1
00:00:02,610 --> 00:00:05,549
What do you think about distroless images?

2
00:00:05,610 --> 00:00:08,460
Is it a good trade-off between size and security?

3
00:00:09,060 --> 00:00:12,030
I would say if you can do

4
00:00:12,810 --> 00:00:15,929
distroless images, and what we mean by this, the term

5
00:00:16,830 --> 00:00:18,680
is in flux.

6
00:00:18,720 --> 00:00:21,269
I feel like distroless images

7
00:00:21,710 --> 00:00:24,540
is complicated. I feel like just saying scratch images

8
00:00:25,200 --> 00:00:28,230
might be an easier way to say it. But, it is correct to say

9
00:00:28,680 --> 00:00:31,860
distroless image, meaning there is no base package

10
00:00:31,950 --> 00:00:33,929
system. There's no apt. There's no yum.

11
00:00:34,110 --> 00:00:36,179
There's not all those different commands that you would

12
00:00:36,240 --> 00:00:38,669
assume are in a container if you use one of the official

13
00:00:38,670 --> 00:00:41,549
images. The thing is, distroless images

14
00:00:42,000 --> 00:00:44,058
aren't very common because of two reasons.

15
00:00:44,670 --> 00:00:46,238
One, most programs need all that

16
00:00:47,670 --> 00:00:49,740
stuff in order to work.

17
00:00:49,770 --> 00:00:52,169
They need apt package dependencies.

18
00:00:52,440 --> 00:00:53,616
They need their own

19
00:00:55,500 --> 00:00:58,799
OpenSSL libraries. They need all sorts of stuff in addition

20
00:00:58,800 --> 00:00:59,800
to the program that's in there, right.

21
00:01:00,240 --> 00:01:01,799
That's most applications today.

22
00:01:02,760 --> 00:01:05,969
Golang, C, some other languages

23
00:01:06,000 --> 00:01:08,909
can build single binaries

24
00:01:09,210 --> 00:01:11,167
that basically have everything they need to run, other

25
00:01:12,540 --> 00:01:14,969
than the kernel. Those things

26
00:01:15,510 --> 00:01:18,009
are technically able to remove everything below it.

27
00:01:18,213 --> 00:01:21,090
All of the layers and your image could go away.

28
00:01:21,660 --> 00:01:24,551
I don't see them a lot in the wild yet because I don't work

29
00:01:24,930 --> 00:01:27,749
with Google, and Netflix, and

30
00:01:28,290 --> 00:01:30,750
huge teams of people that are super professional at this.

31
00:01:31,260 --> 00:01:33,149
The two reasons here is, one, you have to have a language

32
00:01:33,150 --> 00:01:35,429
that supports it, and you have to have a team that

33
00:01:35,430 --> 00:01:37,140
understands how to build these properly.

34
00:01:37,740 --> 00:01:40,829
Then, you have to really be good at troubleshooting and

35
00:01:40,830 --> 00:01:42,470
how containers in namespaces work.

36
00:01:42,476 --> 00:01:45,659
Because the minute that distroless image runs

37
00:01:45,660 --> 00:01:48,599
in a container and you have a problem, you can't even shell

38
00:01:48,600 --> 00:01:49,600
into it.

39
00:01:49,650 --> 00:01:51,599
There's no shell. You can't get into it.

40
00:01:51,600 --> 00:01:54,599
You can't look at it. So, now your tooling

41
00:01:54,660 --> 00:01:57,719
is limited, and you have to start looking at other ways

42
00:01:57,930 --> 00:02:00,330
to connect your tooling into those containers.

43
00:02:00,600 --> 00:02:03,179
That exists. There are those things out there that will do

44
00:02:03,180 --> 00:02:06,389
that for you, but it largely depends on your skill set

45
00:02:06,420 --> 00:02:08,304
in terms of how you deal with namespaces.

46
00:02:09,030 --> 00:02:11,333
How can you jump in as a sidecar into a running

47
00:02:12,240 --> 00:02:14,984
container in its namespace from the command line without

48
00:02:15,150 --> 00:02:16,150
using Docker?

49
00:02:16,710 --> 00:02:19,199
Those are the kind of problems that creep up when you're

50
00:02:19,200 --> 00:02:21,689
dealing with troubleshooting or system monitoring and

51
00:02:21,690 --> 00:02:24,150
maintenance when you have distroless images.

52
00:02:24,570 --> 00:02:26,609
For everyone that I work with that's starting out with

53
00:02:26,610 --> 00:02:28,496
containers, their first couple of projects in containers, I

54
00:02:29,400 --> 00:02:32,490
don't mention this stuff because size is just size.

55
00:02:33,450 --> 00:02:34,782
You can always add more disk space to a server, right.

56
00:02:35,760 --> 00:02:38,339
No reason to make a whole team run around learning all

57
00:02:38,340 --> 00:02:41,340
sorts of new tooling and stuff just so that

58
00:02:41,760 --> 00:02:43,611
you can have less disk space used on a server.

59
00:02:43,612 --> 00:02:45,539
I personally don't care about size.

