Multi-arch DB image fix & Copying unprivileged init script #33
…iding --entrypoint option in docker run
mkdir -p "./build" && cd "./build" && \ | ||
rust | ||
|
||
RUN mkdir -p "./build" && cd "./build" && \ |
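Review bot: the line `mkdir -p "./build" && cd "./build" && \` now begins its own `RUN`, so if it previously continued an earlier command, any `cd` done there no longer carries over and the relative "./build" resolves against whatever WORKDIR is in effect at this point. Consider setting WORKDIR explicitly just before this instruction so the path does not depend on how the RUN commands are split, and add a short comment in the Dockerfile saying the split exists to keep the slow build step in its own cached layer.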
There is a decent chance someone else will complain about this because cached layers increase the size of an image. However, I see a strong benefit to it -- particularly for the debian Dockerfiles where the multiarch builds take a really long time. We just have to remember the reason to defend this position, when people complain about it later.
I'm looking at our current images and seeing some older CVEs even though we run a build and push updates to the images every week. I think that's because caching doesn't know when the apk-installed packages have changed. So it uses the old cached layers.
I'm unsure how to solve this problem without forcing docker to rebuild without using the cached layers... which means that this change wouldn't help any and will only have the negative effect of increasing the size of the image by inserting those layers.
Any ideas?
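One way to keep the slow build layers cached while still refreshing the package layer on every scheduled build, shown as an added example that is not the project's Dockerfile. The image tag, package names, build commands, install path and the `PKG_REFRESH` argument are all assumptions made for illustration.

```dockerfile
# Added example (not the project's Dockerfile). Tags, packages, paths and the
# build commands below are placeholders.
#
# Build with a value that changes on the schedule you want packages refreshed,
# and with --pull so the base image itself is re-checked:
#   docker build --pull --build-arg PKG_REFRESH="$(date +%Y-%W)" .

# Stage 1: the expensive compile step. Nothing in this stage depends on
# PKG_REFRESH, so its layers are reused as long as the sources are unchanged.
FROM alpine:3 AS builder
RUN apk add --no-cache build-base cmake
WORKDIR /src
COPY . .
# Placeholder build; kept in its own RUN so it is cached separately.
RUN mkdir -p "./build" && cd "./build" && \
    cmake .. && \
    make && \
    make DESTDIR=/out install

# Stage 2: the runtime image that actually ships.
FROM alpine:3
# A changed build argument causes a cache miss at the first RUN that uses it,
# so the upgrade below re-runs whenever PKG_REFRESH changes and picks up
# patched packages instead of a stale cached layer.
ARG PKG_REFRESH=unset
RUN echo "package refresh key: ${PKG_REFRESH}" && \
    apk upgrade --no-cache
# Cheap layer: copying the cached build output is fast even when it re-runs.
COPY --from=builder /out/ /
```

Only the layers after the `ARG` are rebuilt each week; the compile stage is rebuilt only when its inputs change.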
Is making the unprivileged init script available blocked by the fix for the multi-arch builds? Would it be possible to merge in a separate PR with the unprivileged init scripts commit?
The current official ClamAV image cannot be run unprivileged by default. This adds a script and changes the file permissions, so that it can run as non-root. At time of writing, there is a pending PR to add this functionality to the official image: Cisco-Talos/clamav-docker#33. Once this is available we can switch to the official image.
Changes are tested and ready to be merged.
Fixing tagging for debian multi-arch images.
Dividing Dockerfile RUN commands into sub commands.
Adding readme file changes.
Copying unprivileged init script so that any user can use it by overriding --entrypoint option in docker run.
Resolves: #32
Related to: