RFC: Support Dockerfiles #173
Conversation
Signed-off-by: Stephen Levine <stephen.levine@gmail.com>
Signed-off-by: Stephen Levine <stephen.levine@gmail.com>
| [unresolved-questions]: #unresolved-questions | ||
|
|
||
| - Should `genpkgs` be part of this proposal? Opinion: Yes, otherwise it's difficult to maintain a valid SBoM. | ||
|
|
There was a problem hiding this comment.
Does this weaken the security stance of buildpacks? (My opinion: yes) You can literally do anything in a Dockerfile.
I feel like stack packs, while maybe not the answer, did put more controls around what you could do. The stack packs were buildpacks, so presumably (IDK exactly as it wasn't implemented), an Operations team could control which stack packs are available to their users, thereby limiting what their users could install or modify to some degree.
There's also a stronger guarantee that a stack pack would produce a legitimate BOM, since Operations teams can control what stack packs are available (and audit them). With this proposal, someone could make a Dockerfile that installs something malicious and set genpkgs to be a copy of the true binary or some other no-op binary. The proposal essentially trusts the creator of the Dockerfile to be honest and report what they've installed, which I don't think is merited givn that this proposal would allow any app dev to customize what's install with a Dockerfile.
There was a problem hiding this comment.
Operations teams can control what stack packs are available (and audit them)
I don't have any answers here, but this seems like a fairly important point to linger on.
There was a problem hiding this comment.
I think this concern is pretty well addressed by including the hooks on the builder. If the app-specified Dockerfile hook (above example) is not present, then the developer cannot provide a Dockerfile. And I suppose that trusting hook authors to provide a valid BOM is the same as trusting buildpack authors to provide a valid BOM.
In the case of the app-specified Dockerfile, the hook author could apply some label to the image so that consumers would know to approach the BOM with some suspicion. I wonder if there's value in having that spec'd ('io.buildpacks.extended'?). It's just a thought.
There was a problem hiding this comment.
I like the idea of a label to easily identify images that have had any hooks executed.
There was a problem hiding this comment.
Also /cnb/image/genpkgs (because it is executed after Dockerfiles have been applied) is helping to trust the BOM.
There was a problem hiding this comment.
Also
/cnb/image/genpkgs(because it is executed after Dockerfiles have been applied) is helping to trust the BOM.
@natalieparellano I don't really understand how this helps. By the time it is invoked, the hook author could have replaced /cnb/image/genpgks with a shell script that writes anything to the BOM.
There was a problem hiding this comment.
@samj1912 and I have recently been discussing having the platform inject genpgks. That may help here...
There was a problem hiding this comment.
@samj1912 and I have recently been discussing having the platform inject
genpgks. That may help here...
How would that work? I don't think a mount would work, since the hook could discover and overwrite it. Since the hook could do anything, I'm not even sure running a program like genpgks is safe even if the binary was untouched. I would think the genpgks would almost have to be executed in a new container against the extended image to truly be accurate.
That said - these hooks are likely authored and for sure approved/distributed by the stack author. Just because Dockerfiles are used, doesn't mean the stack distributor has to extend that control to buildpack authors or the app author. They can create a much more simple constraint (like defining an Aptfile to read package names).
There was a problem hiding this comment.
I would think the genpgks would almost have to be executed in a new container against the extended image to truly be accurate.
That's basically what we're proposing - please see https://github.com/buildpacks/rfcs/pull/173/files#r794608075 for the download I got from @samj1912 and @sclevine .
|
Will it be possible to run the build using a |
Only the Dockerfiles can run as root. This proposal does not allow buildpacks to run as root. |
So you confirm that the limitation (see hereafter) will not be fixed by this RFC ? @sclevine "The execution of a privileged command such as "yum install", as declared within a "build bash script", will fail due to the following error If the answer is Yes, how will it be then possible to support such a use case (see example hereafter) ? Example proposed within the RFC69: Using the RFC69 ? Is it approved and implemented ? |
|
RFC0069 creates a special type of buildpack that can run as root. This proposal would revert RFC0069 and instead require Dockerfiles to run commands as root. |
|
The RFC text in its current state reflects the implementation proposed in buildpacks/spec#307 and buildpacks/spec#308. Could everyone please re-read and add your review comments and/or approval, so that this could (hopefully) be merged? cc @buildpacks/toc @buildpacks/platform-maintainers @buildpacks/implementation-maintainers @buildpacks/buildpack-authors-tooling-maintainers @buildpacks/distribution-maintainers |
Signed-off-by: Natalie Arellano <narellano@vmware.com>
| ##### `/cnb/ext/com.example.appext/bin/generate` | ||
| ``` | ||
| #!/bin/sh | ||
| [ -f build.Dockerfile ] && cp build.Dockerfile "$1/" | ||
| [ -f run.Dockerfile ] && cp run.Dockerfile "$1/" | ||
| ``` |
There was a problem hiding this comment.
Given we are allowing static Dockerfiles in the case where there is no bin/generate script, is this example misleading? Should this instead be an example w/o a generate executable?
There was a problem hiding this comment.
I believe this example is copying the Dockerfiles from the app directory to the output directory
Signed-off-by: Natalie Arellano <narellano@vmware.com>
- Change launch.toml -> run.toml since there are no overlapping fields between buildpacks and extensions - Remove Dockerfile without a prefix since the args must be specified in either build.toml or run.toml - Change must -> should for defaulting build_id - Nest pre-populated output files under detect or generate (future proofing) - Mention how we'll preserve top layer information for rebase Signed-off-by: Natalie Arellano <narellano@vmware.com>
Co-authored-by: Emily Casey <ecasey@vmware.com> Signed-off-by: Natalie Arellano <narellano@vmware.com>
|
I believe this RFC now has all the required approvals for FCP. Given @jromero is out, I'm going to put the closing date as Wednesday, 7/27. |
Signed-off-by: Natalie Arellano <narellano@vmware.com>
|
This is well past FCP close date, could it be merged? It's worth noting, due to the complexity involved and the phased implementation, there are still some ambiguities outstanding (in particular around run image extension and how rebase is going to work). But I think we have clearly decided to proceed here. If necessary I am happy to "amend" the RFC with information learned from the implementation. |
|
^^ cc @buildpacks/team-leads @hone (as the assignee) |
|
For anyone interested in following the implementation of this RFC, the status can be found here: #224 |
Readable
This proposal is part of a larger initiative to reduce complexity originally outlined in #167