
build/contrib: Improve docker support. #2740

Merged
merged 1 commit into from Sep 18, 2021

@davecgh davecgh commented Sep 8, 2021

This significantly reworks the docker support to build a lightweight non-root distroless container image based on scratch. It employs a multi-stage build that downloads and builds the latest source code, compresses the resulting binaries, and then produces the final image based on scratch that only includes the Decred-specific binaries.

It must be noted that there are some still remaining TODO items in the documentation as well as the Dockerfile that will need to be handled by a future commit, but the changes are being submitted now to serve as a solid base for another contributor to finish up those aspects.

The new final image is only 10.2MB as compared to the existing version which is nearly 1GB.

The following is an overview of the changes:

  • Removes existing Dockerfile and Dockerfile.alpine
  • Introduces a new Dockerfile under contrib/docker with the following properties:
    • Runs as a non-root user
    • Uses a static UID:GID of 10000:10000
      • Note that using UIDs/GIDs below 10000 for container users is a security risk on several systems since a hypothetical attack which allows escalation outside of the container might otherwise coincide with an existing user's UID or existing group's GID which has additional permissions
    • The image is based on scratch image (aka completely empty) and only includes the Decred-specific binaries which means there is no shell or any other binaries available if an attacker were to somehow manage to find a remote execution vulnerability exploit in a Decred binary
  • Introduces code to build an entrypoint for the image since it is based on scratch and thus has no shell for that purpose
  • Adds contrib/docker/README.md
  • Updates README.md in the main directory to account for changes
    • There is still outstanding work to be done here and thus has several TODOs
  • Updates contrib/README.md to call out the new addition

This is work towards #2737.
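The properties listed above (multi-stage build, static binaries, a scratch base, a fixed non-root 10000:10000 user and a compiled entrypoint in place of a shell) as an added illustrative Dockerfile. This is not the Dockerfile from the PR; the clone URL, the package paths for dcrd and dcrctl, the entrypoint source location and the /data directory are assumptions, and the binary compression step the PR mentions is left out because the page does not name the tool.

```dockerfile
# Stage 1: build static binaries with a pinned Go toolchain.
FROM golang:1.17.1 AS builder

# Hypothetical build arguments; the real Dockerfile may expose different ones.
ARG DCRD_REPO=https://github.com/decred/dcrd.git
ARG DCRD_REF=master

WORKDIR /src
RUN git clone --depth 1 --branch "${DCRD_REF}" "${DCRD_REPO}" .

# CGO off: the binaries carry no libc dependency, so they run on scratch.
# -trimpath and -s -w drop build paths and symbol tables from the output.
ENV CGO_ENABLED=0 GOOS=linux
RUN go build -trimpath -ldflags="-s -w" -o /out/dcrd . \
 && go build -trimpath -ldflags="-s -w" -o /out/dcrctl ./cmd/dcrctl

# The final image has no /bin/sh, so the entrypoint is a compiled Go program
# (assumed to live at contrib/docker/entrypoint.go in the build context).
COPY entrypoint.go /entrypoint/main.go
RUN cd /entrypoint && go mod init entrypoint \
 && go build -trimpath -ldflags="-s -w" -o /out/entrypoint .

# An empty data directory pre-owned by the container user, created here
# because scratch has no mkdir or chown to run later.
RUN mkdir -p /data && chown 10000:10000 /data

# Stage 2: the shipped image contains only what is copied in below.
FROM scratch

COPY --from=builder /out/dcrd /out/dcrctl /out/entrypoint /bin/
# CA roots so outbound TLS can be verified (assumed to be wanted).
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder --chown=10000:10000 /data /data

# Numeric UID:GID works without /etc/passwd. Staying at or above 10000
# avoids lining up with a privileged host account should a container
# escape ever occur.
USER 10000:10000
VOLUME ["/data"]

# Exec form is required: there is no shell to interpret a string form.
ENTRYPOINT ["/bin/entrypoint"]
```

Because the image has no shell, `docker exec` into a running container is not possible; diagnostics go through dcrctl or the log output instead.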

@davecgh davecgh force-pushed the contrib_docker branch 2 times, most recently from efcd672 to a4d793c Compare September 10, 2021 06:46
davecgh commented Sep 10, 2021

Updated for go1.17.1.

@davecgh davecgh force-pushed the contrib_docker branch 2 times, most recently from a1daa6a to 0f4754d Compare September 17, 2021 16:48
This significantly reworks the docker support to build a
lightweight non-root distroless container image based on scratch.  It
employs a multi-stage build that downloads and builds the latest source
code, compresses the resulting binaries, and then produces the final
image based on scratch that only includes the Decred-specific binaries.

It must be noted that there are some still remaining TODO items in the
documentation as well as the Dockerfile that will need to be handled by
a future commit, but the changes are being submitted now to allow
another contributor to finish up those aspects.

The following is an overview of the changes:

- Removes existing Dockerfile and Dockerfile.alpine
- Introduces a new Dockerfile under contrib/docker with the following
  properties:
  - Runs as a non-root user
  - Uses a static UID:GID of 10000:10000
    - Note that using UIDs/GIDs below 10000 for container users is a
      security risk on several systems since a hypothetical attack which
      allows escalation outside of the container might otherwise
      coincide with an existing user's UID or existing group's GID which
      has additional permissions
  - The image is based on scratch image (aka completely empty) and only
    includes the Decred-specific binaries which means there is no shell
    or any other binaries available if an attacker were to somehow
    manage to find a remote execution vulnerability exploit in a Decred
    binary
- Introduces code to build an entrypoint for the image since it is based
  on scratch and thus has no shell for that purpose
- Adds contrib/docker/README.md
- Updates README.md in the main directory to account for changes
  - There is still outstanding work to be done here and thus has several
    TODOs
- Updates contrib/README.md to call out the new addition
@davecgh davecgh added this to the 1.7.0 milestone Sep 18, 2021
@davecgh davecgh merged commit 563e890 into decred:master Sep 18, 2021
@davecgh davecgh deleted the contrib_docker branch September 18, 2021 18:25