Docker: Move to distroless Debian (#661)

Author: Proximyst

.dockerignore

@@ -11,7 +11,6 @@ scripts
 .prettierrc.json
 dev.json
 Dockerfile
-debian.Dockerfile
 Makefile
 plugin_start*
 tslint.json

CHANGELOG.md

@@ -1,4 +1,4 @@
-## Unreleased (4.0.0)
+## 4.0.0 (2025-07-22)
 
 - Build: Update all dependencies, [#663](https://github.com/grafana/grafana-image-renderer/pull/663), [Proximyst](https://github.com/Proximyst)
 - Docker: Update Chromium (CVE-2025-6558, CVE-2025-7656, CVE-2025-7657), [#667](https://github.com/grafana/grafana-image-renderer/pull/667), [Proximyst](https://github.com/Proximyst)
@@ -11,6 +11,9 @@ Breaking changes:
 - Plugin: Update minimum Grafana version to 11.3.8, [#663](https://github.com/grafana/grafana-image-renderer/pull/663), [Proximyst](https://github.com/Proximyst)
   - If you use any Grafana version newer than 11.3.8 (incl. 11.4.x, 11.5.x, 11.6.x, 12.x), you will not have to do anything.
   - If you are not in that group, you must update Grafana before updating.
+- Docker: Move to distroless Debian, [#661](https://github.com/grafana/grafana-image-renderer/pull/661), [Proximyst](https://github.com/Proximyst)
+  - In practice, this SHOULD come with no changes for most users.
+  - If you are building a new Docker image on top of us, you will have to adapt to distroless Debian instead of Alpine.
 
 ## 3.12.9 (2025-07-01)
 

Dockerfile

@@ -1,70 +1,59 @@
-# Base stage
-FROM node:22-alpine AS base
+FROM debian:12-slim AS debian-updated
 
-ENV CHROME_BIN="/usr/bin/chromium-browser"
-ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD="true"
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
+# If we ever need to bust the cache, just change the date here.
+# While we don't cache anything in Drone, that might not be true when we migrate to GitHub Actions where some action might automatically enable layer caching.
+# This is fine, but is terrible in situations where we want to _force_ an update of a package.
+RUN echo 'cachebuster 2025-07-16' && apt-get update
 
-# Folder used by puppeteer to write temporal files
-ENV XDG_CONFIG_HOME=/tmp/.chromium
-ENV XDG_CACHE_HOME=/tmp/.chromium
+FROM debian-updated AS debs
 
-WORKDIR /usr/src/app
+RUN apt-cache depends chromium chromium-driver chromium-shell chromium-sandbox font-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst fonts-freefont-ttf libxss1 unifont fonts-open-sans fonts-roboto fonts-inter bash busybox util-linux openssl \
+    --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
+RUN mkdir /dpkg && \
+    find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
 
-# We use edge for Chromium to get the latest release.
-RUN apk --no-cache upgrade && \
-    apk add --no-cache udev ttf-opensans unifont ca-certificates dumb-init && \
-    apk add --no-cache 'chromium>=138.0.7204.157' 'chromium-swiftshader>=138.0.7204.157' --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community && \
-    # Remove NPM-related files and directories
-    rm -rf /usr/local/lib/node_modules/npm && \
-    rm -rf /usr/local/bin/npm && \
-    rm -rf /usr/local/bin/npx && \
-    rm -rf /root/.npm && \
-    rm -rf /root/.node-gyp && \
-    # Clean up
-    rm -rf /tmp/*
+FROM debian:testing-slim AS ca-certs
 
-# Build stage
-FROM base AS build
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
+RUN update-ca-certificates --fresh
 
+FROM node:22-alpine AS build
+
+WORKDIR /src
 COPY . ./
 
 RUN yarn install --pure-lockfile
 RUN yarn run build
+RUN rm -rf node_modules/ && yarn install --pure-lockfile --production
 
-# Production dependencies stage
-FROM base AS prod-dependencies
-
-COPY package.json yarn.lock ./
-RUN yarn install --pure-lockfile --production
-
-# Final stage
-FROM base
+FROM gcr.io/distroless/nodejs22-debian12:nonroot
 
 LABEL maintainer="Grafana team <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/grafana/grafana-image-renderer/tree/master/Dockerfile"
 
-ARG GF_UID="472"
-ARG GF_GID="472"
-ENV GF_PATHS_HOME="/usr/src/app"
-
-WORKDIR $GF_PATHS_HOME
+COPY --from=debs /dpkg /
+COPY --from=ca-certs /etc/ssl/certs /etc/ssl/certs
 
