This ruleset designed to replace commands such as apt-get install
, passwd
, groupadd
, useradd
, update-ca-certificates
.
Note
rules_distroless is an beta software and doesn't have a stable Public API yet, however many are already using it in production.
See Adopters section to see who's already using it.
Our examples demonstrate how to accomplish typical tasks such as create a new user group or create a new home directory.
- groupadd
- passwd
- useradd --home
- update-ca-certificates
- keytool
- apt-get install from Debian repositories.
- apt-get install from Ubuntu repositories.
We also we have distroless-specific rules that could be useful
- flatten: flatten multiple
tar
archives. - os_release: create a
/etc/os-release
file - locale: strip
/usr/lib/locale
to be smaller. - dpkg_statusd: creates a package database at /var/lib/dpkg/status.d for scanners to discover installed packages.
- apt Repository rule for fetching/installing Debian/Ubuntu packages.
- linux Various rules for creating Linux specific files.
See the install instructions on the release notes: https://github.com/GoogleContainerTools/rules_distroless/releases
To use a commit rather than a release, you can point at any SHA of the repo.
With bzlmod, you can use archive_override
or git_override
. For WORKSPACE
, you modify the http_archive
call; for example to use commit abc123
with a WORKSPACE
file:
- Replace
url = "https://github.com/GoogleContainerTools/rules_distroless/releases/download/v0.1.0/rules_distroless-v0.1.0.tar.gz"
with a GitHub-provided source archive likeurl = "https://github.com/GoogleContainerTools/rules_distroless/archive/abc123.tar.gz"
- Replace
strip_prefix = "rules_distroless-0.1.0"
withstrip_prefix = "rules_distroless-abc123"
- Update the
sha256
. The easiest way to do this is to comment out the line, then Bazel will print a message with the correct value.
Note that GitHub source archives don't have a strong guarantee on the sha256 stability, see https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes
This ruleset is primarily funded to support distroless. We may not work on feature requests that do not support this mission. We will however accept fully tested contributions via pull requests if they align with the project goals (ex. a different compression format) and may reject requests that do not (ex. supporting a non deb
based packaging format).
An adopter? Add your company here by sending us a Pull Request.