automated commit

Signed-off-by: Public copy <41898282+github-actions[bot]@users.noreply.github.com>
chainguard-images · Oct 16, 2024 · 079558c · 079558c
1 parent 6ba34bb
commit 079558c
Show file tree

Hide file tree

Showing 9 changed files with 128 additions and 51 deletions.
diff --git a/images/bash/README.md b/images/bash/README.md
@@ -32,19 +32,52 @@ Be sure to replace the `ORGANIZATION` placeholder with the name used for your or
 <!--getting:end-->
 
 <!--body:start-->
-## Usage
+## Compatibility Notes
 
-You open up an interactive shell in the Bash Image with a command like the following:
+The Chainguard Bash image is meant to serve as a drop-in replacement for the official Bash image from Docker Hub. One notable difference between the Docker Hub image and Chainguard's Bash image is the location where `bash` is installed in the container. The Bash Image from Docker Hub has `bash` installed at `/usr/local/bin/bash` while Chainguard's has it installed at the standard `/bin/bash`.
+
+Like most of Chainguard's images, the Bash image does not operate as the root user and includes only the minimum packages needed to function. 
+
+## Getting Started
+
+To open up an interactive shell in the Bash Image you could run a command like the following:
 
 ```sh
 docker run -it cgr.dev/chainguard/bash:latest /bin/bash
 ```
 
-You can also use a bind mount to test scripts from your local machine on the Bash Image:
+To test scripts from your local machine on the Bash image, you can use a [bind mount](https://docs.docker.com/engine/storage/bind-mounts/). The following example references a local script named `local-script.sh`, binds it to the container while renaming it `container-script.sh`, and then runs the script:
 
 ```sh
-docker run -it --rm -v /path/to/local-script.sh:/container-script.sh cgr.dev/chainguard/bash:latest /container-script.sh
+docker run -v /path/to/local-script.sh:/container-script.sh cgr.dev/chainguard/bash:latest /container-script.sh
+```
+
+You can also test scripts on the Bash image using a Dockerfile. The following example Dockerfile references a Bash script named `test-script.sh`:
+
 ```
+FROM cgr.dev/chainguard/bash:latest
+
+COPY test-script.sh /
+
+CMD ["bash", "/test-script.sh"]
+```
+
+You could then build an image based off this Dockerfile:
+
+```sh
+docker build -t my-bash-app .
+```
+
+And then run the new image to test the script:
+
+```sh
+docker run -it --rm --name my-running-app my-bash-app
+```
+
+## Documentation and Resources
+
+* [Vulnerability Comparison: bash](https://edu.chainguard.dev/chainguard/chainguard-images/vuln-comparison/bash/)
+* (Tutorial) [An Introduction to Shell Scripting](https://www.digitalocean.com/community/tutorial-series/an-introduction-to-shell-scripting)
 <!--body:end-->
 
 ## Contact Support

diff --git a/images/crossplane/tests/main.tf b/images/crossplane/tests/main.tf
@@ -34,7 +34,7 @@ module "helm_crossplane" {
 resource "imagetest_feature" "basic" {
   harness     = module.crossplane_harness.harness
   name        = "Basic"
-  description = "Basic functionality of the cert-manager helm chart."
+  description = "Basic functionality of the crossplane helm chart."
 
   steps = [
     {
@@ -60,19 +60,19 @@ resource "imagetest_feature" "basic" {
              echo "Waiting for secret nop-example-resource to be available..."
              sleep 5
           done
-          
+
           echo "Secret nop-example-resource is now available."
 
           # Extract and decode secret values
           secret_data=$(kubectl get secret nop-example-resource -n crossplane-system -o json | jq -r '.data | to_entries[] | .key + ": " + (.value | @base64d)' | sort)
-          
+
           # Extract YAML values
           yaml_data=$(yq '.spec.forProvider.connectionDetails[] | "\(.name): \(.value)"' /tests/nopresource.yaml | sort)
-          
+
           # Compare sorted data
           echo "Comparing Secret with YAML values:"
           diff <(echo "$secret_data") <(echo "$yaml_data")
-          
+
           if [ $? -eq 0 ]; then
               echo "The secret data matches the YAML values."
           else

diff --git a/images/datadog-agent/main.tf b/images/datadog-agent/main.tf
@@ -9,7 +9,7 @@ variable "target_repository" {
 }
 
 module "test-latest" {
-  source = "./tests"
+  source = "./tests/agent"
   digests = {
     "agent"         = module.agent.image_ref
     "cluster-agent" = module.cluster-agent.image_ref

diff --git a/images/envoy/README.md b/images/envoy/README.md
@@ -32,19 +32,36 @@ Be sure to replace the `ORGANIZATION` placeholder with the name used for your or
 <!--getting:end-->
 
