fix: migrate runtime base images from distroless/minimal to distroless/base #4369
Open
behzad-mir wants to merge 1 commit into master from
Conversation
4 tasks
jpayne3506 (Contributor) previously approved these changes, Apr 23, 2026:

Resolve merge conflicts and get this merged. Images will increase minimally in size, but 0 functionality changes.
…s/base

Go 1.26 enforces FIPS-compliant system crypto, which requires crypto libraries to be present at runtime. distroless/minimal lacks these libraries and will cause pod startup failures. This change migrates all runtime base images to distroless/base:3.0, which includes the required crypto libraries while remaining minimal.

Changes:
- build/images.mk: MARINER_DISTROLESS_IMG minimal → base
- bpf-prog/ipv6-hp-bpf/linux.Dockerfile: cbl-mariner/distroless/minimal:2.0 → azurelinux/distroless/base:3.0
- .pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile: minimal → base
- Regenerated all template Dockerfiles via make dockerfiles

Resolves #4364
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

d5e33a7 to f10c036
Contributor
Pull request overview
This PR updates the project’s Linux runtime base images from Azure Linux distroless minimal to distroless base (3.0) to ensure required system crypto libraries are present ahead of a future Go 1.26 FIPS-compliance effort.
Changes:
- Switched the distroless runtime base image reference in the build "source of truth" (build/images.mk) to distroless/base:3.0.
- Regenerated/updated service Dockerfiles (and pipeline copies) to use mcr.microsoft.com/azurelinux/distroless/base:3.0 (digest-pinned where templated).
- Updated the ipv6-hp-bpf runtime Dockerfiles to use the new distroless base image.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| cns/Dockerfile | Autogenerated Dockerfile updated to use Azure Linux distroless base (3.0) digest for the runtime stage. |
| build/images.mk | Updates MARINER_DISTROLESS_IMG to distroless/base:3.0 so regenerated Dockerfiles resolve the new pinned digest. |
| bpf-prog/ipv6-hp-bpf/linux.Dockerfile | Updates the ipv6-hp-bpf runtime stage to Azure Linux distroless base (3.0). |
| azure-iptables-monitor/Dockerfile | Autogenerated Dockerfile updated to use Azure Linux distroless base (3.0) digest for the runtime stage. |
| .pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile | Updates pipeline ipv6-hp-bpf runtime base image tag to distroless base (3.0). |
| .pipelines/build/dockerfiles/cns.Dockerfile | Updates pipeline CNS runtime base image to distroless base (3.0) digest. |
| .pipelines/build/dockerfiles/azure-iptables-monitor.Dockerfile | Updates pipeline azure-iptables-monitor runtime base image to distroless base (3.0) digest. |
| RUN GOOS=$OS CGO_ENABLED=0 go build -a -o /go/bin/ipv6-hp-bpf -trimpath -ldflags "-s -w -X main.version="$VERSION"" -gcflags="-dwarflocationlists=true" . | ||
| FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 AS linux | ||
| FROM mcr.microsoft.com/azurelinux/distroless/base:3.0 AS linux |
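Review bot: the build line shown above for this image sets CGO_ENABLED=0, which yields a statically linked Go binary that never loads a system libcrypto, so the stated motivation (OpenSSL libraries present at runtime) does not apply to ipv6-hp-bpf as currently built; either the build needs cgo enabled for the system-crypto path or this FROM change is really a cbl-mariner 2.0 to azurelinux 3.0 move, and the commit message should say which. Separately, this line pins by mutable tag (`azurelinux/distroless/base:3.0`) while the template-generated Dockerfiles in this PR are digest-pinned; pin the digest here too so the runtime rootfs cannot be swapped under the tag.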
| FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/distroless/minimal:3.0 AS linux | ||
| FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/distroless/base:3.0 AS linux |
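Review bot: this pipeline copy keeps a mutable `:3.0` tag while the other pipeline Dockerfiles in the file summary above (cns, azure-iptables-monitor) moved to a digest; since this file is maintained by hand, add the digest here or fold it into the `make dockerfiles` templating so it cannot drift from build/images.mk, and so the rootfs an ipv6-hp-bpf pod starts on is reproducible.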
Summary

Migrates runtime base images from distroless/minimal:3.0 to distroless/base:3.0 to prepare for Go 1.26 FIPS compliance.

Motivation

Go 1.26 enforces system crypto for FIPS compliance. Runtime images must include crypto libraries — distroless/minimal lacks these and causes pod startup failures. This lays the groundwork before the actual Go 1.26 version bump.

Changes

Source of truth
- build/images.mk: MARINER_DISTROLESS_IMG from distroless/minimal:3.0 → distroless/base:3.0

Manual (non-template) files
- bpf-prog/ipv6-hp-bpf/linux.Dockerfile: cbl-mariner/distroless/minimal:2.0 → azurelinux/distroless/base:3.0
- .pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile: distroless/minimal:3.0 → distroless/base:3.0

Auto-regenerated via make dockerfiles
- cns/Dockerfile, cni/Dockerfile, azure-ipam/Dockerfile, azure-ip-masq-merger/Dockerfile, azure-iptables-monitor/Dockerfile, cilium-log-collector/Dockerfile
- .pipelines/build/dockerfiles/

Testing

Resolves #4364
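The description above rests on one property of the built binaries: a Go binary that uses system crypto imports libcrypto/libssl at runtime, which distroless/base ships and distroless/minimal does not, whereas a CGO_ENABLED=0 build (as in the ipv6-hp-bpf build line in the diff) is statically linked and starts on any rootfs. Rather than discovering this as a pod startup failure, a practitioner would read the binary's ELF dynamic section before choosing the base image. The following Go program does that with the standard library's debug/elf package; it is an added example, not code from this PR or the azure-container-networking repository, and the soname prefixes it matches (libcrypto.so, libssl.so) are assumptions about the OpenSSL packaging in the base image.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"strings"
)

// Soname prefixes that an OpenSSL-backed (system crypto) Go build needs at
// runtime. Assumed names for illustration, not taken from the PR.
var cryptoSonames = []string{"libcrypto.so", "libssl.so"}

// Report summarises what a binary needs from its runtime image.
type Report struct {
	Interp      string   // program interpreter (dynamic loader), "" if none
	Needed      []string // DT_NEEDED entries in link order
	Static      bool     // no interpreter and no DT_NEEDED: runs on any rootfs
	NeedsCrypto bool     // at least one DT_NEEDED entry is libcrypto/libssl
}

// NeedsCrypto reports whether any DT_NEEDED entry names an OpenSSL library.
// Matching is by prefix so versioned sonames such as libcrypto.so.3 are caught.
func NeedsCrypto(needed []string) bool {
	for _, lib := range needed {
		base := lib[strings.LastIndex(lib, "/")+1:]
		for _, p := range cryptoSonames {
			if strings.HasPrefix(base, p) {
				return true
			}
		}
	}
	return false
}

// Inspect parses an ELF executable and fills a Report. It only reads the
// file and never executes it, so it is safe to run on untrusted build output.
func Inspect(path string) (*Report, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	// ImportedLibraries returns the DT_NEEDED list; it is nil for a binary
	// with no .dynamic section, i.e. a fully static CGO_ENABLED=0 build.
	needed, err := f.ImportedLibraries()
	if err != nil {
		return nil, err
	}
	r := &Report{Needed: needed}
	if s := f.Section(".interp"); s != nil {
		data, err := s.Data()
		if err != nil {
			return nil, err
		}
		r.Interp = strings.TrimRight(string(data), "\x00")
	}
	r.Static = r.Interp == "" && len(r.Needed) == 0
	r.NeedsCrypto = NeedsCrypto(r.Needed)
	return r, nil
}

// Verdict maps a Report onto the PR's rule of thumb: static binaries start
// anywhere; anything importing OpenSSL needs an image that ships it
// (distroless/base, per the PR); any other dynamic binary needs at least its
// loader and libc and must be checked against the chosen image explicitly.
func Verdict(r *Report) string {
	switch {
	case r.Static:
		return "static: starts on scratch or any distroless flavour"
	case r.NeedsCrypto:
		return "imports OpenSSL: needs a base image that ships libcrypto/libssl (distroless/base)"
	default:
		return "dynamic without OpenSSL: needs " + r.Interp + " and its libs; verify against the image"
	}
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: elfneeds <binary>...")
		os.Exit(2)
	}
	for _, p := range os.Args[1:] {
		r, err := Inspect(p)
		if err != nil {
			fmt.Printf("%s: %v\n", p, err)
			continue
		}
		fmt.Printf("%s\n  interp: %q\n  needed: %v\n  %s\n", p, r.Interp, r.Needed, Verdict(r))
	}
}
```

Run it against the binaries copied into the runtime stage (for example the output of the `go build` line shown in the ipv6-hp-bpf Dockerfile) on the build host, before the image is pushed; a build that reports "static" gains nothing from the minimal-to-base move, while one that lists libcrypto.so.3 is the case the PR is guarding against.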