Improve quality of helix Dockerfiles #869

Open
richlander opened this issue May 15, 2023 · 1 comment


@richlander
Member

richlander commented May 15, 2023

There are opportunities to improve the helix Dockerfiles.

  • Make the Dockerfiles non-root: The Dockerfiles define a non-root user, but install sudo and give that user sudoer permissions. That means that the resultant container images are effectively root images. That's not great.
  • Base on runtime-deps: We already have official images for running .NET code in containers w/baseline dependencies. We should use them and not guess. Where we don't have the correct runtime-deps image, we should ask for one.
  • Limit dependencies: This Alma Dockerfile works so why does this Debian Dockerfile install so many packages? We should define the min set and stick to that.
  • Use Python idiomatically: There are multiple opportunities to improve how we use Python. Those are listed later.

Opportunities to improve Python use:

  • Install pip one way: First, we install pip via apt, then install pip via curl, and then upgrade pip via pip.
  • Adopt venv: venv seems to have replaced virtualenv for most use cases. venv comes with Python. In the case of Debian, we can install it via python3-venv in recent Debian versions. Also, if you use venv, you don't need to separately install pip.
  • Use the standard directory for venv: The venv docs suggest that env is the default name. We are using .vsts-env. Is that to align with scripts that are run in multiple environments?
  • Install packages via venv: This approach will enable us to stop using --break-system-packages.

Related issues:

@mthalman
Member

[Triage]
To begin, we'll update the existing distros for which we have official runtime-deps images and change the relevant Dockerfiles in this repo to be based on those tags. At that point, we'll evaluate to see how it's working and assess next steps.
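
Added example (not code from this repo or from either commenter): a small Python check for the points in the opening post and the runtime-deps step in the triage comment, run over two constructed Dockerfiles, one showing the patterns and one with them removed. The user name `builduser`, the `debian:12` base, the `8.0-bookworm-slim` tag and the finding ids are assumptions made for the example.

```python
import re

# Constructed samples shaped like the issue's description, not files from the repo; names assumed.
BEFORE = r"""FROM debian:12
RUN apt-get update && apt-get install -y sudo python3 python3-pip curl
RUN curl -sSL https://bootstrap.pypa.io/get-pip.py -o get-pip.py \
    && python3 get-pip.py --break-system-packages \
    && python3 -m pip install --upgrade pip --break-system-packages
RUN useradd -m builduser && echo "builduser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
USER builduser
"""
AFTER = r"""FROM mcr.microsoft.com/dotnet/runtime-deps:8.0-bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends python3 python3-venv \
    && rm -rf /var/lib/apt/lists/*
RUN useradd -m builduser
USER builduser
RUN python3 -m venv /home/builduser/env
ENV PATH=/home/builduser/env/bin:$PATH
"""

PKG_MGR = r"\b(apt-get|apt|dnf|yum|apk|zypper)\b"
PIP_WAYS = (r"\bpy(thon)?3-pip\b", r"get-pip\.py", r"pip3? install (-U|--upgrade) pip\b")

def audit(dockerfile: str) -> list[str]:
    """Return finding ids for the issue's points; an empty list means none matched."""
    text = re.sub(r"\\\n\s*", " ", dockerfile)  # join continued lines
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    runs = " ; ".join(l[3:] for l in lines if l.upper().startswith("RUN "))
    users = [l.split()[1] for l in lines if l.upper().startswith("USER ")]
    bases = [[t for t in l.split()[1:] if not t.startswith("--")][0]
             for l in lines if l.upper().startswith("FROM ")]
    findings = []
    # No USER, or a final USER of root/0: the image runs as root outright.
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("runs-as-root")
    # A non-root USER that can sudo is root in practice (the issue's first point).
    if re.search(PKG_MGR + r"[^;&]*\bsudo\b", runs) or re.search(r"sudoers|NOPASSWD", runs):
        findings.append("effectively-root-via-sudo")
    if sum(bool(re.search(p, runs)) for p in PIP_WAYS) > 1:
        findings.append("pip-installed-multiple-ways")
    if "--break-system-packages" in runs:
        findings.append("break-system-packages")
    # Only the final stage's base image ends up in the shipped image.
    if not any("/dotnet/runtime-deps" in b for b in bases[-1:]):
        findings.append("base-not-runtime-deps")
    return findings

print(audit(BEFORE), audit(AFTER))
```

The `BEFORE` sample declares a non-root `USER` and so passes a plain "is USER set" check; only the sudo check catches that the user can still become root.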

Projects
Status: Backlog