I'm excited about the concept of using minimal or distroless base images to greatly reduce CVEs, but I'm also feeling pretty anxious about moving away from the familiar ubuntu:latest setup that just works. My main worry is that without shell access, package managers, or basic utilities, troubleshooting could turn into a nightmare. I get that multi-stage builds can help, but they still feel quite fragile to me.
Cost is another concern; those minimal images from vendors seem pricey, and I'm already having budget discussions. Plus, our devs are used to running docker exec to investigate containers, so this would disrupt our workflow. I see the security benefits, but it feels like I'm stuck between bloated, debuggable options and minimal, but opaque choices. Has anyone on here transitioned to minimal images on a large scale without completely disrupting their development process? And do the costs of vendor images really make sense, or would it be better to enhance security scanning on our existing images instead?
4 Answers
We made the switch at my workplace, and it really wasn't as complicated as I feared since our devs don't have direct access to production containers. We maintain two types of images: the production distroless/minimal builds and slim versions for development. Also, we don't pay for vendor images—when there's a security issue, we rely on our contract with vendors to get patched containers at no additional cost.
Chainguard offers a minimal production image and a separate development image for debugging. Developing apps with good logging practices definitely helps, too.
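One way to get the "production distroless image plus a separate debuggable image" pattern from the two answers above out of a single multi-stage build, as an added example that is not code from any poster here: both targets copy the same static binary from one build stage, so the debug variant differs only in the presence of a busybox shell. Assumptions: a Go service under ./cmd/server, and the public distroless images gcr.io/distroless/static-debian12:nonroot and :debug-nonroot (the latter ships busybox); tags would be pinned by digest in a real build.

```dockerfile
# Added example, not from the thread. Assumes a Go service at ./cmd/server
# and the distroless images named below (pin them by digest in real use).

# --- build stage: full toolchain, never shipped ---
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary so the runtime image needs no libc or shell.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/server ./cmd/server

# --- debug target: same binary, plus busybox so `docker exec -it <ctr> sh` works ---
FROM gcr.io/distroless/static-debian12:debug-nonroot AS debug
COPY --from=build /out/server /server
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/server"]

# --- production target (last stage = default build output): no shell, no package manager ---
FROM gcr.io/distroless/static-debian12:nonroot AS prod
COPY --from=build /out/server /server
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/server"]
```

Build the two variants from the same Dockerfile with `docker build --target prod -t app:prod .` and `docker build --target debug -t app:debug .`; a plain `docker build .` yields the prod stage because it is last, so nobody ships the shell by accident. The production image still has no package manager, so keep the logging and metrics advice in the other answers as the primary troubleshooting path and reserve the debug tag for reproducing a problem outside production.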
A good way to handle this transition is to keep your logs and metrics in mind. They can be super helpful for troubleshooting when you can't access the container directly.
I typically use minimal images and then leverage Packer to add any necessary tools. I switched from Ubuntu to Debian and added only the utilities I really need, which gives us precise control over our dependencies.