SOLR-16752 Reduce attack surface and size for Docker image #1575

Merged
merged 4 commits into from Apr 19, 2023


bqcuong
Contributor

@bqcuong bqcuong commented Apr 19, 2023

https://issues.apache.org/jira/browse/SOLR-16752

Description

The Dockerfiles should contain the --no-install-recommends option wherever there is an apt-get install command. This should help improve the security of the container and reduce the risk of potential attacks.

In detail, the --no-install-recommends option helps remove unnecessary apt packages that are not needed for the container's functionality. This change can not only trim your image size but also reduce the attack surface.

I hope you find this information useful. Please let me know if you have any concerns.

Thank you.

Checklist

Please review the following and check all that apply:

  • I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • I have created a Jira issue and added the issue ID to my pull request title.
  • I have given Solr maintainers access to contribute to my PR branch. (optional but recommended)
  • I have developed this patch against the main branch.
  • I have run ./gradlew check.
  • I have added tests for my changes.
  • I have added documentation for the Reference Guide

@janhoy
Contributor

janhoy commented Apr 19, 2023

Thanks. Did you consider patching the apt-get command in the header template too? It only installs wget (gpg is removed in same RUN) so not sure if there is any difference.

@bqcuong
Contributor Author

bqcuong commented Apr 19, 2023

Currently, there should be no removed packages for that apt-get install command. However, I think it is recommended to have --no-install-recommends for the case that you want to add other packages rather than wget. The gnupg package is required for performing GPG key checks in the commands below. I updated the changes with the second commit.

I tested the build for these changes on the Dockerfile of version 9.2.

@HoustonPutman
Contributor

This looks good to me. If you want to add an entry to solr/CHANGELOG.txt, I think this should be good to go.

@bqcuong
Contributor Author

bqcuong commented Apr 19, 2023

I updated the Changelog in the newest commit. Please revise.

@HoustonPutman HoustonPutman merged commit 8a0bf24 into apache:main Apr 19, 2023
HoustonPutman pushed a commit that referenced this pull request Apr 19, 2023
@HoustonPutman
Contributor

Thanks for the contribution @bqcuong !
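
A check for the rule this pull request applies, as an added example that is not part of the PR or of Solr's build: it scans Dockerfile text for shell-form `RUN` instructions and reports any `apt-get install` (or `apt install`) that lacks `--no-install-recommends`. The function names and the sample Dockerfile are constructed for illustration, and commands are split naively on `;`, `&&`, `||` and `|`, so separators inside quotes and exec-form `RUN [...]` are not handled.

```python
import re
import shlex
FLAG = "--no-install-recommends"

def run_instructions(dockerfile_text):
    """Yield (line_number, command) for each shell-form RUN, joining continuations."""
    lines = dockerfile_text.splitlines()
    i = 0
    while i < len(lines):
        start, line = i + 1, lines[i].strip()
        i += 1
        if not re.match(r"(?i)RUN\s", line):
            continue
        cmd = line[3:].strip()
        while cmd.endswith("\\") and i < len(lines):
            nxt = lines[i].strip()
            i += 1
            if nxt.startswith("#"):
                continue  # Docker drops comment lines inside a continued RUN
            cmd = cmd[:-1] + " " + nxt
        yield start, cmd

def missing_flag(dockerfile_text):
    """Return (RUN line number, command) for apt installs that lack FLAG."""
    findings = []
    for line_no, cmd in run_instructions(dockerfile_text):
        # Naive split into simple commands; separators inside quotes are not handled.
        for simple in re.split(r"&&|\|\||[;|]", cmd):
            try:
                tokens = shlex.split(simple)
            except ValueError:
                tokens = simple.split()
            tools = [k for k, t in enumerate(tokens) if t in ("apt-get", "apt")]
            if tools and "install" in tokens[tools[0] + 1:] and FLAG not in tokens:
                findings.append((line_no, " ".join(tokens)))
    return findings

# Constructed sample, not Solr's Dockerfile: the first RUN omits the flag.
SAMPLE = """\
FROM debian:bookworm-slim
RUN set -ex; \\
    apt-get update; \\
    # fetch and verify tooling
    apt-get -y install wget gnupg
RUN apt-get update && \\
    apt-get -y --no-install-recommends install procps
"""

print(missing_flag(SAMPLE))
```

Run against a real Dockerfile by passing its contents to `missing_flag`; an empty list means every detected install carries the flag.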
