- Managed base images are base container images that are automatically patched by Google for security vulnerabilities, using the most recent patches available from the project upstream (for example, GitHub).
- Managed base images are available for any
- When a container is deployed, two separate operating systems and images are chosen.
- Node or host image is the operating system on which the container runs.
- Container image is the operating system used by the container itself. A container image is built by taking an operating system base image and adding the packages, libraries, and binaries needed for the application.
- Google maintains base images for building its own applications, including Google Cloud services like Google
- Managed base images have security properties which can make them desirable for some uses.
- They're regularly scanned for known vulnerabilities from the CVE database.
- Base image security scanning uses the same functionality as Container Registry Vulnerability Scanning.
- When a patch is available for a found vulnerability, Google applies that patch.
- Base images are built reproducibly, so there is a verifiable path from the source code to the binary.
- Base images can be verified by comparing them to the GitHub source, ensuring that the build has not introduced any flaws.
- They're stored on Google Cloud, so they can be pulled directly from the environment without having to traverse networks.
- Base images can be pulled using Private
- Base images can be used outside of Google Cloud.
- Managed base images are available in GCP Marketplace.
- Support for managed base images is subject to the lifecycles of the corresponding OS distributions.
- Unless otherwise noted, Google publishes updated images at least monthly.
- Published updates include security updates and other updates installed for operating system versions that are in the mainstream support stage of their lifecycles.
- When an operating system version enters its extended lifecycle stage, Google no longer provides updated images.
- Google generally does not backport new features to these versions in the extended lifecycle stage or past the extended lifecycle.
- Distroless images are minimal, language-focused images.
- Container Registry's Docker Hub Mirror offers frequently requested Docker Hub images, including base images.