Open lucassus opened 11 months ago
Google search first result for "gloursdocker/docker": https://registry.hub.docker.com/layers/gloursdocker/docker/latest/images/sha256-a66243282b1165f556ec4a91d749c1ebc81dd28bcfbce653ccf49b01ae3b3fdf
@zozitak thank you. I saw it, but still it's pretty hard to figure out what it exactly does.
Copying all the contents of the root directory (/) from the gloursdocker/docker image into the root directory (/) of the current build stage
Copying all the contents of the root directory (/) from the gloursdocker/docker image into the root directory (/) of the current build stage
Thanks for your answer. I believe most of us here understand what that command literally does. I hoped for a bit more explanation on why the root directory was copied and some elaboration about the effects of this copying…
When you build a Docker image, each instruction in the Dockerfile creates a new layer on top of the previous one.
gloursdocker/docker: this is the official docker image which has all the base files required for the application, so here we are copying the entire contents of the gloursdocker/docker to our docker image. As there is already an image of gloursdocker/docker, which is official image of docker, we need not build the same image again and used the cached one from gloursdocker/docker.
Also coming to the question 'why the root directory was copied'
I found this thread after asking myself the same question, and like @lucassus, I'm still unclear of what the purpose of the line is?
I understand it copies some files from the gloursdocker/docker image, but those files are not required for the fastapi application. If you remove that line, the fastapi will still build/run successfully.
The files it copies - such as docker and docker-compose - are used from the host rather than inside the container, so the purpose of copying them into an image during build time is a mystery. Maybe there's a specific use case, but I can't think of what it might be.
TBH my first thought was that this copy from gloursdocker/docker might be a way to inject some malware. Imagine a situation where someone silently does something nasty with this image.
TBH my first thought was that this copy from gloursdocker/docker might be a way to inject some malware. Imagine a situation where someone silently does something nasty with this image.
Yes, this is my thought as well. An example repository where lots of devs copy/paste from is an ideal place to slip some malware into. @glours needs to provide some explanation here. As it stands, I find this deeply suspicious.
Thanks all for raising this! I'll be sure to raise this internally and see if we can get this resolved ASAP.
The reasoning for it... many of the examples in this repo were previously updated to support Docker's dev environment feature, which required additional support and tooling inside of the image. Since then, dev environments have been deprecated and the Compose-based configuration was removed. But, it appears the Dockerfiles were not updated.
We'll get it fixed. And yes, it is understandable to have security concerns for this. In the meantime, feel free to ignore this line as it should not affect the running of any of the examples in this repo.
This instruction, for some reason, is used in many examples. The comment "install Docker tools (cli, buildx, compose)" in my opinion, is not really helpful.
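Added example, not part of the thread or of the repository's code: a small Python check that flags the pattern discussed above, a COPY --from= that pulls from an external image rather than an earlier build stage, and reports whether that reference is pinned by digest and whether it copies the whole root filesystem. The sample Dockerfile and the function name are constructed for illustration; line continuations and ARG-substituted references are assumed absent.

```python
import re

# Constructed sample Dockerfile (illustration only, not copied from the repository).
SAMPLE = """\
FROM python:3.12-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt

FROM builder AS dev
# install Docker tools (cli, buildx, compose)
COPY --from=gloursdocker/docker / /

FROM python:3.12-slim
COPY --from=builder /app /app
COPY --from=0 /app/requirements.txt /tmp/
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
COPY_RE = re.compile(r"^\s*COPY\s+(.*)$", re.I)


def audit_copy_from(dockerfile_text):
    """Return one finding per COPY --from=<ref> where <ref> is an external image,
    i.e. neither a named stage nor a stage index defined earlier in the file."""
    stages, stage_count, findings = set(), 0, []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if m:
            stage_count += 1
            if m.group(2):
                stages.add(m.group(2).lower())
            continue
        m = COPY_RE.match(line)
        if not m:
            continue
        args = m.group(1).split()
        ref = next((a[7:] for a in args if a.lower().startswith("--from=")), None)
        if ref is None or ref.lower() in stages:
            continue  # plain COPY from build context, or from a named stage
        if ref.isdigit() and int(ref) < stage_count:
            continue  # numeric reference to an earlier stage
        paths = [a for a in args if not a.startswith("--")]
        findings.append({
            "line": lineno,
            "image": ref,
            "pinned_by_digest": "@sha256:" in ref,    # tag-only refs can change silently
            "copies_whole_rootfs": paths[:1] == ["/"],
        })
    return findings
```

Running `audit_copy_from(SAMPLE)` reports only line 8; the copies from `builder` and from stage `0` are internal to the build and are not flagged.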