Improve docker images #3737
Improve docker images #3737
Conversation
|
I am not inclined to use dependabot as the risks outweigh the benefits. I apologize, but I do not have the energy to review so many changes that are unrelated to the code. It might be more appropriate if you could first describe your expected changes and reasons in an issue, and then break them down into smaller, individual changes. |
|
Didn't want to cause stress, I will break them into 2 PRs without dependabot (which doesn't automerge, only suggests PRs automatically). |
reneleonhardt
force-pushed
the
update-and-improve-docker
branch
from
24e5b67 to
54218d0
Compare
reneleonhardt
changed the title
|
|
||
| ARG APP | ||
| ARG TITLE | ||
| LABEL org.opencontainers.image.authors="fatedier <[email protected]>" |
There was a problem hiding this comment.
Why do we need these labels? What benefits will it bring?
There was a problem hiding this comment.
Best practice, a docker image tag is a also only a "label", those labels make it easier for your users what's inside this image.
The specific app version would be good too, but a bit harder to integrate in this case.
https://snyk.io/blog/how-and-when-to-use-docker-labels-oci-container-annotations/
There was a problem hiding this comment.
I do not prefer to add these redundant information.
Dockerfile
Outdated
|
|
||
| ARG APP | ||
| RUN addgroup -g 1000 -S ${APP} && adduser -u 1000 -S ${APP} -G ${APP} --home /app \ | ||
| && echo -e "#!/bin/sh\nexec /usr/local/bin/${APP} \$@" > /app/entrypoint.sh \ |
There was a problem hiding this comment.
What's the purpose of this script? What are the differences compared to the previous execution method?
There was a problem hiding this comment.
The reason for introducing this script was the unification of the 2 Dockerfiles into 1.
It's not allowed to use ARG/ENV variables inside ENTRYPOINT, your binaries have different names, it's best practice to create a minimal exec script in this case.
I will improve it a bit to make hadolint happy 😄
| FROM alpine:3.18 AS runtime | ||
|
|
||
| ARG APP | ||
| RUN addgroup -g 1000 -S ${APP} && adduser -u 1000 -S ${APP} -G ${APP} --home /app \ |
There was a problem hiding this comment.
Given that frp is often used to listen on port 80, will not using the root user have any impact? On the other hand, what problems may arise from using the root user?
There was a problem hiding this comment.
Using root opens the attack surface to a whole lot more security bug possibilities.
The privileged port problem was solved 3 years ago:
https://stackoverflow.com/questions/66431299/i-can-bind-to-port-80-as-a-non-root-user-in-a-docker-container-why-whats-goin
Can you try both new images to verify the expected functionality?
It would be optimal if the Docker build would automatically verify the expected functionality... 😉
|
I am not very professional in many aspects. From my perspective, I am currently replacing some very simple and easy-to-understand Dockfile with a more complex version. I feel that there needs to be sufficient reasons to explain why we must do this. I don't want to frequently modify these configurations/scripts that are unrelated to the core code unless there is official documentation stating that certain methods are explicitly prohibited or not recommended. This is similar to submitting a PR to modify code style, which may sometimes be acceptable but for maintainers, the benefits are minimal and it only increases maintenance costs. |
|
I wasn't accusing you of anything, I am a professional 😄 You don't have to accept it if you don't want it. For me it's 2 times easier to maintain 1 Dockerfile instead of 2 Dockerfiles doing "mostly" the same 😉 Maybe you didn't notice, but I was able to actually remove quite a lot of code lines in the process... |
|
I think the addition of not running the code as root is a very good improvement. I think this is a good request and the guy did most of the heavy lifting already. Not seeing any issues with his changes. Would recommend pushing change. |
|
Perhaps some changes are indeed necessary, but I find it difficult to accept the complexity introduced into originally simple rules. I don't see where the core value and benefits lie. Maybe we can just make the necessary changes. |
|
我试过,如果不以root权限启动,就不能添加1024以下的端口了。 |
|
PRs go stale after 30d of inactivity. Stale PRs rot after an additional 7d of inactivity and eventually close. |
Summary
🤖 Generated by Copilot at 24e5b67
This pull request refactors and improves the docker-related files and workflows of the project. It adds a
Dockerfilethat builds a single image for bothfrpcandfrps, using build arguments and multi-stage build. It also adds a.dockerignorefile and a.github/dependabot.ymlfile, and simplifies the.github/workflows/build-and-push-image.ymlfile. It deletes thedockerfiles/Dockerfile-for-frpcanddockerfiles/Dockerfile-for-frpsfiles, as they are no longer needed.WHY
Docker improvements: