
[WIP] Hadolint recommendations

Open TokisanGames opened this issue 6 years ago • 2 comments

I ran http://github.com/hadolint/hadolint per calinou. This resulted in 45 best-practice warnings. I fixed all except for using WORKDIR instead of cd, and pinning apt-get installs (and dnf) to specific versions.

DL3003 Use WORKDIR to switch to a directory
DL3008 Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Key takeaways:

  • Any docker that uses `|` should have `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before `RUN` so it will fail if either side of the pipe fails.
  • Globs `*.deb` should begin with `./*.deb` in case a file begins with a hyphen, so it's not interpreted as an option.
  • `-e` on echo is not a POSIX standard and `printf` is recommended.
  • `CMD` is a JSON list, so it should be formatted as `CMD ["/bin/bash"]`
  • Because of the above, I combined the xcode `RUN` and `CMD` into one command and removed the redundant line in build.sh

TokisanGames avatar Mar 19 '20 17:03 TokisanGames
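The two shell-level points in the list above (pipe failures being swallowed without `pipefail`, and a hyphen-prefixed file name being parsed as an option by an unanchored glob) can be reproduced outside any container. The script below is an added example written for this thread, not code from the build-containers repository; the file names `-evil.deb` and `good.deb` and the scratch directory are constructed for the demonstration, and it assumes bash (the `-o pipefail` option is a bash feature, which is why the Dockerfile sets it through the bash SHELL).

```shell
#!/usr/bin/env bash
# Added example for the hadolint findings in this issue (not project code).

# pipe_status MODE
#   Runs a pipeline whose LEFT side fails and echoes the pipeline's exit
#   status. With MODE=plain (the default shell behaviour) the status of the
#   last command wins, so the failure is silently hidden. With MODE=pipefail
#   the failure propagates, which is what
#       SHELL ["/bin/bash", "-o", "pipefail", "-c"]
#   gives every subsequent RUN line in a Dockerfile.
pipe_status() {
  local mode="$1" rc=0
  if [ "$mode" = "pipefail" ]; then
    ( set -o pipefail; false | cat >/dev/null ) || rc=$?
  else
    ( false | cat >/dev/null ) || rc=$?
  fi
  echo "$rc"
}

# glob_status PATTERN
#   Creates a scratch directory with two constructed files, "-evil.deb" and
#   "good.deb", expands PATTERN there, hands the result to cat and echoes the
#   exit status. "*.deb" expands to "-evil.deb good.deb", so cat reads
#   "-evil.deb" as option letters and fails; "./*.deb" expands to
#   "./-evil.deb ./good.deb" and every word is unambiguously a path.
glob_status() {
  local pattern="$1" dir rc=0
  dir=$(mktemp -d)
  : > "$dir/-evil.deb"   # constructed: file name beginning with a hyphen
  : > "$dir/good.deb"    # constructed: ordinary file name
  # $pattern is deliberately unquoted so pathname expansion happens here.
  ( cd "$dir" && cat $pattern >/dev/null 2>&1 ) || rc=$?
  rm -rf -- "$dir"
  echo "$rc"
}

# Stand-alone run: print the four statuses side by side.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  printf 'false | cat, plain:      exit %s\n' "$(pipe_status plain)"
  printf 'false | cat, pipefail:   exit %s\n' "$(pipe_status pipefail)"
  printf 'cat *.deb   (unanchored): exit %s\n' "$(glob_status '*.deb')"
  printf 'cat ./*.deb (anchored):   exit %s\n' "$(glob_status './*.deb')"
fi
```

The `pipe_status pipefail` branch turns on the option inside the subshell rather than relying on the `SHELL` instruction, so the same effect is available on a per-`RUN` basis by prefixing the command with `set -o pipefail &&`; that matters for the podman case discussed further down, where `SHELL` is ignored for OCI-format images. The `printf` calls in the stand-alone section also stand in for the `echo -e` point: `printf` interprets its format string the same way in every POSIX shell, which `echo -e` does not.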

In spite of what hadolint says, SHELL ["/bin/bash", "-o", "pipefail", "-c"] is apparently not accepted by podman. Though it doesn't cause any errors building the docker, it does report this message:

time="2020-03-25T15:53:41+08:00" level=error msg="SHELL is not supported for OCI image format, [/bin/bash -o pipefail -c] will be ignored. Must use `docker` format"

Making this one WIP while I figure it out.

TokisanGames avatar Mar 25 '20 09:03 TokisanGames

This should be rebased to remove the commits from #40 (merged) and #42 (not merged yet but I will after branching the 3.2 buildsystem off).

akien-mga avatar Apr 06 '20 06:04 akien-mga