From d468e23f480a71b32292f2ab2f6f9335aa299943 Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Thu, 19 Jan 2017 20:46:33 +0100
Subject: [PATCH 1/6] build(docker): add docker best practices

Signed-off-by: Maik Ellerbrock
---
 distros/Dockerfile.alpine | 36 +++++++++++-------------------------
 1 file changed, 11 insertions(+), 25 deletions(-)

diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine
index 404e2cb..e2d78f9 100644
--- a/distros/Dockerfile.alpine
+++ b/distros/Dockerfile.alpine
@@ -4,29 +4,15 @@ LABEL org.label-schema.name="docker-bench-security" \
 org.label-schema.url="https://dockerbench.com" \
 org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
 
-ENV VERSION 1.12.6
-ENV SHA256 cadc6025c841e034506703a06cf54204e51d0cadfae4bae62628ac648d82efdd
+RUN \
+ apk add --no-cache \
+ docker \
+ dumb-init \
+ git && \
+ git clone https://github.com/docker/docker-bench-security.git /tmp/bench-security && \
+ cp /tmp/bench-security/*.sh /usr/local/bin && \
+ cp -R /tmp/bench-security/tests /usr/local/bin && \
+ apk del git && \
+ rm -rf /tmp/*
 
-WORKDIR /usr/bin
-
-RUN apk update && \
- apk upgrade && \
- apk --update add coreutils wget ca-certificates && \
- wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \
- wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \
- sha256sum -c docker-$VERSION.tgz.sha256 && \
- echo "$SHA256 docker-$VERSION.tgz" | sha256sum -c - && \
- tar -xzvf docker-$VERSION.tgz -C /tmp && \
- mv /tmp/docker/docker . && \
- chmod u+x docker* && \
- rm -rf /tmp/docker* && \
- apk del wget ca-certificates && \
- rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256
-RUN mkdir /docker-bench-security
-
-COPY . /docker-bench-security
-
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
+ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
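Review bot: The `git clone https://github.com/docker/docker-bench-security.git /tmp/bench-security` line fetches whatever the upstream default branch holds at build time — no tag, commit or checksum — so the same Dockerfile produces different images on different days and the scripts it bakes in are not the ones from the checkout being built, while the removed lines at least checked the docker tarball against a pinned SHA256. Pin the source, e.g. `git clone --depth 1 --branch <release-tag> https://github.com/docker/docker-bench-security.git /tmp/bench-security && \` (tag as a placeholder), or copy the local sources instead of cloning. Dropping `WORKDIR` also matters for this image: the script it runs still does `. ./output_lib.sh` and `for test in tests/*.sh` relative to the current directory (visible on the old side of the patch 3 hunk), so unless the container is started in `/usr/local/bin` the entrypoint would not find its libraries; a `WORKDIR /usr/local/bin` before the ENTRYPOINT would close that gap.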
From 562e38da7c95534cd8b571e9f47b860810106d22 Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Fri, 20 Jan 2017 19:06:06 +0100
Subject: [PATCH 2/6] fix(docker): add workdir to dockerfile

Signed-off-by: Maik Ellerbrock
---
 distros/Dockerfile | 20 ++++++++++++++++++++
 distros/Dockerfile.alpine | 4 +++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 distros/Dockerfile

diff --git a/distros/Dockerfile b/distros/Dockerfile
new file mode 100644
index 0000000..65ae83b
--- /dev/null
+++ b/distros/Dockerfile
@@ -0,0 +1,20 @@
+FROM alpine:3.5
+
+LABEL org.label-schema.name="docker-bench-security" \
+ org.label-schema.url="https://dockerbench.com" \
+ org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
+
+RUN \
+ apk add --no-cache \
+ docker \
+ dumb-init \
+ git && \
+ git clone https://github.com/docker/docker-bench-security.git /tmp/bench-security && \
+ cp /tmp/bench-security/*.sh /usr/local/bin && \
+ cp -R /tmp/bench-security/tests /usr/local/bin && \
+ rm -rf /tmp/*
+
+WORKDIR /usr/local/bin
+
+ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
+
diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine
index e2d78f9..65ae83b 100644
--- a/distros/Dockerfile.alpine
+++ b/distros/Dockerfile.alpine
@@ -12,7 +12,9 @@ RUN \
 git clone https://github.com/docker/docker-bench-security.git /tmp/bench-security && \
 cp /tmp/bench-security/*.sh /usr/local/bin && \
 cp -R /tmp/bench-security/tests /usr/local/bin && \
- apk del git && \
 rm -rf /tmp/*
 
+WORKDIR /usr/local/bin
+
 ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
+

From dcecae29e91148cdf0f4b1d0745f4cca433fcc9d Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Fri, 20 Jan 2017 19:59:56 +0100
Subject: [PATCH 3/6] fix(bash): update bash script to fix exec from another dir prob

Signed-off-by: Maik Ellerbrock
---
 docker-bench-security.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
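Review bot: distros/Dockerfile is added as an exact copy of distros/Dockerfile.alpine — both `index` lines in this patch end in blob 65ae83b — so there are now two files to keep in sync by hand and nothing says which one is canonical. A header comment on line 1 such as `# Mirror of distros/Dockerfile.alpine — keep the two in sync` would make the duplication explicit until one of them is dropped. The file also still clones the upstream repository at build time without a pinned ref, so the image content does not track the checkout being built.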
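Review bot: Removing `apk del git && \` leaves git and whatever it pulled in inside the runtime image even though git is only needed for the build-time clone, which enlarges the image and its attack surface, and the commit subject mentions only the WORKDIR. If the removal was deliberate (for instance because `apk del` pruned something the docker package needs) a comment on the RUN should say so; otherwise keep `apk del git && \` ahead of `rm -rf /tmp/*` so the cleanup stays in the same layer. The added `WORKDIR /usr/local/bin` is what makes the script's relative `. ./output_lib.sh` and `tests/*.sh` resolve, which is worth a comment: `# Script sources its libs and tests relative to the cwd`.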
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index f7c0a1d..dc00015 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -10,13 +10,13 @@
 #
 # ------------------------------------------------------------------------------
 
-# Load dependencies
-. ./output_lib.sh
-. ./helper_lib.sh
-
 # Setup the paths
-this_path=$(abspath "$0") ## Path of this file including filenamel
-myname=$(basename "${this_path}") ## file name of this script.
+this_path=$(dirname "${0}") ## Path of this file including filenamel
+myname=$(basename "${this_path}") ## file name of this script.
+
+# Load dependencies
+. ${this_path}/output_lib.sh
+. ${this_path}/helper_lib.sh
 
 export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
 
@@ -90,9 +90,9 @@ main () {
 # List all running containers except docker-bench (use names to improve readability in logs)
 containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
 
- for test in tests/*.sh
+ for test in ${this_path}/tests/*.sh
 do
- . ./"$test"
+ . "${test}"
 done
 }
 

From 1745cc16bb29c6302690874d1cd83188ea1fb0a4 Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Sun, 22 Jan 2017 01:01:53 +0100
Subject: [PATCH 4/6] refactor(docker): update main dockerfile (copy files directly)

Signed-off-by: Maik Ellerbrock
---
 Dockerfile | 29 +++++++++--------------------
 distros/Dockerfile | 20 --------------------
 docker-bench-security.sh | 16 ++++++++--------
 3 files changed, 17 insertions(+), 48 deletions(-)
 delete mode 100644 distros/Dockerfile

diff --git a/Dockerfile b/Dockerfile
index 404e2cb..dc186e4 100644
--- a/Dockerfile
+++ b/Dockerfile
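Review bot: With `this_path=$(dirname "${0}")`, the unchanged-looking `myname=$(basename "${this_path}")` now evaluates to the directory name (`bin` inside the container) rather than the script's file name, so anything that reports or compares `$myname` is silently wrong; it should read `myname=$(basename "${0}")`. The retained comment `## Path of this file including filenamel` is now false as well as misspelled — `## Directory containing this script` describes the new value. `${this_path}` is also unquoted in the two `. ${this_path}/…` lines here and in `for test in ${this_path}/tests/*.sh` in the second hunk, so a path containing spaces would be word-split; quote it as `. "${this_path}/output_lib.sh"` and `for test in "${this_path}"/tests/*.sh`. The second hunk lies inside `main ()`, whose body starts before and ends after it.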
@@ -4,29 +4,18 @@ LABEL org.label-schema.name="docker-bench-security" \
 org.label-schema.url="https://dockerbench.com" \
 org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
 
-ENV VERSION 1.12.6
-ENV SHA256 cadc6025c841e034506703a06cf54204e51d0cadfae4bae62628ac648d82efdd
+RUN \
+ apk add --no-cache \
+ docker \
+ dumb-init && \
+ mkdir /usr/local/bin/tests
 
-WORKDIR /usr/bin
+COPY ./*.sh /usr/local/bin/
 
-RUN apk update && \
- apk upgrade && \
- apk --update add coreutils wget ca-certificates && \
- wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \
- wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \
- sha256sum -c docker-$VERSION.tgz.sha256 && \
- echo "$SHA256 docker-$VERSION.tgz" | sha256sum -c - && \
- tar -xzvf docker-$VERSION.tgz -C /tmp && \
- mv /tmp/docker/docker . && \
- chmod u+x docker* && \
- rm -rf /tmp/docker* && \
- apk del wget ca-certificates && \
- rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256
+COPY ./tests/*.sh /usr/local/bin/tests/
 
-RUN mkdir /docker-bench-security
 
-COPY . /docker-bench-security
+WORKDIR /usr/local/bin
 
-WORKDIR /docker-bench-security
+ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
 
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
diff --git a/distros/Dockerfile b/distros/Dockerfile
deleted file mode 100644
index 65ae83b..0000000
--- a/distros/Dockerfile
+++ /dev/null
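Review bot: `apk add --no-cache docker dumb-init` pins neither package, whereas the lines it replaces fixed docker at 1.12.6 and checked the tarball against a known SHA256; the CLI version in the image now floats with whatever the Alpine 3.5 repository serves at build time, which matters for a benchmark whose checks depend on client behaviour. Pin both (`docker=<apk-version> \` and `dumb-init=<apk-version> && \`, versions as placeholders taken from the repository index) and note in a comment that integrity now rests on apk's package signatures instead of the explicit `sha256sum`. `mkdir /usr/local/bin/tests` is redundant, since `COPY` creates missing destination directories. Replacing `COPY . /docker-bench-security` with the two `*.sh` globs also means any non-`.sh` file a test reads is no longer in the image — worth confirming nothing relies on one.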
@@ -1,20 +0,0 @@
-FROM alpine:3.5
-
-LABEL org.label-schema.name="docker-bench-security" \
- org.label-schema.url="https://dockerbench.com" \
- org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
-
-RUN \
- apk add --no-cache \
- docker \
- dumb-init \
- git && \
- git clone https://github.com/docker/docker-bench-security.git /tmp/bench-security && \
- cp /tmp/bench-security/*.sh /usr/local/bin && \
- cp -R /tmp/bench-security/tests /usr/local/bin && \
- rm -rf /tmp/*
-
-WORKDIR /usr/local/bin
-
-ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
-
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index dc00015..f7c0a1d 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -10,13 +10,13 @@
 #
 # ------------------------------------------------------------------------------
 
-# Setup the paths
-this_path=$(dirname "${0}") ## Path of this file including filenamel
-myname=$(basename "${this_path}") ## file name of this script.
-
 # Load dependencies
-. ${this_path}/output_lib.sh
-. ${this_path}/helper_lib.sh
+. ./output_lib.sh
+. ./helper_lib.sh
+
+# Setup the paths
+this_path=$(abspath "$0") ## Path of this file including filenamel
+myname=$(basename "${this_path}") ## file name of this script.
 
 export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
 
@@ -90,9 +90,9 @@ main () {
 # List all running containers except docker-bench (use names to improve readability in logs)
 containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
 
- for test in ${this_path}/tests/*.sh
+ for test in tests/*.sh
 do
- . "${test}"
+ . ./"$test"
 done
 }
 

From 85a32bf8c16b4ce8bfef38f2cd9e829ce09a9bab Mon Sep 17 00:00:00 2001
From: Maik Ellerbrock
Date: Wed, 25 Jan 2017 10:55:02 +0100
Subject: [PATCH 5/6] perf(docker): cleanup unused docker binaries

Signed-off-by: Maik Ellerbrock
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index dc186e4..0ced361 100644
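Review bot: The two script hunks here are a byte-for-byte revert of patch 3 (the index goes back from dc00015 to f7c0a1d), which the commit message does not mention; the `myname` regression from patch 3 disappears with it, but so does running the script from another directory, because `. ./output_lib.sh` and `tests/*.sh` are again resolved against the current directory. That contract is now met only by `WORKDIR /usr/local/bin` in the Dockerfile, so state it above the restored `# Load dependencies` block: `# Must be run from the script's own directory: libs and tests are sourced relative to the cwd`. The second hunk lies inside `main ()`, whose body starts before and ends after it.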
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,6 +8,7 @@ RUN \
 apk add --no-cache \
 docker \
 dumb-init && \
+ rm -rf /usr/bin/docker-* /usr/bin/dockerd && \
 mkdir /usr/local/bin/tests
 
 COPY ./*.sh /usr/local/bin/

From 4535d08967154d38cc555de8f323da71e9ca6458 Mon Sep 17 00:00:00 2001
From: binary
Date: Thu, 26 Jan 2017 11:58:12 +0100
Subject: [PATCH 6/6] refactor(docker): update Dockerfile.alpine to latest version

Signed-off-by: binary
---
 distros/Dockerfile.alpine | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine
index 65ae83b..0ced361 100644
--- a/distros/Dockerfile.alpine
+++ b/distros/Dockerfile.alpine
@@ -7,12 +7,14 @@ LABEL org.label-schema.name="docker-bench-security" \
 RUN \
 apk add --no-cache \
 docker \
- dumb-init \
- git && \
- git clone https://github.com/docker/docker-bench-security.git /tmp/bench-security && \
- cp /tmp/bench-security/*.sh /usr/local/bin && \
- cp -R /tmp/bench-security/tests /usr/local/bin && \
- rm -rf /tmp/*
+ dumb-init && \
+ rm -rf /usr/bin/docker-* /usr/bin/dockerd && \
+ mkdir /usr/local/bin/tests
+
+COPY ./*.sh /usr/local/bin/
+
+COPY ./tests/*.sh /usr/local/bin/tests/
+
 
 WORKDIR /usr/local/bin
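Review bot: `rm -rf /usr/bin/docker-* /usr/bin/dockerd && \` deletes engine binaries that the `docker` apk package installed, with nothing saying why; a later reader may drop it as a mistake or move it into its own RUN, where it would no longer reduce the image size because the files would persist in the earlier layer. Add a why-comment above it: `# Only the docker CLI is needed by the bench; drop the daemon and helper binaries bundled in the package (same layer, so the layer really shrinks)`. apk still records the package as fully installed, so an `apk fix` or an upgrade of that package would presumably restore the files; that is acceptable for an immutable image but worth noting in the same comment. The enclosing RUN starts before the hunk.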