Parameterise runtime image #1478
Conversation
I am unfamiliar with what Name Service Switch does, and whether it works as intended in a distroless image. Another thing I noticed when doing this PoC is the line |
There are a couple of things we could do here, either we can add more files to the |
Dockerfile
Outdated
@@ -37,12 +37,11 @@ RUN case ${TARGETPLATFORM} in \ | |||
GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem | |||
|
|||
# Copy binary to alpine | |||
FROM alpine:3.15 | |||
FROM gcr.io/distroless/static-debian11:nonroot |
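Review bot: the new `FROM gcr.io/distroless/static-debian11:nonroot` replaces `FROM alpine:3.15` outright, so the alpine runtime that existing users rely on is dropped rather than kept alongside; make the base a build arg (an `ARG RUNTIME_IMAGE=alpine:3.15` declared before the first `FROM`, then `FROM ${RUNTIME_IMAGE}`) so either image can be built from the same Dockerfile, and update the now-stale `# Copy binary to alpine` comment on the context line above. Since `static-debian11` ships no libc, also confirm that the `make build` invocation in the builder stage produces a fully static binary (`CGO_ENABLED=0`), otherwise the container will fail to start on the distroless base.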
I would expect to publish a separate image so that we maintain the old alpine image for those that rely on it. Is there a way we can parameterise this?
There is, I will take a look and update the PR
I've parameterised the runtime image, so it's possible to adjust which image is used in the Makefile.
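The pattern discussed in this thread, as an added example rather than the oauth2-proxy Dockerfile itself: the runtime base is chosen by a build arg, the default stays alpine, and the runtime user is set numerically so the same file works on both bases. The builder image tag, binary path and stage names are assumptions made for the example.

```dockerfile
# Added example, not the project's Dockerfile: runtime image selected by build arg.
# Builder image, paths and stage names below are assumptions for illustration.

# An ARG that is used in a FROM line must be declared before the first FROM.
# The default keeps the existing alpine behaviour; distroless is opt-in.
ARG RUNTIME_IMAGE=alpine:3.15

FROM golang:1.17 AS builder
WORKDIR /src
COPY . .
# distroless/static ships no libc and alpine uses musl, so build a fully static
# binary: with CGO disabled, Go uses its own resolver and does not need NSS.
RUN CGO_ENABLED=0 go build -o /out/oauth2-proxy .

# The ARG value is substituted into this FROM. Note that a global ARG is not
# visible inside a stage body unless it is redeclared there.
FROM ${RUNTIME_IMAGE}
COPY --from=builder /out/oauth2-proxy /bin/oauth2-proxy

# Use the numeric UID:GID rather than the name "nonroot": alpine has no such
# account, and the numeric form lets admission checks such as Kubernetes
# runAsNonRoot verify the user without resolving a name inside the image.
# 65532 is the UID of the nonroot user in distroless images.
USER 65532:65532
ENTRYPOINT ["/bin/oauth2-proxy"]
```

Build the distroless variant by overriding the arg, for example `docker buildx build --build-arg RUNTIME_IMAGE=gcr.io/distroless/static-debian11:nonroot -t oauth2-proxy:distroless .`, and check the resulting image with `docker inspect --format '{{.Config.User}}' oauth2-proxy:distroless`, which should report the numeric user set above for either base.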
Which would you prefer to be default, distroless or alpine image?
Just a question, is it necessary to create a separate tag for different platforms? The $(DOCKER_BUILDX_X_PLATFORM) -f Dockerfile -t $(REGISTRY)/oauth2-proxy:${VERSION} . does cover all of them in one.
At the moment, we can only push one version right? Perhaps we need a separate target that pushes a set of distroless tags?
For now I think the default should remain as alpine so that it's not a surprising change to users
If I’m not mistaken, the |
Looks good, let's add a changelog entry and in particular I would like to see an important note denoting the change in the UID:GID for the file
# UID/GID 65532 is also known as nonroot user in distroless image | ||
USER 65532:65532 |
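Review bot: the comment on the first line only holds for the distroless base; 65532 is the `nonroot` account there, while alpine has no such user (as noted later in this thread), so the numeric `USER 65532:65532` on the second line is the right form (a user name would not resolve on alpine) and the comment should say that the numeric form is deliberate for that reason. Because this changes the UID the process runs as, the changelog note requested above should also tell users that bind-mounted files or volumes whose ownership or permissions assumed the previous runtime UID need updating.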
Do we expect users will be relying on the existing user number? We probably won't consider this a breaking change but we should definitely add an important note to the changelog for this
I really doubt it would break for anyone. Only if they've added some restrictions to what UIDs can start processes on the host machine.
But a note in the changelog about the change sounds good.
I've added an entry under Important Notes:
- #1478 Changes the UID and GID of the runtime user to 65532, which also is known as nonroot user in distroless images.
Not exactly sure how you want to release the docker images and the following changes required in the |
DOCKER_BUILDX_ARGS ?= | ||
DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION} | ||
DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION} --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE} | ||
DOCKER_BUILDX_X_PLATFORM := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM} | ||
DOCKER_BUILDX_PUSH := docker buildx build --push ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION} |
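Review bot: the `DOCKER_BUILDX_PUSH` line at the end of the hunk still runs `docker buildx build --push` without `--build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE}`, so the pushed image is built from the Dockerfile's default runtime image and does not share the build cache with the image produced by `DOCKER_BUILDX`. Add the new build arg to the shared `DOCKER_BUILDX_ARGS` (which both variables already expand) rather than repeating it on the push line, so the two cannot drift apart.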
The new build args will need to be added here as well else the push won't recognise the cached builds/won't have the correct RUNTIME_IMAGE
I moved it to DOCKER_BUILDX_ARGS, as it's used in both DOCKER_BUILDX and DOCKER_BUILDX_PUSH.
Alpine does not have that user, and it causes issues when trying to start the container.
Apologies for the delay in getting back to this, LGTM
Description
Adds a build-arg for setting which docker image to be used as runtime.
Motivation and Context
Enables future implementation of building distroless versions of the oauth2-proxy docker image.
How Has This Been Tested?
Checklist: