
chore: FIPS-ready base image migration (distroless/minimal → distroless/base) #4364

@behzad-mir

Description

Summary

Migrate runtime base images from distroless/minimal:3.0 to distroless/base:3.0 to prepare for Go 1.26 FIPS compliance.

Motivation

Go 1.26 enforces system crypto for FIPS compliance. Runtime images must include crypto libraries; distroless/minimal lacks these and will cause pod startup failures. This PR lays the groundwork before the actual Go 1.26 version bump.

Changes Required

Template-managed (auto via make dockerfiles)

  • Update build/images.mk: MARINER_DISTROLESS_IMG from distroless/minimal:3.0 → distroless/base:3.0
  • Regenerate Dockerfiles: make dockerfiles
    • cns/Dockerfile (+ pipeline copy)
    • azure-iptables-monitor/Dockerfile (+ pipeline copy)

Manual updates

  • bpf-prog/ipv6-hp-bpf/linux.Dockerfile: cbl-mariner/distroless/minimal:2.0 → appropriate base image
  • .pipelines/build/dockerfiles/ipv6-hp-bpf.Dockerfile: distroless/minimal:3.0 → distroless/base:3.0

Build settings

  • Add GOEXPERIMENT env var to Dockerfile templates (.tmpl files)
  • Add GOEXPERIMENT export to pipeline build scripts (.pipelines/build/scripts/*.sh)
  • Review MS_GO_NOSYSTEMCRYPTO=1 in npm/linux.Dockerfile and npm/windows.Dockerfile

Verification

  • Verify Copacetic version is updated (ARM/AMD build correctness)
  • Pipeline builds pass
  • No runtime regressions

Context

  • Base images without crypto libraries cause: build-time CGO errors, pod crashes at startup
  • distroless/base includes the required crypto libraries while remaining minimal
  • This change is safe on Go 1.24 and prepares for Go 1.26
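As an added example (not code from this issue or the repository), a small POSIX shell check for the verification step above: it dumps a runtime image's filesystem with docker create/export, which works for distroless images that have no shell, and confirms the shared crypto libraries are present before the Go 1.26 bump. The library names (OpenSSL libcrypto/libssl) and the two sample listings are assumptions; the issue itself only says "crypto libraries".

```shell
#!/bin/sh
# Added example, not part of the issue or the azure-container-networking repo.
# Assumption: Go system crypto on Linux loads OpenSSL's libcrypto/libssl at
# startup, so those are the files whose absence would crash the pod.

# Print the file list of an image without needing a shell inside it:
# create a stopped container, export its rootfs and list the tar entries.
# Requires docker; not exercised by the self-contained sample below.
image_file_list() {
  _img="$1"
  _cid="$(docker create "$_img")" || return 1
  docker export "$_cid" | tar -t
  docker rm "$_cid" >/dev/null
}

# Read a file list on stdin; return 0 only if both a libcrypto and a libssl
# shared object are present, 1 otherwise. Prints the matching paths.
has_crypto_libs() {
  _found="$(grep -E '(^|/)lib(crypto|ssl)\.so(\.[0-9]+)*$' || true)"
  [ -n "$_found" ] || return 1
  printf '%s\n' "$_found"
  echo "$_found" | grep -q 'libcrypto\.so' || return 1
  echo "$_found" | grep -q 'libssl\.so' || return 1
}

# Constructed sample listings standing in for the two base image variants
# (real content of distroless/minimal and distroless/base may differ).
MINIMAL_LISTING='etc/passwd
usr/lib/libc.so.6
usr/lib/ld-linux-x86-64.so.2
usr/share/zoneinfo/UTC'

BASE_LISTING='etc/passwd
usr/lib/libc.so.6
usr/lib/ld-linux-x86-64.so.2
usr/lib/libcrypto.so.3
usr/lib/libssl.so.3
etc/pki/tls/openssl.cnf'

# Run the check against a listing held in a string (quiet variant).
listing_has_crypto_libs() {
  printf '%s\n' "$1" | has_crypto_libs >/dev/null
}

# Typical use against a real image:
#   image_file_list "$MARINER_DISTROLESS_IMG" | has_crypto_libs || echo "missing crypto libs"
```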
