@yosida95
Contributor

go-httpbin is built fully statically and does not depend on libc, so it can use the distroless/static image. This change reduces the resulting image size by about half.

$ docker image ls
REPOSITORY                     TAG       IMAGE ID       CREATED          SIZE
go-httpbin                     nonroot   9910daab0040   38 minutes ago   19.5MB
ghcr.io/mccutchen/go-httpbin   2.18.3    115573352e3d   4 months ago     38.1MB

Since go-httpbin's default listening port is 8080, an unprivileged port, it can run as non-root. While this may break setups that use privileged ports, running as non-root provides a clear security advantage. Such users can continue using their ports by adding the CAP_NET_BIND_SERVICE capability.
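
The port rule behind the capability note above, as an added example that is not part of this pull request or of go-httpbin's code. The helper names `effectiveCaps` and `canBind` are hypothetical, the `/proc/<pid>/status` excerpts are constructed, and the check is a simplified model that ignores user namespaces.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed /proc/<pid>/status excerpts (not real captures): a non-root
// process with no effective capabilities, and one with only bit 10 set.
const (
	capNetBindService = 10 // bit index of CAP_NET_BIND_SERVICE in capability masks
	sampleNoCaps      = "Name:\thttpbin\nUid:\t65532\t65532\t65532\t65532\nCapEff:\t0000000000000000\n"
	sampleNetBind     = "Name:\thttpbin\nUid:\t65532\t65532\t65532\t65532\nCapEff:\t0000000000000400\n"
)

// effectiveCaps (hypothetical helper) extracts the CapEff mask from status text.
func effectiveCaps(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), "CapEff:") {
			hex := strings.TrimSpace(strings.TrimPrefix(sc.Text(), "CapEff:"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// canBind (hypothetical helper): port 0 and ports at or above
// net.ipv4.ip_unprivileged_port_start bind freely; lower ports need the capability.
func canBind(capEff uint64, port, unprivStart int) bool {
	if port == 0 || port >= unprivStart {
		return true
	}
	return capEff&(1<<capNetBindService) != 0
}

func main() {
	for _, s := range []string{sampleNoCaps, sampleNetBind} {
		caps, err := effectiveCaps(s)
		if err != nil {
			panic(err)
		}
		for _, port := range []int{8080, 80} {
			fmt.Printf("CapEff=%#x port=%d allowed=%v\n", caps, port, canBind(caps, port, 1024))
		}
	}
}
```

Feeding it the contents of `/proc/self/status` from inside a running container shows whether the capability actually reached the process's effective set.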

…onroot

go-httpbin is built fully statically and does not depend on libc, so it
can use the distroless/static image. This change reduces the resulting
image size by about half.

Since go-httpbin's default listening port is 8080, an unprivileged port,
it can run as non-root. While this may break setups that use privileged
ports, running as non-root provides a clear security advantage. Such
users can continue using their ports by adding the CAP_NET_BIND_SERVICE
capability.

Signed-off-by: Kohei YOSHIDA <kohei@yosida95.com>
@mccutchen
Owner

Oh I like this, thank you!

> Such users can continue using their ports by adding the CAP_NET_BIND_SERVICE capability.

Would you mind adding this note to the README under the docker instructions?

Thanks!

Signed-off-by: Kohei YOSHIDA <kohei@yosida95.com>
Signed-off-by: Kohei YOSHIDA <kohei@yosida95.com>
@yosida95
Contributor Author

@mccutchen I've updated the README and the Kubernetes manifest as well. Could you please take a look? Thanks!

@mccutchen
Owner

This looks great, thanks!

I love the thoroughness of the README update, but I might actually push a small commit to link out to documentation on CAP_NET_BIND_SERVICE to keep it brief, given that this is unlikely — I assume — to be a common need.

(Also, I'll fix the test failure separately.)

@codecov

codecov bot commented Oct 31, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.12%. Comparing base (d0da72b) to head (365c89b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #224   +/-   ##
=======================================
  Coverage   95.12%   95.12%           
=======================================
  Files          10       10           
  Lines        1827     1827           
=======================================
  Hits         1738     1738           
  Misses         52       52           
  Partials       37       37           

@mccutchen
Owner

> I love the thoroughness of the README update, but I might actually push a small commit to link out to documentation on CAP_NET_BIND_SERVICE to keep it brief, given that this is unlikely — I assume — to be a common need.

On second thought, I kept the more detailed info but moved it down below. I hope you don't mind!

Thanks a lot for the contribution, this is a nice little improvement to both image size and out-of-the-box security posture.

@mccutchen mccutchen merged commit cab8b3d into mccutchen:main Nov 1, 2025
5 checks passed