From 518cd6dc4bd07ed52f120351e58765c50f994300 Mon Sep 17 00:00:00 2001 From: Casey Waldren Date: Mon, 10 Jun 2024 17:21:06 -0700 Subject: [PATCH 1/6] docs: add docker pulls to README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index b1b59685..fed07c2d 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,8 @@ [![Actions Status](https://github.com/launchdarkly/ld-relay/actions/workflows/daily-integration-tests.yml/badge.svg)](https://github.com/launchdarkly/ld-relay/actions/workflows/daily-integration-tests.yml) [![Actions Status](https://github.com/launchdarkly/ld-relay/actions/workflows/daily-security-scan.yml/badge.svg)](https://github.com/launchdarkly/ld-relay/actions/workflows/daily-security-scan.yml) [![Actions Status](https://github.com/launchdarkly/ld-relay/actions/workflows/daily-installation-test.yml/badge.svg)](https://github.com/launchdarkly/ld-relay/actions/workflows/daily-installation-test.yml) +[![Docker Pulls](https://img.shields.io/docker/pulls/launchdarkly/ld-relay)](https://hub.docker.com/r/launchdarkly/ld-relay) + ## About the LaunchDarkly Relay Proxy From 8ee691a1b718524f14b8c63293513661cc4f36bd Mon Sep 17 00:00:00 2001 From: Casey Waldren Date: Mon, 10 Jun 2024 17:48:50 -0700 Subject: [PATCH 2/6] more badges --- docs/docker.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/docker.md b/docs/docker.md index 392792ab..5ade4e90 100644 --- a/docs/docker.md +++ b/docs/docker.md 
@@ -4,9 +4,20 @@ Using Docker is not required, but if you prefer using a Docker container we provide a Docker entrypoint to make this as easy as possible. -We provide two distributions. The first is a based on Alpine Linux, while the second is based on Google's -["distroless"](https://github.com/GoogleContainerTools/distroless) debian12 images. +We provide images based on Alpine Linux and Google's +["distroless"](https://github.com/GoogleContainerTools/distroless) Debian12 images. +| Image | Version | Size | amd64 | armv7 | arm64v8 | i386 | +|--------------------|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-------|-------|---------|------| +| Distroless | ![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-nonroot) | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-nonroot) | ✅ | ✅ | ✅ | ❌ | | +| Distroless (debug) | ![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot) | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot) | ✅ | ✅ | ✅ | ❌ | +| Alpine | ![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest) | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest) | ✅ | ✅ | ✅ | ✅ | + +We recommend using the Distroless images, as automated security scanners regularly flag issues in Alpine even though +the Relay Proxy itself is unaffected. + +Because Relay Proxy is a statically linked Go binary, it can take advantage of the reduced dependencies in the +Distroless base images. ## Local Development 
@@ -50,10 +61,9 @@ $ docker run --name ld-relay --link redis:redis -e USE_REDIS=1 -e LD_ENV_test="s ## Production Deployment -In production, you may choose between our Distroless or Alpine Linux images. We recommend using the Distroless -images, as they present less of an attack surface, are smaller, and should require less continual patching. +In production, you may choose between the Distroless or Alpine Linux images. -Please note that the default Distroless image does not contain a debug shell. +Please note that the default Distroless image does not contain a shell. ### Distroless Variants @@ -70,13 +80,3 @@ variant): ```shell docker exec -it [container name] /busybox/sh ``` - - -### Supported Architectures - -Alpine and Distroless are multi-arch images. - -| Image | i386 | amd64 | armv7 | arm64v8 | -|------------|------|-------|-------|---------| -| Distroless | ❌ | ✅ | ✅ | ✅ | -| Alpine | ✅ | ✅ | ✅ | ✅ | From 57b4877938bcb52f3bee2127bd45cecb073ef784 Mon Sep 17 00:00:00 2001 From: Casey Waldren Date: Tue, 11 Jun 2024 11:16:20 -0700 Subject: [PATCH 3/6] add links from badges to dockerhub --- docs/docker.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/docker.md b/docs/docker.md index 5ade4e90..35f315a2 100644 --- a/docs/docker.md +++ b/docs/docker.md 
@@ -7,11 +7,11 @@ Using Docker is not required, but if you prefer using a Docker container we prov We provide images based on Alpine Linux and Google's ["distroless"](https://github.com/GoogleContainerTools/distroless) Debian12 images. -| Image | Version | Size | amd64 | armv7 | arm64v8 | i386 | -|--------------------|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-------|-------|---------|------| -| Distroless | ![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-nonroot) | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-nonroot) | ✅ | ✅ | ✅ | ❌ | | -| Distroless (debug) | ![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot) | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot) | ✅ | ✅ | ✅ | ❌ | -| Alpine | ![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest) | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest) | ✅ | ✅ | ✅ | ✅ | +| Image | Version | Size | amd64 | armv7 | arm64v8 | i386 | +|--------------------|-----------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|-------|-------|---------|------| +| Distroless | [![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-nonroot) ][dockerhub] | [![Docker Image Size 
(tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-nonroot)][dockerhub] | ✅ | ✅ | ✅ | ❌ | | +| Distroless (debug) | [![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot) ][dockerhub] | [![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot)][dockerhub] | ✅ | ✅ | ✅ | ❌ | +| Alpine | [![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest) ][dockerhub] | [![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest)][dockerhub] | ✅ | ✅ | ✅ | ✅ | We recommend using the Distroless images, as automated security scanners regularly flag issues in Alpine even though the Relay Proxy itself is unaffected. @@ -80,3 +80,5 @@ variant): ```shell docker exec -it [container name] /busybox/sh ``` + +[dockerhub]: https://hub.docker.com/r/launchdarkly/ld-relay From c8f837e5e06ca7eb573a9cf74e99e2f9276b5c4a Mon Sep 17 00:00:00 2001 From: Casey Waldren Date: Tue, 11 Jun 2024 11:38:13 -0700 Subject: [PATCH 4/6] feat: publish -alpine suffixed Docker images --- .goreleaser.yml | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 8ff806f7..b2571292 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -213,7 +213,9 @@ dockers: - "--platform=linux/arm64/v8" docker_manifests: - # For the Alpine image + # For backwards compatibility, we publish the :latest, :vX, and :x.y.z tags for Alpine without any suffix + # indicating that the image is Alpine based (unlike the debian12 images). This is because it's what was done historically, + # and we cannot change it yet without breaking existing users. - name_template: "launchdarkly/ld-relay:{{ .Version}}" skip_push: false image_templates: 
@@ -238,6 +240,32 @@ docker_manifests: - "launchdarkly/ld-relay:latest-arm64v8" - "launchdarkly/ld-relay:latest-i386" + # We'll also create aliases for the Alpine-based image with the suffix "-alpine" to make it easier to distinguish + # from the debian12 image. This will also allow us to eventually deprecate the non-suffixed tags in a future major version. + - name_template: "launchdarkly/ld-relay:{{ .Version}}-alpine" + skip_push: false + image_templates: + - "launchdarkly/ld-relay:{{ .Version }}-amd64" + - "launchdarkly/ld-relay:{{ .Version }}-armv7" + - "launchdarkly/ld-relay:{{ .Version }}-arm64v8" + - "launchdarkly/ld-relay:{{ .Version }}-i386" + + - name_template: "launchdarkly/ld-relay:v{{ .Major }}-alpine" + skip_push: false + image_templates: + - "launchdarkly/ld-relay:v{{ .Major }}-amd64" + - "launchdarkly/ld-relay:v{{ .Major }}-armv7" + - "launchdarkly/ld-relay:v{{ .Major }}-arm64v8" + - "launchdarkly/ld-relay:v{{ .Major }}-i386" + + - name_template: "launchdarkly/ld-relay:latest-alpine" + skip_push: false + image_templates: + - "launchdarkly/ld-relay:latest-amd64" + - "launchdarkly/ld-relay:latest-armv7" + - "launchdarkly/ld-relay:latest-arm64v8" + - "launchdarkly/ld-relay:latest-i386" + # For the static debian12 image - name_template: "launchdarkly/ld-relay:latest-static-debian12-nonroot" skip_push: false From c72c7256d6b297abb804a1204419912289747e0a Mon Sep 17 00:00:00 2001 From: Casey Waldren Date: Tue, 11 Jun 2024 12:04:31 -0700 Subject: [PATCH 5/6] update README --- docs/docker.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/docker.md b/docs/docker.md index 35f315a2..289c7c39 100644 --- a/docs/docker.md +++ b/docs/docker.md 
@@ -7,11 +7,11 @@ Using Docker is not required, but if you prefer using a Docker container we prov We provide images based on Alpine Linux and Google's ["distroless"](https://github.com/GoogleContainerTools/distroless) Debian12 images. -| Image | Version | Size | amd64 | armv7 | arm64v8 | i386 | -|--------------------|-----------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|-------|-------|---------|------| -| Distroless | [![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-nonroot) ][dockerhub] | [![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-nonroot)][dockerhub] | ✅ | ✅ | ✅ | ❌ | | -| Distroless (debug) | [![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot) ][dockerhub] | [![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot)][dockerhub] | ✅ | ✅ | ✅ | ❌ | -| Alpine | [![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest) ][dockerhub] | [![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest)][dockerhub] | ✅ | ✅ | ✅ | ✅ | +| Image | Version | Size | amd64 | armv7 | arm64v8 | i386 | +|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-------|-------|---------|------| +| Distroless | [![Docker Image 
Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-nonroot) ][dockerhub-distroless] | [![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-nonroot)][dockerhub-distroless] | ✅ | ✅ | ✅ | ❌ | | +| Distroless (debug) | [![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot) ][dockerhub-distroless-debug] | [![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-static-debian12-debug-nonroot)][dockerhub-distroless-debug] | ✅ | ✅ | ✅ | ❌ | +| Alpine | [![Docker Image Version](https://img.shields.io/docker/v/launchdarkly/ld-relay/latest-alpine) ][dockerhub-alpine] | [![Docker Image Size (tag)](https://img.shields.io/docker/image-size/launchdarkly/ld-relay/latest-alpine)][dockerhub-alpine] | ✅ | ✅ | ✅ | ✅ | We recommend using the Distroless images, as automated security scanners regularly flag issues in Alpine even though the Relay Proxy itself is unaffected. @@ -81,4 +81,6 @@ variant): docker exec -it [container name] /busybox/sh ``` -[dockerhub]: https://hub.docker.com/r/launchdarkly/ld-relay +[dockerhub-distroless]: https://hub.docker.com/r/launchdarkly/ld-relay/tags?page=&page_size=&ordering=&name=static-debian12-nonroot +[dockerhub-distroless-debug]: https://hub.docker.com/r/launchdarkly/ld-relay/tags?page=&page_size=&ordering=&name=static-debian12-debug-nonroot +[dockerhub-alpine]: https://hub.docker.com/r/launchdarkly/ld-relay/tags?page=&page_size=&ordering=&name=alpine From 54ec4d1cf54a9c72454a2b5df8eed0e9e20aa697 Mon Sep 17 00:00:00 2001 From: Casey Waldren Date: Fri, 14 Jun 2024 14:52:25 -0700 Subject: [PATCH 6/6] also scan -alpine suffixed images --- .github/workflows/daily-security-scan-alpine.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/daily-security-scan-alpine.yml b/.github/workflows/daily-security-scan-alpine.yml index e4a47a78..ead150ba 100644 --- a/.github/workflows/daily-security-scan-alpine.yml +++ b/.github/workflows/daily-security-scan-alpine.yml @@ -8,7 +8,7 @@ jobs: scan-relay: strategy: matrix: - tag: ['latest', 'v7', 'v8'] + tag: ['latest', 'latest-alpine', 'v7', 'v8', 'v8-alpine'] fail-fast: false runs-on: ubuntu-latest steps:
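Review bot: [PATCH 2/6], docs/docker.md, first hunk: the added `Distroless` table row ends with `| ❌ | |`, which is one cell more than the seven-column header and the other two rows. Drop the trailing `|` so the row matches. The same extra cell is carried through the table rewrites in [PATCH 3/6] and [PATCH 5/6], so it is best fixed where it is introduced. The sentence above the table also writes "Debian12" while the image tags use `debian12`; pick one spelling.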
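Review bot: [PATCH 2/6], docs/docker.md, Production Deployment hunk: the removed sentence was the only place that gave the reasons for preferring Distroless ("less of an attack surface, are smaller, and should require less continual patching"). The replacement text near the top of the file justifies the recommendation only by scanner findings in Alpine. Consider keeping the attack-surface and patching rationale next to the new recommendation, and repeating or linking the recommendation from this section, since a reader who lands on Production Deployment now sees only "you may choose between the Distroless or Alpine Linux images".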
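Review bot: [PATCH 4/6], .goreleaser.yml, hunk at `@@ -238,6 +240,32 @@`: the three new `-alpine` manifests repeat the four per-arch `image_templates` entries of the unsuffixed manifests, and nothing keeps the two groups in sync, so a later change to one list (for example dropping `-i386`) can leave the alias pointing at a different set of images than the tag it is meant to mirror. Add a comment on both groups stating that they must stay identical, or restructure so the list is written once. Minor: `{{ .Version}}-alpine` in the first `name_template` is spaced differently from `{{ .Version }}` in the lines below it.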
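Review bot: [PATCH 5/6], docs/docker.md, table hunk: the Alpine badges now point at the `latest-alpine` tag, which only exists once a release has been published with the manifests added in [PATCH 4/6], so the badges will not resolve if this documentation change ships before that release. Either sequence the docs change after the first release that publishes the tag, or say so in the commit message. The prose around the table also never mentions that `-alpine` suffixed tags exist, so a reader only learns about them from the badge URL; a sentence naming the new tags would help users who want to pin to them.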
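Review bot: [PATCH 5/6], docs/docker.md, link reference hunk: `[dockerhub-alpine]` filters on `name=alpine`, so the linked page will list only the suffixed tags and hide the unsuffixed `latest`, `vX` and `x.y.z` tags that the .goreleaser.yml comment in [PATCH 4/6] says are still the Alpine image. Note that next to the table or link to the unfiltered tags page for Alpine. The empty `page=&page_size=&ordering=` parameters in all three URLs carry no values and can probably be dropped, leaving only `?name=...`.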
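Review bot: [PATCH 6/6], .github/workflows/daily-security-scan-alpine.yml, `matrix.tag`: the list adds `latest-alpine` and `v8-alpine` but keeps `v7` without a `v7-alpine` counterpart. If v7 releases will be built with the manifests from [PATCH 4/6], add `v7-alpine`; if they will not, add a comment explaining the omission so the gap does not look accidental. The two new entries will also fail until a release has published those tags; `fail-fast: false` keeps the other entries running, but the commit message should mention the expected red runs so they are not mistaken for scan findings.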