
Updated COPY commands

Open catorreMC opened this issue 2 years ago • 7 comments

Added the built-in chmod/chown flags to improve build time. Removed standalone chmod and chown RUN commands, and removed all chmod/chown operations from the builder container. Will and I elected to keep the chmod and chown commands in the app stage of the image because they serve as a precautionary measure, removing them has no positive or negative impact on performance or space, and they do not impact the legibility of the file.

On my machine, this improved build time from 2604 seconds to 309 - an 88 percent decrease. Pending further testing on other machines, as mine appeared to run it dramatically slower than others.

Dockerfile.lite still needs to be updated accordingly.

catorreMC avatar Feb 17 '23 18:02 catorreMC

It seems to me that this container should be running as either a heimdall user or a heimdallapp or nodeapp or something like that - and thus in the final build layer there should be commands making sure all the data on the image is owned by that user:

COPY --from=build /usr/bin/dumb-init /usr/bin/dumb-init
USER node
WORKDIR /usr/src/app
COPY --chown=node:node --from=build /usr/src/app/node_modules /usr/src/app/node_modules
COPY --chown=node:node . /usr/src/app

chmod, chown commands can be joined and they can also be recursive. So I can chown -R user:group <path>. Next, the files and folders on the system, I would think, only need at max 00640 for -type f and 00750 for -type d, although enabling the sticky bit on all directory structures in the base layers with the right mask may save some time and effort here. However, this may be showing a bug that would mean we may have to be more hands-on with managing this.

https://forums.docker.com/t/permissions-issue-with-compose-build-vs-docker-build/7775

aaronlippold avatar Feb 20 '23 16:02 aaronlippold
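A check for the policy discussed in the comment above (everything owned by the runtime user, files at most 0640, directories at most 0750), as an added example that is not part of the PR or the heimdall2 repository. The function names and the sample tree are constructed for illustration; inside the image the owner argument would be `node`.

```shell
#!/bin/sh
# Added example (not from the PR): audit a tree against the thread's ceiling
# of 0640 for files and 0750 for directories, plus single-user ownership.
# Assumes find supports "-perm /MASK" (GNU findutils, BusyBox).

# Print each path that is over the ceiling or not owned by $2.
#   7137 = setuid/setgid/sticky + every bit outside 0640 (files)
#   0027 = every bit outside 0750 (directories; special bits not checked)
list_violations() {
    find "$1" \( \( -type f -perm /7137 \) -o \( -type d -perm /0027 \) \
        -o ! -user "$2" \) -print
}

count_violations() {
    list_violations "$1" "$2" | wc -l | tr -d ' '
}

# Return non-zero on any violation so a RUN step or CI job stops.
audit_tree() {
    n=$(count_violations "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n path(s) under $1 break the 0640/0750 + owner=$2 policy:" >&2
        list_violations "$1" "$2" >&2
        return 1
    fi
    echo "OK: $1 is owned by $2 and within 0640/0750"
}

# Constructed sample tree: one world-writable file among compliant paths.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app/dist"
    echo 'console.log(1)' > "$d/app/dist/main.js"
    echo 'SAMPLE=1' > "$d/app/.env"
    chmod 0750 "$d" "$d/app" "$d/app/dist"
    chmod 0640 "$d/app/dist/main.js"
    chmod 0666 "$d/app/.env"
    echo "$d"
}

# Demo: current uid stands in for the image's "node" user.
tree=$(make_sample_tree)
audit_tree "$tree" "$(id -u)" || echo "sample tree rejected, as intended"
rm -rf "$tree"
```

Run against `/usr/src/app` in the final stage, this catches paths that a `COPY` without `--chown`/`--chmod` left root-owned or more permissive than intended.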

> It seems to me that this container should be running as either a heimdall user or a heimdallapp or nodeapp or something like that - and thus in the final build layer there should be commands making sure all the data on the image is owned by that user:

That's why we have that 'node' user. They've basically done the work to properly create a different user account from root and we can do whatever we want with it now as opposed to having to manually create a 'heimdall' user.

Amndeep7 avatar Feb 20 '23 22:02 Amndeep7

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information
0.0% Duplication

sonarqubecloud[bot] avatar Feb 24 '23 19:02 sonarqubecloud[bot]

This pull request has a conflict. Could you fix it @catorreMC?

mergify[bot] avatar May 16 '23 01:05 mergify[bot]

This pull request has a conflict. Could you fix it @catorreMC?

mergify[bot] avatar Jul 04 '23 01:07 mergify[bot]

This pull request has a conflict. Could you fix it @catorreMC?

mergify[bot] avatar Sep 05 '23 00:09 mergify[bot]

This pull request has a conflict. Could you fix it @catorreMC?

mergify[bot] avatar Feb 06 '24 01:02 mergify[bot]