SISheogorath
commented
2 years ago No, this should explicitly not become a standard image, because none of the docker exec commands will work, that people might want to use to debug a situation like broken oauth or alike. This is for people who figured out containers and hedgedoc and want to cut down theoretical attack vectors.
ErikMichelson
This patch introduces a distroless container image, which cuts down the container content to the bare minimum. No shells, no package managers, nothing, just the hedgedoc.
These constraints make this setup very robust, but also hard to debug without the right tools, therefore it's not recommended to be used by people who are not completely familiar with containers and low-level debugging tools.
Nontheless this image should be very useful in Kubernetes deployments. Further, compared to the alpine container image, it'll further cut down dependencies while staying on glibc, which can prevent some common issues with musllib.
The distroless image is based on Google distroless base image for nodejs: https://github.com/GoogleContainerTools/distroless/tree/55d918e07c9341f83519ab1fc6d8fe0197bca13f/nodejs
Depends on: https://github.com/hedgedoc/hedgedoc/pull/2315