Add API-Firewall official image #11100
Conversation
|
|
Documentation PR at docker-library/docs#2074 |
|
Hi Docker team! Could you please advise us on how to meet this requirement?
|
|
@tianon, could you please have a look? |
|
API firewall got 1B (!!!) docker pulls. But it's not an official image yet. |
|
Sorry for the delay 😩 🙇 I guess my first question is whether API Firewall is free/open source software (https://github.com/docker-library/official-images#what-are-official-images)? From what I can tell/find, it appears to be freely available, but not open source? |
|
Hi Tianon,
Thank you for your response!
API firewall is completely free software and we have a plan to release it
as an open-source next year.
…On Wed, Dec 8, 2021 at 1:51 PM Tianon Gravi ***@***.***> wrote:
Sorry for the delay 😩 🙇
I guess my first question is whether API Firewall is free/open source
software (
https://github.com/docker-library/official-images#what-are-official-images
)?
From what I can tell/find, it appears to be freely available, but not open
source?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#11100 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB5MMRV5VTK563T2MLMVEB3UP7HPZANCNFSM5F53IEVQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
--
Ivan Novikov
Wallarm, CEO
+1.650.454.9339
|
|
Happy New Year! Our pull request survived through 3 seasons on a Planet Earth in 3 months already. |
|
Indeed, apologies 🙇 Unfortunately, we've had to enforce a harder line on the Open Source qualification than we've done in the past, so in its current form, I don't think API Firewall is something we can accept in this program, but I think we should revisit as soon as you've got it open sourced! |
|
Does it mean that you will drop all the previously approved images from the registry? |
|
To be clear, I'm only talking about images that are part of the "Official Images" program, ala images accepted into https://github.com/docker-library/official-images -- this does not apply to images on Docker Hub at large. For existing images which have been accepted here already which don't meet that requirement (of which there are only a handful), that's going to be a conversation between the image maintainers and Docker Inc (and unfortunately I can't comment much further than that on those). |
|
But it was not there when we applied this request. It technically means that we are in the same position as other non-OSS projects approved before. We spent a lot of time on this project to drop the ball now after 3 months of the review. |
|
@tianon we released the API firewall to OSS completely https://github.com/wallarm/api-firewall. Please proceed with the official repository. |
|
@tianon please check our project. The PR became huge after releasing the source code and we fixed it by moving from Docker file to docker-entrypoint.sh The pipeline should be good now, please recheck manually. |
|
Unfortunately having the What we suggest instead is creating a separate repository to hold the "packaging", especially since you might have, for example, changes to make to the |
|
Do you have any examples of such projects with separate repositories for packaging? |
|
I would suggest that Conceptually, I would expect to see something like, If you want an example that's similar but much simpler than the |
Thank you! It seems like we got it. |
|
@tianon we passed all the checks. Please approve pull request |
|
Thanks for the update! Overall, this looks much better, and is really close. I've got two very minor comments -- the first is just a suggestion for improvement, but the second is something that'll need to be fixed before we merge: +ENV APIFIREWALL_VERSION v0.6.7
+
+ENV APIFW_PATH /opt/api-firewall
+ENV PATH $APIFW_PATH:$PATH
+
+RUN set -eux; \
+ adduser -u 1000 -H -h /opt -D -s /bin/sh api-firewallI would suggest swapping these for better utilization of the Docker build cache, ala: ENV APIFW_PATH /opt/api-firewall
ENV PATH $APIFW_PATH:$PATH
RUN set -eux; \
adduser -u 1000 -H -h /opt -D -s /bin/sh api-firewall
ENV APIFIREWALL_VERSION v0.6.7+# smoke test
+ api-firewall -v
+
+COPY docker-entrypoint.sh $APIFW_PATH/
+
+RUN chmod 755 $APIFW_PATH/api-firewall; \
+ chmod 755 $APIFW_PATH/docker-entrypoint.shThe The other half of this ( |
|
Oh! Just noticed one more (only suggestion) item that's worth considering: +if [ "$1" = 'api-firewall' ]; then
+ shift # "api-firewall"
+ set -- api-firewall "$@"
+fiThis entire (Again, happy to send a PR with all of these suggestions if that's helpful.) |
