Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(distroless): Provide distroless container image #313

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

SISheogorath
Copy link
Contributor

@SISheogorath SISheogorath commented May 4, 2022

This patch introduces a distroless container image, which cuts down the
container content to the bare minimum. No shells, no package managers,
nothing, just the hedgedoc.

These constraints make this setup very robust, but also hard to debug
without the right tools, therefore it's not recommended to be used by
people who are not completely familiar with containers and low-level
debugging tools.

Nontheless this image should be very useful in Kubernetes deployments.
Further, compared to the alpine container image, it'll further cut down
dependencies while staying on glibc, which can prevent some common
issues with musllib.

The distroless image is based on Google distroless base image for
nodejs:
https://github.com/GoogleContainerTools/distroless/tree/55d918e07c9341f83519ab1fc6d8fe0197bca13f/nodejs

Depends on: hedgedoc/hedgedoc#2315

This patch introduces a distroless container image, which cuts down the
container content to the bare minimum. No shells, no package managers,
nothing, just the hedgedoc.

These constraints make this setup very robust, but also hard to debug
without the right tools, therefore it's not recommended to be used by
people who are not completely familiar with containers and low-level
debugging tools.

Nontheless this image should be very useful in Kubernetes deployments.
Further, compared to the alpine container image, it'll further cut down
dependencies while staying on glibc, which can prevent some common
issues with musllib.

The distroless image is based on Google distroless base image for
nodejs:
https://github.com/GoogleContainerTools/distroless/tree/55d918e07c9341f83519ab1fc6d8fe0197bca13f/nodejs

Signed-off-by: Sheogorath <[email protected]>
Copy link
Member

@ErikMichelson ErikMichelson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Despite being still a draft I took a look at the new Dockerfile and it seems like a good idea.
Maybe the distroless image could become the new :latest in the future of HD1.

WORKDIR /hedgedoc
RUN yarn install --production=false --frozen-lockfile
RUN yarn run build
RUN yarn install --production=true --frozen-lockfile
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This command seems not to prune dev dependencies if called after a non-production install.

see yarnpkg/yarn#6373

@SISheogorath
Copy link
Contributor Author

No, this should explicitly not become a standard image, because none of the docker exec commands will work, that people might want to use to debug a situation like broken oauth or alike. This is for people who figured out containers and hedgedoc and want to cut down theoretical attack vectors.

@ErikMichelson
Copy link
Member

As hedgedoc/hedgedoc#2315 was merged, can this go forward?

@SISheogorath SISheogorath marked this pull request as ready for review February 21, 2023 19:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants