wiremock-docker icon indicating copy to clipboard operation
wiremock-docker copied to clipboard
verified publisher icon wiremock

RedHat UBI image

Open jonnisell opened this issue 4 years ago • 1 comments

Hi,

I like this image but would like to have a RedHat UBI based image to run on an on-prem Openshift-platform. After a brief look it might be possible to just clone the alpine image and rebase it onto a UBI minimal image.

jonnisell avatar Mar 16 '21 09:03 jonnisell

This would be easier to realize if the existing Dockerfiles were more standardized and up to date. Couple of things I'd read/consider:

  • OpenShift recommends running images using arbitrary UIDs this means that images that start as root and then drop down to a less privileged user (that's what gosu and su-exec are doing here) won't work out of the box (because it still starts with root before dropping down). Removing gosu from the build and providing a user which belongs to the root group as described in the document should be the way to go. This will allow compatibility with arbitrary UIDs and also reduce the attack vector of the image (since there is no need for line 12-44 and so there might be no need for the additional packages either.
  • eclipse-temurin:11.0.24_8-jre is outdated. If wiremock is not yet fully compatible with LTS 17 or 21 and you need to stay on 11, at minimum make sure to get a version higher than the java security baseline. Having something below the security baseline (11.0.29 at this time) means your image is vulnerable.
  • consider an alternative for using wget to fetch the standalone artifact directly from a maven central download link (e.g. using maven central without using mvn). If you insist publishing only on maven central, use maven. You could use a multistage Dockerfile and use a maven image as builder to get the artifact through mvn dependency:get -Dartifact= and then use COPY --from=builder to paste it into your final image. Alternatively you could also publish the standalone jar among your release artifacts here on GitHub or provide other download sources.
  • add a cleanup for packages you installed to build/prepare your image but you don't actually need to run it. Clean package manager downloads/cache.
  • UBI9 minimal or micro are great as base for anything you want to run on OpenShift.

faandg avatar Oct 31 '25 13:10 faandg