From a15dd7e7f848d2a99d74ba906c6b5cb5c8ffefa8 Mon Sep 17 00:00:00 2001
From: Robert Burke
Date: Wed, 7 Feb 2024 14:43:56 -0800
Subject: [PATCH] [Go SDK] Use distroless:debian12 (no-ssl) as base image. (#30011)
* [Go SDK] Use distroless:debian12 (no-ssl) as base image.
* ws lint
* Update changes
* add space
---------
Co-authored-by: lostluck <13907733+lostluck@users.noreply.github.com>
---
 CHANGES.md | 1 +
 sdks/go/container/Dockerfile | 15 +--------------
 2 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index c63464a6e01e..bb1dd5a117a4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -82,6 +82,7 @@
 ## Security Fixes
 * Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)).
+* Go SDK base container image moved to distroless/base-nossl-debian12, reducing vulnerable container surface to kernel and glibc ([#30011](https://github.com/apache/beam/pull/30011)).
 ## Known Issues
diff --git a/sdks/go/container/Dockerfile b/sdks/go/container/Dockerfile
index 7f1884cfb719..b3b2fbbec3a9 100644
--- a/sdks/go/container/Dockerfile
+++ b/sdks/go/container/Dockerfile
@@ -16,20 +16,12 @@
 # limitations under the License.
 ###############################################################################
-FROM debian:bookworm
+FROM gcr.io/distroless/base-nossl-debian12:latest
 LABEL Author "Apache Beam "
 ARG TARGETOS
 ARG TARGETARCH
-ARG pull_licenses
-
-RUN apt-get update && \
- DEBIAN_FRONTEND=noninteractive apt-get install -y \
- ca-certificates \
- && \
- rm -rf /var/lib/apt/lists/*
-
 ADD target/${TARGETOS}_${TARGETARCH}/boot /opt/apache/beam/
 COPY target/LICENSE /opt/apache/beam/
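Review bot: The new `FROM gcr.io/distroless/base-nossl-debian12:latest` line tracks a floating tag, so the base image can change on any rebuild with no diff in this repository, and two builds of the same commit may ship different layers. Since the change is listed under Security Fixes, pin the base by digest, e.g. `FROM gcr.io/distroless/base-nossl-debian12@sha256:<digest-placeholder>`, and bump the digest deliberately so base updates are reviewable. No `USER` instruction is visible in either hunk, so the boot binary presumably still runs as root; distroless also publishes a `nonroot` tag that is worth evaluating if the boot process does not need root (the file starts and continues outside this hunk). The context line `ADD target/${TARGETOS}_${TARGETARCH}/boot /opt/apache/beam/` copies a plain local file and could be `COPY`, matching the `COPY` lines that follow it.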
@@ -37,9 +29,4 @@ COPY target/NOTICE /opt/apache/beam/
 # Add Go licenses.
 COPY target/go-licenses/* /opt/apache/beam/third_party_licenses/golang/
-RUN if [ "$pull_licenses" = "false" ] ; then \
- # Remove above golang license and dir if pull licenses false
- rm -rf /opt/apache/beam/third_party_licenses ; \
- fi
-
 ENTRYPOINT ["/opt/apache/beam/boot"]