this post was submitted on 08 Nov 2023
4 points (61.1% liked)

Linux

48143 readers
760 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Title. Just wondering if I did something bad/terrible with it. Link is @ title. Check the image tag @ its repo to see how it was built. And before someone asks... the Docker lemmy community is really dead so I had to resort to you guys. Sorry, I guess.

And thanks in advance.

all 10 comments
sorted by: hot top controversial new old
[–] alt@lemmy.ml 3 points 1 year ago (1 children)

From a comment of yours;

Eh…just trying to learn some new things regarding common “dockerization”-related things, and improving its security.

If the end-goal is not learning but having an as secure container as possible, then consider Wolfi; this is a good read. If you're interested to know its current vulnerabilities, so that you can work on resolving those; then consider Trivy as it is -to my knowledge- the industry-standard for this specific use-case.

[–] GustavoM@lemmy.world 3 points 1 year ago

If the end-goal is not learning but having an as secure container as possible

It's actually both -- there is always something new to learn, after all. And thanks for these tips, I'll read em right now.

[–] dallen@programming.dev 2 points 1 year ago (1 children)

Am I understanding correctly that you are building the image by copying in key elements from the host machine’s functioning nginx installation?

This is creative but not common approach to docker.

Normally software is installed following the officially documented procedure (imagine installing using apt or a shell script via RUN). Sometimes software documentation has specific recommendations to follow for containerized installs.

It’s common to have the version defined as a variable where a change in value invalidates the docker layer cache. To me it’s unclear how caching would work with your dockerfile, for example, in the event of a upgrade. You could also see how a breaking change (such as one in the paths you are copying) could run into issues with your hardcoded approach.

In the case of software like nginx, I would use the official image, mount config/cert files instead of copying, and extend in my own dockerfile if needed.

[–] GustavoM@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (1 children)

copying in key elements from the host machine

Not from the host machine, but from the official nginx image ( nginx:mainline-alpine3.18-slim ). And what it (basically) does is separate the essential commands/files inside a scratch image and gives every command a custom username tag.

Still, I appreciate your input.

[–] lidstah@lemmy.sdf.org 2 points 1 year ago* (last edited 1 year ago) (1 children)

A bit late but you might want to have a look at docker multi-stage build documentation which does exactly what you did (start from a base image then copying stuff from it to your own image), something like that:

FROM someimage:sometag AS build
[do stuff]
FROM minimalimage:someothertag
COPY --from=build /some/file /some/other/file
[and so on]
USER somebody
CMD ["/path/somecommand"]

Which will simplify building new images against newer "build" image newer tags easier.

btw, you were quite creative on this one! You also might want to have a look at the distroless image, the goal being to only have the bare minimum to run your application in the image: your executable and its runtime dependencies.

[–] GustavoM@lemmy.world 2 points 1 year ago (1 children)

Now you've confused me a little bit -- is there any difference between a scratch and a distroless image? Aren't they (technically) the same thing?

That aside, thank you for your input and compliment.

[–] lidstah@lemmy.sdf.org 2 points 1 year ago (1 children)

You're welcome! scratch and distroless are indeed basically the same thing, scratch being the 'official' docker minimal image while distroless is from google - as I'm more a Kubernetes user (at home and at work) than a Docker user, I tend to think about distroless first :) - my apologies if my comment was a bit confusing on this matter.

By the way, have fun experimenting with docker (or podman), it's interesting, widely used both in selfhosting and professional environments, and it's a great learning experience - and a good way to pass time during these long winter evenings :)

[–] GustavoM@lemmy.world 2 points 1 year ago

Oh, I see. Thanks for clarifying. And I've got to admit that "dockerizing" everything is a fun process indeed. :P