 <!--body:start-->
-## Using Envoy
+## Compatibility Notes
 
-To run with Docker using default configuration
+The Chainguard Envoy image is meant to serve as a drop-in replacement for the following alternatives:
+
+* `bitnami/envoy:latest`
+* `envoyproxy/envoy:v1.25-latest`
+* `rapidfort/envoy:1.24`
+* `envoyproxy/envoy:latest`
+
+Like most of Chainguard's images, the Envoy image does not operate as the root user and includes only the minimum packages needed to function.
+
+## Getting Started
+
+The Chainguard Envoy image comes with a default configuration stored at `/etc/envoy/envoy.yaml`. To run the image with Docker using this configuration you could run a command like the following:
 
 ```sh
-docker run --platform=linux/amd64 -p10000:10000 -p 9901:9901 --rm cgr.dev/chainguard/envoy envoy --config-path /etc/envoy/envoy.yaml
+docker run -p10000:10000 -p 9901:9901 cgr.dev/chainguard/envoy --config-path /etc/envoy/envoy.yaml
 ```
 
-Or to use a customised envoy configuratiom see https://www.envoyproxy.io/docs/envoy/latest/configuration/overview/overview and mount your file into the envoy container, e.g. `-v $PWD/config:/etc/envoy`
+The `-p` options in this example connect network ports from your local machine into the container, allowing you to see Envoy in action by visiting `localhost:10000` or `localhost:9901` in your browser. The default configuration will proxy port `10000` to [envoyproxy.io](http://envoyproxy.io) and port `9901` to the Envoy management port.
+
+You can also run the image with a customized Envoy configuration. To do this, you'll need to [bind mount](https://docs.docker.com/engine/storage/bind-mounts/) your local configuration file into the envoy container:
 
 ```sh
-docker run --platform=linux/amd64 -p10000:10000 -p 9901:9901 --rm -v $PWD/config:/etc/envoy cgr.dev/chainguard/envoy envoy --config-path /etc/envoy/envoy.yaml
+docker run -p10000:10000 -p 9901:9901 -v $PWD/config.yaml:/etc/envoy cgr.dev/chainguard/envoy --config-path /etc/envoy/config.yaml
 ```
+
+This example creates a bind mount so that Envoy is running with a local configuration file named `config.yaml`.
+
+You can refer to the [overview in the envoy project's official documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/overview/overview) for more information on working with custom configurations.
 <!--body:end-->
 
 ## Contact Support

diff --git a/images/gradle/main.tf b/images/gradle/main.tf
@@ -12,8 +12,9 @@ module "config" {
   source = "./config"
   extra_packages = [
     "gradle-8",
-    "openjdk-17",
-    "openjdk-17-default-jvm",
+    "openjdk-23-default-jdk",
+    "busybox",
+    "glibc-locale-en"
   ]
 }
 
@@ -22,13 +23,15 @@ module "latest" {
 
   name = basename(path.module)
 
-  target_repository = var.target_repository
-  config            = module.config.config
+  target_repository  = var.target_repository
+  config             = module.config.config
+  extra_dev_packages = ["openjdk-23-jmods", "binutils"]
 }
 
 module "test-latest" {
-  source = "./tests"
-  digest = module.latest.image_ref
+  source       = "./tests"
+  digest       = module.latest.image_ref
+  java-version = "23"
 }
 
 resource "oci_tag" "latest" {

diff --git a/images/maven/main.tf b/images/maven/main.tf
@@ -4,34 +4,27 @@ terraform {
   }
 }
 
-locals {
-  jdks = toset(["11", "17", "21"])
-}
-
 variable "target_repository" {
   description = "The docker repo into which the image and attestations should be published."
 }
 
 module "config" {
-  for_each       = local.jdks
   source         = "./config"
-  extra_packages = ["maven", "openjdk-${each.key}", "openjdk-${each.key}-default-jvm"]
-  java_home      = "/usr/lib/jvm/java-${each.key}-openjdk"
+  extra_packages = ["maven", "openjdk-23-default-jdk", "busybox", "glibc-locale-en"]
 }
 
