
feat(docker): add distroless-based Docker image variant#21

Open

davinkevin wants to merge 1 commit into pgsty:master from davinkevin:add-distroless-based-image

Conversation

@davinkevin


Summary

  • Add a new pgsty/minio:<tag>-distroless image using gcr.io/distroless/static-debian13 for minimal attack surface (no shell, no package manager, no glibc)
  • Publishes multi-arch (amd64/arm64) images via GoReleaser alongside the existing UBI-micro images
  • New tags: pgsty/minio:<tag>-distroless and pgsty/minio:latest-distroless

Changes

  • Dockerfile.distroless — new multi-stage Dockerfile based on distroless/static-debian13
  • .github/goreleaser.yml — add distroless docker builds and manifests
  • .github/workflows/test-release.yml — trigger on Dockerfile.distroless changes

Add a new `pgsty/minio:<tag>-distroless` image using
gcr.io/distroless/static-debian13 as the base image for improved
security and minimal attack surface.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@11notes

11notes commented Apr 13, 2026


Just as a friendly input as someone who maintains a rootless/distroless minio image. The distroless image should be the default, not an additional tag. Give users the best option from the start, not as an option they might miss.

@Vonng force-pushed the master branch 2 times, most recently from 16e34f9 to f48dbe7 on April 17, 2026 10:22
@teian

teian commented Jun 12, 2026


Really good input, and I would also like to have the ability to use Alpine-based images. That would be an awesome addition!

@11notes

11notes commented Jun 12, 2026


@teian consider this article on why distroless is better.

@teian

teian commented Jun 12, 2026


I agree distroless is awesome, but there are use cases which differ, and therefore, if it is not too much of a hassle, it is still nice to have. Didn't want to discredit your effort/input :)

@11notes

11notes commented Jun 12, 2026


... but there are use cases ...

I've never come across such a use case; can you give an example where you need an image with a shell for MinIO?

@teian

teian commented Jun 12, 2026


Sure I can, but I think my use case does not align with your security vision, therefore it does not make sense to further discuss this here. As I said before, I like your proposal, so I'm all for merging this :)

@shishantbiswas


... but there are use cases ...

I've never come across such a use case; can you give an example where you need an image with a shell for MinIO?

Not a good example by any means, but in platforms like coolify/dokploy/etc. healthchecks are done using wget and curl. In distroless images, getting a healthcheck working is not as easy as in something like Alpine- or Debian-based images.

In such cases the healthcheck was done by checking the port, like so in docker-compose.yml:

healthcheck:
  test: ["CMD", "bash", "-c", "exec 3<>/dev/tcp/localhost/8108 && printf 'GET /health HTTP/1.1\\r\\nConnection: close\\r\\n\\r\\n' >&3 && head -n1 <&3 | grep '200' && exec 3>&-"]
  interval: 10s
  timeout: 1s

One example I encountered a while ago where I faced this problem was Typesense, which also uses distroless by default.

I'm sure your intention of making the default image distroless is great from a security point of view, but there are good reasons to use Alpine/Debian as default.

@11notes

11notes commented Jun 22, 2026


@shishantbiswas A distroless image has a health check baked in like any other image. You can check my example distroless minio image with a health check. No need to specify your own health check. No need to use base OS layers to do a health check.

@shishantbiswas

shishantbiswas commented Jun 22, 2026


This is my first time seeing an embedded healthcheck in a Dockerfile itself; I'm honestly speechless.

edit: My apologies, my lack of knowledge led me to believe that there was no way to do healthchecks in distroless images. I've never seen a healthcheck like the one you mentioned in all my dev life, and even the Typesense example led me to believe it's not possible.

It seems I was wrong about my assumption; I'm sorry about that.

@11notes

11notes commented Jun 22, 2026


No need for apologies, no harm done. It is my professional opinion that any image provider or creator should ship their image with a default and good health check that works for most app cases, not just checking whether the port exists but actually checking the health of the app behind it.
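As an added example (not code from this PR, nor from either maintainer's images), here is the kind of tiny static probe a distroless image can bake in with an exec-form `HEALTHCHECK --interval=10s --timeout=3s CMD ["/healthcheck"]`: it hits MinIO's `/minio/health/live` liveness endpoint and exits 0 or 1, so it checks the application rather than just the port and needs no shell, wget or curl. The port 9000, the `/healthcheck` binary path and the two-second timeout are assumptions.

```go
// healthcheck: a static probe usable as a Docker HEALTHCHECK in a
// distroless image, where no shell, curl or wget exists.
package main

import (
	"context"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Probe performs one GET against url and returns nil only if the server
// answers 200 within timeout. Connection errors, timeouts and non-200
// statuses are all reported as unhealthy.
func Probe(ctx context.Context, url string, timeout time.Duration) error {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unhealthy: %s returned %d", url, resp.StatusCode)
	}
	return nil
}

// ExitCode maps a probe result to what Docker expects: 0 healthy, 1 unhealthy.
func ExitCode(err error) int {
	if err != nil {
		return 1
	}
	return 0
}

func main() {
	// Assumption: MinIO's liveness endpoint on its default API port 9000.
	url := "http://127.0.0.1:9000/minio/health/live"
	if len(os.Args) > 1 {
		url = os.Args[1]
	}
	err := Probe(context.Background(), url, 2*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
	os.Exit(ExitCode(err))
}
```

Build it with `CGO_ENABLED=0 go build` so the binary is fully static and runs on distroless/static, then COPY it into the final stage next to the minio binary.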
