Alpine Base image (ABI) is the alpinelinux minirootfs with some modifications and the latest updates applied.
The idea is to simulate the behavior of a rolling release distro (like Gentoo, Arch Linux or Manjaro).
It has:
- latest updates
- non-root application user
Security.
The purpose of this image is to be a base image with 0 vulnerabilities.
Normally, even base images like Ubuntu or Red Hat's UBI contain tons of rarely needed packages
that your application does not need in order to run and that only bring additional vulnerabilities.
- edge: this is the standard alpinelinux image with the edge repository enabled.
- runtime: contains only the minimal Linux runtime needed to run your application. Technically this is the edge edition, but without the package manager (apk) and the shell (busybox); each is replaced by the /bin/true binary.
Since it has no shell, the container cannot be accessed using standard approaches like docker exec.
This makes the runtime secure, but debugging and similar tasks are no longer possible.
ABI contains a non-root application user and group (appuser:appgroup),
so you can just add this single line to your Dockerfile:
USER appuser
If you need your own user instead:
- For the edge edition it is fairly easy. Just run the standard commands:
RUN addgroup mygroup && adduser myuser mygroup
- For the runtime edition you have to copy your own /etc/passwd and /etc/group files:
FROM kio.ee/base/abi:edge as build
RUN addgroup mygroup && adduser myuser mygroup
FROM kio.ee/base/abi:runtime as final
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group
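The two-stage procedure above carried through to a complete Dockerfile, as an added example that is not part of the ABI project: the image names are the ones from this page, while the uid/gid values, the user and group names and the statically linked `myapp` binary in the build context are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# --- build stage: the edge edition still has apk and a shell ---
FROM kio.ee/base/abi:edge AS build
# Fixed uid/gid (values chosen for this example) so the runtime user is
# predictable for runAsUser/runAsNonRoot policies; -D -H: no password,
# no home directory.
RUN addgroup -g 10001 mygroup \
 && adduser -D -H -u 10001 -G mygroup myuser
# Build or fetch the application here; a statically linked binary named
# myapp in the build context is assumed. Keep it root-owned and
# read-only for the app user so the process cannot modify its own code.
COPY myapp /build/myapp
RUN chmod 0555 /build/myapp

# --- final stage: the runtime edition has no apk and no shell ---
FROM kio.ee/base/abi:runtime AS final
# The account files created above; there is no adduser in this stage.
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group  /etc/group
COPY --from=build /build/myapp /app/myapp
# Caveat: a RUN instruction here would be executed through /bin/sh,
# which is /bin/true in this edition, so it would "succeed" while doing
# nothing. Do all filesystem work in the build stage.
USER myuser
# Use the exec form only: there is no shell to interpret a string form.
ENTRYPOINT ["/app/myapp"]
```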
By default, IP forwarding in ABI is disabled. Normally a container is an end-user system with a single network.
This modification also attempts to fix CVE-1999-0511.
Forwarding can be easily enabled by running:
RUN echo "net.ipv4.ip_forward=1" > /etc/sysctl.conf
ABI uses the alpine.kyberorg.fi mirror instead of the default one. This is a fast mirror from Suomi/Finland.
To revert to the default repo, use:
RUN sed -i 's/alpine.kyberorg.fi/dl-cdn.alpinelinux.org\/alpine/g' /etc/apk/repositories