I'm really frustrated with the fact that container images often come packed with a full operating system and loads of utilities that I'll never actually use. For example, a simple Go binary ends up including things like Bash, cURL, and a bunch of other tools, which just adds clutter and increases my vulnerability alerts. I've got a backlog of issues purely from wasteful base image bloat.
Has anyone transitioned to using distroless or minimal images in production? If so, how did you convince your team to make the switch? I keep hearing complaints from developers unable to shell into containers for debugging, but honestly, I think that's more of a feature than a downside. I'd love to get some practical advice on how to make this transition without causing any major disruptions.
2 Answers
If you're using Go, you can simplify things even more by starting from a scratch container after building your Go binaries. It keeps your image size minimal, but yeah, debugging does get tricky since there’s no shell available.
Using distroless images is definitely the way to go! You really shouldn't need to SSH into temporary containers. They serve their purpose well without the extra baggage.
To be fair, you shouldn't need to SSH in at all.

But wouldn't you still need Go or its libraries in a scratch container?
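A multi-stage Dockerfile showing the scratch/distroless approach discussed in the answers above, as an added example that is not from any of the posters. It assumes a Go module whose main package lives under ./cmd/app (a hypothetical path); the Go toolchain exists only in the build stage, so the runtime image needs neither Go nor its libraries:

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build a fully static binary. The Go toolchain, module cache and
# source live only here and never reach the runtime image.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 keeps libc out of the binary, so it has no shared-library
# dependencies at all; -trimpath and -ldflags="-s -w" drop build paths,
# symbol tables and DWARF debug info. ./cmd/app is an assumed path.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/app ./cmd/app

# Stage 2: runtime image with no shell, no package manager and no libc.
# distroless/static ships only CA certificates, tzdata and an /etc/passwd
# with a "nonroot" user. "FROM scratch" would work for the same binary but
# drops even those, so outbound TLS would fail without copying
# /etc/ssl/certs/ca-certificates.crt from the build stage yourself.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

For debugging without putting a shell back into the shipped image, attach an ephemeral container to the running pod (`kubectl debug -it POD --image=busybox --target=CONTAINER`), or use the `:debug` tag of the same distroless base, which adds a BusyBox shell, in a non-production deployment only.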