feat(docker): hugo from scratch + dockhub & quay account #4155

Closed
wants to merge 2 commits into from

ellerbrock
Contributor

@ellerbrock ellerbrock commented Dec 10, 2017

Hello Hugo's,

I optimized our Hugo Docker Image to run FROM scratch instead of Alpine Linux and with that another optimization from 27MB to 6MB. Pretty sweet optimization when thinking that we started with 428MB!

The good thing with that is we don't need to worry about security patches and image updates in the future anymore. Looking at the latest Version 3.7 of Alpine there are 3 unpatched vulnerabilities mentioned with the root cause in the underlying Busybox:

Hugo DockerHub

I asked on 26 Jul about the topic to configure DockerHub with Automated Builds for the Hugo Project. Since there is still no official Hugo Repo I was so free and created one myself.

DockerHub Account: gohugoio
Repository: hugo
Pull Command: docker pull gohugoio/hugo

Quay Account

Quay Account: gohugoio
Repository: hugo
Pull Command: docker pull quay.io/gohugoio/hugo

The nice thing on Quay is that they run under the hood Clair (Vulnerability Static Analysis for Containers) and we can define to trigger notifications when problems are found.

Current Status

Searching today on DockerHub there are currently 892 separately maintained versions of Hugo. Since Hugo is such a great project with a very big community I would love to work together with you guys to make an official image maintained by the project. I configured DockerHub and Quay with Automatic Builds for maximum transparency with the nice side effect that pushing to a defined branch (currently master) the Docker Image will be built automatically.
On Quay I also configured notification on found vulnerabilities (currently with risk level medium).

Next Steps

If you guys like the idea to create an official Docker and Quay Repo for the Hugo Project we should discuss the next steps. Since I'm not a project member I had to fork the repository to configure the automatic build. Problem is that I can't trigger new builds when changes were made in the original repository here. We could solve that by setting up a Webhook but the better way would be in my opinion to use the official repo here for that instead. You can read about how to set up an Automated Build here.

The system prompts you to choose between Public and Private and Limited Access. The Public and Private connection type is required if you want to use the Automated Builds.

Let me know if you are interested then I can create users in both accounts for you and we could set up the repository here to be used for automated builds. When all is working and tested for a while we could then try to apply to become an official Docker Repository.

Have a nice weekend!

peace-out

Cheers Maik

@bep
Member

bep commented Dec 10, 2017

Since there is still no official Hugo Repo i was so free and created one myself.

https://hub.docker.com/u/gohugo/

@ellerbrock
Contributor Author

ellerbrock commented Dec 10, 2017

hi @bep,

thanks for the confirmation that there is no docker image out there we as a community could use.
from the marketing point of view i also would recommend to choose one name and stick with that through all social media platforms. since that is gohugoio for github and twitter makes sense to use the same for DockerHub and Quay.

please don't get me wrong, i did not create the accounts for myself, my target is to help the project to optimize the docker stuff and automate as much as possible.
of course you guys, the hugo project maintainers should have the full and only control of the accounts and not me. next step in the right direction would be to add you guys as admins to these accounts so that you can change the credentials and other account settings.
i can help you with the setup for both dockerhub and quay and guess that all could be done in around an hour. after we got everything working you can take the access rights from me away or give me read only permissions in case of concerns.

after we got everything automated and working i would move on anyway and hack on other stuff but could help in the future in case of problems and optimizations.

ain't no official docker repo out there yet

cheers maik

@skoblenick
Contributor

I wanted to chime in on this conversation. I agree generally with what @ellerbrock is trying to achieve here. Hugo needs to have an official Docker container on the Docker Hub. I would recommend a different path from both of the mentioned (above). Official Docker containers for projects, or at least those for common use cases, typically follow a different structure than those that are namespaced.

The process is outlined in Official repositories on Docker Hub. Official project container that would match the URL structure below:

https://hub.docker.com/_/ubuntu/
https://hub.docker.com/_/alpine/

In Hugo's case whatever identifier makes the most sense for findability.

This isn't to say Hugo couldn't have namespaced containers but they should probably be directed to specific use cases that aren't covered by the "general purpose" containers usually provided by official containers such as dev, build tools, etc.

It is a bit unclear what you mean @bep. Is https://hub.docker.com/u/gohugo/ the "official" organization account on Docker Hub? There is nothing that would indicate this or denoting it as the official organization account in the docs; might be something to consider. I am more inclined to agree with @ellerbrock regarding locking down gohugoio as it fits with the existing "brand". Holding gohugo can't hurt but I would add details directing it to gohugoio.

@stale

stale bot commented Jun 1, 2018

This issue has been automatically marked as stale because it has not had recent activity. The resources of the Hugo team are limited, and so we are asking for your help.
If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.
If this is a feature request, and you feel that it is still relevant and valuable, please tell us why.
This issue will automatically be closed in the near future if no further activity occurs. Thank you for all your contributions.

@stale stale bot added the Stale label Jun 1, 2018
anthonyfok pushed a commit that referenced this pull request Jun 14, 2018
- Hugo container is based on SCRATCH to further reduce the footprint
  and the vulnerability surface
- Update Alpine image to 3.7 in the build container
- Update Go Lang to 1.10 in the build container
- Add .dockerignore file per the Docker best practices

Closes #4154, #4155, #4157
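
The multi-stage layout the commit message above describes (Alpine 3.7 and Go 1.10 in the build container, `scratch` for the final image), as an added example; it is not the Dockerfile from this pull request or from the Hugo repository. It assumes the build context is the Hugo source tree with its dependencies vendored, and the UID and `/site` working directory are arbitrary choices.

```dockerfile
# Added example, not the project's Dockerfile.
# Assumption: the build context is the Hugo source tree, dependencies vendored.

# --- Build stage: Go 1.10 on Alpine 3.7, as named in the commit message ---
FROM golang:1.10-alpine3.7 AS build

# scratch ships no CA trust store; install one here so it can be copied over
# for any outbound TLS connection the binary makes.
RUN apk add --no-cache ca-certificates

# Go 1.10 builds from GOPATH, so the source has to sit at its import path.
WORKDIR /go/src/github.com/gohugoio/hugo

# COPY takes the whole build context; a .dockerignore keeps .git and local
# build artifacts out of it.
COPY . .

# CGO_ENABLED=0 yields a statically linked binary. scratch has no libc and no
# dynamic loader, so a dynamically linked build would fail to start.
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags '-s -w' -o /hugo .

# --- Final stage: empty base image; only the files copied below exist ---
FROM scratch
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /hugo /hugo

# scratch has no /etc/passwd, so the user must be given numerically.
# (Arbitrary non-root UID/GID, chosen for this example.)
USER 10001:10001
WORKDIR /site

# Exec form only: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/hugo"]
```

The Go runtime and the vendored dependencies are compiled into the binary, so updates to them reach the image only through a rebuild.
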
@stale stale bot closed this Jul 1, 2018
@github-actions

github-actions bot commented Feb 4, 2022

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 4, 2022