#237 - Minor suggestions to improve the container image

- use user id instead of name - pin base image by digest - replace apt with apt-get - use docker metadata action
medizininformatik-initiative · Nov 14, 2023 · 685d468 · 685d468
1 parent 5818af3
commit 685d468
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,6 +17,26 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
+      - name: Docker Meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+          labels: |
+            maintainer=medizininformatik-initiative
+            org.opencontainers.image.authors=medizininformatik-initiative
+            org.opencontainers.image.source=https://github.com/medizininformatik-initiative/feasibility-backend
+            org.opencontainers.image.vendor=medizininformatik-initiative
+            org.opencontainers.image.title=feasibility backend
+            org.opencontainers.image.description=Provides backend functions for feasibility UI including query execution
+
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:

diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,12 @@
-FROM eclipse-temurin:17-jre
+FROM eclipse-temurin:17-jre@sha256:171e90d2ca55e6958d8b56b58670fe42e9986c540225ce9f61a67b477017c217
 
-RUN apt update -yqq && apt upgrade -yqq && \
+RUN apt-get update -yqq && apt-get upgrade -yqq && \
     apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/
 
 WORKDIR /opt/codex-feasibility-backend
 COPY ./target/*.jar ./feasibility-gui-backend.jar
 COPY ontology ontology
 
-RUN addgroup --system feasibility && adduser --system feasibility --ingroup feasibility
-RUN mkdir logging
-RUN chown -R feasibility:feasibility /opt/codex-feasibility-backend
-
-USER feasibility:feasibility
-
 ARG VERSION=2.1.0
 ENV APP_VERSION=${VERSION}
 ENV FEASIBILITY_DATABASE_HOST="feasibility-network"
@@ -23,8 +17,10 @@ ENV CERTIFICATE_PATH=/opt/codex-feasibility-backend/certs
 ENV TRUSTSTORE_PATH=/opt/codex-feasibility-backend/truststore
 ENV TRUSTSTORE_FILE=self-signed-truststore.jks
 
-RUN mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH
-RUN chown feasibility:feasibility $CERTIFICATE_PATH $TRUSTSTORE_PATH
+RUN mkdir logging && \
+    chown -R 10001:10001 /opt/codex-feasibility-backend && \
+    chown 10001:10001 $CERTIFICATE_PATH $TRUSTSTORE_PATH
+USER 10001
 
 HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:8090/actuator/health || exit 1