feat(docker): harden docker image #394
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit changes the replica path format to group segments within a single index in the same directory. This is to eventually add the ability to seek to a record on file-based systems without having to iterate over the records. The DB shadow WAL will also be changed to this same format to support live replicas.
Per the godoc on Replica.Restore and RestoreOptions.OutputPath, Replica.db.path should be used when RestoreOptions.OutputPath is empty. Fixes benbjohnson#233
This commit fixes an issue where the reference is taken on the loop variable rather than the slice element when computing the minimum snapshot within a generation so it can cause the wrong snapshot to be chosen.
By default, the snapshots command seems to output in alphabetical order of hash, which isn't meaningful, as far as I can tell. This change modifies the order of the command output so that ./litestream snapshots returns snapshots from newest to oldest.
This commit refactors out the complexity of downloading ordered WAL files in parallel to a type called `WALDownloader`. This makes it easier to test the restore separately from the download.
Bumps [github.com/pierrec/lz4/v4](https://github.com/pierrec/lz4) from 4.1.3 to 4.1.12. - [Release notes](https://github.com/pierrec/lz4/releases) - [Commits](pierrec/lz4@v4.1.3...v4.1.12) --- updated-dependencies: - dependency-name: github.com/pierrec/lz4/v4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.27.0 to 1.42.39. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md) - [Commits](aws/aws-sdk-go@v1.27.0...v1.42.39) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) from 1.15.0 to 1.18.2. - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@pubsub/v1.15.0...storage/v1.18.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/storage dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.45.0 to 0.65.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.45.0...v0.65.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.42.39 to 1.42.40. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md) - [Commits](aws/aws-sdk-go@v1.42.39...v1.42.40) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
export LITESTREAM_ACCESS_KEY_ID=your_key_id export LITESTREAM_SECRET_ACCESS_KEY=your_access_key export LITESTREAM_ENDPOINT=your_endpoint export LITESTREAM_REGION=your_region litestream replicate fruits.db s3://mybkt/fruits.db
Signed-off-by: Ryan Russell <ryanrussell@users.noreply.github.com>
Signed-off-by: Ryan Russell <git@ryanrussell.org>
|
@hazcod Thanks for the PR. I'll have to do some testing with this. Isn't running as |
|
@benbjohnson It's still a best practice not to, running as root in a container greatly increases the risk of kernel exploitation or container escape. https://dockerlabs.collabnix.com/security/Running-Containers-as-ROOT.html |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change removes the
alpinedocker image with an empty scratch image.This removes a bunch of attack surface which is unused anyway.
Additionally it adds-in an unprivileged user such that root is no longer used to reduce attack surface.