
chore: reduce attack surface and size for Docker image#77

Merged
scriptmonkey merged 2 commits into master from unknown repository
Apr 28, 2023

Conversation

@bqcuong (Contributor) commented Apr 11, 2023

Hi,

This pull request includes several small improvements for the Dockerfile, which should help improve the security of container and reduce the risk of potential attacks.

The following changes have been made:

  • I added --no-install-recommends to remove unnecessary apt packages that were not needed for the container's functionality. Not only can this change trim your image size, but it can also reduce the attack surface.
  • dirmngr was added because it was needed for the gpg command.

I hope that you find them useful. Please let me know if you have any concerns.

Thank you.

@scriptmonkey (Collaborator) commented:

@bqcuong, thank you for the PR. I will download and test this change in the next few days.

I am fine with the --no-install-recommends as it makes sense to me.

I am not sure why dirmngr is needed, as I don't think we encountered issues. But I will test and see what the difference is.

Thank you!

@bqcuong (Contributor, Author) commented Apr 12, 2023

Hi @scriptmonkey,

I tried to build the Dockerfile in several ways and below is the information about the builds.
I hope that you find it helpful.

The build with changes:

  • Without --no-install-recommends and dirmngr: builds successfully, 16 newly installed packages
  • With --no-install-recommends and dirmngr: builds successfully, 8 newly installed packages
  • With --no-install-recommends but without dirmngr: it encountered the errors shown in the logs below:
Step 6/11 : RUN set -xe;   for key in   9056B710F1E332780DE7AF34CBAEBE39A46C4CA1   F067B8140F5DD80E1D3B5D92318242FE9A0B1183   223D3A74B068ECA354DC385CE126833F9CF64915   DBCCD103B8B24F86FFAAB025C8BB472CD297D428   7A2744A8A9AAF063C23EB7868EBE7DBE8D050EEF   B8B301E6105DF628076BD92C5483E55897ABD9B9   FAA603D58B1BA4EDF65896D0ED340E0E6D545F97   A57DAF81C1B69921F4BA8723A8DE0A4DB863A7C1   82D8419BA697F0E7FB85916EE91287822FDB81B1   B7574789F5018690043E6DD9C212662E12F3E1DD   C23A3F6F595EBD0F960270CC997C8F1A5BE6E4C1   678F2D98F1FD9643811639FB622B8F2D043F71D8   BDD0BBEB753192957EFC5F896A62FC8EF17D8FEF   D11DF12CC2CA4894BDE638B967C1227A2678363C   C92604B0DEC5C62CFF5801E73D4683C24EDC64D1   626C542EDA7C113814B77AF09C04914D63645D20   3948829384B269D333CC5B98358807C52B4B0E23   B83D15E72253ED1104EB4FBBDAB472F0E5B8A431   ; do     gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$key" ||     gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ;   done
 ---> Running in e12a3ddbdfff
+ gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9056B710F1E332780DE7AF34CBAEBE39A46C4CA1
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or directory
gpg: connecting dirmngr at '/root/.gnupg/S.dirmngr' failed: No such file or directory
gpg: keyserver receive failed: No dirmngr
+ gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys 9056B710F1E332780DE7AF34CBAEBE39A46C4CA1
gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or directory
gpg: connecting dirmngr at '/root/.gnupg/S.dirmngr' failed: No such file or directory
gpg: keyserver receive failed: No dirmngr
The command '/bin/sh -c set -xe;   for key in   9056B710F1E332780DE7AF34CBAEBE39A46C4CA1   F067B8140F5DD80E1D3B5D92318242FE9A0B1183   223D3A74B068ECA354DC385CE126833F9CF64915   DBCCD103B8B24F86FFAAB025C8BB472CD297D428   7A2744A8A9AAF063C23EB7868EBE7DBE8D050EEF   B8B301E6105DF628076BD92C5483E55897ABD9B9   FAA603D58B1BA4EDF65896D0ED340E0E6D545F97   A57DAF81C1B69921F4BA8723A8DE0A4DB863A7C1   82D8419BA697F0E7FB85916EE91287822FDB81B1   B7574789F5018690043E6DD9C212662E12F3E1DD   C23A3F6F595EBD0F960270CC997C8F1A5BE6E4C1   678F2D98F1FD9643811639FB622B8F2D043F71D8   BDD0BBEB753192957EFC5F896A62FC8EF17D8FEF   D11DF12CC2CA4894BDE638B967C1227A2678363C   C92604B0DEC5C62CFF5801E73D4683C24EDC64D1   626C542EDA7C113814B77AF09C04914D63645D20   3948829384B269D333CC5B98358807C52B4B0E23   B83D15E72253ED1104EB4FBBDAB472F0E5B8A431   ; do     gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$key" ||     gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ;   done' returned a non-zero code: 2

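An illustrative Dockerfile fragment that puts the two changes from this PR side by side, with the recommended-package install commented out above its replacement. This is an added example, not the repository's own Dockerfile: the base image, the package list and the placeholder fingerprint are assumptions; the keyserver URLs and the loop shape are taken from the build log above.

```dockerfile
# Added example, not the tomitribe Dockerfile. Base image is an assumption.
FROM ubuntu:22.04

# Before: apt pulls in every "Recommends" of the requested packages, so more
# lands in the image than the container needs (the PR's build notes counted
# 16 new packages this way).
# RUN apt-get update && apt-get install -y gpg

# After: --no-install-recommends keeps only the packages named here. The build
# log above shows that gpg --recv-keys needs the dirmngr binary to reach a
# keyserver, and with the flag set it is no longer installed as a side effect,
# so it is listed explicitly. Clearing the apt lists keeps the layer small.
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        gpg \
        dirmngr; \
    rm -rf /var/lib/apt/lists/*

# Key import in the style of the failing step from the log. The fingerprint is
# a placeholder; a real build lists the project's signing keys here.
RUN set -eux; \
    command -v dirmngr >/dev/null; \
    for key in PLACEHOLDER_KEY_FINGERPRINT; do \
        gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$key" || \
        gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key"; \
    done
```

The `command -v dirmngr` line makes the build fail at the install step with an obvious cause rather than deep inside the key loop, which is where the log above shows the missing binary surfacing.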
@bqcuong (Contributor, Author) commented Apr 18, 2023

Hi @scriptmonkey,

I would like to hear whether there is any update on this pull request.

@scriptmonkey (Collaborator) commented:

OK, I am good with these changes; now they just need to be made to all of the Dockerfiles in the repo. I will take care of TomEE 9.1.0 when I do those later this week.

@bqcuong (Contributor, Author) commented Apr 20, 2023

I made updates for all the ubuntu Dockerfiles with this improvement.
Could we make a merge on this?

@scriptmonkey (Collaborator) commented:

@bqcuong I will pull them down and test them this evening.

@scriptmonkey scriptmonkey merged commit 267b8cb into tomitribe:master Apr 28, 2023