jonasbn / ebirah

Experimental Docker project for Dist::Zilla
https://jonasbn.github.io/ebirah/
MIT License
3 stars, 1 fork

Port Docker base image to slim variation #34

Closed jonasbn closed 5 months ago

jonasbn commented 2 years ago

There are way too many security issues with the regular base image, if you evaluate the reporting from Snyk.

A slim variation would be beneficial in minimizing the number of issues and the general attack surface.

glasswalk3r commented 7 months ago

It is doable, but the slim version might have fewer development tools that might be required when running dzil. If you want to give it a shot anyway, it is possible to use the "non-slim" base image, install Dist::Zilla in ~/perl5 using local::lib and then copy the directory to a slim version of the base image. See #82 for details.

jonasbn commented 7 months ago

@glasswalk3r I will revisit the decision and see what can be done, thanks

jonasbn commented 5 months ago

Hi @glasswalk3r

The original reason for selecting a non-slim image was that I wanted users to be able to add Dist::Zilla plugins/extensions without any hassle.

I believe most Dist::Zilla plugins would just work and pure-perl components would just install. Well, even most non-pure-perl ones would probably install with the basic development dependencies met.

At the same time this project is still beta (0.X.X), so one could argue that aiming for world-domination for the docker-dzil sphere is still just a dream and a slim image could be the way to go.

And if any plugins were attempted and failed, we could adopt the necessary components to make them work.

glasswalk3r commented 5 months ago

It will be very hard to not find any security issues in the Debian Docker images. Even in distributions like RedHat, some security issue findings take very long to be fixed and some might not even happen at all, due to the way those flaws are first classified in terms of risk of being actually exploited. Another option would be to create a new Docker image based on Debian, updating all packages (in an attempt to get fixes) and then creating a new user (ebirah?) to set up with the USER directive in the Dockerfile. At least, all tasks executed from Ebirah would be executed without root rights.
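The two suggestions in this thread (build Dist::Zilla on the full image and copy the local::lib tree into a slim image, then upgrade packages and drop to an unprivileged USER) fit together as one multi-stage Dockerfile. The following is an added example, not the ebirah project's own Dockerfile; it assumes the official `perl` image tags `5.38` and `5.38-slim`, the install prefix `/opt/perl5`, and the user name `ebirah`. Both stages must use the same Perl version, because Dist::Zilla pulls in XS modules whose compiled `.so` files are tied to the interpreter they were built against.

```dockerfile
# Added example (not the ebirah project's Dockerfile). Assumed: perl:5.38 and
# perl:5.38-slim tags, the /opt/perl5 prefix, and the user name "ebirah".

# Stage 1: the full image carries gcc/make, which XS dependencies of
# Dist::Zilla need at build time. None of that toolchain ends up in the
# final image, which is where the attack-surface reduction comes from.
FROM perl:5.38 AS builder

# cpanm --local-lib installs into /opt/perl5/{bin,lib/perl5}, a relocatable
# tree that can be copied wholesale into the next stage.
RUN cpanm --notest --local-lib /opt/perl5 local::lib Dist::Zilla

# Stage 2: slim runtime image, same Perl version as the builder.
FROM perl:5.38-slim

# Pull in the current Debian security fixes, then drop the apt lists so the
# layer does not carry stale package metadata.
RUN apt-get update \
 && apt-get -y --no-install-recommends upgrade \
 && rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged user; dzil will never run as root inside the container.
RUN groupadd --system ebirah \
 && useradd --system --gid ebirah --create-home \
            --home-dir /home/ebirah --shell /bin/bash ebirah

# Bring over only the installed Perl tree, owned by the runtime user.
COPY --from=builder --chown=ebirah:ebirah /opt/perl5 /opt/perl5

# Make the copied local::lib tree visible to perl and to the shell.
ENV PERL5LIB=/opt/perl5/lib/perl5 \
    PATH=/opt/perl5/bin:$PATH

USER ebirah
WORKDIR /home/ebirah

ENTRYPOINT ["dzil"]
CMD ["--help"]
```

Because the process runs as `ebirah`, a bind-mounted distribution directory needs to be readable (and, for `dzil build`, writable) by that uid; running with `--user "$(id -u):$(id -g)"` or matching the uid at build time avoids permission surprises. Plugins that need a compiler to install would have to be added in the builder stage rather than at runtime, which is the trade-off the earlier comments describe.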

jonasbn commented 5 months ago

I will try with:

jonasbn commented 5 months ago

Currently latest should be pointing to a slim version. I will do some more testing before making a release.