Build unprivileged minimal container image #29350
Conversation
- Base the Docker image on gcr.io/distroless - Use nginx-unprivileged instead of tweaking ownership manually
| COPY --from=nginx \ | ||
| /lib/${LIBARCH}-linux-gnu/ld-2.31.so \ | ||
| /lib/${LIBARCH}-linux-gnu/libc-2.31.so \ | ||
| /lib/${LIBARCH}-linux-gnu/libcrypt.so.1 \ | ||
| /lib/${LIBARCH}-linux-gnu/libdl-2.31.so \ | ||
| /lib/${LIBARCH}-linux-gnu/libpthread-2.31.so \ | ||
| /lib/${LIBARCH}-linux-gnu/libz.so.1 \ | ||
| /lib/${LIBARCH}-linux-gnu/ | ||
|
|
||
| COPY --from=nginx \ | ||
| /usr/lib/${LIBARCH}-linux-gnu/libcrypto.so.1.1 \ | ||
| /usr/lib/${LIBARCH}-linux-gnu/libpcre2-8.so.0 \ | ||
| /usr/lib/${LIBARCH}-linux-gnu/libssl.so.1.1 \ | ||
| /usr/lib/${LIBARCH}-linux-gnu/ | ||
|
|
||
| COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx | ||
| COPY --from=nginx /usr/share/nginx/html /usr/share/nginx/html | ||
| COPY --from=nginx /etc/nginx /etc/nginx | ||
| COPY --from=nginx /var/log/nginx /var/log/nginx |
There was a problem hiding this comment.
This looks pretty unmaintainable
There was a problem hiding this comment.
There's unfortunately no official image for distroless Nginx to use as a base. There exist third-party images, but that would add a potentially unreliable dependency. So the next best idea is to build it here.
What could help with stability is to lock down the Nginx image to a specific release. It also should be possible to write a script that checks which libraries are used by the base Nginx process & update this Dockerfile accordingly.
There was a problem hiding this comment.
It also should be possible to write a script that checks which libraries are used by the base Nginx process & update this Dockerfile accordingly.
Couldn't the same script just set up a chroot in the originating image and copy that across to the app image? COPY --from=nginx /everything-nginx-needs/ /
AndrewFerr
force-pushed
the
docker/distroless
branch
from
75505fc to
ce3abf3
Compare
|
Please refrain from force pushing once you have put a PR up for review, it breaks any ability to do delta reviews. The merge queue enforces squash merges. |
|
Note, as of #29346 which is about to land there are a number of incompatibilities
Also worth noting it'd be criminal to not include wget like we have today to enable healthchecks without needing an external daemon, e.g. with a stock docker-compose. In the near future the image will also need curl/wget for an additional entrypoint anyhow. |
| # Run a no-op action of nginx to run entrypoint scripts that may tweak config files | ||
| USER nginx | ||
| RUN ["nginx", "-t"] |
There was a problem hiding this comment.
This won't work as this isn't the final image, yet uses runtime environment variables.
https://github.com/element-hq/element-web/blob/develop/docs/install.md#docker specifies ELEMENT_WEB_PORT runtime envvar, which is consumed by the nginx entrypoint scripts which tweak the nginx config files, if this is run only at build time then it will be broken.
| # HTTP listen port | ||
| ENV ELEMENT_WEB_PORT=80 |
There was a problem hiding this comment.
See above, this no longer works. https://github.com/element-hq/element-web/pull/29350/files#r1968072943
That is at odds with using a distroless image, so putting this PR in draft for now. In the meantime, I split out the usage of |
There was a problem hiding this comment.
You haven't said what benefit this gives or linked to an issue. Distroless seems nice in principle but I agree with Michael, having to extract the libc from an ubuntu image to run it seems very prone to breakage. If we're doing this, I'd vote for building on a dedicated distroless nginx base docker image, not trying to make one ourselves as part of element-web.
Checklist
public/exportedsymbols have accurate TSDoc documentation.