deployment/docker/Makefile: switch base Docker image from Alpine to scratch#1353
Open
vadimalekseev wants to merge 1 commit into
Open
deployment/docker/Makefile: switch base Docker image from Alpine to scratch#1353vadimalekseev wants to merge 1 commit into
vadimalekseev wants to merge 1 commit into
Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
1 issue found across 6 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="docs/victorialogs/CHANGELOG.md">
<violation number="1" location="docs/victorialogs/CHANGELOG.md:30">
P3: The changelog inaccurately states that timezone data comes from `gcr.io/distroless/static`; according to this PR, timezone data is injected into the binary, while only CA certificates are taken from that image.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
vadimalekseev
commented
Apr 23, 2026
| ROOT_IMAGE ?= alpine:3.23.3 | ||
| CERTS_IMAGE := alpine:3.23.3 | ||
| ROOT_IMAGE ?= scratch | ||
| CERTS_IMAGE := gcr.io/distroless/static:latest@sha256:47b2d72ff90843eb8a768b5c2f89b40741843b639d065b9b937b07cd59b479c6 |
Member
Author
There was a problem hiding this comment.
We pin the version because distroless does not support versioning. We use the image hash to ensure we use actual certificates. The downside is that we must update the hash manually. Probably an update bot cat do it once a week.
An alternative solution is to pull the latest gcr.io/distroless/static:latest image just before the build.
vadimalekseev
commented
Apr 23, 2026
|
|
||
| ## tip | ||
|
|
||
| **Update note 1:** the base Docker image has been changed from Alpine to `scratch`. If you relied on Alpine-specific tools or shell access inside the container, it is recommended to use Alpine-based image directly instead. For debugging in Kubernetes use `kubectl debug`. |
Member
Author
There was a problem hiding this comment.
A case where users can use the knowledge that VictoriaLogs is an Alpine-based image: #1228 (comment)
vadimalekseev
force-pushed
the
scratch
branch
2 times, most recently
from
ab88308 to
3c501c1
Compare
…cratch The new images contain only CA certificates from gcr.io/distroless/static The new images do not copy /etc/passwd and /etc/group, since VictoriaMetrics/VictoriaLogs/VictoriaTraces projects do not import the os/user package The new images do not copy `/usr/share/zoneinfo`, since we inject the timezone data into binary: https://github.com/VictoriaMetrics/VictoriaMetrics/blob/cf23dc6480f77b79de500f145135a8f7be0ac065/lib/logger/tzdata.go#L8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The new images contain only CA certificates from
gcr.io/distroless/static.The new images do not copy
/etc/passwdand/etc/group, since VictoriaMetrics/VictoriaLogs/VictoriaTraces projects do not import theos/userpackage.The new images do not copy
/usr/share/zoneinfo, since we inject the timezone data into binary:https://github.com/VictoriaMetrics/VictoriaMetrics/blob/cf23dc6480f77b79de500f145135a8f7be0ac065/lib/logger/tzdata.go
We do not use distroless because it is incompatible with the
linux/386platform.Closes #1228
Examples of what the new images look like:
https://hub.docker.com/layers/victoriametrics/victoria-logs/heads-master-0-g251d406df-dirty-3ee74bd4/images/sha256-74cfe686d0d6dffadb711a0d8e5ba17e5f1f83485f4a432f77402c6cbfe9b52c
https://hub.docker.com/layers/victoriametrics/vlagent/heads-master-0-g251d406df-dirty-3ee74bd4/images/sha256-0c8c3cd94bff87da93a1649f7e8b6c87a6c64ccf14f4e2b14966a85c4e840c34