In this blog post I’ll walk through the creation of a Python Docker image based on the Distroless base images published by Google, but with an up-to-date version of Python and current operating system updates - unlike their experimental (and unsupported) Python image. The resulting image keeps the same security and operational benefits: no shell and no unnecessary OS libraries, which reduces the attack surface, and a tiny image size.
Don’t need the background and just want to see how I built it? Jump to that section. The source code for all of what follows can be found on GitHub too.
A little bit like the term “serverless”, the term Distroless (in my opinion anyway!) is a trendy misnomer. The Linux distribution is still there - what we really mean is a container image that contains as little of an operating system as possible: just enough to run your application. In particular, there’s no shell, so there is nothing for an attacker who lands code execution in the container to drop into interactively.
Whilst distributions like Alpine Linux are excellent at shrinking images too, you still have a shell (and the apk package manager) to (ab)use. If you’re interested in more detail, here’s a great article by one of my former colleagues on this.
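To make the “no shell” property something you can actually verify rather than take on trust, here is an added example (it is not code from the original post, nor from Google’s Distroless project) that scans an exported container root filesystem for interactive shells and package managers. It reads the tar that `docker export <container>` produces, so it runs offline against a file; the two sample root filesystems below are constructed inline purely to exercise the check, and the path lists are my own assumptions about where such binaries usually live.

```python
"""Check an exported container root filesystem for shells and package managers.

Usage against a real image (assumed commands, run outside this script):
    docker create --name probe my-python-image
    docker export probe > rootfs.tar
then call find_unwanted_binaries(open("rootfs.tar", "rb").read()).
"""
import io
import tarfile

# Assumed lists of well-known locations. A shell at an unusual path would
# be missed, so treat this as a smoke test, not proof of absence.
SHELLS = {
    "bin/sh", "bin/bash", "bin/dash", "bin/ash", "bin/zsh", "bin/busybox",
    "usr/bin/sh", "usr/bin/bash", "usr/bin/dash", "usr/bin/zsh", "usr/bin/busybox",
}
PACKAGE_MANAGERS = {
    "usr/bin/apt", "usr/bin/apt-get", "usr/bin/dpkg", "sbin/apk",
    "usr/bin/yum", "usr/bin/dnf", "usr/bin/pip", "usr/bin/pip3",
}


def _normalise(name):
    """tar entries may be written as 'bin/sh' or './bin/sh'; compare without the prefix."""
    return name[2:] if name.startswith("./") else name.lstrip("/")


def find_unwanted_binaries(tar_bytes):
    """Return a sorted list of (path, kind) for every shell or package manager in the tar.

    Symlinks are reported with their target so that e.g. Alpine's
    /bin/sh -> /bin/busybox is visible as the busybox shell it really is.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            path = _normalise(member.name)
            if path in SHELLS:
                kind = "shell"
            elif path in PACKAGE_MANAGERS:
                kind = "package-manager"
            else:
                continue
            if member.issym() or member.islnk():
                kind += f" (link -> {member.linkname})"
            findings.append((path, kind))
    return sorted(findings)


def is_distroless(tar_bytes):
    """True when the root filesystem carries neither a shell nor a package manager."""
    return not find_unwanted_binaries(tar_bytes)


def _build_rootfs(entries):
    """Construct a minimal rootfs tar in memory. entries: (path, kind, link_target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, kind, target in entries:
            info = tarfile.TarInfo(path)
            if kind == "file":
                payload = b"\x7fELF"  # constructed stand-in for an executable
                info.size = len(payload)
                info.mode = 0o755
                tf.addfile(info, io.BytesIO(payload))
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tf.addfile(info)
            else:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
    return buf.getvalue()


# Constructed samples: an Alpine-like layout and a distroless-like layout.
ALPINE_LIKE = _build_rootfs([
    ("bin", "dir", None),
    ("bin/busybox", "file", None),
    ("bin/sh", "symlink", "/bin/busybox"),
    ("sbin", "dir", None),
    ("sbin/apk", "file", None),
    ("usr/bin/python3", "file", None),
])
DISTROLESS_LIKE = _build_rootfs([
    ("usr/bin", "dir", None),
    ("usr/bin/python3.11", "file", None),
    ("lib/x86_64-linux-gnu/libc.so.6", "file", None),
])

if __name__ == "__main__":
    for label, rootfs in (("alpine-like", ALPINE_LIKE), ("distroless-like", DISTROLESS_LIKE)):
        print(label, "distroless" if is_distroless(rootfs) else find_unwanted_binaries(rootfs))
```

Because this only looks at well-known paths, a clean result is a smoke test rather than a guarantee; the complementary runtime check is simply `docker run --rm --entrypoint /bin/sh <image> -c true`, which should fail to start on a genuinely shell-free image.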