Minimizing Attack Surface in Container Images via Chrooted Runtime Composition

With multi-stage Dockerfiles, commonly used for distroless container images, some interesting challenges arise in the process of building an image. Here is a typical example of a Dockerfile installing