Simple, rootless, "FROM scratch" OCI image builder

zeroimage

zeroimage some-program is like building the following Docker image:

FROM scratch
COPY some-program /some-program
ENTRYPOINT ["/some-program"]

…without actually using Docker.

Assuming that some-program is a statically linked executable, zeroimage effectively produces the most minimal image that a container runtime could use to launch it. In spite of the many caveats listed below, this can help drive down startup times on serverless container platforms like AWS Lambda. Since zeroimage simply writes a tar archive without ever talking to a container runtime, it's great for cross-platform image builds.

Caveats

Yeah, but your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should.

— Dr. Ian Malcolm, Jurassic Park

Be warned: this approach comes with a significant number of caveats. Your application is arguably running in a broken environment, and if you do not account for that, things are probably not going to go well.

Most notably, the entrypoint binary must be completely statically linked. Even languages that are capable of producing such binaries do not usually do this by default. For example, you might need to set CGO_ENABLED=0 in your environment while building a Go binary, or switch to a musl-based target while building a Rust binary.
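A pre-flight check for this caveat, as an added example that is not part of zeroimage: it reads the ELF headers with Go's debug/elf package and rejects a binary that names a dynamic loader (PT_INTERP) or shared libraries (DT_NEEDED), neither of which exists in the image. The names checkStatic and sampleELF are hypothetical, and the sample input is a constructed header rather than a real program.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// checkStatic returns nil when the ELF binary needs nothing from the root
// filesystem to start, and an error naming the missing dependency otherwise.
func checkStatic(r io.ReaderAt) error {
	f, err := elf.NewFile(r)
	if err != nil {
		return fmt.Errorf("not a readable ELF file: %w", err)
	}
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP { // the kernel would look for this loader in the image
			path, _ := io.ReadAll(p.Open())
			return fmt.Errorf("needs dynamic loader %q", bytes.TrimRight(path, "\x00"))
		}
	}
	if libs, err := f.ImportedLibraries(); err != nil || len(libs) > 0 {
		return fmt.Errorf("needs shared libraries %v (err: %v)", libs, err)
	}
	return nil // static, or static-PIE: nothing else has to be in the image
}

// sampleELF builds a constructed ELF64 header plus one program header (sample input only).
func sampleELF(interp string) []byte {
	h := elf.Header64{Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64),
		Version: 1, Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: 1}
	copy(h.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), 1})
	p := elf.Prog64{Type: uint32(elf.PT_LOAD), Filesz: 120}
	if interp != "" {
		interp += "\x00" // PT_INTERP data is a NUL-terminated path
		p = elf.Prog64{Type: uint32(elf.PT_INTERP), Off: 120, Filesz: uint64(len(interp))}
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, h) // 64-byte file header
	binary.Write(&buf, binary.LittleEndian, p) // 56-byte program header at offset 64
	buf.WriteString(interp)                    // loader path at offset 120, if any
	return buf.Bytes()
}

func main() {
	fmt.Println(checkStatic(bytes.NewReader(sampleELF(""))), checkStatic(bytes.NewReader(sampleELF("/lib64/ld-linux-x86-64.so.2"))))
}
```

To check a real build output, open the file with os.Open and pass the resulting *os.File to checkStatic before running zeroimage on it.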

Other notable caveats include, but are not limited to:

  • There are no user or group databases (/etc/passwd or /etc/group) in the image.
  • There is no timezone database in the image. (In Go 1.15+, you can work around this with the timetzdata build tag.)
  • There are no TLS root certificates in the image.

Usage

zeroimage produces tar archive files compliant with the OCI Image Format Specification. You can use Skopeo to work with these files:

# Write a container image archive to some-program.tar.
# You can pass the -output flag to write to a different path.
# You can also use -os and -arch to override the target platform of the image.
# Run "zeroimage -help" for usage.
zeroimage some-program

# Upload the image directly to a container registry.
skopeo copy oci-archive:some-program.tar docker://registry.example.com/some-program:latest

# Load the image into Docker (with a tag).
# Note that "docker load" does NOT support the OCI archive format!
# "skopeo copy" will convert the image to Docker's proprietary format.
skopeo copy oci-archive:some-program.tar docker-daemon:registry.example.com/some-program:latest

Future Work

  • Support starting from a base image instead of nothing at all, to enable building more "proper" distroless containers.