{{tag>Brouillon}}
= Docker image build
See:
* [[https://docs.docker.com/build/concepts/overview/|Docker Buildx / BuildKit]]
* https://docs.docker.com/build/building/best-practices/
* https://docs.openshift.com/container-platform/4.17/openshift_images/create-images.html
* https://docs.oracle.com/en/operating-systems/oracle-linux/podman/podman-SecurityRecommendations.html
* [[docker_install_dokuwiki|Example Dockerfile for Dokuwiki]]
* https://www.docker.com/blog/docker-best-practices-using-tags-and-labels-to-manage-docker-image-sprawl/
Tools / methods / container image builders:
* Docker / Dockerfile
* Buildah
* openshift-imagebuilder
* [[https://github.com/openshift/source-to-image|Source-To-Image (S2I)]]
* Buildpacks / pack
* Kaniko
* CNB (Cloud Native Buildpacks)
* Paketo
* umoci
== Best practices
See:
* https://www.sysdig.com/learn-cloud-native/dockerfile-best-practices
* https://collabnix.com/running-docker-containers-as-root/
* https://www.docker.com/blog/understanding-the-docker-user-instruction/
* https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
* https://blog.stephane-robert.info/docs/conteneurs/outils/hadolint/
* https://medium.com/@SecurityArchitect/hardening-container-images-best-practices-and-examples-for-docker-e941263cab13
Whenever possible, prefer ''COPY'' to ''ADD''. See https://docs.docker.com/build/building/best-practices/
Immediately before the ''ENTRYPOINT'' or ''CMD'' instruction, add a ''USER'' instruction so that the process does not run as root.
Do not use ''sudo''; use ''gosu'' or ''su-exec'' instead to drop privileges.
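The three practices above turned into a check that can run before ''hadolint''. This is an added example written for this page, not code from Docker or from any project linked here; the three Dockerfiles are constructed inputs and the rules (prefer ''COPY'' to ''ADD'', no ''sudo'' in ''RUN''/''CMD''/''ENTRYPOINT'', a non-root ''USER'' in the final stage) are my own reading of the advice. It goes one step beyond the text by resetting the ''USER'' state at every ''FROM'': a ''USER'' set in the build stage of a multi-stage Dockerfile does not carry over to the final image, which is a common way to end up running as root without noticing.

```shell
#!/bin/sh
# Added example, not code from the page or any project it links.
# Assumed: POSIX sh with grep -E and awk; the Dockerfiles below are constructed.

# Constructed "before" Dockerfile: ADD where COPY would do, sudo, no USER.
WEAK_DOCKERFILE='FROM alpine:3.20
RUN apk add --no-cache sudo
ADD app.tar.gz /srv/app
CMD ["sudo", "-u", "nobody", "/srv/app/run"]'

# Constructed multi-stage Dockerfile where USER is set in the build stage only:
# the final stage starts again from its own FROM, so it still runs as root.
MISPLACED_USER_DOCKERFILE='FROM golang:1.22 AS build
WORKDIR /src
COPY . .
USER nobody
RUN go build -o /out/app .
FROM alpine:3.20
COPY --from=build /out/app /srv/app
ENTRYPOINT ["/srv/app"]'

# Constructed hardened version: COPY only, dedicated account, USER right
# before ENTRYPOINT in the final stage, no sudo anywhere.
HARDENED_DOCKERFILE='FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN go build -o /out/app .
FROM alpine:3.20
RUN addgroup -S app && adduser -S -G app -H app
COPY --from=build /out/app /srv/app
USER app
ENTRYPOINT ["/srv/app"]'

# lint_dockerfile <dockerfile contents>
# Prints one line per finding and returns the number of findings (0 = clean).
lint_dockerfile() {
    df=$1
    n=0

    # 1. ADD silently extracts archives and fetches URLs; COPY only copies.
    if printf '%s\n' "$df" | grep -Eq '^[[:space:]]*ADD[[:space:]]'; then
        echo "ADD used: prefer COPY unless archive extraction or URL fetch is intended"
        n=$((n + 1))
    fi

    # 2. sudo in RUN/CMD/ENTRYPOINT; gosu or su-exec switch users without a setuid helper.
    if printf '%s\n' "$df" |
        grep -Eq '^[[:space:]]*(RUN|CMD|ENTRYPOINT)[[:space:]].*[^[:alnum:]_-]sudo([^[:alnum:]_-]|$)'; then
        echo "sudo used: switch users with gosu or su-exec instead"
        n=$((n + 1))
    fi

    # 3. The final stage must end up with a non-root USER. Each FROM starts a
    #    new stage, so any USER seen before it is discarded.
    msg=$(printf '%s\n' "$df" | awk '
        /^[ \t]*FROM[ \t]/ { user = "" }
        /^[ \t]*USER[ \t]/ { user = $2 }
        END {
            if (user == "")
                print "no USER in final stage: the process runs as root"
            else if (user == "root" || user ~ /^0(:.*)?$/)
                print "USER is root in final stage"
        }')
    if [ -n "$msg" ]; then
        echo "$msg"
        n=$((n + 1))
    fi

    return "$n"
}

# Demo: report findings for each constructed Dockerfile.
for name in WEAK_DOCKERFILE MISPLACED_USER_DOCKERFILE HARDENED_DOCKERFILE; do
    eval "content=\$$name"
    echo "== $name"
    lint_dockerfile "$content" && echo "(no findings)" || echo "-> $? finding(s)"
done
```

To lint a real file, replace the constructed strings with ''lint_dockerfile "$(cat Dockerfile)"''. The checks are deliberately line-oriented and will not see instructions split across ''\'' continuations or a ''USER'' set by an ''ONBUILD'' trigger; ''hadolint'' (next section) remains the reference tool, this is the cheap pre-check.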
=== Checking a Dockerfile / Containerfile with Hadolint
See:
* https://blog.stephane-robert.info/docs/conteneurs/outils/hadolint/
<code bash>
podman run --rm -i docker.io/hadolint/hadolint < Dockerfile
</code>
== Example Dockerfile and script
https://github.com/browserless/chrome/blob/master/start.sh
''start.sh''
<code bash>
#!/bin/bash
set -e

# When docker restarts, this file is still there,
# so we need to kill it just in case
[ -f /tmp/.X99-lock ] && rm -f /tmp/.X99-lock

# Forward the termination signal to both child processes
_kill_procs() {
  kill -TERM "$node"
  kill -TERM "$xvfb"
}

# Relay quit commands to processes
trap _kill_procs SIGTERM SIGINT

# Start the virtual X server on display :99 without any listening sockets
Xvfb :99 -screen 0 1024x768x16 -nolisten tcp -nolisten unix &
xvfb=$!

export DISPLAY=:99

# Start the Node application under dumb-init; "$@" passes the container's
# arguments through intact (an unquoted $@ would re-split them on whitespace)
dumb-init -- node ./build/index.js "$@" &
node=$!

wait "$node"
wait "$xvfb"
</code>
''Dockerfile''
<code dockerfile>
CMD ["./start.sh"]
</code>
== Buildah
See https://www.grottedubarbu.fr/buildah-basics/
The Buildah equivalent of ''docker build'':
<code bash>
buildah bud -t myapp:latest .
</code>
The ''bud'' subcommand is in fact a short form of ''build-using-dockerfile''.
== Other
On Alpine, ''RUN apk add --no-cache shadow'' installs the ''shadow'' package (''useradd'', ''usermod'' and related tools).