Skip to content

[security] improve Docker file#6524

Merged
dizzzz merged 2 commits into
eXist-db:developfrom
line-o:docker-security
Jun 30, 2026
Merged

[security] improve Docker file#6524
dizzzz merged 2 commits into
eXist-db:developfrom
line-o:docker-security

Conversation

@line-o

@line-o line-o commented Jun 25, 2026

Copy link
Copy Markdown
Member

Check additional policy boxes in docker-scout

  • add SBOM
  • add provenance
  • run as nonroot

References

@line-o line-o force-pushed the docker-security branch 5 times, most recently from 91dd39e to f9ab302 Compare June 25, 2026 11:47
@line-o

line-o commented Jun 25, 2026

Copy link
Copy Markdown
Member Author

I am not able to find a configuration for the docker/setup-buildx-action that uses containerd storage for building. That is the only way to make SBOM and provenance export in multi-arch builds work (tested on my local machine).

ALSO NOTE: If you want to try this at home you will have to switch to containerd as well. Otherwise your build will fail with the same error:

[INFO] DOCKER> ERROR: failed to build: docker exporter does not currently support exporting manifest lists

--- update ---

Modifying the docker deamon and restarting docker seems to be the only viable option.

@line-o line-o force-pushed the docker-security branch 2 times, most recently from f9a6d8a to b0762b0 Compare June 25, 2026 12:10
@line-o line-o marked this pull request as ready for review June 25, 2026 12:15
@line-o line-o requested a review from a team as a code owner June 25, 2026 12:15

@duncdrum duncdrum left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a breaking change. Why would you chown nonroot on a normal base image? That's what the nonroot tags are for. So consume :nonroot in FROM and also tag modify the pushed tag to signal a break from :latest images as they are now.

I find nonroot easier to read and self documenting instead of GID numbers

@line-o

line-o commented Jun 25, 2026

Copy link
Copy Markdown
Member Author

This is a breaking change.

I would like to know what exactly you see as a breaking change @duncdrum

Why would you chown nonroot on a normal base image?

I am not sure what you mean by that. We are using the distroless base image which creates a user nonroot. This user has a fixed UID and GID. Unfortunately - according to GoogleContainerTools/distroless#427 - we cannot use its name but have to resort to its numeric identifier.

Before this change the image we provided ran as root because we did not specify a USER

A Dockerfile with a base image without specifying a USER will run commands as the root user by default, which can pose security risks.

Docker Scout in which we enrolled today flagged it for the non-DEBUG builds and I considered this a security issue/ bug.

If we consider this a breaking change then now is the perfect moment to do it.

@duncdrum

duncdrum commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

@line-o what do you mean where is the breakage? This potentially breaks every docker build that incorporates any of the tagged images, volume owner ship, logging aggregation, conf modifications, … all will have to deal with potential permissions denied errors.

There is no reason to break the existing tags. The use of root is not an oversight, but a convention that dates back to how this whole container thing started. There is a way to get around it, but that is by not breaking existing tags. Instead issue new ones that clearly state the kind of image, like distroless does it as well.

Yes the vanilla base image defines the user, but doesn't apply it anywhere, everything still works with root , use the nonroot image to actually have the user own stuff. I never experienced the problems in the link, https://hub.docker.com/r/duncdrum/existdb/tags?name=nonroot setting user to nonroot:nonroot works just fine for me.

see https://github.com/duncdrum/distroless-exist/actions/runs/28210943614/job/83571939672#step:16:71

@line-o

line-o commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

I see that the switch to nonroot by default is controversial and will split it into a separate PR.

There is no reason to break the existing tags

The moving target like release do include breaking changes. Switching to nonroot is just another one.
Anyone interested in immutable containers should use a versioned image and the downstream projects I know of do exactly that.

line-o added 2 commits June 26, 2026 16:34
This PR adds the possibility to add the software bill or materials (SBOM) and provenance attestations to the Docker images built by exist-docker.

mvn clean package \
  -Pdocker,skip-build-dist-archives \
  -Ddocker.sbom=true -Ddocker.provenance=true

NOTE: In order to build multiplatform images with attestations you will have to use containerd for storage.
This is why these attestations are not added by default.
With this PR merged all Docker images built in CI will have SBOM and provenance.
This will check two additional policy boxes in Docker Scout.

The quiet flag from maven was removed again in order to be able to verify the docker build.
@line-o line-o force-pushed the docker-security branch from b0762b0 to bdbc765 Compare June 26, 2026 15:28
@line-o

line-o commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

@duncdrum I left the Docker images to run as root in order to further discuss this next

I also decided to not add SBOM and provenance all the time but added flags that can be activated.
These are now activated in CI for all images built by the job.

@line-o line-o requested review from a team and duncdrum June 26, 2026 15:31
@line-o

line-o commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

SBOM and provenance added to the image(s)

[INFO] DOCKER> docker --config /home/runner/work/exist/exist/exist-docker/target/docker/existdb/existdb/7.0.0-SNAPSHOT/docker buildx build --progress=plain --builder maven --platform linux/amd64 --tag existdb/existdb:7.0.0-SNAPSHOT --tag existdb/existdb:latest --sbom=true --provenance=true --file=/home/runner/work/exist/exist/exist-docker/target/docker/existdb/existdb/7.0.0-SNAPSHOT/tmp/docker-build/Dockerfile /home/runner/work/exist/exist/exist-docker/target/docker/existdb/existdb/7.0.0-SNAPSHOT/tmp/docker-build --load

@duncdrum duncdrum left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes sense.

@duncdrum duncdrum added the docker issues related to our container images label Jun 27, 2026
@dizzzz dizzzz merged commit 7b9a2d6 into eXist-db:develop Jun 30, 2026
9 checks passed
@line-o line-o mentioned this pull request Jul 6, 2026
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docker issues related to our container images

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants