How bad/terrible is this docker image? (Click here to see it.)
How bad/terrible is this docker image? (Click here to see it.)
Title. Just wondering if I did something bad/terrible with it. Link is @ title. Check the image tag @ its repo to see how it was built. And before someone asks... the Docker lemmy community is really dead so I had to resort to you guys. Sorry, I guess.
And thanks in advance.
From a comment of yours;
Eh…just trying to learn some new things regarding common “dockerization”-related things, and improving its security.
If the end-goal is not learning but having an as secure container as possible, then consider Wolfi; this is a good read. If you're interested to know its current vulnerabilities, so that you can work on resolving those; then consider Trivy as it is -to my knowledge- the industry-standard for this specific use-case.
If the end-goal is not learning but having an as secure container as possible
It's actually both -- there is always something new to learn, after all. And thanks for these tips, I'll read em right now.
Am I understanding correctly that you are building the image by copying in key elements from the host machine’s functioning nginx installation?
This is creative but not common approach to docker.
Normally software is installed following the officially documented procedure (imagine installing using apt or a shell script via RUN). Sometimes software documentation has specific recommendations to follow for containerized installs.
It’s common to have the version defined as a variable where a change in value invalidates the docker layer cache. To me it’s unclear how caching would work with your dockerfile, for example, in the event of a upgrade. You could also see how a breaking change (such as one in the paths you are copying) could run into issues with your hardcoded approach.
In the case of software like nginx, I would use the official image, mount config/cert files instead of copying, and extend in my own dockerfile if needed.
copying in key elements from the host machine
Not from the host machine, but from the official nginx image ( nginx:mainline-alpine3.18-slim ). And what it (basically) does is separate the essential commands/files inside a scratch image and gives every command a custom username tag.
Still, I appreciate your input.
A bit late but you might want to have a look at docker multi-stage build documentation which does exactly what you did (start from a base image then copying stuff from it to your own image), something like that:
FROM someimage:sometag AS build [do stuff] FROM minimalimage:someothertag COPY --from=build /some/file /some/other/file [and so on] USER somebody CMD ["/path/somecommand"]Which will simplify building new images against newer "build" image newer tags easier.
btw, you were quite creative on this one! You also might want to have a look at the distroless image, the goal being to only have the bare minimum to run your application in the image: your executable and its runtime dependencies.
Permanently Deleted
Eh...just trying to learn some new things regarding common "dockerization"-related things, and improving its security.