From 3567639f78881791842c6675909aacf52257abd9 Mon Sep 17 00:00:00 2001
From: Vadim Alekseev
Date: Thu, 23 Apr 2026 16:49:24 +0400
Subject: [PATCH] deployment/docker/Makefile: switch base Docker image from Alpine to scratch

The new images contain only CA certificates from gcr.io/distroless/static
The new images do not copy /etc/passwd and /etc/group, since VictoriaMetrics/VictoriaLogs/VictoriaTraces projects do not import the os/user package
The new images do not copy `/usr/share/zoneinfo`, since we inject the timezone data into binary: https://github.com/VictoriaMetrics/VictoriaMetrics/blob/cf23dc6480f77b79de500f145135a8f7be0ac065/lib/logger/tzdata.go#L8
---
 app/victoria-logs/multiarch/Dockerfile | 5 +++--
 app/vlagent/multiarch/Dockerfile | 5 +++--
 app/vlogscli/multiarch/Dockerfile | 5 +++--
 deployment/docker/Makefile | 6 +++---
 deployment/docker/base/Dockerfile | 2 --
 docs/victorialogs/CHANGELOG.md | 3 +++
 6 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/app/victoria-logs/multiarch/Dockerfile b/app/victoria-logs/multiarch/Dockerfile
index f27828d81d..8634eea06e 100644
--- a/app/victoria-logs/multiarch/Dockerfile
+++ b/app/victoria-logs/multiarch/Dockerfile
@@ -1,8 +1,9 @@
 # See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
 ARG certs_image=non-existing
 ARG root_image=non-existing
-FROM $certs_image AS certs
-RUN apk update && apk upgrade && apk --update --no-cache add ca-certificates
+# Use $BUILDPLATFORM since ca-certificates are platform-independent,
+# and distroless does not support all target platforms (e.g. i386).
+FROM --platform=$BUILDPLATFORM $certs_image AS certs
 
 FROM $root_image
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
diff --git a/app/vlagent/multiarch/Dockerfile b/app/vlagent/multiarch/Dockerfile
index 289a0ab018..6caf52444c 100644
--- a/app/vlagent/multiarch/Dockerfile
+++ b/app/vlagent/multiarch/Dockerfile
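Review bot: The final stage in this hunk (`FROM $root_image`, which deployment/docker/Makefile now sets to `scratch`) still carries no `USER` directive, so the binary keeps running as UID 0 in an image that no longer has any shell or package manager to fall back on; because the commit deliberately stops copying /etc/passwd, a named user cannot resolve, but a numeric form such as `USER 65534:65534` works on scratch, provided any path the binary writes to is owned accordingly — this deserves an explicit decision rather than an inherited default. The rest of this Dockerfile (ENTRYPOINT, EXPOSE, the remaining COPY lines) lies outside the hunk. A smaller point: the removed `apk upgrade && apk ... add ca-certificates` refreshed the CA bundle on every build, whereas the bundle is now taken from a digest-pinned distroless image, so CA updates only arrive when that digest is bumped in the Makefile; a comment next to `CERTS_IMAGE` saying so would make the maintenance path visible. The identical hunks in app/vlagent/multiarch/Dockerfile and app/vlogscli/multiarch/Dockerfile share both points.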
@@ -1,8 +1,9 @@
 # See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
 ARG certs_image=non-existing
 ARG root_image=non-existing
-FROM $certs_image AS certs
-RUN apk update && apk upgrade && apk --update --no-cache add ca-certificates
+# Use $BUILDPLATFORM since ca-certificates are platform-independent,
+# and distroless does not support all target platforms (e.g. i386).
+FROM --platform=$BUILDPLATFORM $certs_image AS certs
 
 FROM $root_image
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
diff --git a/app/vlogscli/multiarch/Dockerfile b/app/vlogscli/multiarch/Dockerfile
index e3592e0ba0..9508b47ea1 100644
--- a/app/vlogscli/multiarch/Dockerfile
+++ b/app/vlogscli/multiarch/Dockerfile
@@ -1,8 +1,9 @@
 # See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
 ARG certs_image=non-existing
 ARG root_image=non-existing
-FROM $certs_image AS certs
-RUN apk update && apk upgrade && apk --update --no-cache add ca-certificates
+# Use $BUILDPLATFORM since ca-certificates are platform-independent,
+# and distroless does not support all target platforms (e.g. i386).
+FROM --platform=$BUILDPLATFORM $certs_image AS certs
 
 FROM $root_image
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
diff --git a/deployment/docker/Makefile b/deployment/docker/Makefile
index 73488989a2..2c7a0b654a 100644
--- a/deployment/docker/Makefile
+++ b/deployment/docker/Makefile
@@ -3,13 +3,13 @@
 DOCKER_REGISTRIES ?= docker.io quay.io
 DOCKER_NAMESPACE ?= victoriametrics
 
-ROOT_IMAGE ?= alpine:3.23.3
-CERTS_IMAGE := alpine:3.23.3
+ROOT_IMAGE ?= scratch
+CERTS_IMAGE := gcr.io/distroless/static:latest@sha256:47b2d72ff90843eb8a768b5c2f89b40741843b639d065b9b937b07cd59b479c6
 
 GO_BUILDER_IMAGE := golang:1.26.2
 BUILDER_IMAGE := local/builder:2.0.0-$(shell echo $(GO_BUILDER_IMAGE) | tr :/ __)-1
 
-BASE_IMAGE := local/base:1.1.4-$(shell echo $(ROOT_IMAGE) | tr :/ __)-$(shell echo $(CERTS_IMAGE) | tr :/ __)
+BASE_IMAGE := local/base:1.1.4-$(shell echo $(ROOT_IMAGE) | tr :/@ __)-$(shell echo $(CERTS_IMAGE) | tr :/@ __)
 DOCKER ?= docker
 DOCKER_RUN ?= $(DOCKER) run
 DOCKER_BUILD ?= $(DOCKER) build
diff --git a/deployment/docker/base/Dockerfile b/deployment/docker/base/Dockerfile
index 59f3a20ef6..23abc4ad7a 100644
--- a/deployment/docker/base/Dockerfile
+++ b/deployment/docker/base/Dockerfile
@@ -3,8 +3,6 @@
 ARG certs_image=non-existing
 ARG root_image=non-existing
 
 FROM $certs_image AS certs
-RUN apk update && apk upgrade && apk --update --no-cache add ca-certificates
-
 FROM $root_image
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
diff --git a/docs/victorialogs/CHANGELOG.md b/docs/victorialogs/CHANGELOG.md
index b6ada3a195..da90ffcf84 100644
--- a/docs/victorialogs/CHANGELOG.md
+++ b/docs/victorialogs/CHANGELOG.md
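Review bot: `tr :/@ __` in the new `BASE_IMAGE` line relies on `tr` padding SET2 with its last character; GNU tr does that by default, but in POSIX mode (`POSIXLY_CORRECT`, equivalent to `--truncate-set1`) SET1 is truncated to the length of SET2 instead, so the `@` from the digest would survive into a tag that is then not a valid image reference. Spelling the mapping out, `tr :/@ ___` in both `$(shell …)` calls, removes the dependency on that behaviour. The digest pin on `CERTS_IMAGE` is the right call, and with a digest present the `latest` tag is informational only; a one-line comment above it stating which distroless release the digest corresponds to, and that bumping it is how the CA bundle gets refreshed now that `apk upgrade` is gone, would make the maintenance path visible.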
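Review bot: `FROM $certs_image AS certs` in the base/Dockerfile hunk is left without `--platform=$BUILDPLATFORM`, unlike the three app/*/multiarch/Dockerfile hunks in this commit, even though `CERTS_IMAGE` now resolves to the same distroless image the commit message says is unavailable for some target platforms (e.g. i386); if this base image is built for that platform matrix, the pull would fail there. Aligning it as `FROM --platform=$BUILDPLATFORM $certs_image AS certs`, with the same explanatory comment, keeps both paths consistent. The diffstat shows only two deletions in this file, so any `COPY --from=certs /etc/passwd` or `/etc/group` lines below this hunk would be unchanged; distroless static does ship those files, so that would still build, but it would contradict the commit message's statement that the new images no longer copy them — worth checking the rest of the file, which is outside the hunk.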
@@ -22,9 +22,12 @@ according to the following docs:
 
 ## tip
 
+**Update note 1:** the base Docker image has been changed from Alpine to `scratch`. If you relied on Alpine-specific tools or shell access inside the container, it is recommended to use Alpine-based image directly instead. For debugging in Kubernetes it is recommended to use `kubectl debug`.
+
 * FEATURE: [querying API](https://docs.victoriametrics.com/victorialogs/querying/): allow using [`limit`](https://docs.victoriametrics.com/victorialogs/logsql/#limit-pipe) and [`offset`](https://docs.victoriametrics.com/victorialogs/logsql/#offset-pipe) pipes after the [`stats` pipe](https://docs.victoriametrics.com/victorialogs/logsql/#stats-pipe) in queries to [`/select/logsql/stats_query`](https://docs.victoriametrics.com/victorialogs/querying/#querying-log-stats). This enables the usage for these pipes in [alerting and recording rules for VictoriaLogs](https://docs.victoriametrics.com/victorialogs/vmalert/). See [#1296](https://github.com/VictoriaMetrics/VictoriaLogs/issues/1296).
 * FEATURE: [alerts](https://github.com/VictoriaMetrics/VictoriaLogs/blob/master/deployment/docker/rules): add new alerting rules `PersistentQueueRunsOutOfSpaceIn12Hours` and `PersistentQueueRunsOutOfSpaceIn4Hours` for `vlagent` persistent queue capacity. These alerts help users to take proactive actions before `vlagent` starts dropping logs due to insufficient persistent queue space. See [#10193](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10193)
 * FEATURE: [web UI](https://docs.victoriametrics.com/victorialogs/querying/#web-ui): remove the `Date format` setting and always display timestamps with nanosecond precision. See [#1161](https://github.com/VictoriaMetrics/VictoriaLogs/issues/1161).
+* FEATURE: switch base Docker image from Alpine to `scratch` for VictoriaLogs, `vlagent` and `vlogscli`. The new images contain only CA certificates from `gcr.io/distroless/static`. This reduces the image size and attack surface.
 * BUGFIX: [web UI](https://docs.victoriametrics.com/victorialogs/querying/#web-ui): sanitize markdown URLs in logs rendered with `markdown parsing` enabled, allowing only `http`, `https`, `mailto`, and `tel` schemes for active links and images. See [#1313](https://github.com/VictoriaMetrics/VictoriaLogs/pull/1313).
 * BUGFIX: [web UI](https://docs.victoriametrics.com/victorialogs/querying/#web-ui): improve context view highlight visibility in dark theme. The selected log entry is now highlighted with a more visible blue tint instead of barely visible gray background. See [#1196](https://github.com/VictoriaMetrics/VictoriaLogs/issues/1196).