#237 - Minor suggestions to improve the container image

- use user id instead of name - pin base image by digest - replace apt with apt-get - use docker metadata action
medizininformatik-initiative · Jan 11, 2024 · 71de0b1 · 71de0b1
1 parent 5912541
commit 71de0b1
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 35 deletions.
diff --git a/.github/scripts/check-if-running-as-feasibility-user.sh b/.github/scripts/check-if-running-as-feasibility-user.sh
diff --git a/.github/scripts/check-if-running-as-user-10001.sh b/.github/scripts/check-if-running-as-user-10001.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+if docker exec -u0 feasibility-gui-backend pgrep -u 10001 java > /dev/null
+then
+    echo "Java process is running as user 10001"
+    exit 0
+else
+    echo "Java process is not running as user 10001"
+    exit 1
+fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,6 +17,26 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      - name: Docker Meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+          labels: |
+            maintainer=medizininformatik-initiative
+            org.opencontainers.image.authors=medizininformatik-initiative
+            org.opencontainers.image.source=https://github.com/medizininformatik-initiative/feasibility-backend
+            org.opencontainers.image.vendor=medizininformatik-initiative
+            org.opencontainers.image.title=feasibility backend
+            org.opencontainers.image.description=Provides backend functions for feasibility UI including query execution
+
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
@@ -148,8 +168,8 @@ jobs:
       - name: Wait for Feasibility Backend
         run: .github/scripts/wait-for-url.sh  http://localhost:8091/actuator/health
 
-      - name: Check if Feasibility Backend is correctly running with the feasibility user
-        run: .github/scripts/check-if-running-as-feasibility-user.sh
+      - name: Check if Feasibility Backend is correctly running with the user with id 10001
+        run: .github/scripts/check-if-running-as-user-10001.sh
 
       - name: Wait for Blaze
         run: .github/scripts/wait-for-url.sh  http://localhost:8082/health

diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,12 @@
-FROM eclipse-temurin:17-jre
+FROM eclipse-temurin:17-jre@sha256:171e90d2ca55e6958d8b56b58670fe42e9986c540225ce9f61a67b477017c217
 
-RUN apt update -yqq && apt upgrade -yqq && \
+RUN apt-get update -yqq && apt-get upgrade -yqq && \
     apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/
 
 WORKDIR /opt/codex-feasibility-backend
 COPY ./target/*.jar ./feasibility-gui-backend.jar
 COPY ontology ontology
 
-RUN addgroup --system feasibility && adduser --system feasibility --ingroup feasibility
-RUN mkdir logging
-RUN chown -R feasibility:feasibility /opt/codex-feasibility-backend
-
-USER feasibility:feasibility
-
 ARG VERSION=2.1.0
 ENV APP_VERSION=${VERSION}
 ENV FEASIBILITY_DATABASE_HOST="feasibility-network"
@@ -23,22 +17,13 @@ ENV CERTIFICATE_PATH=/opt/codex-feasibility-backend/certs
 ENV TRUSTSTORE_PATH=/opt/codex-feasibility-backend/truststore
 ENV TRUSTSTORE_FILE=self-signed-truststore.jks
 
-RUN mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH
-RUN chown feasibility:feasibility $CERTIFICATE_PATH $TRUSTSTORE_PATH
+RUN mkdir logging && \
+    mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH && \
+    chown -R 10001:10001 /opt/codex-feasibility-backend && \
+    chown 10001:10001 $CERTIFICATE_PATH $TRUSTSTORE_PATH
+USER 10001
 
 HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:8090/actuator/health || exit 1
 
 COPY ./docker-entrypoint.sh /
-ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]
-
-ARG GIT_REF=""
-ARG BUILD_TIME=""
-LABEL maintainer="medizininformatik-initiative" \
-    org.opencontainers.image.created=${BUILD_TIME} \
-    org.opencontainers.image.authors="medizininformatik-initiative" \
-    org.opencontainers.image.source="https://github.com/medizininformatik-initiative/feasibility-backend" \
-    org.opencontainers.image.version=${VERSION} \
-    org.opencontainers.image.revision=${GIT_REF} \
-    org.opencontainers.image.vendor="medizininformatik-initiative" \
-    org.opencontainers.image.title="feasibility backend" \
-    org.opencontainers.image.description="Provides backend functions for feasibility UI including query execution"
+ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]