
feat(distroless): Provide distroless container image

Open SISheogorath opened this issue 2 years ago • 2 comments

This patch introduces a distroless container image, which cuts down the container content to the bare minimum. No shells, no package managers, nothing, just the hedgedoc.

These constraints make this setup very robust, but also hard to debug without the right tools, therefore it's not recommended to be used by people who are not completely familiar with containers and low-level debugging tools.

Nonetheless, this image should be very useful in Kubernetes deployments. Furthermore, compared to the alpine container image, it'll cut down dependencies further while staying on glibc, which can prevent some common issues with musl.

The distroless image is based on Google distroless base image for nodejs: https://github.com/GoogleContainerTools/distroless/tree/55d918e07c9341f83519ab1fc6d8fe0197bca13f/nodejs

Depends on: https://github.com/hedgedoc/hedgedoc/pull/2315

SISheogorath avatar May 04 '22 01:05 SISheogorath
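The kind of two-stage build the description above refers to, as an added example that is not the PR's own Dockerfile: the build runs on a full Node.js image, and only the built application is copied onto Google's distroless Node.js base, which ships no shell or package manager. The HedgeDoc build commands, file layout and `app.js` entry point are assumptions for illustration.

```dockerfile
# Added example, not the PR's Dockerfile. HedgeDoc build steps and paths are assumed.

# --- stage 1: build with a full toolchain (shell, yarn, compilers) ---
FROM node:16-bullseye AS builder
WORKDIR /build
# assumed HedgeDoc source layout: package.json + yarn.lock at the root
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY . .
# assumed build command; afterwards keep only production dependencies
RUN yarn run build && yarn install --frozen-lockfile --production

# --- stage 2: runtime with only node and the app; no shell, no package manager ---
FROM gcr.io/distroless/nodejs:16
WORKDIR /hedgedoc
# 65532 is the uid/gid of the pre-created "nonroot" user in distroless images
COPY --from=builder --chown=65532:65532 /build /hedgedoc
USER 65532:65532
EXPOSE 3000
# the base image's ENTRYPOINT is /nodejs/bin/node, so CMD only names the script
CMD ["app.js"]
```

Because the final stage has no `/bin/sh`, `docker exec <container> sh` fails with a "no such file or directory" error, which is exactly the debugging limitation the PR author points out.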

No, this should explicitly not become a standard image, because none of the docker exec commands that people might want to use to debug a situation like broken OAuth or alike will work. This is for people who figured out containers and hedgedoc and want to cut down theoretical attack vectors.

SISheogorath avatar May 07 '22 18:05 SISheogorath

As hedgedoc/hedgedoc#2315 was merged, can this go forward?

ErikMichelson avatar Feb 21 '23 11:02 ErikMichelson