deployment/docker/Makefile: switch base Docker image from Alpine to scratch

app/victoria-logs/multiarch/Dockerfile

@@ -1,8 +1,9 @@
 # See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
 ARG certs_image=non-existing
 ARG root_image=non-existing
-FROM $certs_image AS certs
-RUN apk update && apk upgrade && apk --update --no-cache add ca-certificates
+# Use $BUILDPLATFORM since ca-certificates are platform-independent,
+# and distroless does not support all target platforms (e.g. i386).
+FROM --platform=$BUILDPLATFORM $certs_image AS certs
 
 FROM $root_image
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

app/vlagent/multiarch/Dockerfile

@@ -1,8 +1,9 @@
 # See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
 ARG certs_image=non-existing
 ARG root_image=non-existing
-FROM $certs_image AS certs
-RUN apk update && apk upgrade && apk --update --no-cache add ca-certificates
+# Use $BUILDPLATFORM since ca-certificates are platform-independent,
+# and distroless does not support all target platforms (e.g. i386).
+FROM --platform=$BUILDPLATFORM $certs_image AS certs
 
 FROM $root_image
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

app/vlogscli/multiarch/Dockerfile

@@ -1,8 +1,9 @@
 # See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
 ARG certs_image=non-existing
 ARG root_image=non-existing
-FROM $certs_image AS certs
-RUN apk update && apk upgrade && apk --update --no-cache add ca-certificates
+# Use $BUILDPLATFORM since ca-certificates are platform-independent,
+# and distroless does not support all target platforms (e.g. i386).
+FROM --platform=$BUILDPLATFORM $certs_image AS certs
 
 FROM $root_image
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

deployment/docker/Makefile

@@ -3,13 +3,13 @@
 DOCKER_REGISTRIES ?= docker.io quay.io
 DOCKER_NAMESPACE ?= victoriametrics
 
-ROOT_IMAGE ?= alpine:3.23.3
-CERTS_IMAGE := alpine:3.23.3
+ROOT_IMAGE ?= scratch
+CERTS_IMAGE := gcr.io/distroless/static:latest@sha256:47b2d72ff90843eb8a768b5c2f89b40741843b639d065b9b937b07cd59b479c6
 
 GO_BUILDER_IMAGE := golang:1.26.2
 
 BUILDER_IMAGE := local/builder:2.0.0-$(shell echo $(GO_BUILDER_IMAGE) | tr :/ __)-1
-BASE_IMAGE := local/base:1.1.4-$(shell echo $(ROOT_IMAGE) | tr :/ __)-$(shell echo $(CERTS_IMAGE) | tr :/ __)
+BASE_IMAGE := local/base:1.1.4-$(shell echo $(ROOT_IMAGE) | tr :/@ __)-$(shell echo $(CERTS_IMAGE) | tr :/@ __)
 DOCKER ?= docker
 DOCKER_RUN ?= $(DOCKER) run
 DOCKER_BUILD ?= $(DOCKER) build

deployment/docker/base/Dockerfile

@@ -3,8 +3,6 @@ ARG certs_image=non-existing
 ARG root_image=non-existing
 FROM $certs_image AS certs
 
-RUN apk update && apk upgrade && apk --update --no-cache add ca-certificates
-
 FROM $root_image
 
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

docs/victorialogs/CHANGELOG.md

@@ -22,9 +22,12 @@ according to the following docs:
 
 ## tip
 
+**Update note 1:** the base Docker image has been changed from Alpine to `scratch`. If you relied on Alpine-specific tools or shell access inside the container, it is recommended to use Alpine-based image directly instead. For debugging in Kubernetes it is recommended to use `kubectl debug`.
+
 * FEATURE: [querying API](https://docs.victoriametrics.com/victorialogs/querying/): allow using [`limit`](https://docs.victoriametrics.com/victorialogs/logsql/#limit-pipe) and [`offset`](https://docs.victoriametrics.com/victorialogs/logsql/#offset-pipe) pipes after the [`stats` pipe](https://docs.victoriametrics.com/victorialogs/logsql/#stats-pipe) in queries to [`/select/logsql/stats_query`](https://docs.victoriametrics.com/victorialogs/querying/#querying-log-stats). This enables the usage for these pipes in [alerting and recording rules for VictoriaLogs](https://docs.victoriametrics.com/victorialogs/vmalert/). See [#1296](https://github.com/VictoriaMetrics/VictoriaLogs/issues/1296).
 * FEATURE: [alerts](https://github.com/VictoriaMetrics/VictoriaLogs/blob/master/deployment/docker/rules): add new alerting rules `PersistentQueueRunsOutOfSpaceIn12Hours` and `PersistentQueueRunsOutOfSpaceIn4Hours` for `vlagent` persistent queue capacity. These alerts help users to take proactive actions before `vlagent` starts dropping logs due to insufficient persistent queue space. See [#10193](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/10193)
 * FEATURE: [web UI](https://docs.victoriametrics.com/victorialogs/querying/#web-ui): remove the `Date format` setting and always display timestamps with nanosecond precision. See [#1161](https://github.com/VictoriaMetrics/VictoriaLogs/issues/1161).
+* FEATURE: switch base Docker image from Alpine to `scratch` for VictoriaLogs, `vlagent` and `vlogscli`. The new images contain only CA certificates from `gcr.io/distroless/static`. This reduces the image size and attack surface.
 
 * BUGFIX: [web UI](https://docs.victoriametrics.com/victorialogs/querying/#web-ui): sanitize markdown URLs in logs rendered with `markdown parsing` enabled, allowing only `http`, `https`, `mailto`, and `tel` schemes for active links and images. See [#1313](https://github.com/VictoriaMetrics/VictoriaLogs/pull/1313).
 * BUGFIX: [web UI](https://docs.victoriametrics.com/victorialogs/querying/#web-ui): improve context view highlight visibility in dark theme. The selected log entry is now highlighted with a more visible blue tint instead of barely visible gray background. See [#1196](https://github.com/VictoriaMetrics/VictoriaLogs/issues/1196).