-
Moby
The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
-
Lean and Mean Docker containers
Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
If you're using Go, I recommend https://github.com/google/ko (shameless plug), or for Java, use Jib.
There's also (another shameless plug) crane append which simply adds the contents of a tar to an existing base image directly in the registry: https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_append.md
COPY --exclude. https://github.com/moby/moby/issues/15771
With Nix you have to look up obscure sites like this and look for specific hashes and pray that the version you need exists (or package it and distribute it yourself). Approaches like this are not that inviting.
Or you can save your time micromanaging your Dockerfile and just use docker-slim.
Similarly, Dockerfile with buildkit supports a 'COPY --chmod' directive now. https://github.com/moby/buildkit/pull/1492. Again not quite everything you're looking for, but addresses the OP's issue.