Re: MASSEMBLY-918 proposal


Re: MASSEMBLY-918 proposal

Enrico Olivelli
Marat,
Sorry for the late reply.

On Mon, 29 Jul 2019, 19:00 <[hidden email]> wrote:

> Hi community.
>
> I use Maven with Maven Resources plugin and Dockerfile Maven plugin
> (https://github.com/spotify/dockerfile-maven) for building my Docker images
> and this approach works fine (much better than shell scripts) except one
> issue - refer to "The backlash of chmod/chown/mv in your Dockerfile" article
> (https://medium.com/@lmakarov/the-backlash-of-chmod-chown-mv-in-your-dockerfile-f12fe08c0b55).
> I was able to solve this issue in terms of location and file / directory
> permissions with Maven Assembly plugin and TAR format but ownership of files
> and directories is still an issue - refer to
> https://issues.apache.org/jira/browse/MASSEMBLY-918 for details.
>


So you need to create tar files with root:root as owner of files?

Enrico

>
> This issue with ownership is important for the business project I work in
> because this issue becomes security issue (well, it's **minor** security
> issue to be honest, but I'd prefer to not prove that for software security
> team but just fix the issue) when Red Hat OpenShift and RHEL 7 are used,
> i.e. the same issue may be important for other business projects
> ("corporates") utilizing the same (popular) stack.
>
> I implemented PoC which demonstrates that MASSEMBLY-918 can be easily solved
> (refer to issue description). It's still PoC because it doesn't follow all
> the rules required for official pull requests and contains no unit tests for
> the new feature I implemented.
>
> I'd like to understand:
>
> 1. If MASSEMBLY-918 is actual for other developers? Does anybody else use
> Maven for building of Docker images and have the same limits because of RHEL
> and OpenShift?
> 2. Does it make sense to invest into official pull requests for further
> promotion of changes (these changes may be helpful not only for building of
> Docker images)?
>
> Thank you.
>
> Regards,
> Marat Abrarov.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

Re: MASSEMBLY-918 proposal

Enrico Olivelli
Can't you run some post package script with the maven exec plugin?


Enrico

On Fri, 16 Aug 2019, 19:55 <[hidden email]> wrote:

> Hi Enrico,
>
> Yes, I need just root:root for the task I described, but it doesn't look
> like correct (generic) solution to add just flag for the "root ownership",
> because its implementation looks as hard (easy for smbd) as adding
> possibility to specify both user and group.
>
> Marat.
>
>

Re: MASSEMBLY-918 proposal

Enrico Olivelli
I was thinking more about 1) but I am not a 'tar' master.
Maybe you can write a simple jshell script that uses the java libs and
tweaks the tarball

Enrico

On Sun, 18 Aug 2019, 22:10 <[hidden email]> wrote:

> 4. Squash Docker image layers? This approach requires additional tool (
> https://github.com/jwilder/docker-squash requires sudo) and understanding
> of what layers to squash and what layers to keep as is (for optimization of
> Docker image delivery - some base layers are taken from image vendor and
> are not changed, so I need to keep them to avoid re-delivering of the whole
> Docker image). I'm not sure about impact of squashing of Docker layers on
> Docker build cache and on the whole time required for building (if TAR
> checksum didn't change then rebuilding of Docker image is faster due to
> Docker build cache).
>
>
>
>
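The post-package script suggested in this thread (rewrite the tarball so that every entry is owned by root:root) can be sketched as follows. This is an added example, not part of the thread and not code from the Maven Assembly plugin or from the PoC attached to MASSEMBLY-918; it uses Python's standard `tarfile` module instead of jshell, and the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import tarfile


def normalize_owner(src, uid=0, gid=0, uname="root", gname="root"):
    """Copy a tar archive, setting every entry's owner; modes and data are kept."""
    out = io.BytesIO()
    # GNU format on output: no pax records that could carry the old owner names.
    with tarfile.open(fileobj=io.BytesIO(src), mode="r:*") as tin, \
            tarfile.open(fileobj=out, mode="w", format=tarfile.GNU_FORMAT) as tout:
        for member in tin:
            member.uid, member.gid = uid, gid
            member.uname, member.gname = uname, gname
            # Only regular files carry a data section; dirs and links are header-only.
            data = tin.extractfile(member) if member.isreg() else None
            tout.addfile(member, data)
    return out.getvalue()


def listing(archive):
    """Return (name, mode, uid, gid, content) per entry, for checking the result."""
    rows = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:
            body = tar.extractfile(m).read() if m.isreg() else None
            rows.append((m.name, m.mode, m.uid, m.gid, body))
    return rows


def build_sample():
    """Constructed sample: two entries owned by a non-root uid/gid of 1000."""
    script = b"#!/bin/sh\nexec java -jar /app/app.jar\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        d = tarfile.TarInfo("app")
        d.type, d.mode = tarfile.DIRTYPE, 0o750
        f = tarfile.TarInfo("app/run.sh")
        f.size, f.mode = len(script), 0o755
        for info, data in ((d, None), (f, io.BytesIO(script))):
            info.uid = info.gid = 1000
            info.uname = info.gname = "builder"
            tar.addfile(info, data)
    return buf.getvalue()


if __name__ == "__main__":
    for row in listing(normalize_owner(build_sample())):
        print(row)
```

Running `listing()` over the final archive in the build is a cheap gate: fail the build if any entry reports a uid or gid other than the intended one.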