refactor(docker): optimize build architecture and security#237
Open
rmie wants to merge 2 commits into
Open
Conversation
- Invert base image to use Playwright Noble for native browser support - Install Temurin 21 JDK directly from Adoptium APT repository - Extract Rust toolchain from official image via multi-stage COPY - Relocate appuser creation to preempt UID 1000 conflicts - Update HEALTHCHECK to use Spring Boot liveness probe
Contributor
Author
|
@tmseidel I spent some time this week working on integration tests, https://github.com/rmie/ai-git-bot/tree/feature/add-test-framework-integration-tests Current State & Blockers
"Tiny CI" & Security Trade-offsThe "tiny CI" concept offers a self-contained feedback loop, but it carries inherent architectural risks that need to be addressed:
|
Owner
|
@rmie Great work so far. I'll take a deeper look on this in the next days, Scheduled this for 1.15.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Problem
The original Dockerfile architecture attempted to graft Playwright into a Java (
eclipse-temurin) base image. This forced the build to download and runplaywright install-deps(which executes heavyapt-getcommands for browser libraries) on every cache miss, drastically slowing down build times. Additionally, the build relied on insecure patterns (executingcurl | bashfor the Rust toolchain), created theappusertoo late (risking UID conflicts), and improperly targeted the generic Spring Boot health endpoint.This is a major refactor and I happily accept rejection because of "lacking tests". I'd willing to work on this and provide integration tests for the tools included in the image, covering aspects, like
But I'd need guidance for that.
The Solution
This PR entirely inverts the Docker architecture to use the official Playwright image as the runtime base, significantly improving build speeds, correctness, and security.
Key Architectural Changes:
mcr.microsoft.com/playwright:v1.60.0-nobleas the foundation, providing perfectly configured Chromium, Node, and shared libraries out of the box without requiring a slowinstall-depsstep.temurin-21-jdkdirectly from the official Adoptium APT repository, retaining the exact same update speed and binaries as theeclipse-temurinDocker image.curl | bashpattern entirely. Rust is now extracted via a clean multi-stageCOPY --from=rust:1-slim-bookworm, leveraging Docker Hub's image integrity while retaining perfectglibcbackward compatibility.appusercreation to the very top of the runtime stage to claim UID/GID1000before anyaptpackages install, preventing fatal post-install script collisions.HEALTHCHECKto use the/actuator/health/livenessprobe, which is the correct Spring Boot endpoint for container orchestration restarts.AI Usage Disclosure
This PR was heavily refactored using Google Antigravity.
Dockerfileto implement the inverted base image architecture and wrote the Docker multi-stageCOPYcommands for the Rust toolchain.appusercreation and the correct Spring Boot liveness endpoint). All code changes and builds were verified and explicitly approved by the human developer.