From c5ca588a6f026a25da1ad62fe9bb967468d7a951 Mon Sep 17 00:00:00 2001 From: Jeremy Lin Date: Sun, 24 Jan 2021 17:26:25 -0800 Subject: [PATCH] Dockerfile.j2: clean up web-vault section --- docker/Dockerfile.j2 | 33 ++++++++++++++++++++------------- docker/amd64/Dockerfile | 27 +++++++++++++++++---------- docker/amd64/Dockerfile.alpine | 27 +++++++++++++++++---------- docker/arm64/Dockerfile | 27 +++++++++++++++++---------- docker/armv6/Dockerfile | 27 +++++++++++++++++---------- docker/armv7/Dockerfile | 27 +++++++++++++++++---------- docker/armv7/Dockerfile.alpine | 27 +++++++++++++++++---------- 7 files changed, 122 insertions(+), 73 deletions(-) diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 index 42ea2209..a986d3a3 100644 --- a/docker/Dockerfile.j2 +++ b/docker/Dockerfile.j2 @@ -1,5 +1,5 @@ # This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's. +# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. {% set build_stage_base_image = "rust:1.48" %} {% if "alpine" in target_file %} 
@@ -44,19 +44,26 @@ # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### -{% set vault_image_hash = "sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0" %} -{% raw %} -# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. -# It can be viewed in multiple ways: -# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. -# - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.17.1 -# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +{% set vault_version = "2.17.1" %} +{% set vault_image_digest = "sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0" %} +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. # -# - To do the opposite, and get the tag from the hash, you can do: -# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 -{% endraw %} -FROM bitwardenrs/web-vault@{{ vault_image_hash }} as vault +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. 
+# - From the command line: +# $ docker pull bitwardenrs/web-vault:v{{ vault_version }} +# $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" bitwardenrs/web-vault:v{{ vault_version }} +# [bitwardenrs/web-vault@{{ vault_image_digest }}] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{ '{{' }}.RepoTags}}" bitwardenrs/web-vault@{{ vault_image_digest }} +# [bitwardenrs/web-vault:v{{ vault_version }}] +# +FROM bitwardenrs/web-vault@{{ vault_image_digest }} as vault ########################## BUILD IMAGE ########################## FROM {{ build_stage_base_image }} as build diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile index 0d57ce48..4f6ab20d 100644 --- a/docker/amd64/Dockerfile +++ b/docker/amd64/Dockerfile 
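Review bot: `vault_version` is only interpolated into comments, while the `FROM` line is driven by `vault_image_digest` alone, so nothing in the template ties the two `{% set %}` values together. A later bump that changes one and not the other would render Dockerfiles whose verification instructions name a tag that the pinned digest does not correspond to, which defeats the point of documenting how to check it. I would add a template comment above the two assignments, e.g. `{# vault_version is documentation only; update it together with vault_image_digest and re-run the commands below #}` (assuming default Jinja2 comment delimiters), or have the `make` step compare the tag's current digest with the pinned one. The `RepoTags` example should also say that `docker image inspect` only reads the local image store, so it prints the tag only if the image was previously pulled by that tag on the same host.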
@@ -1,20 +1,27 @@ # This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's. +# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. # Using multistage build: # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### - -# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. -# It can be viewed in multiple ways: -# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. -# - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.17.1 -# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. +# +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. 
+# - From the command line: +# $ docker pull bitwardenrs/web-vault:v2.17.1 +# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 +# [bitwardenrs/web-vault:v2.17.1] # -# - To do the opposite, and get the tag from the hash, you can do: -# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault ########################## BUILD IMAGE ########################## diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine index 3831c35a..4576afc8 100644 --- a/docker/amd64/Dockerfile.alpine +++ b/docker/amd64/Dockerfile.alpine 
@@ -1,20 +1,27 @@ # This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's. +# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. # Using multistage build: # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### - -# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. -# It can be viewed in multiple ways: -# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. -# - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.17.1 -# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. +# +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. 
+# - From the command line: +# $ docker pull bitwardenrs/web-vault:v2.17.1 +# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 +# [bitwardenrs/web-vault:v2.17.1] # -# - To do the opposite, and get the tag from the hash, you can do: -# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault ########################## BUILD IMAGE ########################## diff --git a/docker/arm64/Dockerfile b/docker/arm64/Dockerfile index f1cb1625..fd7bedaf 100644 --- a/docker/arm64/Dockerfile +++ b/docker/arm64/Dockerfile 
@@ -1,20 +1,27 @@ # This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's. +# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. # Using multistage build: # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### - -# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. -# It can be viewed in multiple ways: -# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. -# - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.17.1 -# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. +# +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. 
+# - From the command line: +# $ docker pull bitwardenrs/web-vault:v2.17.1 +# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 +# [bitwardenrs/web-vault:v2.17.1] # -# - To do the opposite, and get the tag from the hash, you can do: -# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault ########################## BUILD IMAGE ########################## diff --git a/docker/armv6/Dockerfile b/docker/armv6/Dockerfile index fd859988..d4361872 100644 --- a/docker/armv6/Dockerfile +++ b/docker/armv6/Dockerfile 
@@ -1,20 +1,27 @@ # This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's. +# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. # Using multistage build: # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### - -# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. -# It can be viewed in multiple ways: -# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. -# - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.17.1 -# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. +# +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. 
+# - From the command line: +# $ docker pull bitwardenrs/web-vault:v2.17.1 +# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 +# [bitwardenrs/web-vault:v2.17.1] # -# - To do the opposite, and get the tag from the hash, you can do: -# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault ########################## BUILD IMAGE ########################## diff --git a/docker/armv7/Dockerfile b/docker/armv7/Dockerfile index bdd21c50..5bd945d9 100644 --- a/docker/armv7/Dockerfile +++ b/docker/armv7/Dockerfile 
@@ -1,20 +1,27 @@ # This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's. +# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. # Using multistage build: # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### - -# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. -# It can be viewed in multiple ways: -# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. -# - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.17.1 -# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. +# +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. 
+# - From the command line: +# $ docker pull bitwardenrs/web-vault:v2.17.1 +# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 +# [bitwardenrs/web-vault:v2.17.1] # -# - To do the opposite, and get the tag from the hash, you can do: -# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault ########################## BUILD IMAGE ########################## diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine index 3ac38ce6..00cba645 100644 --- a/docker/armv7/Dockerfile.alpine +++ b/docker/armv7/Dockerfile.alpine 
@@ -1,20 +1,27 @@ # This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's. +# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. # Using multistage build: # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### - -# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable. -# It can be viewed in multiple ways: -# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there. -# - From the console, with the following commands: -# docker pull bitwardenrs/web-vault:v2.17.1 -# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. +# +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. 
+# - From the command line: +# $ docker pull bitwardenrs/web-vault:v2.17.1 +# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1 +# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 +# [bitwardenrs/web-vault:v2.17.1] # -# - To do the opposite, and get the tag from the hash, you can do: -# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault ########################## BUILD IMAGE ##########################