Ultimate Dockerfile

Speaking of learning the basic tools, I think I have learned enough about running Docker on multiple platforms to arrive at a nice setup: a Docker image that serves as a boilerplate template for creating all your future images.

One is based on Alpine, the other on Debian. Both install basic tools: the SSL certificates needed to connect to HTTPS sites, wget, vim and sudo. The image always runs as a user instead of root, although to be honest the fact that the user is in the adm group, and can therefore run anything as root through sudo, makes this futile. However, the image can easily be amended for production by removing the sudo part and simply having the process run as a non-root user.

The reason for the different users is so people can become one of them when running the Docker image, so that hot reloading keeps working and source code ownership does not change when folders are mounted inside the container.

We also install a standard shell, in this case Bash. It could be any shell; the point is that when people want to exec into the container they don't need to guess whether the image is Alpine-based (so ash) or Debian-based (so bash). Now there is always bash.

Tip: if you ever want a surefire way to get into a Docker container without checking what the underlying system is, use /bin/sh. That will always execute, and you can then check which other shells are installed.

All these templates aim to do is instill best practices and routines.

Alpine

FROM alpine:3.13.5
LABEL maintainer="stealthycoder@stealthycoder.com"

# /var/lib/augmented receives the CRLF-stripped copies of the mounted .boot
# scripts, so it must exist and be writable by the unprivileged user before
# the entrypoint runs. The entrypoint only processes .boot when it is present
# and recreates sub-directories so nested scripts work too.
RUN apk update && \
    apk upgrade && \
    apk add ca-certificates \
    sudo \
    vim \
    bash \
    wget && \
    adduser -u 1000 -D stealthy-adm && \
    adduser -u 1001 -D stealthy && \
    adduser -u 1002 -D stealthy-alt && \
    adduser -u 501 -D stealthy-mac && \
    echo "%adm ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
    echo "Set disable_coredump false" >> /etc/sudo.conf && \
    addgroup stealthy-adm adm && \
    addgroup stealthy adm && \
    addgroup stealthy-alt adm && \
    addgroup stealthy-mac adm && \
    mkdir -p /srv/http /var/lib/augmented && \
    echo -e '#!/usr/bin/env bash\n\
    sudo chown -R $(id -u):$(id -g) /srv /var/lib/augmented\n\
    if pushd &>/dev/null .boot; then\n\
        shopt -s globstar nullglob\n\
        for f in **/*.sh\n\
        do\n\
            mkdir -p "/var/lib/augmented/$(dirname "$f")"\n\
            tr -d ''"\\015"'' < "$f" > "/var/lib/augmented/$f"\n\
            chmod +x "/var/lib/augmented/$f"\n\
            bash "/var/lib/augmented/$f"\n\
        done\n\
        popd &>/dev/null\n\
    fi\n\
    exec /usr/bin/env bash -l -c "$*"\n\
' >> /srv/entrypoint.sh && \
    chmod +x /srv/entrypoint.sh && \
    chown stealthy:stealthy -R /srv /var/lib/augmented && \
    rm -r /var/cache/apk/*

ENTRYPOINT [ "/srv/entrypoint.sh" ]
WORKDIR /srv/http
USER stealthy:stealthy

CMD ["/bin/bash"]

This template can be extended by installing more packages, and the entrypoint can be extended with more logic to run on startup. More scripts can be supplied at run time by mounting a .boot directory: every *.sh in it is run before the main command. This line:

tr -d ''"\\015"'' < "$f" > "/var/lib/augmented/$f"\n\

just removes the CR from CRLF line endings, which appear when the folder is mounted from Windows, so the script still runs when executed in Linux.

Debian

FROM debian:testing-20210329-slim
LABEL maintainer="stealthycoder@stealthycoder.com"

# apt-get is the scriptable front end (apt warns about its unstable CLI).
# /var/lib/augmented receives the CRLF-stripped copies of the mounted .boot
# scripts, so it must exist and be writable by the unprivileged user before
# the entrypoint runs; the apt lists are dropped to keep the layer small.
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y --no-install-recommends ca-certificates \
    sudo \
    vim \
    bash \
    wget && \
    useradd -u 1000 -m -s /bin/bash stealthy-adm && \
    useradd -u 1001 -m -s /bin/bash stealthy && \
    useradd -u 1002 -m -s /bin/bash stealthy-alt && \
    useradd -u 501 -m -s /bin/bash stealthy-mac && \
    echo "%adm ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
    echo "Set disable_coredump false" >> /etc/sudo.conf && \
    addgroup stealthy-adm adm && \
    addgroup stealthy adm && \
    addgroup stealthy-alt adm && \
    addgroup stealthy-mac adm && \
    mkdir -p /srv/http /var/lib/augmented && \
    echo '#!/bin/bash\n\
    sudo chown -R $(id -u):$(id -g) /srv /var/lib/augmented\n\
    if pushd &>/dev/null .boot; then\n\
        shopt -s globstar nullglob\n\
        for f in **/*.sh\n\
        do\n\
            mkdir -p "/var/lib/augmented/$(dirname "$f")"\n\
            tr -d ''"\\015"'' < "$f" > "/var/lib/augmented/$f"\n\
            chmod +x "/var/lib/augmented/$f"\n\
            bash "/var/lib/augmented/$f"\n\
        done\n\
        popd &>/dev/null\n\
    fi\n\
    exec /bin/bash -l -c "$*"\n\
' >> /srv/entrypoint.sh && \
    chmod +x /srv/entrypoint.sh && \
    chown stealthy:stealthy -R /srv /var/lib/augmented && \
    rm -rf /var/lib/apt/lists/*

ENTRYPOINT [ "/srv/entrypoint.sh" ]
WORKDIR /srv/http
USER stealthy:stealthy

CMD ["/bin/bash"]

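The .boot processing both templates perform, as an added example that is not the post's own entrypoint: a POSIX sh rewrite that drops the sudo/chown step (it assumes the image created the stage directory at build time, owned by the unprivileged user), keeps the same CR-stripping tr call, and takes the .boot and stage directories as parameters instead of hard-coding ./.boot and /var/lib/augmented.

```shell
#!/bin/sh
# Added example, not the post's entrypoint. Assumes the stage directory was
# created and chowned to the unprivileged user at image build time, so the
# start-up needs no sudo at all. Both directories are parameters here.
set -eu

# Copy every *.sh below $1 into $2 with CR bytes removed (CRLF -> LF), mark
# it executable and print its staged path. find replaces the post's
# `ls **/*.sh`, so paths with spaces survive, and mkdir -p recreates
# sub-directories so nested scripts do not fail on a missing target dir.
stage_boot_scripts() {
    boot_dir=$1
    stage_dir=$2
    [ -d "$boot_dir" ] || return 0     # nothing mounted: nothing to do
    find "$boot_dir" -type f -name '*.sh' | LC_ALL=C sort |
    while IFS= read -r f; do
        dest="$stage_dir/${f#"$boot_dir"/}"
        mkdir -p "$(dirname "$dest")"
        tr -d '\015' < "$f" > "$dest"   # same CR strip as the post's tr line
        chmod 0755 "$dest"
        printf '%s\n' "$dest"
    done
}

# Run the staged scripts in sorted order. Unlike the original loop, a failing
# script stops the start-up instead of falling through to the main command.
run_boot_scripts() {
    stage_boot_scripts "$1" "$2" |
    while IFS= read -r script; do
        bash "$script" || exit 1       # leaves the pipeline subshell with 1
    done
}

# Typical entrypoint use (constructed paths): stage under /var/lib/augmented,
# then hand over to the CMD with exec so it becomes PID 1 and gets signals:
# run_boot_scripts "$PWD/.boot" /var/lib/augmented && exec "$@"
```

Without the tr step, a script saved on Windows would try to write to "out.txt<CR>" instead of "out.txt", which is exactly the failure the post's entrypoint is guarding against.
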
#devops