+1 to the work and +1 to the use of a separate repo, given the framing that it is an optional variant that will have a sequence of releases in parallel to the primary containers.
But have to ask: should we / could we migrate the primary/default container to distroless? Is this an intermediate step toward that? Or is it necessary to maintain both and for how long? (for a reason other than Hyrum's Dead-end, please)

Kenn

On Tue, Nov 26, 2024 at 9:26 AM Danny McCormick via dev <dev@beam.apache.org> wrote:

> Thanks - I'm +1 to both doing this work and the naming convention. The
> main naming alternative I can think of is using tags for distroless, aka
> apache/beam_python3.9_sdk:2.61.0-distroless (and probably also
> apache/beam_python3.9_sdk:latest-distroless), but I think that having
> separate repos is probably a little bit cleaner for vulnerability tooling
> and vulnerability-based policies. Overall, I don't think there's a huge
> difference (and I've seen both approaches used), but I like the repo
> approach a bit more.
>
> Thanks,
> Danny
>
> On Mon, Nov 25, 2024 at 5:31 PM Damon Douglas <damondoug...@apache.org>
> wrote:
>
>> Hello everyone,
>>
>> Work is currently underway <https://github.com/apache/beam/issues/32815>
>> to build support for distroless container images
>> <https://github.com/GoogleContainerTools/distroless>. The purpose of
>> this message is to query any concerns over their naming convention, where
>> simply "_distroless" is added as a suffix. Currently, as an example, for
>> the Apache Beam Python 3.12 SDK, we publish apache/beam_python3.12_sdk
>> <https://hub.docker.com/r/apache/beam_python3.12_sdk> and for Java 17,
>> we publish apache/beam_java17_sdk
>> <https://hub.docker.com/r/apache/beam_java17_sdk>. The distroless
>> variants of these aforementioned will be
>> apache/beam_python3.12_sdk_distroless and
>> apache/beam_java17_sdk_distroless, respectively. Please let me know if you
>> have any concerns with the following proposed distroless variants. Note
>> that not all versions of Python and Java will be supported.
>>
>> apache/beam_python3.9_sdk_distroless
>> apache/beam_python3.10_sdk_distroless
>> apache/beam_python3.11_sdk_distroless
>> apache/beam_python3.12_sdk_distroless
>> apache/beam_java17_sdk_distroless
>> apache/beam_java21_sdk_distroless
>>
>> Best,
>>
>> Damon