This would help to validate the benefits of distroless, and Mariner in general (a good dogfooding effort).
Originally, this was thought to have been blocked by not having a docker package in Mariner but I've now realized what we need is the `moby-cli` package. This allows us to run docker commands targeting the docker daemon on the host machine, connected by the docker socket.
My initial investigation into this has revealed a lot of changes necessary for this.
Tasks to complete:
- Update Image Builder container image to Azure Linux #1392
- Remove dependency on git CLI
  Currently Image Builder has a dependency on git for a single operation: to get the commit SHA of a file. Removing the dependency on the git CLI is useful because of the image size impact of including the `git` package in the image. It adds ~230 MB. The dependency on the git CLI can be replaced with equivalent logic that makes use of the libgit2sharp library, which is already used.
- Refactor pipeline to not rely on volume mounted artifacts directory
  As a result of running the container as a non-root user, that user does not have permission to write to the artifacts directory that gets volume mounted into the container. This is a bit of a tricky problem to solve that would add complexity to the system. Instead, it can be mitigated by removing the volume mount altogether. The use of volume mounting was only done as a convenience to get files out of the container, not to send files in. So the pipeline can be updated to just use `docker cp` to get those artifact files out of the container.
- Update Image Builder Dockerfile to be based on distroless Mariner
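The git replacement described in the second task, as an added example that is not Image Builder's own code: a LibGit2Sharp lookup of the last commit that touched a file, which is what shelling out to `git log -n 1 --format=%H -- <file>` would return. The class and method names are hypothetical, and it assumes the LibGit2Sharp NuGet package is already referenced by the project.

```csharp
// Added example (not Image Builder's own code): resolve the SHA of the most recent
// commit that modified a file with LibGit2Sharp, so the `git` CLI is not needed in
// the container image. Class and method names are hypothetical.
using System;
using System.IO;
using System.Linq;
using LibGit2Sharp;

public static class CommitShaResolver
{
    // Returns the full SHA of the latest commit that touched filePath, or null when the
    // file has no history in the repository (e.g. it is untracked or newly added).
    public static string GetLatestCommitSha(string filePath)
    {
        string fullPath = Path.GetFullPath(filePath);

        // Walk up from the file to locate the enclosing repository; returns null when the
        // path is not inside any git repository (the CLI would fail with "not a git repository").
        string repoPath = Repository.Discover(fullPath);
        if (repoPath == null)
        {
            throw new InvalidOperationException($"'{fullPath}' is not inside a git repository.");
        }

        using (var repo = new Repository(repoPath))
        {
            // LibGit2Sharp filters history by a path relative to the working directory and
            // expects forward slashes on every platform, so normalize before querying.
            string workDir = repo.Info.WorkingDirectory;
            string relativePath = Path.GetRelativePath(workDir, fullPath).Replace('\\', '/');

            // QueryBy(path) walks HEAD's history newest-first and yields only the commits
            // in which that path changed, so the first entry matches `git log -n 1 -- <path>`.
            LogEntry latest = repo.Commits.QueryBy(relativePath).FirstOrDefault();
            return latest?.Commit.Sha;
        }
    }
}
```

Two points worth keeping in mind when swapping this in for the CLI call: `Repository.Discover` is the equivalent of `git rev-parse --git-dir`, so an explicit null check gives a clearer failure than the library's own exception when Image Builder is pointed at a path outside a checkout; and the path passed to `QueryBy` must be relative to the working directory, which is why the normalization step is there rather than passing the absolute path through.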
Related work:
- Remove dependency on /bin/sh for moby-cli dependency graph microsoft/azurelinux#3811
  As a result of installing moby-cli, bash is also getting included. This issue was logged in hopes of being able to remove that since we don't want bash in a distroless container.