Che dockerfiles extended with security in mind
This repo is divided into two directories:
./recipes/context
contains a shared build context for all docker images (e.g. theentrypoint.sh
script, and helpful scripts that are used in building dependencies within images)./recipes/dockerfiles
contains subdirectories for each docker image.
As a result, to build an image locally, it is necessary to set the build context to ./recipes
and explicitly specify the dockerfile being built. E.g. from the root of the repo
docker build \
-t spring-boot:local \
-f ./recipes/dockerfiles/spring-boot/Dockerfile \
./recipes/
The scripts in ./recipes/context
are, in short:
download-maven-deps.sh <mission> <runtime> ...
parses the latest booster version number from the osio rest endpoint, clones git repositories, and executes a maven build to cache the dependencies required in the local maven repository. See [1] for details of what is required formission
andruntime
maven-deps.install <mission> <runtime> ...
wrapsdownload_maven_deps.sh
, to install required dependencies for parsing version numbers (jq
) and clean up afterwards.entrypoint.sh
is a shared entrypoint for most of the dockerfilesgeneral-deps.install <OPENSHIFT_VERSION> [<JAVA_VERSION>]
is a script that stores dependencies for running on osio and is generally run in every (applicable) docker image. All non-temporary dependencies should be included here.grant-access-arbitirary-UID.sh
allows arbitrary users to access the/home/user
,/etc/passwd
,/etc/group
, and/projects
directoriesnodejs.install
is responsible for installing nodejs.nss_wrapper.install
is responsible for installing nss_wrapper.