You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ko is a container image builder for Go programs that simplifies the process of building minimal and secure images. It uses distroless images as base, embeds SBOMs, and builds multi-platform images.
Currently Disco's images are built by Earthly, and use Ubuntu 24.04 as base. Moving to distroless would be more secure, simplify the build process, and reduce the image size considerably from the current ~140MB. SBOMs would be good to have as well.
I tried using distroless images in Earthly, but there's a blocking issue. There might be a workaround for it.
A potential blocker for adopting ko is that it also builds the Go binaries, which I would like to avoid, since the current build.sh script is simple and does what I need. It doesn't seem possible to use existing binaries and just building images with ko.
There are some alternatives:
Abandon the build.sh script, build images with ko, extract the binaries from the images, and build the packages using the same binaries. It's a bit hacky, but could work.
Use GoReleaser instead. I'm not a fan of it, and would rather not. It does support building images, and even supports ko, but has the same drawback of ko re-building the binaries. So this doesn't seem like an option.
The text was updated successfully, but these errors were encountered:
I managed to workaround building a distroless image with Earthly, and
this produces a slim 20MB image. :)
It also adds a volume for Disco data. I'll document a recommended workflow
with Podman shortly.
Part of #9
I managed to workaround building a distroless image with Earthly, and
this produces a slim 20MB image. :)
It also adds a volume for Disco data. I'll document a recommended workflow
with Podman shortly.
Part of #9
Since v0.1.1, images now use distroless/static-debian12 as base, so there's less of an urgency to switch to ko. If we can also embed SBOMs manually, we can close this issue as unplanned, but I'll leave it open in the meantime.
ko is a container image builder for Go programs that simplifies the process of building minimal and secure images. It uses distroless images as base, embeds SBOMs, and builds multi-platform images.
Currently Disco's images are built by Earthly, and use Ubuntu 24.04 as base. Moving to distroless would be more secure, simplify the build process, and reduce the image size considerably from the current ~140MB. SBOMs would be good to have as well.
I tried using distroless images in Earthly, but there's a blocking issue. There might be a workaround for it.
A potential blocker for adopting ko is that it also builds the Go binaries, which I would like to avoid, since the current
build.sh
script is simple and does what I need. It doesn't seem possible to use existing binaries and just building images with ko.There are some alternatives:
build.sh
script, build images with ko, extract the binaries from the images, and build the packages using the same binaries. It's a bit hacky, but could work.The text was updated successfully, but these errors were encountered: