celements-webapp docker build #543
Conversation
Thanks for setting up the new GHCR image pipeline! The containerization structure looks solid. After looking at the broader context and setup I have some more general suggestions regarding maintainability, security, and container best practices. Maybe you can incorporate them before merging and mirroring this to the other webapp repos; if you feel it goes beyond the scope and context of these changes here, then please add issues to our Jira for it.

1. DRY / Boilerplate Duplication

The Tomcat configuration files (
2. Security: Running Tomcat as Root

The execute stage in the

```dockerfile
FROM tomcat:10-jdk21-temurin AS execute
...
ENTRYPOINT ["start"]
CMD ["catalina.sh", "run"]
```
3. Non-standard
@fpichler Thanks for the review.

1. DRY / Boilerplate Duplication

I extracted a shared

2. Security: Running Tomcat as Root

This security concern is mainly mitigated by our rootless Docker setup. However, running as non-root inside the container is still useful defense-in-depth. I extracted this into INFRA-470, since it needs proper implementation specs.

3. Non-standard .env Pointer File
4. Container Logging: Writing to Filesystem

We don't write only to the container writable layer,
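As an added example (not the PR's Dockerfile and not the project's code), here is how the execute stage quoted in review point 2 could be rewritten so Tomcat runs as an unprivileged user, the defense-in-depth change the author deferred to INFRA-470. The stage name `build`, the WAR path, and the assumption that the `start` script itself needs no root privileges are mine, not from the page.

```dockerfile
# Added example, not the PR's Dockerfile. Keeps the base image and the
# ENTRYPOINT/CMD from the quoted fragment; the "build" stage, the WAR path
# and a root-free "start" script are assumptions.
FROM tomcat:10-jdk21-temurin AS execute

# Dedicated system account for the servlet container: no home, no login shell.
RUN groupadd --system tomcat \
 && useradd --system --gid tomcat --no-create-home --shell /usr/sbin/nologin tomcat

# Tomcat only needs to write to logs/, temp/, work/ and (for WAR unpacking)
# webapps/ at runtime. conf/, lib/ and bin/ stay root-owned and read-only for
# the tomcat user, so a compromised webapp cannot rewrite server.xml or drop
# jars onto the classpath. Upstream images leave the writable dirs 1777;
# 750 restricts them to the tomcat user.
RUN chown -R tomcat:tomcat "$CATALINA_HOME/logs" "$CATALINA_HOME/temp" \
                           "$CATALINA_HOME/work" "$CATALINA_HOME/webapps" \
 && chmod 750 "$CATALINA_HOME/logs" "$CATALINA_HOME/temp" \
              "$CATALINA_HOME/work" "$CATALINA_HOME/webapps"

# Deploy the application already owned by the runtime user (path is assumed).
COPY --from=build --chown=tomcat:tomcat /build/target/ROOT.war $CATALINA_HOME/webapps/ROOT.war

# Drop privileges for every following instruction and for the running
# container. 8080 is an unprivileged port, so no capability is needed to bind it.
USER tomcat
EXPOSE 8080

ENTRYPOINT ["start"]
CMD ["catalina.sh", "run"]
```

To confirm the built image does not default to root, `docker inspect --format '{{.Config.User}}' <image>` should print `tomcat`.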