-RUN addgroup -S -g $GF_GID grafana && \
-    adduser -S -u $GF_UID -G grafana grafana && \
-    mkdir -p "$GF_PATHS_HOME" && \
-    chown -R grafana:grafana "$GF_PATHS_HOME"
+USER root
+SHELL ["/bin/busybox", "sh", "-c"]
+RUN /bin/busybox --install
+# Verify that the browser was actually installed.
+RUN /usr/bin/chromium --version
+RUN fc-cache -fr
+USER nonroot
 
+ENV CHROME_BIN="/usr/bin/chromium"
+ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD="true"
 ENV NODE_ENV=production
 
-COPY --from=prod-dependencies /usr/src/app/node_modules node_modules
-COPY --from=build /usr/src/app/build build
-COPY --from=build /usr/src/app/proto proto
-COPY --from=build /usr/src/app/default.json config.json
-COPY --from=build /usr/src/app/plugin.json plugin.json
+COPY --from=build /src/node_modules node_modules
+COPY --from=build /src/build build
+COPY --from=build /src/proto proto
+COPY --from=build /src/default.json config.json
+COPY --from=build /src/plugin.json plugin.json
 
 EXPOSE 8081
 
-USER grafana
-
-ENTRYPOINT ["dumb-init", "--"]
-CMD ["node", "build/app.js", "server", "--config=config.json"]
+CMD ["build/app.js", "server", "--config=config.json"]

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all clean deps build clean_package package archive build_package docker-alpine docker-debian
+.PHONY: all clean deps build clean_package package archive build_package docker
 
 ARCH = darwin-x64-unknown
 SKIP_CHROMIUM =
@@ -30,12 +30,9 @@ archive:
 
 build_package: clean clean_package build package archive
 
-docker-alpine:
+docker:
 	docker build -t grafana/grafana-image-renderer:${DOCKER_TAG} .
 
-docker-debian:
-	docker build -t grafana/grafana-image-renderer:${DOCKER_TAG}-debian -f debian.Dockerfile .
-
 # This repository's configuration is protected (https://readme.drone.io/signature/).
 # Use this make target to regenerate the configuration YAML files when
 # you modify starlark files.

README.md

@@ -33,9 +33,11 @@ You can install the plugin using Grafana CLI (recommended way) or with Grafana D
 ### Grafana CLI (recommended)
 
 ```bash
-grafana-cli plugins install grafana-image-renderer
+grafana cli plugins install grafana-image-renderer
 ```
 
+Please run this as the same user that Grafana runs as.
+
 ### Grafana Docker image
 
 This plugin is not compatible with the current Grafana Docker image and requires additional system-level dependencies. We recommend setting up another Docker container for rendering and using remote rendering instead. For instruction, refer to [Run in Docker](#run-in-docker).
@@ -134,4 +136,4 @@ For available configuration settings, please refer to [Grafana Image Rendering d
 ## Troubleshooting
 
 For troubleshooting help, refer to
-[Grafana Image Rendering troubleshooting documentation](https://grafana.com/docs/grafana/latest/image-rendering/troubleshooting/).
+[Grafana Image Rendering troubleshooting documentation](https://grafana.com/docs/grafana/latest/image-rendering/troubleshooting/).

debian.Dockerfile

@@ -0,0 +1,18 @@
+services:
+  grafana:
+    image: grafana/grafana-enterprise:latest
+    ports:
+      - 3000:3000
+    environment:
+      GF_RENDERING_SERVER_URL: http://renderer:8081/render
+      GF_RENDERING_CALLBACK_URL: http://grafana:3000/
+      GF_LOG_FILTERS: rendering:debug
+
+  renderer:
+    build:
+      context: ../../../
+      dockerfile: Dockerfile
+    ports:
+      - 8081
+    environment:
+      ENABLE_METRICS: 'true'

devenv/docker/enterprise-build/docker-compose.yaml

@@ -25,7 +25,7 @@
       }
     ],
     "version": "4.0.0",
-    "updated": "2025-07-01"
+    "updated": "2025-07-22"
   },
   "dependencies": {
     "grafanaDependency": ">=11.3.8"

plugin.json

@@ -131,6 +131,7 @@ export class HttpServer {
 
       try {
         const browserVersion = await this.browser.getBrowserVersion();
+        this.log.info('Browser version', 'version', browserVersion);
         browserInfo.labels(browserVersion).set(1);
       } catch {
         this.log.error('Failed to get browser version');

src/service/http-server.ts

@@ -1,6 +1,6 @@
 import promBundle from 'express-prom-bundle';
 import * as promClient from 'prom-client';
-import * as onFinished from 'on-finished';
+import onFinished from 'on-finished';
 import { Express } from 'express';
 
 import { MetricsConfig } from './config';