $IMAGE:$TAG
		cosign verify --key $GOOGLE_COSIGN_PUB_KEY $IMAGE:$TAG
		echo
	done
done

    And this was the output:

    --2022-11-13 17:12:17--  https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178 [text/plain]
Saving to: ‘cosign.pub’

cosign.pub                             100%[===========================================================================>]     178  --.-KB/s    in 0s      

2022-11-13 17:12:17 (11.1 MB/s) - ‘cosign.pub’ saved [178/178]

Verifying gcr.io/distroless/python3-debian11:latest

Verification for gcr.io/distroless/python3-debian11:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:d78a749034380426dd6cec6a0db139459ca701630533ffce112adbcdd996fddd"},"type":"cosign container image signature"},"optional":null}]

Verifying gcr.io/distroless/python3-debian11:nonroot

Verification for gcr.io/distroless/python3-debian11:nonroot --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:16a3e673c2138d1896a20664659c5d0d225be429fe374bb1d38a2a8a94a9b260"},"type":"cosign container image signature"},"optional":null}]

Verifying gcr.io/distroless/python3-debian11:debug
Error: no matching signatures:

main.go:62: error during command execution: no matching signatures:

Verifying gcr.io/distroless/python3-debian11:debug-nonroot

Verification for gcr.io/distroless/python3-debian11:debug-nonroot --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"gcr.io/distroless/python3-debian11"},"image":{"docker-manifest-digest":"sha256:fa3db2ffa927c8ef3a71e91dcf2d0905cb38106167bace3bcba11c80f61405a3"},"type":"cosign container image signature"},"optional":null}]

    Expected behavior The signature for distroless/python3-debian11:debug should have been verified successfully.

Related tags
DevOps Tools docker bazel
List, find and inspect operating system processes in Go

ps Package ps provides functionality to find, list and inspect operating system processes, without using cgo or external binaries. Supported operating

Nov 9, 2022
An image server which automatically optimize non webp and avif images to webp and avif images

go-imageserver go-imageserver is an image server which automatically optimize no

Apr 18, 2022
Vilicus is an open source tool that orchestrates security scans of container images(docker/oci) and centralizes all results into a database for further analysis and metrics.
 Vilicus is an open source tool that orchestrates security scans of container images(docker/oci) and centralizes all results into a database for further analysis and metrics.

Vilicus Table of Contents Overview How does it work? Architecture Development Run deployment manually Usage Example of analysis Overview Vilicus is an

Dec 6, 2022
ghcr images - Fetched from docker-library

ghcri ghcri is the repo for Github Container Registry Images. Just like docker-library for Docker Registry. Usage Replace all docker library from dock

Aug 15, 2022
CLI based tools to find the secrets in docker Images
 CLI based tools to find the secrets in docker Images

docker-secrets CLI based tools to find the secrets in docker Images This tool use detect-secrets to find the secrets in the docker Image file system P

Mar 22, 2022
run regular Docker images in KVM/Qemu

runq runq is a hypervisor-based Docker runtime based on runc to run regular Docker images as a lightweight KVM/Qemu virtual machine. The focus is on s

Jan 6, 2023
Woodpecker CI plugin to build multiarch Docker images with buildx

plugin-docker-buildx Woodpecker CI plugin to build multiarch Docker images with buildx Woodpecker CI plugin to build multiarch Docker images with buil

Nov 5, 2022
A tool to check whether docker images exist in the remote registry.

Check Docker Image A tool to check whether docker images exist in the remote registry. Build project: go build -o check-image . Example usage: REGISTR

Jul 26, 2022
Show dependency graph of docker images/containers
 Show dependency graph of docker images/containers

docker-graph Show dependency graph of docker images/containers like this: Orange is images and green is containers. Features Collect docker images, co

Feb 7, 2022
APKrash is an Android APK security analysis toolkit focused on comparing APKs to detect tampering and repackaging.
 APKrash is an Android APK security analysis toolkit focused on comparing APKs to detect tampering and repackaging.

APKrash APKrash is an Android APK security analysis toolkit focused on comparing APKs to detect tampering and repackaging. Features Able to analyze pu

Nov 8, 2022
Docker-based remote code runner / 基于 Docker 的远程代码运行器
 Docker-based remote code runner / 基于 Docker 的远程代码运行器

Docker-based remote code runner / 基于 Docker 的远程代码运行器

Nov 9, 2022
ecsk is a CLI tool to interactively use frequently used functions of docker command in Amazon ECS. (docker run, exec, cp, logs, stop)
 ecsk is a CLI tool to interactively use frequently used functions of docker command in Amazon ECS. (docker run, exec, cp, logs, stop)

English / 日本語 ecsk ECS + Task = ecsk ?? ecsk is a CLI tool to interactively use frequently used functions of docker command in Amazon ECS. (docker run

Dec 13, 2022
Hassle-free minimal CI/CD for git repositories with docker or docker-compose projects.
 Hassle-free minimal CI/CD for git repositories with docker or docker-compose projects.

GIT-PIPE Hassle-free minimal CI/CD for git repos for docker-based projects. Features: zero configuration for repos by default automatic encrypted back

Sep 23, 2022
Tool to convert docker-compose files to set of simple docker commands

docker-decompose Tool to convert docker-compose files to set of simple docker commands. Install Use go get to install the latest version of the librar

Apr 12, 2022
Go-http-server-docker - Simple sample server using docker and go

go-http-server-docker Simple sample webserver using docker and go.

Jan 8, 2022
Docker-hub-rate-limit - Show pulling rate status of Docker-hub

Docker-Hub Pull Rate Status This tool shows current status of docker hub pull ra

Jan 28, 2022
Dotnet-appsettings-env - Convert .NET appsettings.json file to Kubernetes, Docker and Docker-Compose environment variables

dotnet-appsettings-env Convert .NET appsettings.json file to Kubernetes, Docker

Dec 30, 2022
Dotnet-appsettings-env - Convert .NET appsettings.json file to Kubernetes, Docker and Docker-Compose environment variables

dotnet-appsettings-env Convert .NET appsettings.json file to Kubernetes, Docker

Feb 16, 2022
Nebula Operator manages NebulaGraph clusters on Kubernetes and automates tasks related to operating a NebulaGraph cluster

Nebula Operator manages NebulaGraph clusters on Kubernetes and automates tasks related to operating a NebulaGraph cluster. It evolved from NebulaGraph Cloud Service, makes NebulaGraph a truly cloud-native database.

Dec 31, 2022