
feat: Improve Docker build #3682

Merged: 4 commits, Mar 2, 2024

Conversation

reneleonhardt
Contributor

@reneleonhardt reneleonhardt commented Oct 29, 2023

  • Run binaries as unprivileged user to improve security
  • Copy whole timezone database to allow setting TZ env variable
  • docker run kevinwan/goctl --help instead of docker run kevinwan/goctl goctl --help
  • Remove files from Docker build context not needed for the resulting image
  • Let Dependabot update Docker images and GitHub Actions

@kevwan kevwan self-assigned this Oct 30, 2023
@kevwan kevwan added the area/goctl Categorizes issue or PR as related to goctl. label Oct 30, 2023
@kevwan
Contributor

kevwan commented Nov 3, 2023

It's in a docker image, not requiring the root privilege on the host. I don't think there are problems. Would you please explain more on this?

@reneleonhardt
Contributor Author

If it's not needed, why run as root with all its special permissions and widen your attack surface intentionally? 😉
Maybe looking at Kubernetes makes it clearer, for example in my current project we are not allowed anymore to run root images on AWS, starting from static linters like hadolint and kube-linter to in-cluster linters like kyverno:
https://www.atatus.com/blog/rootless-containers-guide/
https://github.com/moby/buildkit/blob/master/examples/kubernetes/pod.rootless.yaml
hadolint/hadolint#184
https://github.com/hadolint/hadolint/wiki/DL3002
https://github.com/stackrox/kube-linter
https://docs.kubelinter.io/#/generated/checks?id=run-as-non-root
https://kyverno.io/policies/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot/
https://kyverno.io/policies/other/rec-req/require-non-root-groups/require-non-root-groups/

Calling goctl was "duplicated" for Docker users.
Old:
docker run kevinwan/goctl goctl --help
New:
docker run kevinwan/goctl --help

The image contains only a single tool from the user's point of view, so a Docker user expects to just run the image, and not call a binary in addition.
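As an added example (not the project's own Dockerfile and not part of this PR), here is a multi-stage Dockerfile that puts the points from the description and the reply above into practice: an unprivileged numeric user instead of root, the whole timezone database copied in so `TZ` resolves, and an exec-form `ENTRYPOINT` so the image behaves as the tool itself. The module path `./tools/goctl`, the base image tags, the uid/gid `65532` and the assumption that the binary is static and needs no other tools at runtime are all assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. Module path, build target,
# image tags and uid are assumptions; the pattern is what matters.

# --- build stage: compile a static binary -----------------------------------
FROM golang:1.22-alpine AS build
# tzdata is installed here only so the full zoneinfo tree can be copied below;
# ca-certificates likewise, in case the tool makes outbound TLS calls
RUN apk add --no-cache tzdata ca-certificates
WORKDIR /src
# Module files first, so dependency download is cached independently of source edits
COPY go.mod go.sum ./
RUN go mod download
# Everything else; a .dockerignore (tests, docs, .git, CI config) keeps the
# build context down to what the resulting image actually needs
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/goctl ./tools/goctl

# --- runtime stage: nothing but the binary, certs and timezone data ----------
FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Whole timezone database, so `docker run -e TZ=Asia/Shanghai ...` resolves any zone
COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=build /out/goctl /usr/local/bin/goctl

# Weak form (what hadolint DL3002 and kube-linter run-as-non-root flag):
# no USER instruction at all, so the process runs as uid 0.
# Hardened form: a non-zero numeric uid:gid. Numeric matters on scratch, which
# has no /etc/passwd to resolve a name, and lets a Kubernetes runAsNonRoot
# check succeed without the kubelet having to look the user up in the image.
USER 65532:65532

# Exec-form ENTRYPOINT makes the image *be* the tool: whatever follows the
# image name on `docker run` is appended, so
#   docker run kevinwan/goctl --help
# runs `goctl --help` without the user repeating the binary name.
ENTRYPOINT ["/usr/local/bin/goctl"]
# Default arguments when none are given; replaced by anything after the image name
CMD ["--help"]
```

A quick check after building is `docker inspect --format '{{.Config.User}}' <image>`, which should print `65532:65532` rather than an empty string; an empty value is exactly what the linters cited above treat as "runs as root".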
* Avoid running into YAML issues before upgrading from go1.19 to 1.20 (must be quoted, otherwise it would become 1.2)
* Let Dependabot update Docker images and GitHub Actions
@kevwan kevwan added this pull request to the merge queue Mar 2, 2024
Merged via the queue into zeromicro:master with commit b53ba76 Mar 2, 2024
6 checks passed