Parameterise runtime image #1478
Conversation
|
I am unfamiliar what Name Service Switch does, and if it works as intended in a distroless image. Another thing I noticed when doing this PoC, is the line |
There are a couple of things we could do here, either we can add more files to the |
Dockerfile
Outdated
| @@ -37,12 +37,11 @@ RUN case ${TARGETPLATFORM} in \ | |||
| GOARCH=${GOARCH} VERSION=${VERSION} make build && touch jwt_signing_key.pem | |||
|
|
|||
| # Copy binary to alpine | |||
| FROM alpine:3.15 | |||
| FROM gcr.io/distroless/static-debian11:nonroot | |||
There was a problem hiding this comment.
I would expect to publish a separate image so that we maintain the old alpine image for those that rely on it. Is there a way we can parameterise this?
There was a problem hiding this comment.
There is, I will take a look and update the PR
There was a problem hiding this comment.
I've parameterised the runtime image, so it's possible to adjust which image to be used in the make file.
There was a problem hiding this comment.
Which would you prefer to be default, distroless or alpine image?
There was a problem hiding this comment.
Just a question, is it necessary to create a separate tag for different platforms? The $(DOCKER_BUILDX_X_PLATFORM) -f Dockerfile -t $(REGISTRY)/oauth2-proxy:${VERSION} . does cover all of them in one
There was a problem hiding this comment.
At the moment, we can only push one version right? Perhaps we need a separate target that pushes a set of distroless tags?
For now I think the default should remain as alpine so that it's not a surprising change to users
If I’m not mistaken, the |
| # UID/GID 65532 is also known as nonroot user in distroless image | ||
| USER 65532:65532 |
There was a problem hiding this comment.
Do we expect users will be relying on the existing user number? We probably won't consider this a breaking change but we should definitely add an important note to the changelog for this
There was a problem hiding this comment.
I really doubt it would break for anyone. Only if they've added some restrictions to what UIDs can start processes on the host machine.
But a note in the changelog about the change sounds good.
There was a problem hiding this comment.
I've added an entry under Important Notes
- #1478 Changes the UID and GID of the runtime user to
65532.
Which also is known asnonrootuser in distroless images.
omBratteng
changed the title
|
Not exactly sure how you want to release the docker images and the following changes required in the |
| DOCKER_BUILDX_ARGS ?= | ||
| DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION} | ||
| DOCKER_BUILDX := docker buildx build ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION} --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE} | ||
| DOCKER_BUILDX_X_PLATFORM := $(DOCKER_BUILDX) --platform ${DOCKER_BUILD_PLATFORM} | ||
| DOCKER_BUILDX_PUSH := docker buildx build --push ${DOCKER_BUILDX_ARGS} --build-arg VERSION=${VERSION} |
There was a problem hiding this comment.
The new build args will need to be added here as well else the push won't recognise the cached builds/won't have the correct RUNTIME_IMAGE
There was a problem hiding this comment.
I moved it to DOCKER_BUILDX_ARGS, as it's used in both DOCKER_BUILDX and DOCKER_BUILDX_PUSH
Alpine does not have that user, and it cause issues when trying to start the container
Description
Adds a build-arg for setting which docker image to be used as runtime.
Motivation and Context
Enables future implementation of building distroless versions of the oauth2-proxy docker image.
How Has This Been Tested?
Checklist: