marco/plugin-barman-cloud
1
0
Fork 0
mirror of https://github.com/cloudnative-pg/plugin-barman-cloud.git synced 2026-03-09 20:22:20 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: use distroless base image to reduce size and attack surface

Browse Source 
Switch from python:3.13-slim-trixie to distroless/python3-debian13
for the sidecar container. The virtualenv approach now extracts
runtime libraries from Debian packages using dpkg, eliminating the
need for apt and package management tools in the final image.

The image is 44% smaller (260MB vs 463MB on main, or 31% vs 377MB
from the previous commit) with 70% fewer packages (35 vs 115) while
maintaining zero HIGH/CRITICAL vulnerabilities. There is no shell
or package manager in the final image, reducing the attack surface
significantly.

Based on Google's distroless best practices.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
This commit is contained in:
Marco Nenciarini 2026-01-29 12:25:41 +01:00
parent a9d8dbba6e
commit a29726e0ee
No known key found for this signature in database
GPG Key ID: 589F03F01BA55038
1 changed files with 52 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
containers/Dockerfile.sidecar
View File

@ -2,7 +2,7 @@
# The container needs to provide and build two components: # The container needs to provide and build two components:
# * barman-cloud # * barman-cloud
# * instance plugin # * instance plugin
# Both components are built before going into the final container # Both components are built before going into a distroless container
# Build the manager binary # Build the manager binary
FROM --platform=$BUILDPLATFORM golang:1.25.6 AS gobuilder FROM --platform=$BUILDPLATFORM golang:1.25.6 AS gobuilder
@ -33,17 +33,24 @@ COPY ../internal/ internal/
RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build \
CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/manager/main.go CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/manager/main.go
# Build wheel files for Python dependencies # Build Python virtualenv with all dependencies
FROM python:3.13-slim-trixie AS pythonbuilder # Using virtualenv ensures bytecode is compiled with correct timestamps
FROM debian:trixie-slim AS pythonbuilder
WORKDIR /build WORKDIR /build
# Install postgresql-common and setup pgdg repository first
RUN apt-get update && \
apt-get install -y --no-install-recommends postgresql-common && \
/usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y
# Install build dependencies # Install build dependencies
# After pgdg repo setup, this ensures we get updated versions from apt.postgresql.org
RUN apt-get update && \ RUN apt-get update && \
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
postgresql-common \ python3 \
build-essential && \ python3-venv \
/usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \ python3-dev \
apt-get install -y --no-install-recommends \ build-essential \
libpq-dev \ libpq-dev \
liblz4-dev \ liblz4-dev \
libsnappy-dev libsnappy-dev
@ -51,15 +58,43 @@ RUN apt-get update && \
# Copy requirements # Copy requirements
COPY containers/sidecar-requirements.txt . COPY containers/sidecar-requirements.txt .
# Build wheels with pip cache mount # Create virtualenv and install dependencies
RUN --mount=type=cache,target=/root/.cache/pip \ # Compileall ensures all bytecode is freshly compiled with correct timestamps
pip wheel --wheel-dir=/wheels -r sidecar-requirements.txt RUN python3 -m venv /venv && \
/venv/bin/pip install --upgrade pip setuptools wheel && \
/venv/bin/pip install --no-cache-dir -r sidecar-requirements.txt && \
/venv/bin/python -m compileall -q /venv
# Download and extract runtime library packages
# Using apt-get download + dpkg -x ensures we get all files from packages
# Note: libcrypto is part of libssl3t64, and liblber is part of libldap2
RUN mkdir -p /dependencies /build/downloads && \
cd /build/downloads && \
apt-get download \
libpq5 \
liblz4-1 \
libsnappy1v5 \
libssl3t64 \
libgssapi-krb5-2 \
libkrb5-3 \
libk5crypto3 \
libcom-err2 \
libkrb5support0 \
libldap2 \
libsasl2-2 \
libkeyutils1 \
libzstd1 && \
for deb in *.deb; do \
dpkg -x "$deb" /dependencies; \
done
# Final sidecar image # Final sidecar image
FROM python:3.13-slim-trixie # Using distroless base for minimal attack surface (no shell, no package manager)
FROM gcr.io/distroless/python3-debian13:nonroot
ENV SUMMARY="CloudNativePG Barman plugin" \ ENV SUMMARY="CloudNativePG Barman plugin" \
DESCRIPTION="Container image that provides the barman-cloud sidecar" DESCRIPTION="Container image that provides the barman-cloud sidecar" \
PATH="/venv/bin:$PATH"
LABEL summary="$SUMMARY" \ LABEL summary="$SUMMARY" \
description="$DESCRIPTION" \ description="$DESCRIPTION" \
@ -71,23 +106,12 @@ LABEL summary="$SUMMARY" \
version="" \ version="" \
release="1" release="1"
# Install runtime dependencies # Copy virtualenv with pre-compiled bytecode
RUN apt-get update && \ COPY --from=pythonbuilder /venv /venv
apt-get install -y --no-install-recommends \
postgresql-common && \
/usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \
apt-get install -y --no-install-recommends \
libpq5 \
liblz4-1 \
libsnappy1v5 && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
# Install wheels using bind mount (wheels not included in final layers) # Copy runtime libraries from extracted packages
# and ensure all Python bytecode is freshly compiled with correct timestamps # All libraries are in /usr/lib/x86_64-linux-gnu
RUN --mount=type=bind,from=pythonbuilder,source=/wheels,target=/wheels \ COPY --from=pythonbuilder /dependencies/usr/lib /usr/lib
pip install --no-cache-dir /wheels/*.whl && \
python -m compileall -q
# Copy Go manager binary # Copy Go manager binary
COPY --from=gobuilder /workspace/manager /manager COPY --from=gobuilder /workspace/manager /manager