Adding document analyzing CI/dockerfile #3940
Conversation
apostasie
force-pushed
the
analyze-dockerfile
branch
2 times, most recently
from
30881d4 to
91edb07
Compare
| golang:${GO_VERSION}-bookworm => hack-build-base-debian | ||
| golang:${GO_VERSION}-alpine => hack-build-base | ||
| ubuntu:${UBUNTU_VERSION} => hack-base | ||
| ``` |
There was a problem hiding this comment.
( I once had a BuildKit PR to allow injecting a hook to update CAs, but it wasn't accepted 😞 moby/buildkit#4669 Still thinking about an alternative... )
There was a problem hiding this comment.
Yeah.
I always end-up doing some ridiculous monkeying for that kind of stuff (same for overloading apt config, netrc, etc). Deviating the base like here, or using secrets (secrets is neat, but forces you to have additional --mount for every RUN, which is highly unpractical).
I just think the Dockerfile as a front-end is not aging too well... things like Dagger or Earthly are kinda touching on this overall question (eg: of a better frontend for developer that leverages the buildkit DAG).
But then, Dockerfile is everywhere now, so... something "new" comes up with a price...
AkihiroSuda
added
documentation
|
Let's keep this PR open a little while. I'll add more measurements. Marking draft. |
apostasie
force-pushed
the
analyze-dockerfile
branch
from
91edb07 to
c6c16f1
Compare
Signed-off-by: apostasie <[email protected]>
apostasie
force-pushed
the
analyze-dockerfile
branch
from
c6c16f1 to
0331f8f
Compare
Title says all.
Sharing audit notes in a new document (we can also just slap this into an issue if it is better - I don't mind either way).
I am rewriting the Dockerfile now and will provide an updated audit to see if we have measurable improvements.