
Add Dockerfile linting tools for CNG

Summary

In #3249 (closed) we found that when using CMD in a Dockerfile we should write CMD ["executable","param1","param2"] (exec form) rather than CMD command param1 param2 (shell form), since the shell form runs the command under sh, and that sh becomes PID 1. This is problematic because termination signals are delivered to the shell rather than to the process that should handle them.

This is explained in detail in the Docker documentation:

If you use the shell form of the CMD, then the <command> will execute in /bin/sh -c:

If you want to run your <command> without a shell then you must express the command as a JSON array and give the full path to the executable. This array form is the preferred format of CMD. Any additional parameters must be individually expressed as strings in the array:

In #3249 (closed) we updated our Docker images in CNG to use the JSON array form (CMD ["executable","param1","param2"]). However, we should have a programmatic way to enforce this, so that future developers working on these images do not reintroduce the same issue.

hadolint

We can use hadolint and run it as part of the CI process to lint our Dockerfiles. hadolint has a specific rule for this, DL3025, which is enabled by default and flags CMD and ENTRYPOINT instructions that do not use the JSON (exec) form.

For example, running it on our CNG repository, we see DL3025 reported multiple times:

$ hadolint $(find . -type f -name 'Dockerfile.*') | grep 'DL3025'
./gitaly/Dockerfile.ubi8:58 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-geo-logcursor/Dockerfile.ubi8:32 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-container-registry/Dockerfile.ubi8:37 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-shell/Dockerfile.ubi8:42 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-exporter/Dockerfile.ubi8:38 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-webservice/Dockerfile.ubi8:46 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-pages/Dockerfile.ubi8:38 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-mailroom/Dockerfile.ubi8:33 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
./gitlab-sidekiq/Dockerfile.ubi8:41 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments

Introducing hadolint

hadolint has a lot of rules, and we currently violate many of them. The aim of this issue is to introduce hadolint, not to fix all of those violations.

We can configure hadolint to ignore the rules we currently violate, and open a follow-up issue/epic to fix them when it makes sense.
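As an added example (not hadolint's code, and not part of this issue), the script below re-implements the one check this issue cares about, DL3025 (CMD/ENTRYPOINT must use the JSON exec form), over two constructed Dockerfiles: one in the shell form that #3249 found problematic and one after the fix. It also models the "ignored" list from the previous paragraph: passing DL3025 as the ignore list suppresses the rule, the same way an `ignored:` entry in `.hadolint.yaml` or a `--ignore DL3025` flag would with the real tool. The warning text and line-number format mirror the hadolint output shown above; the file names and the `app` binary are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal DL3025-style check (CMD/ENTRYPOINT in exec form)
# with a hadolint-style ignore list. Not hadolint itself; in CI, run hadolint.

# check_exec_form FILE [IGNORED_RULES]
# Prints "FILE:LINE DL3025 warning: ..." for every CMD/ENTRYPOINT written in
# shell form and returns 1 if any were found, 0 otherwise. IGNORED_RULES is a
# space-separated list of rule codes; if it contains DL3025 the rule is skipped,
# mirroring the "ignored:" list in .hadolint.yaml. Limitation: instructions
# continued across lines with a trailing backslash are not handled.
check_exec_form() {
    file=$1
    ignored=${2:-}
    case " $ignored " in
        *" DL3025 "*) return 0 ;;
    esac
    rc=0
    n=0
    # "|| [ -n "$line" ]" keeps a last line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$stripped" in
            "CMD "*|"ENTRYPOINT "*|"cmd "*|"entrypoint "*)
                # drop the instruction keyword; exec form starts with '['
                args=$(printf '%s' "$stripped" | sed 's/^[A-Za-z]*[[:space:]]*//')
                case "$args" in
                    \[*) ;;
                    *)
                        printf '%s:%s DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments\n' "$file" "$n"
                        rc=1 ;;
                esac ;;
        esac
    done < "$file"
    return $rc
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed Dockerfile in shell form: sh becomes PID 1, app is its child
cat > "$workdir/Dockerfile.shell" <<'EOF'
FROM scratch
COPY app /usr/local/bin/app
CMD /usr/local/bin/app --listen 0.0.0.0:8080
EOF

# Same image after the fix: exec form, full path, each argument its own string
cat > "$workdir/Dockerfile.exec" <<'EOF'
FROM scratch
COPY app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]
CMD ["--listen", "0.0.0.0:8080"]
EOF

# Lint every Dockerfile the way a CI job would and fail the job if any warns.
# HADOLINT_IGNORED is a constructed variable standing in for the ignore list.
status=0
for f in "$workdir"/Dockerfile.*; do
    check_exec_form "$f" "${HADOLINT_IGNORED:-}" || status=1
done
echo "lint exit status: $status"
```

With the ignore list empty, only Dockerfile.shell is reported (on its line 3) and the overall status is 1; exporting HADOLINT_IGNORED=DL3025 makes the run pass, which is the trade-off the follow-up issue would later remove rule by rule.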

Licensing

hadolint is licensed under the GNU General Public License v3.0, but this license was approved in the past for linting usage.