Check DSOP Dockerfile guidelines on UBI-based CNG images
This issue is part of &4 (closed).
Follow DSOP Guidelines for Dockerfiles and check the UBI-based CNG images against them. Apply the guidelines where applicable.
NOTE: Some guidelines are not applicable; for example, we use UBI8, while the DSOP recommends UBI7. Also, the directory structure of the image repository should be addressed separately, possibly as a different build artifact.
NOTE: We do not apply these guidelines on intermediate images, including:
- git-base
- gitlab-elasticsearch-indexer
- gitlab-go
- gitlab-python
- gitlab-rails
- gitlab-ruby
- gitlab-ubi-builder
- kubectl
- postgresql
The Base Image should be the UBI7 image `FROM` dcar.dsop.io.
Not applicable.
Image must be started as `USER`, not root. Privileges/escalations must be provided to make that `USER` work properly.
Must be applied to
- gitaly
- gitlab-container-registry
- gitlab-exporter
- gitlab-geo-logcursor
- gitlab-mailroom
- gitlab-redis-ha
- gitlab-shell
- gitlab-sidekiq
- gitlab-task-runner
- gitlab-unicorn
- gitlab-workhorse
Provide a `LABEL` value for your Dockerfile, with the following key/value pairs at a minimum: [source,name,maintainer,contributor,version,release,summary,description]
Must be applied to
- gitaly
- gitlab-container-registry
- gitlab-exporter
- gitlab-geo-logcursor
- gitlab-mailroom
- gitlab-redis-ha
- gitlab-shell
- gitlab-sidekiq
- gitlab-task-runner
- gitlab-unicorn
- gitlab-workhorse
Packages installed via UBI repos, where possible, using the command `yum install --disableplugin=subscription-manager <package>`
Already met. We use `dnf --disableplugin=subscription-manager install -yb --nodocs ...`.
Include applicable license files to enable distribution under `/licenses/`
Not applicable in this repository.
Expose ports as necessary to facilitate correct operation of your application, avoid privileged ports 1024 and below to support running as a non-root user.
Already met. CNG images do not expose any port.
Provide a `HEALTHCHECK` to enable platform monitoring of your container
- gitaly
- gitlab-container-registry
- gitlab-exporter
- gitlab-geo-logcursor
- gitlab-mailroom
- gitlab-redis-ha
- gitlab-shell
- gitlab-sidekiq
- gitlab-task-runner
- gitlab-unicorn
- gitlab-workhorse
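
One way to check a Dockerfile against the `USER`, `LABEL`, port and `HEALTHCHECK` guidelines listed above, as an added example that is not part of the original issue or the CNG project's tooling. The function name, the sample Dockerfiles and their image names are constructed; the check reads only the Dockerfile text, so it assumes nothing is inherited from the base image.

```python
import re

REQUIRED_LABELS = set("source name maintainer contributor version release summary description".split())
LABEL_KV = re.compile(r'"?([\w.-]+)"?=("(?:[^"\\]|\\.)*"|\S*)')  # key=value, value consumed

def check_dockerfile(text):
    """Return guideline findings for the final stage of a Dockerfile."""
    text = re.sub(r"\\\s*\n", " ", text)  # join backslash line continuations
    user, labels, ports, health = None, set(), [], False
    for line in text.splitlines():
        instr, _, args = line.strip().partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "FROM":  # new stage; assumes the base image runs as root
            user, labels, ports, health = None, set(), [], False
        elif instr == "USER":
            user = args.split(":")[0]  # "1000:1000" -> "1000"
        elif instr == "LABEL":
            labels |= {m.group(1) for m in LABEL_KV.finditer(args)}
        elif instr == "EXPOSE":  # "8080/tcp" -> 8080; "$PORT" is skipped
            ports += [int(n) for n in re.findall(r"(?:^|\s)(\d+)", args)]
        elif instr == "HEALTHCHECK":
            health = args.upper() != "NONE"  # HEALTHCHECK NONE disables it
    findings = []
    if user in (None, "root", "0"):
        findings.append("USER: final stage runs as root")
    missing = sorted(REQUIRED_LABELS - labels)
    if missing:
        findings.append("LABEL: missing " + ", ".join(missing))
    low = [p for p in ports if p <= 1024]  # guideline: "1024 and below"
    if low:
        findings.append("EXPOSE: privileged ports " + ", ".join(map(str, low)))
    if not health:
        findings.append("HEALTHCHECK: none defined")
    return findings

# Constructed samples; image names, label values and paths are placeholders.
SAMPLE_BAD = """FROM example/ubi8-builder AS build
USER 1000
FROM example/ubi8
LABEL name="demo" \\
      summary="key=value demo"
EXPOSE 80 8080/tcp
HEALTHCHECK NONE
"""
SAMPLE_GOOD = """FROM example/ubi8
LABEL source="x" name="demo" maintainer="m" contributor="c" \\
      version="1.0" release="1" summary="demo" description="demo image"
USER 1000:1000
HEALTHCHECK CMD /scripts/healthcheck
"""
```

`SAMPLE_BAD` sets `USER` only in its builder stage, so the final stage is still reported as running as root.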