As discussed offline, other big images like Node.js or Nginx use root as the default user, and the users in the end can base off of our image to add their security features.
Not sure if follow-up docs changes are required for that.
Fix #3703
Fix #3681
It turns out that the new `docker push --all-tags` is not yet available
in the latest docker distribution on Ubuntu 20.04.
This provides a helper script to tag and publish the docker image.
It turns out GitHub Actions have docker pre-installed.
This patch unifies the codepaths that we use to build docker image
locally and to publish it from CI.
As a result, there's no extra `--prepare-context` argument in
`//docs/docker/build.sh` that was used solely on CI.
References #2926
This patch:
- updates docker seccomp profile to use a slightly modified default docker
profile
- removes SUID sandbox documentation since it doesn't seem to work
References #2745
This patch bakes browsers into docker image.
Important observations:
- We now re-build docker image every time we roll browsers.
- Docker image size almost doubles: from `225MB` to `496MB`.
References #2926
This adds a new script to calculate docker image size with
all parent layers.
Note: take these metrics with a grain of salt, since in reality
docker compresses and reuses layers.
Some historic stats obtained with this script:
- **`208MB`** (-33MB) chore(docker): skip "recommended" dependencies (#2917) (1cebf8757c)
- **`241MB`** (-29MB) chore(docker): trim some of the gstreamer dependencies (#2897) (bce4b1aea9)
- **`272MB`** (-1MB) devops: do cache busting for APT (#2656) (bb34418095)
- **`273MB`** (+49MB) fix(webkit): update Docker file to include gstreamer (#2636) (5c6c65915c)
- **`224MB`** (+0MB) chore: fix emojis for CR and FF in Dockerfile (#2522) (24316ad261)
- **`224MB`** (-1MB) fix: Dockerfile for Firefox (#1937) (b516ac4fb2)
- **`225MB`** (+49MB) devops(docker): Install ffmpeg dependency, adding codecs necessary for video playback in Firefox (#1627) (222d01caaa)
- **`176MB`** (+32MB) chore(docs): optionally install XVFB in docker (ec3ee66043)
- **`144MB`** (+144MB) feat: add a playwright-ready docker image (#1161) (1781ae7006)
Has some overlaps with the troubleshooting doc, which I plan to clean up in a subsequent PR. This first version of the doc has a feel of "build-your-own" with our sample configurations. Over time we can tweak the level of hand-holding for the best user experience to get started with CI.
Fixes #1103