Blog - Aneo

Why ArmoniK Switched to Azure Linux Distroless .NET images

Written by Nicolas DREYFUS-LAQUIEZE | 03 March 2026

In high-stakes industries such as investment banking, nuclear energy and large-scale scientific computing, the reliable and secure execution of high-performance computing (HPC) workloads is essential. ArmoniK, a distributed task orchestrator, is designed to meet these demands by enabling scalable, fault-tolerant and secure execution of HPC tasks across diverse environments. Whether processing large datasets, managing complex computational workflows, or ensuring data integrity, ArmoniK provides the necessary tools and infrastructure to support these demanding applications.

To deploy ArmoniK securely and efficiently, we rely on Docker containers, which provide a consistent and isolated environment for running its components. However, the initial Linux-based Docker images used for ArmoniK presented several challenges: a large image size, security vulnerabilities inherited from shipping a full operating system, and performance issues due to unnecessary components included in the images. To address these challenges, we decided to migrate from traditional Linux-based Docker images to lighter images, namely Azure Linux Distroless images for .NET applications.

Implementation of our solution

While exploring options to optimize our Docker images, we came across the concept of "Chiseled" images, which are used to create minimalistic container images for .NET applications. Chiseled images are designed to be lightweight and secure because many components that are typically included in standard Linux images are removed. However, one significant challenge we faced with Chiseled images was the presence of persistent vulnerabilities (CVEs). Despite their reduced size, Chiseled images contained CVEs related to the underlying operating system components that were still present in the image. This posed a security risk, especially in sensitive environments like the banking and nuclear industries. That is why we decided not to pick Chiseled images for our ArmoniK deployment.

Note: Chiseled images are built on top of Ubuntu base images, which means they inherit vulnerabilities from the underlying operating system. This can be a concern for security-conscious applications, as vulnerabilities in the base image can potentially be exploited. They also include the .NET runtime and critical dependencies. They present a smaller footprint compared to traditional images. Chiseled Ubuntu and .NET reduced 100MB off the official .NET containers, with base images for self-contained .NET applications weighing in at less than 6MB compressed. This achievement rivals Alpine, Busybox, and Distroless images while offering a rich-to-lean, seamless development-to-production experience. (source). For more information about dotnet chiseled images, you can refer to this documentation post.

Another solution was to use Azure Linux Distroless images. Azure Linux is a Linux distribution for Microsoft's cloud infrastructure and edge products and services, designed to provide a consistent platform for these devices and services. Distroless containers contain only the minimal set of packages your application needs, with anything extra removed (e.g. package manager, libraries and shell). Both Qualys and Trivy support vulnerability scanning for Azure Linux distroless containers.

Due to their limited set of packages, distroless containers have a minimized security attack surface as well as reduced noise from vulnerability scanners. This generally translates to a reduced overhead of patching vulnerabilities, allowing developers to focus on building their application. Lastly, the smaller size provides higher performance. (source)
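
As an added illustration (not ArmoniK's own build file), a multi-stage build that compiles in the full SDK image and ships only the published output on the distroless runtime image could look like this. The project name MyService and its paths are hypothetical.

```dockerfile
# Added example, not ArmoniK's build file. "MyService" and its paths are hypothetical.

# Build stage: full SDK image with shell and package tooling; never shipped.
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src

# Restore first so this layer stays cached until the project file changes.
COPY MyService/MyService.csproj MyService/
RUN dotnet restore MyService/MyService.csproj

COPY MyService/ MyService/
RUN dotnet publish MyService/MyService.csproj -c Release -o /app/publish --no-restore

# Runtime stage: distroless image with no shell and no package manager.
FROM mcr.microsoft.com/dotnet/aspnet:8.0-azurelinux3.0-distroless AS final
WORKDIR /app

# No RUN instructions in this stage: there is no /bin/sh to execute them.
# Anything the app needs (files, permissions) must be prepared in the build stage.
COPY --from=build /app/publish .

# The .NET 8 images listen on 8080 by default, a port a non-root user can bind.
EXPOSE 8080

# Run as the non-root user defined by the .NET 8 images.
USER $APP_UID

# Exec form is required: shell form ("ENTRYPOINT dotnet ...") would need /bin/sh.
ENTRYPOINT ["dotnet", "MyService.dll"]
```

Because the final image contains no shell binary, `docker exec <container> sh` fails on a container built this way, so troubleshooting has to rely on application logs rather than an interactive session inside the image.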

Advantages of using Azure Linux Distroless images

Reduced image size

Distroless images are significantly smaller than traditional Linux images. Traditional images include a full operating system, while Distroless images only include the necessary components to run the application. This results in smaller image sizes, which leads to faster download times and reduced storage requirements. Here is a comparison of the sizes of a traditional .NET image and an Azure Linux Distroless image:

Image | Size | Reduction
mcr.microsoft.com/dotnet/aspnet:8.0 | ~200 MB | -
mcr.microsoft.com/dotnet/aspnet:8.0-azurelinux3.0-distroless | ~50 MB | 75%

There are three images available for Azure Linux Distroless:

Thus, by choosing the appropriate image, our Docker containers have been optimized for size while still providing the necessary functionality for running .NET applications. That also means that ArmoniK can be deployed for the banking or nuclear industry more efficiently, with reduced bandwidth usage and faster startup times.

Improved security

Distroless images have a smaller attack surface compared to traditional Linux images. Because unnecessary components are removed and the number of packages in the image is reduced, as we've seen previously, there are fewer potential vulnerabilities that can be exploited by attackers. The absence of a package manager and shell also makes it more difficult for attackers to gain access to the container and execute malicious commands. They would not be able to type in any potentially harmful commands to exploit vulnerabilities in the container, as there is no shell available.

In the context of the rise of cyber attacks, especially in the banking industry (source), using Distroless images helps reduce the risk of security breaches and can remove a potential access point for attackers.

Better performance

Distroless images offer much better performance because they are designed to be lightweight and optimized for running specific applications. Removing the unnecessary components that were included in the previous Linux images results in:

  • Reduced pull times: Distroless images are significantly smaller in size compared to traditional images. This reduces network bandwidth usage when pulling images from a registry, which is critical in:
    • CI/CD pipelines where images are frequently pulled.
    • Large-scale deployments where many instances of a container need to be started simultaneously.
    • Serverless environments (AWS Lambda, for example), where there is a cold-start scenario.
    • Cloud platforms with per-second billing (AWS Fargate), where faster pulls and starts lower compute costs by reducing billed startup time.
  • Reduced storage footprint: Smaller images take up less disk space on container hosts (instances). This is particularly important in:
    • Resource-constrained environments, such as IoT devices.
    • High-density container deployments, where dozens of different images might coexist on the same host.

      Example: A host running 50 distroless containers (50 MB each) uses approximately 2.5 GB of disk space vs. approximately 10 GB for traditional images (200 MB each).

  • Faster startup times: With fewer components to load, containers based on Distroless images can start up more quickly. This translates to:
    • Cost savings in cloud environments where billing is based on usage time.

Conclusion

By migrating to Azure Linux Distroless images for .NET applications, ArmoniK has successfully optimized its Docker images for size and security. This transition not only enhances the efficiency of ArmoniK's deployment but also aligns with our commitment to providing secure and reliable solutions for high-performance computing workloads in sensitive industries.
