I’ve been playing with OpenFaaS ever since I learned about Minikube a few years ago, so when one of my colleagues mentioned Google’s Distroless project I obviously needed to see if my Go projects could work using those images too.
“Distroless” images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution. Restricting what’s in your runtime container to precisely what’s necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.
Source: Google Container Tools
OpenFaaS allows you to package anything as a serverless function - Binaries, Node.js or, as in my case, Go!
So what do I do?
When you’re starting with OpenFaaS the first command you run is:

```
faas-cli template pull
```

This downloads all the templates that are curated by the OpenFaaS team and puts them in a ./template folder. For the go template, you can replace the second container (OpenFaaS uses a multistage Dockerfile) in ./template/go/Dockerfile with the snippet below:
```dockerfile
# Let's see if we can do distroless
FROM gcr.io/distroless/base
COPY --from=builder /usr/bin/fwatchdog /
COPY --from=builder /go/src/handler/function/ /
COPY --from=builder /go/src/handler/handler /
ENV fprocess="./handler"
EXPOSE 8080
# Shell-form HEALTHCHECK: Docker runs it via /bin/sh -c, and distroless/base ships no shell
HEALTHCHECK --interval=2s CMD [ -e /fwatchdog ] || exit 1
CMD ["/fwatchdog"]
```
This will do exactly the same, just with a Distroless base image to run your apps!
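The HEALTHCHECK in the snippet above is written in shell form, which Docker executes through /bin/sh -c, and the Distroless base image contains no shell. As an added example (not part of the original post or the OpenFaaS templates), here is a small Go probe that can be called in exec form instead; the /healthcheck path and the choice to also test the port from EXPOSE 8080 are assumptions.

```go
// Shell-free health probe for a distroless image (added example).
// Assumed wiring, with /healthcheck as a hypothetical path in the image:
//   HEALTHCHECK --interval=2s CMD ["/healthcheck"]
package main

import (
	"fmt"
	"net"
	"os"
	"time"
)

// probe checks two things without spawning a shell: the marker file exists,
// and something accepts TCP connections on addr within the timeout.
func probe(path, addr string, timeout time.Duration) error {
	if _, err := os.Stat(path); err != nil {
		return fmt.Errorf("marker file check failed: %w", err)
	}
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return fmt.Errorf("listener check failed: %w", err)
	}
	return conn.Close()
}

func main() {
	// Defaults mirror the Dockerfile on this page: /fwatchdog and EXPOSE 8080.
	// Probing 127.0.0.1:8080 assumes the watchdog listens on the exposed port.
	path, addr := "/fwatchdog", "127.0.0.1:8080"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	if len(os.Args) > 2 {
		addr = os.Args[2]
	}
	if err := probe(path, addr, time.Second); err != nil {
		fmt.Fprintln(os.Stderr, "unhealthy:", err)
		os.Exit(1) // Docker treats exit code 1 as unhealthy
	}
}
```

The probe would be compiled in the builder stage and copied into the final image alongside fwatchdog, so the runtime image still contains nothing but binaries.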