Add Dockerfile linting tools for CNG
Summary
In #3249 (closed) we found out that when calling CMD inside a Dockerfile we should use `CMD ["executable","param1","param2"]` (exec form) rather than `CMD command param1 param2` (shell form), since the shell form spawns `sh` as PID 1, which is problematic because termination signals do not reach the right process.
This is explained in detail in the documentation:

> If you use the shell form of the CMD, then the `<command>` will execute in `/bin/sh -c`.
> If you want to run your `<command>` without a shell then you must express the command as a JSON array and give the full path to the executable. This array form is the preferred format of CMD. Any additional parameters must be individually expressed as strings in the array.
In #3249 (closed) we updated our Docker images in CNG to use the JSON array form (`CMD ["executable","param1","param2"]`). However, we should have a programmatic way to enforce this, so that future developers working on these images do not fall into the same issue.
hadolint
We can use hadolint and add it to the CI process to lint our Dockerfiles. hadolint has a specific rule for CMD, enabled by default, called DL3025.
For example, running it on our CNG repository we see it reported multiple times:
```
$ hadolint $(find . -type f -name 'Dockerfile.*') | grep 'DL3025'
./gitaly/Dockerfile.ubi8:58 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-geo-logcursor/Dockerfile.ubi8:32 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-container-registry/Dockerfile.ubi8:37 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-shell/Dockerfile.ubi8:42 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-exporter/Dockerfile.ubi8:38 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-webservice/Dockerfile.ubi8:46 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-pages/Dockerfile.ubi8:38 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-mailroom/Dockerfile.ubi8:33 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-sidekiq/Dockerfile.ubi8:41 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
```
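To make the shell-form versus exec-form distinction concrete, here is a small, added example (not hadolint's code and not part of CNG) that applies the same decision Docker itself makes: an instruction is exec form only if its arguments parse as a JSON array of strings, otherwise `/bin/sh -c` is wrapped around it. The `SAMPLE_DOCKERFILE` text, the `find_shell_form` helper and the `DL3025-like` message format are constructed for this illustration and are assumptions, not output of any real tool.

```python
"""Report shell-form CMD/ENTRYPOINT instructions in a Dockerfile.

This mirrors the intent of hadolint rule DL3025 (hypothetical helper, not
hadolint itself): anything that is not a valid JSON array of strings is run
as `/bin/sh -c <command>`, so `sh` becomes PID 1 and SIGTERM from the
orchestrator stops at the shell instead of the real process.
"""
import json
import re
from typing import List, Tuple

# Constructed sample: line 3 is shell form, lines 4-6 are exec form
# (the last CMD uses a backslash continuation, which a checker must join).
SAMPLE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi8/ubi-minimal
# shell form: /bin/sh -c becomes PID 1, signals never reach the wrapper
CMD /scripts/process-wrapper --some-flag
entrypoint ["/scripts/entrypoint.sh"]
CMD ["/scripts/process-wrapper", \\
     "--some-flag"]
"""


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines; keep the number of the first physical line."""
    result: List[Tuple[int, str]] = []
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank lines and comments are not instructions
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        result.append((start, (buf + line).strip()))
        buf, start = "", None
    if start is not None:  # continuation left open at end of file
        result.append((start, buf.strip()))
    return result


def is_exec_form(args: str) -> bool:
    """True only for a valid JSON array of strings, exactly as Docker decides it."""
    args = args.strip()
    if not args.startswith("["):
        return False
    try:
        parsed = json.loads(args)
    except ValueError:
        # e.g. single-quoted ['a', 'b']: looks like an array, but Docker
        # silently falls back to shell form because it is not valid JSON
        return False
    return isinstance(parsed, list) and all(isinstance(x, str) for x in parsed)


def find_shell_form(text: str, path: str = "Dockerfile") -> List[str]:
    """Return one finding per CMD/ENTRYPOINT that would be wrapped in /bin/sh -c."""
    findings = []
    for n, line in logical_lines(text):
        m = re.match(r"(?i)^(cmd|entrypoint)\s+(.*)$", line)
        if m and not is_exec_form(m.group(2)):
            findings.append(
                f"{path}:{n} DL3025-like: use JSON notation for {m.group(1).upper()} arguments"
            )
    return findings


if __name__ == "__main__":
    for finding in find_shell_form(SAMPLE_DOCKERFILE):
        print(finding)
```

Run against the constructed sample, only line 3 is reported; the lower-case `entrypoint` and the continued `CMD` both parse as JSON arrays. The single-quote fallback in `is_exec_form` is the case worth remembering when reviewing a Dockerfile by eye: it reads like exec form but builds as shell form.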
Introducing hadolint
hadolint has a lot of rules and we violate many of them; the aim of this issue should be to introduce hadolint, not to fix all of those issues.
We can configure hadolint to ignore the rules that we currently violate and open a follow-up issue/epic to fix them where it makes sense.
Licensing
hadolint is licensed under the GNU General Public License v3.0, but this was approved in the past for linting usage.