#237 - Minor suggestions to improve the container image

- use user id instead of name - pin base image by digest - replace apt with apt-get - use docker metadata action
medizininformatik-initiative · Sep 10, 2024 · ce47409 · ce47409
1 parent eaf2e81
commit ce47409
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 25 deletions.
diff --git a/.github/scripts/check-if-running-as-user-10001.sh b/.github/scripts/check-if-running-as-user-10001.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+if docker exec -u0 dataportal-backend pgrep -u 10001 java > /dev/null
+then
+    echo "Java process is running as user 10001"
+    exit 0
+else
+    echo "Java process is not running as user 10001"
+    exit 1
+fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,6 +17,26 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Docker Meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+          labels: |
+            maintainer=medizininformatik-initiative
+            org.opencontainers.image.authors=medizininformatik-initiative
+            org.opencontainers.image.source=https://github.com/medizininformatik-initiative/feasibility-backend
+            org.opencontainers.image.vendor=medizininformatik-initiative
+            org.opencontainers.image.title=feasibility backend
+            org.opencontainers.image.description=Provides backend functions for feasibility UI including query execution
+
       - name: Set up JDK 17
         uses: actions/setup-java@v4
         with:
@@ -150,8 +170,8 @@ jobs:
       - name: Wait for Dataportal Backend
         run: .github/scripts/wait-for-url.sh  http://localhost:8091/actuator/health
 
-      - name: Check if Dataportal Backend is correctly running with the dataportal user
-        run: .github/scripts/check-if-running-as-dataportal-user.sh
+      - name: Check if Feasibility Backend is correctly running with the user with id 10001
+        run: .github/scripts/check-if-running-as-user-10001.sh
 
       - name: Wait for Blaze
         run: .github/scripts/wait-for-url.sh  http://localhost:8082/health

diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,12 @@
-FROM eclipse-temurin:17-jre
+FROM eclipse-temurin:22-jre@sha256:26bd835ee107ae775d85f1ff8c55abc799f514fb4201e65981857041d18826c1
 
-RUN apt update -yqq && apt upgrade -yqq && \
+RUN apt-get update -yqq && apt-get upgrade -yqq && \
     apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/
 
 WORKDIR /opt/dataportal-backend
 COPY ./target/*.jar ./dataportal-backend.jar
 COPY ontology ontology
 
-RUN groupadd --system dataportal && useradd --system dataportal -g dataportal
-RUN mkdir logging
-RUN chown -R dataportal:dataportal /opt/dataportal-backend
-
-USER dataportal:dataportal
-
 ARG VERSION=6.0.0
 ENV APP_VERSION=${VERSION}
 ENV DATABASE_HOST="dataportal-network"
@@ -23,22 +17,13 @@ ENV CERTIFICATE_PATH=/opt/dataportal-backend/certs
 ENV TRUSTSTORE_PATH=/opt/dataportal-backend/truststore
 ENV TRUSTSTORE_FILE=self-signed-truststore.jks
 
-RUN mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH
-RUN chown dataportal:dataportal $CERTIFICATE_PATH $TRUSTSTORE_PATH
+RUN mkdir logging && \
+    mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH && \
+    chown -R 10001:10001 /opt/dataportal-backend && \
+    chown 10001:10001 $CERTIFICATE_PATH $TRUSTSTORE_PATH
+USER 10001
 
 HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:8090/actuator/health || exit 1
 
 COPY ./docker-entrypoint.sh /
-ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]
-
-ARG GIT_REF=""
-ARG BUILD_TIME=""
-LABEL maintainer="medizininformatik-initiative" \
-    org.opencontainers.image.created=${BUILD_TIME} \
-    org.opencontainers.image.authors="medizininformatik-initiative" \
-    org.opencontainers.image.source="https://github.com/medizininformatik-initiative/feasibility-backend" \
-    org.opencontainers.image.version=${VERSION} \
-    org.opencontainers.image.revision=${GIT_REF} \
-    org.opencontainers.image.vendor="medizininformatik-initiative" \
-    org.opencontainers.image.title="dataportal backend" \
-    org.opencontainers.image.description="Provides backend functions for the dataportal"
+ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]