authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth
https://www.authgear.com
Apache License 2.0
81 stars 37 forks

Switch base image to Ubuntu #3029

Open louischan-oursky opened 1 year ago

louischan-oursky commented 1 year ago

Ubuntu has more security fixes.

louischan-oursky commented 1 year ago

It is not as easy as it seems. We depend on the following system libs: libicu, libvips, and libmagic. The official Golang image is based on Debian. So when we build the Go binary, the binary remembers the version of the libs at the time of the build, which are the versions available on Debian.

If we switch the runtime image to Ubuntu, the binary cannot be run because it cannot find the versioned .so files. We will see an error message like "error while loading shared libraries: libicui18n.so.67: cannot open shared object file: No such file or directory"
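The soname mismatch described in the comment above can be caught at image build time instead of at container start. The script below is an added example, not part of the thread or of the Authgear code base; the function names and the sample `ldd` output are constructed, and only `libicui18n.so.67` comes from the error message quoted above.

```shell
#!/bin/sh
# Added example: list the shared libraries a CGO binary needs that the
# current image cannot resolve. All function names are hypothetical.

# Read `ldd` output on stdin and print each unresolved soname, one per line.
missing_sonames() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Split a versioned soname (libicui18n.so.67) into "name abi-major".
# Prints nothing when the argument is not a versioned soname.
soname_parts() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\)\.so\.\([0-9][0-9]*\).*$/\1 \2/p'
}

# Check one binary inside the runtime image.
# Returns 0 if every library resolves, 1 if any is missing,
# 2 if ldd cannot inspect the file (static binary, not ELF).
# Some ldd implementations execute the target, so run this only on
# binaries you built yourself.
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || return 2
    status=0
    for so in $(printf '%s\n' "$out" | missing_sonames); do
        echo "unresolved: $so ($(soname_parts "$so"))" >&2
        status=1
    done
    return $status
}

# Constructed sample: what ldd might print for a binary linked against
# ICU 67 when it is inspected in an image that ships another ICU major.
sample_ldd_output() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd2a5f3000)
    libicui18n.so.67 => not found
    libicuuc.so.67 => not found
    libmagic.so.1 => /lib/x86_64-linux-gnu/libmagic.so.1 (0x00007f1c2b400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2b000000)
EOF
}
```

Calling `check_binary` on the server binary as a build step in the runtime stage makes the image build fail whenever the build and runtime images disagree on a library's ABI major.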

kiootic commented 1 year ago

Maybe we can use distroless as base image: https://github.com/GoogleContainerTools/distroless/issues/863#issuecomment-949723748

louischan-oursky commented 1 year ago

The main problem is that Golang is either Debian or Alpine based, and our C dependencies and CGO.

kiootic commented 1 year ago

Distroless is Debian based (the name is misleading), and the linked comment shows how to install Debian packages into the image.

louischan-oursky commented 1 year ago

The official Golang Docker image https://github.com/docker-library/golang can be easily customized to become Ubuntu based. Here is the patch:

diff --git a/versions.json b/versions.json
index 179613b..f53e319 100644
--- a/versions.json
+++ b/versions.json
@@ -155,6 +155,7 @@
     "variants": [
       "bullseye",
       "buster",
+      "jammy",
       "alpine3.17",
       "alpine3.16",
       "windows/windowsservercore-ltsc2022",
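Review bot: the "jammy" entry added to this variants list in versions.json is repeated by hand in the second versions.json hunk and again in the list that versions.sh builds, so three places have to stay in sync. If versions.json is produced by running versions.sh, apply only the versions.sh change and regenerate the file, so the JSON cannot drift from what the script emits.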
@@ -320,6 +321,7 @@
     "variants": [
       "bullseye",
       "buster",
+      "jammy",
       "alpine3.17",
       "alpine3.16",
       "windows/windowsservercore-ltsc2022",
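Review bot: "jammy" is an Ubuntu release codename placed here between the Debian suites "bullseye" and "buster" and the Alpine variants, and nothing in this patch shows how a variant name is mapped to a base image. Confirm that the Dockerfile template treats "jammy" as an Ubuntu base rather than as a Debian suite name, and include that template change in the patch if one is needed.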
diff --git a/versions.sh b/versions.sh
index a26dea4..6121e3c 100755
--- a/versions.sh
+++ b/versions.sh
@@ -145,6 +145,7 @@ for version in "${versions[@]}"; do
                variants: [
                        "bullseye",
                        "buster",
+                       "jammy",
                        (
                                "3.17",
                                "3.16"
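Review bot: the "jammy" literal added to the variants list in versions.sh has no comment explaining why an Ubuntu codename sits in a list of Debian suites. A one-line comment above it, stating that the variant exists so the build image matches an Ubuntu runtime image and that both must use the same release, would keep that coupling visible the next time the list is updated.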

Then we can experiment using this base image, and change our runtime image to Ubuntu.