Closed v1v closed 4 months ago
Please note that we are going to preserve the current Dockerfile, so that users will still be able to build their custom images based on Alpine: this is needed because docker.elastic.co/wolfi/chainguard-base is not a public base image, so docker build would fail for unauthenticated users.
If users cannot use this new image, what is the purpose of adding it?
If users cannot use this new image, what is the purpose of adding it?
IIUC, users can use the docker image we generate based on Wolfi, but they cannot use the base docker image docker.elastic.co/wolfi/chainguard-base
.
IIUC, users can use the docker image we generate based on Wolfi, but they cannot use the base docker image docker.elastic.co/wolfi/chainguard-base.
I see. I suppose the purpose of this PR is to enhance security so that we don't ship any outdated libs in our docker image, correct?
I'd argue then why not simply not use any base-image at all (FROM scratch
in the Dockerfile)?
Our image is not intended to be used as a base image, the docs state that it should be used in a COPY
-statement:
COPY --from=docker.elastic.co/observability/apm-agent-java:latest /usr/agent/elastic-apm-agent.jar /elastic-apm-agent.jar
I feel like this would be a much simpler and easier to maintain approach (if I'm not misunderstanding the goal here). I'd need to double check with them that we really don't want to use our published images as base images anywhere.
I'd argue then why not simply not use any base-image at all (FROM scratch in the Dockerfile)?
For completeness in this thread, I just added you to the loop on an internal GitHub issue.
I'd argue then why not simply not use any base-image at all (FROM scratch in the Dockerfile)?
For reference: We found out that the K8s-attacher requires executing cp
within the container, so using FROM scratch
is not an option.
What does this pull request do?
Release two flavours of Docker images:
Please note that we are going to preserve the current
Dockerfile
, so that users will still be able to build their custom images based onAlpine
: this is needed becausedocker.elastic.co/wolfi/chainguard-base
is not a public base image, so docker build would fail for unauthenticated users.Tests
I created a feature branch
test/docker-images-wolfi
and ran the snapshot workflow:Checklist