Use distroless base image for runtime container images#7637

Open

CharlieTLe wants to merge 1 commit into cortexproject:master from CharlieTLe:distroless-base-images

Conversation

@CharlieTLe

Member

What this PR does

Switches the runtime container images from alpine:3.23 to gcr.io/distroless/static-debian12 for all four runtime binaries:

  • cmd/cortex/Dockerfile
  • cmd/query-tee/Dockerfile
  • cmd/thanosconvert/Dockerfile
  • cmd/test-exporter/Dockerfile

The Cortex binaries are already built fully static and CGO-free (CGO_ENABLED=0, -extldflags "-static" -tags "netgo slicelabels"), so they have no shell or libc dependency at runtime — a clean fit for distroless. This reduces image size and attack surface (no shell, no package manager, no busybox).

Notes

  • CA certificates are bundled in gcr.io/distroless/static-debian12 (/etc/ssl/certs/ca-certificates.crt), so the apk add --no-cache ca-certificates step is dropped. TLS to object storage (S3/GCS/etc.) continues to work.
  • tzdata is also included in distroless static (alpine did not ship it by default — minor improvement).
  • The image continues to run as root (uid 0), not the :nonroot variant. Cortex's default server.http-listen-port is 80, a privileged port; staying root keeps the default config and the integration tests (which bind port 80) working with no breaking change. The base image is exposed as an overridable BASEIMG ARG so CI can pin to an immutable digest.
  • No shell is needed inside the cortex image — every Cortex e2e service uses an HTTP /ready readiness probe.

Checklist

  • CHANGELOG entry added
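The runtime-stage change described above, shown as an added illustration rather than the PR's actual cmd/cortex/Dockerfile (the binary path and the build-arg invocation are assumed):

```dockerfile
# Illustrative runtime stage for the cortex binary; not the PR's own file.

# --- Before: alpine runtime (shell, busybox and a package manager present) ---
# FROM alpine:3.23
# RUN apk add --no-cache ca-certificates
# COPY cortex /bin/cortex
# EXPOSE 80
# ENTRYPOINT ["/bin/cortex"]

# --- After: distroless static runtime ---
# The base image is an overridable ARG so CI can pin an immutable digest, e.g.
#   docker build --build-arg BASEIMG=gcr.io/distroless/static-debian12@sha256:<digest> .
# (<digest> is a placeholder; use the digest you have verified.)
ARG BASEIMG=gcr.io/distroless/static-debian12
FROM ${BASEIMG}

# static-debian12 already ships /etc/ssl/certs/ca-certificates.crt and tzdata,
# so the apk step is gone (there is no apk, or any other binary, to run it).
# The binary must be fully static (CGO_ENABLED=0, netgo): there is no libc here.
COPY cortex /bin/cortex

# Default server.http-listen-port is 80, a privileged port. No USER instruction,
# so the container stays uid 0; moving to the :nonroot variant would require
# changing the default listen port first.
EXPOSE 80

# Exec form is mandatory. The shell form (ENTRYPOINT /bin/cortex ...) would be
# wrapped in /bin/sh -c, and /bin/sh does not exist in a distroless image, so
# the container would fail to start.
ENTRYPOINT ["/bin/cortex"]
```

A quick check that the hardening took effect: `docker run --rm --entrypoint /bin/sh <image>` should fail because no shell is present, which is also why the e2e tests must rely on the HTTP /ready probe rather than an exec-based one.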

@dosubot dosubot Bot added component/build type/chore Something that needs to be done; not a bug or a feature labels Jun 23, 2026
Switch the cortex, query-tee, thanosconvert, and test-exporter runtime
images from alpine:3.23 to gcr.io/distroless/static-debian12. The binaries
are fully static (CGO_ENABLED=0, netgo), so they have no shell or libc
dependency at runtime. CA certificates are bundled in the distroless image,
so the apk ca-certificates install is dropped. The image continues to run as
root (uid 0) so the default HTTP listen port 80 keeps binding.

Signed-off-by: Charlie Le <charlie_le@apple.com>
@CharlieTLe CharlieTLe force-pushed the distroless-base-images branch from ed2b204 to 05bb32d Compare June 23, 2026 00:06

@SungJin1212 SungJin1212 left a comment


lgtm

@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jun 23, 2026