[security] improve Docker file#6524
Conversation
91dd39e to
f9ab302
Compare
|
I am not able to find a configuration for the ALSO NOTE: If you want to try this at home you will have to switch to containerd as well. Otherwise your build will fail with the same error: --- update --- Modifying the docker deamon and restarting docker seems to be the only viable option. |
f9a6d8a to
b0762b0
Compare
duncdrum
left a comment
There was a problem hiding this comment.
This is a breaking change. Why would you chown nonroot on a normal base image? That's what the nonroot tags are for. So consume :nonroot in FROM and also tag modify the pushed tag to signal a break from :latest images as they are now.
I find nonroot easier to read and self documenting instead of GID numbers
I would like to know what exactly you see as a breaking change @duncdrum
I am not sure what you mean by that. We are using the Before this change the image we provided ran as
Docker Scout in which we enrolled today flagged it for the non-DEBUG builds and I considered this a security issue/ bug. If we consider this a breaking change then now is the perfect moment to do it. |
|
@line-o what do you mean where is the breakage? This potentially breaks every docker build that incorporates any of the tagged images, volume owner ship, logging aggregation, conf modifications, … all will have to deal with potential permissions denied errors. There is no reason to break the existing tags. The use of Yes the vanilla base image defines the user, but doesn't apply it anywhere, everything still works with see https://github.com/duncdrum/distroless-exist/actions/runs/28210943614/job/83571939672#step:16:71 |
|
I see that the switch to nonroot by default is controversial and will split it into a separate PR.
The moving target like |
This PR adds the possibility to add the software bill or materials (SBOM) and provenance attestations to the Docker images built by exist-docker. mvn clean package \ -Pdocker,skip-build-dist-archives \ -Ddocker.sbom=true -Ddocker.provenance=true NOTE: In order to build multiplatform images with attestations you will have to use containerd for storage. This is why these attestations are not added by default.
With this PR merged all Docker images built in CI will have SBOM and provenance. This will check two additional policy boxes in Docker Scout. The quiet flag from maven was removed again in order to be able to verify the docker build.
|
@duncdrum I left the Docker images to run as root in order to further discuss this next I also decided to not add SBOM and provenance all the time but added flags that can be activated. |
|
SBOM and provenance added to the image(s)
|
Check additional policy boxes in docker-scout
run as nonrootReferences