|
@tianon thank you for the suggestions. We have updated docs and docker repos. |
Diff for 4cdfb34:diff --git a/_bashbrew-cat b/_bashbrew-cat
index bdfae4a..300e853 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1 +1,8 @@
-Maintainers: New Image! :D (@docker-library-bot)
+Maintainers: Ivan Novikov <in@wallarm.com> (@d0znpp), Nikolay Tkachenko (@afr1ka)
+GitRepo: https://github.com/wallarm/api-firewall-docker.git
+
+Tags: 0.6.7, latest
+Architectures: amd64, arm64v8, i386
+GitFetch: refs/heads/main
+GitCommit: 5cd07f115f16d10095a385a73568a4e60caf278b
+Directory: 0.6.7
diff --git a/_bashbrew-list b/_bashbrew-list
index e69de29..93f9600 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -0,0 +1,2 @@
+api-firewall:0.6.7
+api-firewall:latest
diff --git a/api-firewall_latest/Dockerfile b/api-firewall_latest/Dockerfile
new file mode 100644
index 0000000..db8e014
--- /dev/null
+++ b/api-firewall_latest/Dockerfile
@@ -0,0 +1,51 @@
+FROM alpine:3.15
+
+ENV APIFW_PATH /opt/api-firewall
+ENV PATH $APIFW_PATH:$PATH
+
+RUN set -eux; \
+ adduser -u 1000 -H -h /opt -D -s /bin/sh api-firewall
+
+ENV APIFIREWALL_VERSION v0.6.7
+
+RUN set -eux; \
+ \
+ apk add --no-cache wget; \
+ \
+ arch="$(apk --print-arch)"; \
+ case "$arch" in \
+ 'x86_64') \
+ url="https://github.com/wallarm/api-firewall/releases/download/${APIFIREWALL_VERSION}/api-firewall-amd64-musl.tar.gz"; \
+ sha256='fb61a3ca620340a76f97856ec30190de8422535c31d17ddc89019e87825d60b9'; \
+ ;; \
+ 'aarch64') \
+ url="https://github.com/wallarm/api-firewall/releases/download/${APIFIREWALL_VERSION}/api-firewall-arm64-musl.tar.gz"; \
+ sha256='cdcd6679536e3e0fa0d5cdd8f422ef58f31f65c2d279228150c269c32641dd1d'; \
+ ;; \
+ 'x86') \
+ url="https://github.com/wallarm/api-firewall/releases/download/${APIFIREWALL_VERSION}/api-firewall-386-musl.tar.gz"; \
+ sha256='0850d87b52624085265554605f46df5cda2a006d7b9dc9a7d369cdb9c9c88305'; \
+ ;; \
+ *) \
+ echo >&2 "error: current architecture ($arch) does not have a corresponding API-Firewall binary release"; \
+ exit 1; \
+ ;; \
+ esac; \
+ \
+ wget -O api-firewall.tar.gz "$url"; \
+ echo "$sha256 *api-firewall.tar.gz" | sha256sum -c; \
+ \
+ mkdir -p "$APIFW_PATH"; \
+ tar -xzf api-firewall.tar.gz -C "$APIFW_PATH" --strip-components 1; \
+ rm api-firewall.tar.gz; \
+ \
+ chmod 755 $APIFW_PATH/api-firewall; \
+ \
+# smoke test
+ api-firewall -v
+
+COPY docker-entrypoint.sh $APIFW_PATH/
+
+USER api-firewall
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["api-firewall"]
diff --git a/api-firewall_latest/docker-entrypoint.sh b/api-firewall_latest/docker-entrypoint.sh
new file mode 100755
index 0000000..9e57b4b
--- /dev/null
+++ b/api-firewall_latest/docker-entrypoint.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+# this if will check if the first argument is a flag
+# but only works if all arguments require a hyphenated flag
+# -v; -SL; -f arg; etc will work, but not arg1 arg2
+if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
+ set -- api-firewall "$@"
+fi
+
+exec "$@" |
This comment has been minimized.
This comment has been minimized.
|
Hello @tianon , can you please advise us on what to do with the initial repository https://hub.docker.com/r/wallarm/api-firewall? Should we close it? How to move stats from there to an official one? |
|
Regarding whether to close it -- that's up to you. Generally, we suggest that you add some kind of deprecation notice to it and maybe even update it with a copy of the built official image copy for a short time so that users can have some kind of transition period, but even that's up to you. Some maintainers like to use a repository like that for pre-releases or for letting users test changes before they push them into the official image. Regarding the stats, unfortunately that's not something we have access to / visibility of / control over. If you already have a contact at Docker Inc, I'd suggest asking them whether copying the stats is possible (I think other maintainers have tried in the past and there were technical limitations to doing so, but I might be misremembering or that might no longer be the case). |
Hello,
We would like to add the API-Firewall to the official image repository.
Thanks.
Checklist for Review
NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us ❤️)
foobarneeds Node.js, hasFROM node:...instead of grabbingnodevia other means been considered?)ifFROM scratch, tarballs only exist in a single commit within the associated history?