Managed base images are base container images that are automatically patched by Google for security vulnerabilities, using the most recent patches available from the project upstream (for example, GitHub). These images are available for any GCP customer.
This document describes managed container images and how they're maintained.
For information about the license that applies to managed base images, refer to the managed base images LICENSE file.
Container images and operating systems
When you deploy a container, you choose two separate operating systems and images:
The operating system on which you run your container.
The operating system used for your container itself.
Your container image is built by taking an operating system base image, and adding the packages, libraries, and binaries needed for your application.
How managed base images are maintained
Google maintains base images for building its own applications, including Google Cloud services like Google App Engine.
Managed base images have security properties which can make them desirable for some uses:
They're regularly scanned for known vulnerabilities, from the CVE database.
This scan uses the same functionality as Container Registry Vulnerability Scanning. When a patch is available for a found vulnerability, Google applies that patch.
They're built reproducibly, so there is a verifiable path from the source code to the binary.
You can verify the image by comparing it to the GitHub source, ensuring that the build has not introduced any flaws.
They're stored on Google Cloud, so you can pull these directly from your environment without having to traverse networks.
You can pull these images using Private Google Access. You can of course still use them outside of Google Cloud.
Available container images
Managed base images are available in GCP Marketplace.
Managed base images are available for the following OS distributions:
|OS||Source||Repository path||GCP Marketplace listing|
|Debian 9 "Stretch"||GitHub||
|Debian 10 "Buster"||GitHub||
Operating system lifecycle and support policy
Support for managed base images is subject to the lifecycles of the corresponding OS distributions. Unless otherwise noted, Google publishes updated images at least monthly. Published updates include security updates and other updates installed for operating system versions that are in the mainstream support stage of their lifecycles.
When an operating system version enters its extended lifecycle stage, Google no longer provides updated images. Google generally does not backport new features to these versions in the extended lifecycle stage or past the extended lifecycle.
If managed base images aren't for you, there are suitable alternatives:
Distroless images are minimal, language-focused images.
Check them out on GitHub.
Cached images are frequently requested Docker Hub images stored on
mirror.gcr.io. If you configure your Docker daemon to use cached images, your client always checks for a cached copy of a Docker Hub image before attempting to pull it directly from Docker Hub.
Learn more about pulling cached images.
For more ways to protect your software supply chain, including image validation, see Help secure software supply chains on Google Kubernetes Engine.