Improve usage of the Docker image #42
Conversation
This image has the ca-certs and timezone db in there already
marcofranssen
force-pushed
the
improve-docker-image
branch
from
1055593
to
ac10ee8
Compare
| FROM scratch | ||
| COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ | ||
|
|
||
| FROM cgr.dev/chainguard/static:latest-20230102 |
There was a problem hiding this comment.
I'm not interested in using anything besides SCRATCH
There was a problem hiding this comment.
Essentially this is the scratch image that already has the ssl certs.
chainguard is updating these images continuously to have zero vulnerabilities.
https://github.com/chainguard-images/images
These images are based on wolfi-os which is basically a Linux (un)distro.
There was a problem hiding this comment.
I known (and trust) the Chainguard, but this provides no added value over the scratch image. The container is intentionally as lightweight as possible.
| @@ -53,7 +53,7 @@ image: 'ubuntu@sha256:47f14534bda344d9fe6ffd6effb95eefe579f4be0d508b7445cf77f61a | |||
| **⚠️ Warning!** The README corresponds to the `main` branch of ratchet's | |||
| development, and it may contain unreleased features. | |||
|
|
|||
| **Pin to specific versions:** | |||
| ### Pin to specific versions | |||
There was a problem hiding this comment.
It allows me to link to the readme using anchors. Used same style for the new doc section added.
| # Normally we would set this to run as "nobody", but to play nicely with GitHub | ||
| # Actions, it must run as the default user: | ||
| # | ||
| # https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user | ||
| # | ||
| # USER nobody | ||
| WORKDIR /ws |
There was a problem hiding this comment.
I don't see the value in hard coding this. Users can boot the image with "-w" to set a working directory if needed.
There was a problem hiding this comment.
It gives a much better out of the box experience. Of course users can customize anything they desire, but this gives at least out of the box an easy experience without customizations.
There was a problem hiding this comment.
I don't agree. This relies on the user being willing to recognize and remember a random directory name (/ws) versus being explicit. I'm fine updating the README with an explicit example for running the container as a binary, but the rest of these changes seem unnecessary:
docker run -it --rm -v $PWD:$PWD -w $PWD ghcr.io/sethvargo/ratchet:0.4.0 "$@"| Or create yourself an alias in your `~/.bashrc` or `~/.zshrc` | ||
|
|
||
| ```shell | ||
| function ratchet { |
There was a problem hiding this comment.
This could be docker run -it --rm --volume $PWD:$PWD -w $PWD ghcr.io/sethvargo/ratchet:0.4.0 "$@" which would require no changes to the Dockerfile.
This PR improves the usage of the Docker image by using a WORKDIR (You can't mount a volume at
/).Also it improves the Dockerfile itself by using chainguards static image which ships automatically with