Streamline Builds

Ensure only the required assets are deployed in a container image.

Context and problem

To keep images as small as possible and minimise the impact of security risks, use a minimal base image and add only the capabilities you need.

Solution

Use the container builder pattern

This scenario consists of a Dockerfile that builds a Rust project with external SSL dependencies and then configures a minimal image to use it.

A working reference is available in the repo for this project.

Issues and considerations

While a single base image is the desired goal, it may be necessary to use more than one base image.

Ensure security scans of the images, and a process to manage them, are in place.

Understand how you are going to support the OS layer and related system libraries.

When to use this scenario

As you move into the Replatform stage of modernization it is good practice to put this scenario in place.

Example


###############################################
# This is the configuration for the container
# that will build the assets for deployment
###############################################
# Start with a standard base image. See the Standard Operating Environment folder for more details.
FROM registry.access.redhat.com/ubi8/ubi as rhel8builder

# Example of installing development libs for the build.
# rustup is fetched over HTTPS only, with TLS 1.2 as the minimum.
RUN yum install -y gcc openssl-devel && \
    rm -rf /var/cache/dnf && \
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y

COPY . /app-build

WORKDIR "/app-build"
# Set up build paths and other config
ENV PATH=/root/.cargo/bin:${PATH}

RUN cargo build --release

########################################################################
# This is the configuration for the container                          #
# that will be distributed.                                            #
# You may also want to consider using an organisational base image.    #
# See the standard operating environment folder                        #                          
########################################################################
FROM registry.access.redhat.com/ubi8/ubi-minimal

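# ubi-minimal uses `microdnf`, a small package manager.
# shadow-utils provides groupadd/useradd, which ubi-minimal does not ship by default.
RUN microdnf update -y && \
    microdnf install -y procps-ng shadow-utils && \
    microdnf clean all

# Add a system group and user called `appuser`
RUN groupadd -r appuser && useradd -r -g appuser -s /sbin/nologin appuser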

WORKDIR "/app"
COPY --from=rhel8builder /app-build/target/release/stream-line-builds ./

# set the user that will run the application
USER appuser

CMD ["./stream-line-builds"]
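
A CI-style check for the builder pattern described on this page, added here as an illustration and not taken from the project's repo: it parses a Dockerfile into stages and flags a final stage that still carries build tools, copies the whole build context, or runs as root. The `BUILD_TOOLS` deny-list, the function names and the sample Dockerfiles are assumptions made for the example.

```python
import re

# Assumed deny-list of build-only tools and packages; extend it for your toolchain.
BUILD_TOOLS = {"gcc", "gcc-c++", "make", "cargo", "rustc", "openssl-devel"}

def parse_stages(text):
    """Split Dockerfile text into stages, each a list of instruction lines."""
    text = re.sub(r"\\[ \t]*\n", " ", text)  # join backslash-continued lines
    stages = []
    for line in map(str.strip, text.splitlines()):
        if re.match(r"(?i)FROM\s+\S", line):
            stages.append([])
        elif stages and line and not line.startswith("#"):
            stages[-1].append(line)
    return stages

def check_final_stage(text):
    """Return findings for the last stage, which is the image that ships."""
    stages = parse_stages(text)
    if not stages:
        return ["no FROM instruction found"]
    findings, user = [], None
    if len(stages) < 2:
        findings.append("single stage: the build environment is the shipped image")
    for line in stages[-1]:
        instr, rest = (line.split(None, 1) + [""])[:2]
        if instr.upper() == "USER":
            user = rest.strip().split(":")[0]
        elif instr.upper() == "RUN":
            hit = BUILD_TOOLS & set(re.split(r"[\s;&|]+", rest))
            if hit:
                findings.append("build tools in final stage: " + ", ".join(sorted(hit)))
        elif instr.upper() == "COPY":
            args = [a for a in rest.split() if not a.startswith("--")]
            if "--from=" not in rest and args and args[0] in (".", "./"):
                findings.append("final stage copies the entire build context")
    if user in (None, "root", "0"):
        findings.append("final stage runs as root")
    return findings

# Constructed sample inputs with shortened image names (not the project's Dockerfile).
GOOD = r"""FROM ubi8/ubi AS builder
RUN yum install -y gcc openssl-devel && \
    cargo build --release
FROM ubi8/ubi-minimal
COPY --from=builder /app-build/target/release/app ./
USER appuser
"""
BAD = "FROM ubi8/ubi\nRUN yum install -y gcc && cargo build --release\nCOPY . /app\n"
```

In a pipeline, pass the Dockerfile's text to `check_final_stage` and fail the build when the returned list is not empty.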

Standard Operating Environment