
Move Container Image to Distroless #166

Closed
leecalcote opened this issue Dec 16, 2020 · 20 comments · Fixed by #170
Assignees
Labels
area/ci help wanted Extra attention is needed

Comments

@leecalcote
Member

Copy approach from meshery-istio adapter

@leecalcote leecalcote added help wanted Extra attention is needed area/ci labels Dec 16, 2020
@siddhant94
Contributor

hey @leecalcote , if it's still up for grabs, I would like to submit a PR.

@leecalcote
Member Author

leecalcote commented Dec 19, 2020

Hi @siddhant94, yes, it is. That would be great. Thank you.

@siddhant94
Contributor

hey @leecalcote , couple of points,

  1. Do we need kubectl binary for linkerd adapter to work? It was added via this PR in the dockerfile (below snippet).

```dockerfile
# Install kubectl
RUN curl -LO "https://storage.googleapis.com/kubernetes-release/release/v1.18.0/bin/linux/amd64/kubectl" && \
    chmod +x ./kubectl && \
    mv ./kubectl /usr/local/bin/kubectl
```

  2. Currently, dockerfile has instructions to create a user appuser (`USER appuser`). For this I just wanted to confirm that there is no dependency on username "appuser", because then we can use the nonroot images for distroless (basically these images run by default as the "nonroot" user).

And lastly, can you point me to docs where I can set up and validate the changes by testing?

@Aisuko
Member

Aisuko commented Dec 21, 2020

@siddhant94 I believe maybe we need the kubectl binary. And second, we may not need a root user. @kumarabd @mgfeller Could you please help us with this? Other adapters have the same situation.

@kumarabd
Contributor

@siddhant94 @Aisuko kubectl is not required and it can run as a root user. Don't have to create a separate one, you can stick to exactly the istio adapter's dockerfile.

siddhant94 pushed a commit to siddhant94/meshery-linkerd that referenced this issue Dec 21, 2020
Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com>
siddhant94 pushed a commit to siddhant94/meshery-linkerd that referenced this issue Dec 21, 2020
Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com>
@siddhant94
Contributor

siddhant94 commented Dec 21, 2020

@kumarabd @Aisuko Have created a PR which updates the dockerfile. Couple of things different from istio adapter.

  • ```dockerfile
    ENV DISTRO="debian"
    ENV GOARCH="amd64"
    ```

    I have not added these environment variables as I could not find which part of code was dependent on these.

  • Same with linker flags -X main.environment & -X main.provider, since I did not find these variables in main package I omitted it from Dockerfile.

Let me know if these should stay, I'll update the PR.

@kumarabd
Contributor

@siddhant94 linker flags cool, the envs however are needed by other binaries that we will be using during runtime. Do add them if you would. Good to go after that!

@siddhant94
Contributor

@kumarabd I have added the env variables. PR.

@mgfeller
Contributor

@kumarabd @siddhant94 nice work. I wonder about the root user. Shouldn't a non-root user be used? If not, why not?

@kumarabd
Contributor

@mgfeller it's not critical to use a root user, or there is no difference in our case because our container is distroless, thus no shell program is available for exploitation. Do advise if I'm missing something here.

@mgfeller
Contributor

@kumarabd, what about compromised tools that are downloaded by the adapter, or compromised third-party libraries (supply chain)?

@kumarabd
Contributor

Makes sense, let's add the user back. Thanks for highlighting @mgfeller

Can you help @siddhant94 on this @mgfeller ?

@siddhant94
Contributor

@mgfeller @kumarabd For running as non root user we can leverage the nonroot-amd64 tag of distroless/base. This image provides running processes as nonroot user by default (reference)
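The following multi-stage Dockerfile is an added example for this thread, not the meshery-linkerd or meshery-istio Dockerfile. It ties together the points raised above: the `DISTRO`/`GOARCH` environment variables on the runtime stage, a distroless base using the `nonroot-amd64` tag so the process does not run as root, and an explicit `USER` so that intent does not silently depend on the base tag. The Go version, the module layout, and the output binary name `adapter` are assumptions; `-X` linker flags are only shown for a hypothetical `main.version` variable, since the thread notes that `main.environment`/`main.provider` do not exist in this adapter's main package.

```dockerfile
# Added example, not the project's own Dockerfile.
# Stage 1: build a static Go binary (Go version and layout are assumptions).
FROM golang:1.15 AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO disabled so the binary has no runtime dependency on the build image's libc;
# -X only works for package-level string variables that actually exist (hypothetical main.version).
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -ldflags="-w -s -X main.version=dev" -o /out/adapter .

# Stage 2: distroless runtime. The nonroot-amd64 tag has no shell or package manager
# and its default user is "nonroot" (uid 65532), so a compromised library or
# downloaded tool running inside the container does not hold root.
FROM gcr.io/distroless/base:nonroot-amd64
# Environment variables the thread says other runtime binaries expect.
ENV DISTRO="debian"
ENV GOARCH="amd64"
COPY --from=builder /out/adapter /adapter
# Explicit USER: survives a later switch of the base tag (e.g. to a debug tag).
USER nonroot:nonroot
ENTRYPOINT ["/adapter"]
```

After building with the command from the thread (`docker build -t local/meshery-linkerd:latest .`), `docker inspect --format '{{.Config.User}}' local/meshery-linkerd:latest` should print `nonroot:nonroot`; an empty value means the image still defaults to root. Running without root does not remove the supply-chain risk @mgfeller raised, but it limits what a compromised binary can write to or bind inside the container.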

@kumarabd
Contributor

@siddhant94 go for it. And do test out the image once locally if all the functionalities work.

@siddhant94
Contributor

siddhant94 commented Dec 21, 2020

Sure @kumarabd. Lastly, can you point me to doc with how to setup testing locally?

@mgfeller
Contributor

BATS tests would have been nice to have now 😄

@kumarabd
Contributor

I'm afraid if there is one currently, do follow the below steps to get it tested:

  1. `docker build -t local/meshery-linkerd:latest .` on the adapter.
  2. Run the docker-compose file in the meshery repository, modifying the image name for linkerd.
  3. `docker-compose up`, and try installing linkerd and sample apps.

@siddhant94
Contributor

> I'm afraid if there is one currently, do follow the below steps to get it tested:
>
>   1. `docker build -t local/meshery-linkerd:latest .` on the adapter.
>   2. Run the docker-compose file in the meshery repository, modifying the image name for linkerd.
>   3. `docker-compose up`, and try installing linkerd and sample apps.

I'll follow these, thanks. I am offline for now, will update it in some time.

@siddhant94
Contributor

hey @kumarabd , I tried but I am unable to get the set-up. It's showing error:

```
unable to read client-key /home/sid/.minikube/profiles/minikube/client.key for minikube due to open /home/sid/.minikube/profiles/minikube/client.key: no such file or directory
```

But those files are present on host.

```
➜ cat /home/sid/.minikube/profiles/minikube/client.key
-----BEGIN RSA PRIVATE KEY-----
```

Any directions on how to solve this? I tried getting started with mesheryctl just to explore but there also it failed to connect to the minikube cluster.

siddhant94 pushed a commit to siddhant94/meshery-linkerd that referenced this issue Dec 25, 2020
…oot tags default to nonroot user).

Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com>

Add env variables DISTRO & GOARCH to distroless base image.

Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com>
siddhant94 pushed a commit to siddhant94/meshery-linkerd that referenced this issue Jan 5, 2021
…oot tags default to nonroot user).

Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com>

Add env variables DISTRO & GOARCH to distroless base image.

Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com>
Aisuko added a commit that referenced this issue Jan 6, 2021

5 participants