Is Ghost's Docker Image Distroless?

Scratch docker images or distroless docker images can reduce attack surface area and decrease memory, etc… I’m wondering if Ghost’s official docker image is distroless, and if not, then why? It seems like a good candidate for distroless.
Thanks.

The Docker image is maintained by the community. Based on the repo, it looks like there is support for both alpine and debian.

Based on the Dockerfiles on Docker Hub, the base images for the latest version, 4.6.4, are:

  • node:14-buster-slim (Debian)
  • node:12-alpine3.12 (Alpine)

Looking at the Alpine file briefly, it looks like it only installs su-exec and bash. Debian seems to install gosu; for that it needs gnupg as well.

One could theoretically build a Ghost Docker image FROM Google Cloud console (or 14), using the current Dockerfile as a reference. I’m not sure if distroless node images contain npm. If not, then you would need to do a multi-stage build (using a base node image, just like how the distroless example does it here: distroless/Dockerfile at main · GoogleContainerTools/distroless · GitHub).
If this is attempted, of course quite some testing is required to make sure this works properly.

1 Like
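The check made in this thread (reading the Dockerfile's base images to see whether the shipped image is distroless) can be automated, including for the multi-stage layout suggested above. This is an added example, not code from the Ghost image repository; the function names, the sample Dockerfiles and the "name contains distroless, or is scratch" heuristic are assumptions.

```python
import re

# Matches "FROM [--platform=...] <image> [AS <name>]", case-insensitively.
FROM_RE = re.compile(r"(?i)^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?")

def final_base_image(dockerfile_text):
    """Return the external image the LAST build stage is ultimately based on."""
    stages, aliases = [], {}           # base per stage; stage name -> index
    for raw in dockerfile_text.splitlines():
        m = FROM_RE.match(raw.strip())
        if not m:
            continue
        stages.append(m.group(1))
        if m.group(2):
            aliases[m.group(2).lower()] = len(stages) - 1
    if not stages:
        raise ValueError("no FROM instruction found")
    idx = len(stages) - 1
    base = stages[idx]
    # "FROM build" refers to an earlier stage; follow it back to a real image.
    while base.lower() in aliases and aliases[base.lower()] < idx:
        idx = aliases[base.lower()]
        base = stages[idx]
    return base

def is_distroless(dockerfile_text):
    # Assumption: a naming heuristic only. It does not inspect image contents.
    image = final_base_image(dockerfile_text)
    return image == "scratch" or "distroless" in image.split(":")[0]

# Constructed samples. The base image tags for the first two stages are the
# ones named in the thread; everything else is illustrative.
SINGLE_STAGE = """\
FROM node:12-alpine3.12
RUN apk add --no-cache su-exec bash
"""

MULTI_STAGE = """\
FROM node:14-buster-slim AS build
RUN npm install -g ghost-cli
FROM gcr.io/distroless/nodejs:14 AS runtime
COPY --from=build /app /app
FROM runtime
"""

if __name__ == "__main__":
    for name, text in (("single", SINGLE_STAGE), ("multi", MULTI_STAGE)):
        print(name, final_base_image(text), is_distroless(text))
```

Only the last stage decides the result, so a Dockerfile that merely uses a distroless image in an earlier stage is still reported as not distroless.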