60
00:02:46,500 --> 00:02:49,050
Security is a theoretical thing.

61
00:02:49,380 --> 00:02:52,289
In theory, all those things

62
00:02:52,860 --> 00:02:55,139
getting removed from a container image might make it more

63
00:02:55,140 --> 00:02:57,449
secure. Let's talk about out in the wild, though.

64
00:02:58,020 --> 00:03:01,169
How many opportunities does someone have to mess

65
00:03:01,170 --> 00:03:03,989
around with other tooling in your container outside of your

66
00:03:03,990 --> 00:03:07,139
app? Let's say that cURL has a vulnerability

67
00:03:07,140 --> 00:03:08,660
in it, but your app doesn't use cURL.

68
00:03:08,910 --> 00:03:10,440
It just happens to be in the image.

69
00:03:10,710 --> 00:03:12,499
How is someone going to get access to that, right?

70
00:03:13,350 --> 00:03:15,019
They're going to have to break through your app.

71
00:03:15,240 --> 00:03:16,800
So, your app has to have an exploit.

72
00:03:17,220 --> 00:03:19,866
Then in theory, they could run the cURL command in the

73
00:03:20,100 --> 00:03:22,610
container, right. So, that's really what this distroless

74
00:03:22,800 --> 00:03:26,310
stuff is about is the theoretical

75
00:03:26,340 --> 00:03:29,759
security bonuses of not including other applications.

76
00:03:30,030 --> 00:03:32,339
The reality is, though, once you build a static binary,

77
00:03:32,760 --> 00:03:35,406
you're already including a lot of those libraries that

78
00:03:35,430 --> 00:03:37,635
could be vulnerable like OpenSSL, which is a

79
00:03:38,430 --> 00:03:41,460
common way to connect applications with

80
00:03:41,580 --> 00:03:42,580
SSL security, right.

81
00:03:43,170 --> 00:03:46,199
Well, if that has a vulnerability and you statically build

82
00:03:46,200 --> 00:03:47,939
it into your app, it's still there.

83
00:03:48,240 --> 00:03:50,419
It's just not a separate file on the container.

84
00:03:50,430 --> 00:03:52,499
It's in your app in a single binary.

85
00:03:52,778 --> 00:03:55,529
In fact, it actually makes it harder to security scan that

86
00:03:55,530 --> 00:03:58,770
because now, every scanner that I know of won't

87
00:03:59,040 --> 00:04:01,620
catch that OpenSSL binary if it's

88
00:04:02,070 --> 00:04:04,550
built in. So, a lot of this stuff is theoretical.

89
00:04:06,330 --> 00:04:08,535
I don't tend to push teams toward theoretical

90
00:04:09,990 --> 00:04:12,600
security features. I look more at

91
00:04:14,280 --> 00:04:15,699
look what's happening in the wild, right.

92
00:04:15,900 --> 00:04:17,849
Docker daemons are getting exposed.

93
00:04:17,920 --> 00:04:20,713
Kubernetes doesn't have proper authentication, so it gets

94
00:04:21,029 --> 00:04:24,040
exposed. Those are the real problems that I see is, you

95
00:04:24,060 --> 00:04:26,902
know, the things that focus on are the things that we keep

96
00:04:27,060 --> 00:04:29,369
hearing about in the news that people are getting hacked

97
00:04:29,370 --> 00:04:32,609
with, right. This kind of stuff with theoretical security

98
00:04:32,610 --> 00:04:34,980
in removing files from images.

99
00:04:35,940 --> 00:04:38,980
That's just more in the theoretical realm.

100
00:04:39,000 --> 00:04:40,470
It's not a reason not to do it.

101
00:04:40,860 --> 00:04:43,949
Just like this list, everything in this list,

102
00:04:43,980 --> 00:04:46,949
I would do first before I would start going down

103
00:04:46,950 --> 00:04:48,239
that road of hard stuff.

104
00:04:48,360 --> 00:04:51,540
I do consider distroless images relatively hard.

105
00:04:51,600 --> 00:04:54,599
Unless you're already a Go programmer and already

106
00:04:54,660 --> 00:04:57,554
your whole team is really good at namespaces,

107
00:04:58,200 --> 00:05:00,084
and Docker commands and stuff like that.

108
00:05:00,510 --> 00:05:01,829
I don't just mean regular Docker commands.

109
00:05:01,860 --> 00:05:05,279
I mean complicated stuff that helps you troubleshoot

110
00:05:05,310 --> 00:05:08,010
containers that don't have shells in them, for example.

111
00:05:08,310 --> 00:05:09,689
So, it's a great question.

112
00:05:09,900 --> 00:05:11,279
It comes up all the time.

113
00:05:11,520 --> 00:05:14,219
Everyone asks me about it when we have security discussions

114
00:05:14,220 --> 00:05:17,062
because it's a popular topic. But, it's not even in my top

115
00:05:17,310 --> 00:05:18,310
ten.

116
00:05:18,680 --> 00:05:19,559
I hope that helps.