Use distroless image as the base build for pi-hole #1251

Closed
1 task
Gontier-Julien opened this issue Dec 2, 2022 · 15 comments

Comments

@Gontier-Julien

Gontier-Julien commented Dec 2, 2022

Distroless images are super tiny (like very, very tiny) and only contain the necessary stuff to run an app.
I don't know if this would be super necessary, but I guess it would be great.
For sure it will need a hell of a test beforehand to make sure it doesn't break pi-hole, since it will be quite different.

But (from what I've read) the following stuff would be improved:

  • security of the docker images
  • smaller docker images
  • less stuff that could go wrong because of dependencies
  • improved performance (not sure about this one but I think I've heard it in the video)

This is a: Feature Request (I guess?)

Details

(picked up from GoogleContainer github):

"Distroless" Container Images

"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

For more information, see this talk (video).
Why should I use distroless images?

Restricting what's in your runtime container to precisely what's necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.

Distroless images are very small. The smallest distroless image, gcr.io/distroless/static-debian11, is around 2 MiB. That's about 50% of the size of alpine (~5 MiB), and less than 2% of the size of debian (124 MiB).

More here or here and here (alpine vs buster-slim vs distroless image)

Related Issues

  • I have searched this repository/Pi-hole forums for existing issues and pull requests that look similar
@PromoFaux
Member

Thanks for the links - I will take a look into this at some point in the near future

@Gontier-Julien
Author

> Thanks for the links - I will take a look into this at some point in the near future

No problem!

@Gontier-Julien
Author

One thing that would be impossible though, is any sort of customization of the docker container by a user.
But it could be resolved by just using the debug image, which provides a busybox shell.
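The distroless README quoted in the opening comment (only the app and its runtime dependencies, no shell or package manager) and the note above about the `debug` variant can be made concrete with a multi-stage Dockerfile. This is an added example, not code from this issue or from the pi-hole project: it assumes a hypothetical static Go program under `./cmd/app` in the build context, and it uses the public gcr.io/distroless tags.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: full toolchain. Nothing from this stage reaches the final image
# except the files copied out of it explicitly below.
FROM golang:1.21-bookworm AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO disabled -> fully static binary, so the runtime image needs no libc.
# ./cmd/app is an assumed, hypothetical program (not part of this issue).
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: distroless static base. No shell, no package manager, no libc;
# it only ships ca-certificates, tzdata, /tmp and a minimal /etc/passwd.
# The :nonroot tag runs the process as uid 65532 instead of root.
FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
EXPOSE 8080
# Exec form is mandatory: there is no /bin/sh to interpret a shell-form string.
ENTRYPOINT ["/app"]
```

Because the runtime stage has no `/bin/sh`, `ENTRYPOINT` and `CMD` must use the JSON exec form; the shell form (`ENTRYPOINT /app`) is rewritten by Docker to `sh -c ...`, which fails in a distroless image. For troubleshooting, rebuild with `gcr.io/distroless/static-debian11:debug` as the final base to get the busybox shell mentioned above, and switch back before shipping. A scanner run against the result sees only the Go binary plus the handful of files distroless carries, which is the improved signal-to-noise the quoted README refers to.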

@Gontier-Julien
Author

Here is the size comparison:

debian stable-slim = 80.5MB
gcr.io/distroless/base-debian11 latest = 20.3MB
gcr.io/distroless/base-debian11 debug = 21.5MB
gcr.io/distroless/static-debian11 latest = 2.34MB
gcr.io/distroless/static-debian11 debug = 3.49MB

@Gontier-Julien
Author

So, I've been tinkering trying to get pi-hole into distroless, it's nearly working.

Here is the current modification:
I've made a pastebin link because it's long xD

And here is the current size comparison (as of the tag 2022.12.1):

pihole-distroless latest = 119MB
pihole/pihole latest = 320MB

And if this is too much of a maintenance hell (which is relatable), I could always help trying to get it to alpine #980

@PromoFaux
Member

Please feel free to submit a PR that builds a distroless image (though I cannot promise it will be merged), as I would like to see how it may fit into the build process.

Alpine would be a good target - but for that to work we either need to:

  • install bash - seems like a workaround
  • Make all of the scripts in the main repo POSIX compliant - but this is a big task that may end up going to waste because of some changes planned for v6 (no ETA/real roadmap just yet) that will probably end up doing away with a lot of stuff we've relied on over the years, so that may be a good time to start looking at streamlining the docker container again, too.

Pre-pre-pre alpha versions of v6.0 exist, I am going to start looking at creating a container version in the next few weeks.

@Gontier-Julien
Author

Gontier-Julien commented Jan 2, 2023

Sure, no problem, when I get it working at 100% I'll make a PR!
Edit: I hope I get it working this week, it would be nice xD

Bash would be an easier option for sure

And awesome, I'll be happy to help test it out or help if you need! ^^

Also, what will pihole v6 be based on?

@Gontier-Julien
Author

Gontier-Julien commented Jan 9, 2023

Hey @PromoFaux maybe you could help me on this one, because I'm kinda stalling on it ^^"

Here is the current start of the container rn

Issues rn:

  • Critical error - immediate abort: idk what critical error
  • [i] Installing /etc/dnsmasq.d/01-pihole.conf...install: unrecognized option: T - probably needs to be fixed
  • /bin/sh: 1: /usr/share/lighttpd/use-ipv6.pl: not found
    2023-01-09 17:05:21: configfile.c.2113) command "/usr/share/lighttpd/use-ipv6.pl 80" exited non-zero: 127
    2023-01-09 17:05:21: configfile.c.1970) source: /etc/lighttpd/lighttpd.conf line: 79 pos: 14 parser failed somehow near here: (EOL)
    Stopping lighttpd

This seems to be related to IPv6, but even though use-ipv6.pl is included inside, it seems to prevent lighttpd from running.

@Gontier-Julien
Author

I could make a draft pull request in the current state

@Gontier-Julien
Author

Little update: I've decided to take another approach to it, I'll try to see how it goes tomorrow.

@Gontier-Julien
Author

Alright, I'm closing this...
Trying to have pi-hole inside a distroless container is a huge burden and will be a maintenance nightmare...

I'll work my way to take pi-hole on alpine #980

@PromoFaux
Member

Hey, thanks for giving it a shot anyway - maybe once we get a bit more mature in the v6 development process it can be something we look at again

@Gontier-Julien
Author

> Hey, thanks for giving it a shot anyway - maybe we get a bit more mature in the v6 development process it can be something we look at again

Maybe we could, but to be honest I think distroless is more targeted at software that is just a whole binary (like go apps), and with debian having 4000x dependencies linked everywhere (thanks, libc), it would just add a massive burden to keep it maintained.
I guess that alpine would be more appropriate for how pi-hole operates in this case and would have less burden to maintain.
Maybe pi-hole V6 could be based on alpine, as it is a big milestone it would make sense

@Gontier-Julien
Author

Gontier-Julien commented Jan 21, 2023

Btw could you maybe create an alpine branch on the docker-base-images, docker-pihole and the pi-hole repo please?
So I can push to there to work on it?
I can add all alpine archs to it that way to build pihole
Currently it stops at the enabling of lighttpd but idk why

@SamTV12345
Contributor

I don't think that your plan will work. I created a working Dockerfile for alpine a while ago only failing one week later on lighttpd. It's quite hard to maintain. I guess the only solution is to rewrite the basic script. Maybe one could simplify the install process.
