Alpine Base image (ABI) is alpinelinux minirootfs with some modifications and latest updates applied.
The idea is to simulate rolling release distro (like Gentoo,Archlinux or Manjaro) behaivor.
It has:
- latest updates
- non-root application user
Security.
The purpose of this image is base image with 0 vulnerabilities.
Normally, even base images like ubuntu or RedHat's ubi contain tons of rarely needed stuff,
which is hardly needed for your application to run and brings additional vulnerabilities.
This is standard alpinelinux image with edge repository enabled.
Contains only minimalistic linux runtime needed to run your application.
Technically this is edge edition, but without package manager (apk) and shell (busybox).
It is replaced by /bin/true binary.
Since it has no shell, container cannot be accessed using standard approaches like docker exec.
This make runtime secure, but debug and similar stuff is no longer possible.
ABI contains non-root application user and group(appuser:appgroup).
So you can just add this single line to your Dockerfile
USER appuser- For
edgeedition it is fairly easy. Just run standard commands:
RUN addgroup mygroup && adduser myuser mygroup- For
runtimeedition you have to copy you own/etc/passwdand/etc/groupfiles.
FROM kio.ee/base/abi:edge as build
RUN addgroup mygroup && adduser myuser mygroup
FROM kio.ee/base/abi:runtime as final
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/groupBy default, IP Forwarding in ABI is disabled. Normally, container is end user system, and it has single network.
Also, this modification attempts to fix CVE-1999-0511.
Forwarding can be easily enabled by running
RUN echo "net.ipv4.ip_forward=1" > /etc/sysctl.confABI uses alpine.kyberorg.fi mirror instead of default one. This is fast mirror from Suomi/Finland.
To revert to default repo please use:
RUN sed -i 's/alpine.kyberorg.fi/dl-cdn.alpinelinux.org\/alpine/g' /etc/apk/repositories