Che dockerfiles extended with security in mind.
This repo is divided into two directories:
./recipes/context
contains a shared build context for all docker images (e.g. theentrypoint.sh
script, and helpful scripts that are used in building dependencies within images)./recipes/dockerfiles
contains subdirectories for each docker image.
As a result, to build an image locally, it is necessary to set the build context to ./recipes
and explicitly specify the dockerfile being built. E.g. from the root of the repo
docker build \
-t spring-boot:local \
-f ./recipes/dockerfiles/spring-boot/Dockerfile \
./recipes/
The scripts in ./recipes/context
are, in short:
entrypoint.sh
is a shared entrypoint for most of the dockerfilesgeneral-deps.install <OPENSHIFT_VERSION> [<JAVA_VERSION>]
is a script that stores dependencies for running on osio and is generally run in every (applicable) docker image. All non-temporary dependencies should be included here.grant-access-arbitirary-UID.sh
allows arbitrary users to access the/home/user
,/etc/passwd
,/etc/group
, and/projects
directoriesnodejs.install
is responsible for installing nodejs.nss_wrapper.install
is responsible for installing nss_wrapper.
The CI build pushes artifacts to dockerhub and quay.io. For automatic builds to succeed, repositories should be created on quay.io beforehand, one for each dockerfile.
Repository names come directly from folder names in ./recipes/dockerfiles
, with che-
prepended (e.g. che-centos_jdk8
). The process for creating new repos on quay.io is documented here and must be done for any new dockerimages added to this repo.