Container Registry

2. Images

  • Managed base images are base container images that Google patches automatically for security vulnerabilities, using the most recent fixes published by the upstream project (for example, the OS distribution's security updates).
  • Managed base images are available for any GCP customer.
  • When a container is deployed, two separate operating system images are in play, and they are chosen independently.
  • The node (host) image is the operating system that runs the container runtime; its kernel is shared by every container on the node.
  • The container image supplies the userland the container itself sees (libraries, binaries, package metadata); it does not bring its own kernel, so kernel patching is a host-image concern while library patching is a container-image concern.
  • The container image is built by taking an operating system base image, and adding the packages, libraries, and binaries needed for the application.
  • Google maintains base images for building its own applications, including Google Cloud services like Google App Engine.
  • Managed base images have security properties which can make them desirable for some uses.
  • They're regularly scanned for known vulnerabilities, from the CVE database.
  • Base image security scan uses the same functionality as Container Registry Vulnerability Scanning. 
  • When a patch is available for a found vulnerability, Google applies that patch.
  • Base images are built reproducibly, so there is a verifiable path from the source code to the binary.
  • Base images can be verified by comparing them to the GitHub source, ensuring that the build has not introduced any flaws; to keep that guarantee through your own build, reference the base image by its digest rather than by a mutable tag.
  • They're stored on Google Cloud, so they can be pulled directly from within the environment without traversing the public internet.
  • Base images can be pulled using Private Google Access. 
  • Base images can be used outside of Google Cloud.
  • Managed base images are available in GCP Marketplace.
  • Support for managed base images is subject to the lifecycles of the corresponding OS distributions. 
  • Unless otherwise noted, Google publishes updated images at least monthly. 
  • Published updates include security updates and other updates installed for operating system versions that are in the mainstream support stage of their lifecycles.
  • When an operating system version enters its extended lifecycle stage, Google no longer provides updated images. 
  • Google generally does not backport new features to these versions in the extended lifecycle stage or past the extended lifecycle.
  • Distroless images are minimal, language-focused images that contain only the application and its runtime dependencies: no shell, package manager, or other userland tools. This shrinks the attack surface and the patch load, but it also means there is no shell to exec into for debugging (the images ship a separate debug variant that adds one).
  • Container Registry's Docker Hub mirror (mirror.gcr.io) caches frequently requested Docker Hub images, including popular base images, so pulls do not depend on Docker Hub's availability or rate limits; the images themselves are still third-party content and are not patched by Google the way managed base images are.
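The points above (build on a patched base image, keep the verifiable source-to-binary path, prefer Distroless for the final stage, and pull Docker Hub content through the mirror) only hold if the Dockerfile actually references those images and pins them by digest. The following is an added example, not code from Google or from the original page: a small policy check that parses the FROM lines of a Dockerfile and flags any stage whose base is outside an allowlist of registries or is referenced by a mutable tag instead of a sha256 digest. The allowlist prefixes, the two sample Dockerfiles and the digests in them are constructed for illustration and are assumptions of this example, not real published digests.

```python
"""Dockerfile base-image policy check (added example, not Google's code).

Assumptions made here for illustration:
  - ALLOWED_PREFIXES lists the registry namespaces we trust for base images.
  - A base image must be pinned by @sha256:<digest>, not by tag.
  - The sample Dockerfiles and the digests inside them are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry namespaces a stage may start FROM (assumption for this example).
ALLOWED_PREFIXES = (
    "marketplace.gcr.io/google/",  # managed base images from Marketplace
    "gcr.io/distroless/",          # Distroless images
    "mirror.gcr.io/",              # Container Registry's Docker Hub mirror
)

# FROM [--platform=...] <ref> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# A reference pinned by digest ends with @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    line_no: int
    ref: str
    problem: str


def parse_from_lines(dockerfile: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line_no, image_ref, alias) for every FROM instruction."""
    stages = []
    for n, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if m:
            stages.append((n, m.group("ref"), m.group("alias")))
    return stages


def check_dockerfile(dockerfile: str) -> List[Finding]:
    """Flag stages built from untrusted registries or unpinned references."""
    findings: List[Finding] = []
    aliases = set()
    for n, ref, alias in parse_from_lines(dockerfile):
        if ref in aliases:
            # FROM <earlier stage>: reuses an image we already checked.
            continue
        if alias:
            aliases.add(alias)
        if ref == "scratch":
            # The empty image has no OS content to patch or pin.
            continue
        if not ref.startswith(ALLOWED_PREFIXES):
            findings.append(Finding(n, ref, "registry not in allowlist"))
        if not DIGEST_RE.search(ref):
            findings.append(Finding(n, ref, "not pinned by digest"))
    return findings


# Constructed sample: managed base image for the build stage, Distroless for
# the runtime stage, both pinned by (placeholder) digests.
GOOD_DOCKERFILE = """\
FROM marketplace.gcr.io/google/debian11@sha256:{d1} AS build
RUN apt-get update && apt-get install -y --no-install-recommends gcc
COPY app.c .
RUN gcc -static -o /app app.c

FROM gcr.io/distroless/static-debian11@sha256:{d2}
COPY --from=build /app /app
ENTRYPOINT ["/app"]
""".format(d1="0123456789abcdef" * 4, d2="fedcba9876543210" * 4)

# Constructed sample: Docker Hub by tag, and the mirror by tag (still unpinned).
BAD_DOCKERFILE = """\
FROM debian:latest AS build
RUN apt-get update
FROM mirror.gcr.io/library/alpine:3.18
COPY --from=build /x /x
"""

if __name__ == "__main__":
    for name, content in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        print(name, [(f.line_no, f.problem) for f in check_dockerfile(content)])
```

Running the script reports no findings for the first Dockerfile and three for the second: line 1 is both off-allowlist and unpinned, and line 3 uses the mirror correctly but still by tag. The digest check is what makes the reproducible-build property usable downstream; a tag such as `:3.18` can be re-pointed at a different image later, a digest cannot.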