
feat: migrate to distroless docker base images #3228

Closed
mchristopher wants to merge 12 commits into master from secure-docker


Conversation

@mchristopher (Member)

Linked Issues/PRs

Description

  • Migrating from standard Debian slim base Docker images to GCR Distroless images. These images contain only the most basic GCC, CA certs and timezone data (no shell, curl, etc). This enhances runtime security and reduces attack surface.

Checklist

  • Breaking changes are clearly marked as such in the PR description and changelog
  • New behavior is reflected in tests
  • The specification matches the implemented behavior (link update PR if changes are needed)

Before requesting review

  • I have reviewed the code myself
  • I have created follow-up issues caused by this PR and linked them here

After merging, notify other teams

[Add or remove entries as needed]

@cursor (Bot) commented Mar 11, 2026

PR Summary

Medium Risk
Moderate risk because it changes the runtime container base image and startup behavior (no shell/OS packages), which can break env-var-based args, debugging, or expectations about bundled tools; CI build/publish flow is also materially altered.

Overview
Migrates deployment/Dockerfile and deployment/e2e-client.Dockerfile runtime stages from debian:bookworm-slim to GCR Distroless (cc-debian12:nonroot), switching to a non-root workdir and using ENTRYPOINT/CMD instead of shell-form CMD (and removing apt-get runtime package installs).

Refactors the Docker image publishing workflow to build and push a single multi-arch image via WarpBuild (Warpbuilds/build-push-action@v6) and updates runners/caching for the profiling and e2e image jobs. Includes a small dependency bump (quinn-proto 0.11.13 → 0.11.14) and Cargo.toml formatting/metadata cleanups plus a changelog entry.

Written by Cursor Bugbot for commit e3139e1.
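The runtime-stage change the summary describes, shown as an added illustration that is not the project's own Dockerfile: a Debian slim stage with a shell-form CMD beside a distroless stage with exec-form ENTRYPOINT/CMD. The builder stage, the binary name `app` and the `PORT` variable are placeholders assumed for the example; the image `gcr.io/distroless/cc-debian12:nonroot` and its `nonroot` user (uid 65532, home `/home/nonroot`) are real.

```dockerfile
# Added illustration, not the project's Dockerfile. The builder stage and the
# binary name "app" are placeholders; the two runtime stages are the point.
FROM rust:1-bookworm AS builder
WORKDIR /src
COPY . .
RUN cargo build --release

# --- Before: Debian slim runtime with a shell-form CMD ---------------------
# Shell form is executed as `/bin/sh -c "..."`, so $PORT is expanded by sh,
# and apt-get is available to install extra packages into the runtime image.
FROM debian:bookworm-slim AS runtime-slim
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /src/target/release/app /usr/local/bin/app
ENV PORT=4000
CMD /usr/local/bin/app --port $PORT

# --- After: distroless runtime with exec-form ENTRYPOINT/CMD ---------------
# cc-debian12 ships glibc, libgcc, libstdc++, CA certificates and tzdata but
# no shell, package manager or coreutils, so there is nothing to apt-get and
# nothing for an attacker to exec into. The :nonroot tag runs as uid 65532
# with /home/nonroot as its working directory.
FROM gcr.io/distroless/cc-debian12:nonroot AS runtime-distroless
WORKDIR /home/nonroot
COPY --from=builder --chown=nonroot:nonroot /src/target/release/app /home/nonroot/app
# Exec form is mandatory here: a shell-form CMD would try to start /bin/sh,
# which does not exist, and the container would fail with
# "exec: /bin/sh: no such file or directory" before the binary ever runs.
ENTRYPOINT ["/home/nonroot/app"]
# Exec form performs no variable expansion, so ["--port", "$PORT"] would pass
# the literal string "$PORT". Either read the setting from the environment
# inside the binary, or pass a concrete value as the default CMD as done here.
CMD ["--port", "4000"]
```

Build the old layout with `docker build --target runtime-slim .` and the new one with `docker build --target runtime-distroless .` (the last stage is also the default). A quick check that the distroless image really has no shell is `docker run --rm --entrypoint /bin/sh <image>`, which should fail immediately; the same invocation against the slim image drops into a shell. Arguments given on `docker run` replace the `CMD` list and are appended to the `ENTRYPOINT`, which is how per-deployment flags are passed without a shell.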

@mchristopher mchristopher requested a review from a team as a code owner March 11, 2026 22:03
MitchTurner (Member) commented Mar 11, 2026

Looks like we have a dep on
https://rustsec.org/advisories/RUSTSEC-2026-0037.html

So we can patch quinn-proto to >=0.11.14 or we can ignore and create an issue if that is too big of a change.


@cursor (Bot) left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


@mchristopher mchristopher deleted the secure-docker branch March 31, 2026 20:20