You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@beam.apache.org by lo...@apache.org on 2024/02/07 22:44:02 UTC

(beam) branch master updated: [Go SDK] Use distroless:debian12 (no-ssl) as base image. (#30011)

This is an automated email from the ASF dual-hosted git repository.

lostluck pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git


The following commit(s) were added to refs/heads/master by this push:
     new a15dd7e7f84 [Go SDK] Use distroless:debian12 (no-ssl) as base image. (#30011)
a15dd7e7f84 is described below

commit a15dd7e7f848d2a99d74ba906c6b5cb5c8ffefa8
Author: Robert Burke <lo...@users.noreply.github.com>
AuthorDate: Wed Feb 7 14:43:56 2024 -0800

    [Go SDK] Use distroless:debian12 (no-ssl) as base image. (#30011)
    
    * [Go SDK] Use distroless:debian12 (no-ssl) as base image.
    
    * ws lint
    
    * Update changes
    
    * add space
    
    ---------
    
    Co-authored-by: lostluck <13...@users.noreply.github.com>
---
 CHANGES.md                   |  1 +
 sdks/go/container/Dockerfile | 15 +--------------
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index c63464a6e01..bb1dd5a117a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -82,6 +82,7 @@
 
 ## Security Fixes
 * Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)).
+* Go SDK base container image moved to distroless/base-nossl-debian12, reducing vulnerable container surface to kernel and glibc ([#30011](https://github.com/apache/beam/pull/30011)).
 
 ## Known Issues
 
diff --git a/sdks/go/container/Dockerfile b/sdks/go/container/Dockerfile
index 7f1884cfb71..b3b2fbbec3a 100644
--- a/sdks/go/container/Dockerfile
+++ b/sdks/go/container/Dockerfile
@@ -16,20 +16,12 @@
 # limitations under the License.
 ###############################################################################
 
-FROM debian:bookworm
+FROM gcr.io/distroless/base-nossl-debian12:latest
 LABEL Author "Apache Beam <de...@beam.apache.org>"
 
 ARG TARGETOS
 ARG TARGETARCH
 
-ARG pull_licenses
-
-RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install -y \
-        ca-certificates \
-        && \
-    rm -rf /var/lib/apt/lists/*
-
 ADD target/${TARGETOS}_${TARGETARCH}/boot /opt/apache/beam/
 
 COPY target/LICENSE /opt/apache/beam/
@@ -37,9 +29,4 @@ COPY target/NOTICE /opt/apache/beam/
 
 # Add Go licenses.
 COPY target/go-licenses/* /opt/apache/beam/third_party_licenses/golang/
-RUN if [ "$pull_licenses" = "false" ] ; then \
-    # Remove above golang license and dir if pull licenses false
-    rm -rf /opt/apache/beam/third_party_licenses ; \
-   fi
-
 ENTRYPOINT ["/opt/apache/beam/boot"]