commit 2b6383d243606e1f15cbd9eee6baa4a5c42cb9fb
parent f27455a26f90653140c28b702de78c60dec4a420
Author: Daniel GarcĂa <dani-garcia@users.noreply.github.com>
Date: Mon, 25 Jan 2021 12:24:04 +0100
Merge pull request #1327 from jjlin/dockerfile-cleanup
Dockerfile.j2: clean up web-vault section
Diffstat:
7 files changed, 122 insertions(+), 73 deletions(-)
diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2
@@ -1,5 +1,5 @@
# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
{% set build_stage_base_image = "rust:1.48" %}
{% if "alpine" in target_file %}
@@ -44,19 +44,26 @@
# https://docs.docker.com/develop/develop-images/multistage-build/
# https://whitfin.io/speeding-up-rust-docker-builds/
####################### VAULT BUILD IMAGE #######################
-{% set vault_image_hash = "sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0" %}
-{% raw %}
-# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
-# It can be viewed in multiple ways:
-# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
-# - From the console, with the following commands:
-# docker pull bitwardenrs/web-vault:v2.17.1
-# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+{% set vault_version = "2.17.1" %}
+{% set vault_image_digest = "sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0" %}
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
#
-# - To do the opposite, and get the tag from the hash, you can do:
-# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
-{% endraw %}
-FROM bitwardenrs/web-vault@{{ vault_image_hash }} as vault
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull bitwardenrs/web-vault:v{{ vault_version }}
+# $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" bitwardenrs/web-vault:v{{ vault_version }}
+# [bitwardenrs/web-vault@{{ vault_image_digest }}]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{ '{{' }}.RepoTags}}" bitwardenrs/web-vault@{{ vault_image_digest }}
+# [bitwardenrs/web-vault:v{{ vault_version }}]
+#
+FROM bitwardenrs/web-vault@{{ vault_image_digest }} as vault
########################## BUILD IMAGE ##########################
FROM {{ build_stage_base_image }} as build
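Review bot: `vault_version` and `vault_image_digest` are set independently at the top of the web-vault section, and only the digest reaches the `FROM` line, so nothing ties the version named in the comments to the image that is actually pulled. The bracketed result lines under the two `docker image inspect` commands are rendered from those same variables rather than captured from a run, so a bump that changes one value and not the other produces generated Dockerfiles whose comments show a tag/digest pair that was never observed. I would add a template comment directly above the two `set` lines, `{# Update vault_version and vault_image_digest together, after re-running the commands below; FROM uses only the digest. #}`. Optionally the instruction could read `FROM bitwardenrs/web-vault:v{{ vault_version }}@{{ vault_image_digest }} as vault`, which keeps the tag visible next to the pin; the digest still decides what is pulled and the tag is not checked against it, so this is documentation only.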
diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile
@@ -1,20 +1,27 @@
# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
# Using multistage build:
# https://docs.docker.com/develop/develop-images/multistage-build/
# https://whitfin.io/speeding-up-rust-docker-builds/
####################### VAULT BUILD IMAGE #######################
-
-# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
-# It can be viewed in multiple ways:
-# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
-# - From the console, with the following commands:
-# docker pull bitwardenrs/web-vault:v2.17.1
-# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull bitwardenrs/web-vault:v2.17.1
+# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+# [bitwardenrs/web-vault:v2.17.1]
#
-# - To do the opposite, and get the tag from the hash, you can do:
-# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
########################## BUILD IMAGE ##########################
diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine
@@ -1,20 +1,27 @@
# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
# Using multistage build:
# https://docs.docker.com/develop/develop-images/multistage-build/
# https://whitfin.io/speeding-up-rust-docker-builds/
####################### VAULT BUILD IMAGE #######################
-
-# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
-# It can be viewed in multiple ways:
-# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
-# - From the console, with the following commands:
-# docker pull bitwardenrs/web-vault:v2.17.1
-# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull bitwardenrs/web-vault:v2.17.1
+# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+# [bitwardenrs/web-vault:v2.17.1]
#
-# - To do the opposite, and get the tag from the hash, you can do:
-# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
########################## BUILD IMAGE ##########################
diff --git a/docker/arm64/Dockerfile b/docker/arm64/Dockerfile
@@ -1,20 +1,27 @@
# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
# Using multistage build:
# https://docs.docker.com/develop/develop-images/multistage-build/
# https://whitfin.io/speeding-up-rust-docker-builds/
####################### VAULT BUILD IMAGE #######################
-
-# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
-# It can be viewed in multiple ways:
-# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
-# - From the console, with the following commands:
-# docker pull bitwardenrs/web-vault:v2.17.1
-# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull bitwardenrs/web-vault:v2.17.1
+# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+# [bitwardenrs/web-vault:v2.17.1]
#
-# - To do the opposite, and get the tag from the hash, you can do:
-# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
########################## BUILD IMAGE ##########################
diff --git a/docker/armv6/Dockerfile b/docker/armv6/Dockerfile
@@ -1,20 +1,27 @@
# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
# Using multistage build:
# https://docs.docker.com/develop/develop-images/multistage-build/
# https://whitfin.io/speeding-up-rust-docker-builds/
####################### VAULT BUILD IMAGE #######################
-
-# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
-# It can be viewed in multiple ways:
-# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
-# - From the console, with the following commands:
-# docker pull bitwardenrs/web-vault:v2.17.1
-# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull bitwardenrs/web-vault:v2.17.1
+# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+# [bitwardenrs/web-vault:v2.17.1]
#
-# - To do the opposite, and get the tag from the hash, you can do:
-# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
########################## BUILD IMAGE ##########################
diff --git a/docker/armv7/Dockerfile b/docker/armv7/Dockerfile
@@ -1,20 +1,27 @@
# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
# Using multistage build:
# https://docs.docker.com/develop/develop-images/multistage-build/
# https://whitfin.io/speeding-up-rust-docker-builds/
####################### VAULT BUILD IMAGE #######################
-
-# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
-# It can be viewed in multiple ways:
-# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
-# - From the console, with the following commands:
-# docker pull bitwardenrs/web-vault:v2.17.1
-# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull bitwardenrs/web-vault:v2.17.1
+# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+# [bitwardenrs/web-vault:v2.17.1]
#
-# - To do the opposite, and get the tag from the hash, you can do:
-# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
########################## BUILD IMAGE ##########################
diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine
@@ -1,20 +1,27 @@
# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfile's.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
# Using multistage build:
# https://docs.docker.com/develop/develop-images/multistage-build/
# https://whitfin.io/speeding-up-rust-docker-builds/
####################### VAULT BUILD IMAGE #######################
-
-# This hash is extracted from the docker web-vault builds and it's preferred over a simple tag because it's immutable.
-# It can be viewed in multiple ways:
-# - From the https://hub.docker.com/repository/docker/bitwardenrs/web-vault/tags page, click the tag name and the digest should be there.
-# - From the console, with the following commands:
-# docker pull bitwardenrs/web-vault:v2.17.1
-# docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/bitwardenrs/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull bitwardenrs/web-vault:v2.17.1
+# $ docker image inspect --format "{{.RepoDigests}}" bitwardenrs/web-vault:v2.17.1
+# [bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
+# [bitwardenrs/web-vault:v2.17.1]
#
-# - To do the opposite, and get the tag from the hash, you can do:
-# docker image inspect --format "{{.RepoTags}}" bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0
FROM bitwardenrs/web-vault@sha256:dcb7884dc5845b3842ff2204fe77482000b771495c6c359297ec3c03330d65e0 as vault
########################## BUILD IMAGE ##########################