# Dockerfile

###### tags: `CKS Day2`

[dockerfile example](https://github.com/HugoXiao1984/docker-spring-boot-java-web-service-example/blob/master/Dockerfile)

## dockerfile

```
# Use an official OpenJDK runtime as a parent image
FROM openjdk:8-jre-alpine

# Set shell to bash
# source: https://stackoverflow.com/a/40944512/3128926
RUN apk update && apk add bash

# Set the working directory to /app
WORKDIR /app

# Copy the fat jar into the container at /app
COPY /target/docker-java-app-example.jar /app

# Make port 8080 available to the world outside this container
EXPOSE 8080

# Run jar file when the container launches
CMD ["java", "-jar", "docker-java-app-example.jar"]
```

## Build

```
mvn clean install
```

```
docker build --tag=docker-java-hello-world-app .
```

## Dockerfile Security Best Practice

[dockerfile-security.rego](https://github.com/gbrindisi/dockerfile-security/blob/main/dockerfile-security.rego)

## TBS

```
kp image create springtest2 \
  --tag harbor.sys.tas.haas-451.pez.vmware.com/hugo/springtest \
  --git https://github.com/HugoXiao1984/docker-spring-boot-java-web-service-example \
  --wait
```

## Practice

There is a Deployment `image-verify` in Namespace `team-blue` which runs image `registry.killer.sh:5000/image-verify:v1`. DevSecOps has asked you to improve this image by:

* Changing the base image to alpine:3.12
* Not installing curl
* Updating nginx to version >=1.18.0
* Running the main process as user myuser

```
FROM alpine:3.4
RUN apk update && apk add vim curl nginx=1.10.3-r0
RUN addgroup -S myuser && adduser -S myuser -G myuser
COPY ./run.sh run.sh
RUN ["chmod", "+x", "./run.sh"]
USER root
ENTRYPOINT ["/bin/sh", "./run.sh"]
```
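
The four requirements of the Practice exercise can be checked mechanically. The Python below is an added example, not part of the original notes or of the linked Rego policy: it runs the checks against the exercise's Dockerfile and against a corrected version constructed here. The names `check`, `version` and `FIXED` and the finding strings are assumptions of this example, and it reads one instruction per line without handling `\` continuations.

```python
import re

# The exercise's Dockerfile, as given on the page.
ORIGINAL = """\
FROM alpine:3.4
RUN apk update && apk add vim curl nginx=1.10.3-r0
RUN addgroup -S myuser && adduser -S myuser -G myuser
COPY ./run.sh run.sh
RUN ["chmod", "+x", "./run.sh"]
USER root
ENTRYPOINT ["/bin/sh", "./run.sh"]
"""
# Constructed for this example: the four requested changes applied.
# The quotes stop /bin/sh from reading ">" in nginx>=1.18.0 as a redirect.
FIXED = (ORIGINAL.replace("alpine:3.4", "alpine:3.12")
         .replace("vim curl nginx=1.10.3-r0", 'vim "nginx>=1.18.0"')
         .replace("USER root", "USER myuser"))

def version(v):  # "1.10.3-r0" -> (1, 10, 3); the Alpine -rN revision is ignored
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))

def check(dockerfile):
    """Return the exercise requirements this Dockerfile still fails."""
    findings, base, user = [], None, "root"
    for line in dockerfile.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1]
        if instr == "FROM":
            base, user = arg.split()[0], "root"  # each stage starts as root
        elif instr == "USER":
            user = arg.split(":")[0]
        elif instr == "RUN" and "apk add" in arg:
            pkgs = arg.split("apk add", 1)[1].split("&&")[0]
            for pkg in pkgs.replace('"', "").replace("'", "").split():
                name, op, ver = re.match(r"([^=<>~]*)([=<>~]*)(.*)", pkg).groups()
                if name == "curl":
                    findings.append("curl is installed")
                ok = op in ("=", ">=", ">") and version(ver) >= (1, 18, 0)
                if name == "nginx" and not ok:
                    findings.append("nginx constraint %r does not guarantee >=1.18.0" % (op + ver))
    if base != "alpine:3.12":
        findings.append("base image is %s, not alpine:3.12" % base)
    if user != "myuser":
        findings.append("main process runs as %s, not myuser" % user)
    return findings

print(check(ORIGINAL), check(FIXED))
```

An nginx package with no version constraint is reported as well, since the Dockerfile alone then gives no guarantee about the installed version.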