 module "maven" {
-  for_each          = local.jdks
-  source            = "../../tflib/publisher"
-  name              = basename(path.module)
-  target_repository = var.target_repository
-  config            = module.config[each.key].config
-  build-dev         = true
+  source             = "../../tflib/publisher"
+  name               = basename(path.module)
+  target_repository  = var.target_repository
+  config             = module.config.config
+  build-dev          = true
+  extra_dev_packages = ["openjdk-23-jmods", "binutils"]
 }
 
 module "test" {
-  for_each = local.jdks
-  source   = "./tests"
-  digest   = module.maven[each.key].image_ref
+  source = "./tests"
+  digest = module.maven.image_ref
 }
 
 module "tagger" {
@@ -40,16 +33,7 @@ module "tagger" {
   depends_on = [module.test]
 
   tags = {
-    "openjdk-11" : module.maven["11"].image_ref
-    "openjdk-11-dev" : module.maven["11"].dev_ref
-
-    "openjdk-17" : module.maven["17"].image_ref
-    "openjdk-17-dev" : module.maven["17"].dev_ref
-
-    "openjdk-21" : module.maven["21"].image_ref
-    "openjdk-21-dev" : module.maven["21"].dev_ref
-
-    "latest" : module.maven["21"].image_ref
-    "latest-dev" : module.maven["21"].dev_ref
+    "latest" : module.maven.image_ref
+    "latest-dev" : module.maven.dev_ref
   }
 }
diff --git a/images/redis/tests/03-server-activedefrag.sh b/images/redis/tests/03-server-activedefrag.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -o errexit -o nounset -o errtrace -o pipefail -x
+
+# to prevent duplicate container name issues when we run similar tests for both versions within the configs/ folder.
+CONTAINER_NAME=${CONTAINER_NAME:-"redis-defragtest-$(date +%s)-$(uuidgen)"}
+
+# Turn on activedefrag to ensure redis is being built with jemalloc
+
+docker run -d --name $CONTAINER_NAME $IMAGE_NAME
+
+trap "docker logs $CONTAINER_NAME && docker rm -f $CONTAINER_NAME" EXIT
+
+sleep 15
+
+docker exec -i $CONTAINER_NAME redis-cli config set activedefrag yes | grep OK
+
+# Check if the setting took
+docker exec -i $CONTAINER_NAME redis-cli config get activedefrag | grep "yes"
diff --git a/images/redis/tests/main.tf b/images/redis/tests/main.tf
@@ -17,3 +17,8 @@ data "oci_exec_test" "server" {
   digest = var.digest
   script = "${path.module}/02-server.sh"
 }
+
+data "oci_exec_test" "activedefrag" {
+  digest = var.digest
+  script = "${path.module}/03-server-activedefrag.sh"
+}
diff --git a/images/ruby/README.md b/images/ruby/README.md
@@ -32,11 +32,27 @@ Be sure to replace the `ORGANIZATION` placeholder with the name used for your or
 <!--getting:end-->
 
 <!--body:start-->
-## Usage
+## Compatibility Notes
 
-Ruby applications typically require the installation of third-party dependencies through [Rubygems](https://rubygems.org/). This means that using a fully distroless image for building your application would not work, as these do not include a package manager. In cases like this, you’ll need to implement a multi-stage Docker build that uses one of Chainguard's `-dev` Image variants to set up the application.
+Chainguard's Ruby image is meant to serve as a drop-in replacement for the official Ruby image from Docker Hub. There are, however, a number of differences between the two images that one should be aware of before migrating to the Chainguard Ruby image:
 
-We encourage you to check out our guide on [getting started with Ruby](https://edu.chainguard.dev/chainguard/chainguard-images/getting-started/getting-started-ruby/) which demonstrates how you can use Chainguard's Ruby Image in both single- and multi-stage builds.
+* The Chainguard Ruby image does not run as the root user and contains only the minimum packages it needs to operate.
+* Ruby applications typically require the installation of third-party dependencies through [Rubygems](https://rubygems.org/). This means that using a fully distroless image for building your application would not work, as these do not include a package manager. In cases like this, you’ll need to implement a multi-stage Docker build that uses one of Chainguard's `-dev` Image variants to set up the application.
+* [Bundler](https://bundler.io/), a popular tool for installing Ruby gems, typically installs to `/usr/lib/bundle`. The default installation location in the Chainguard Ruby image is `/home/nonroot`, which can cause issues for dependencies that expect to find gems in `/usr/lib/bundle`.
+* Environment variables, especially gem paths, sometimes differ from those in the official Ruby Image.
+* The Chainguard Ruby Image does not default to using `UTF-8`. You will need to specify this yourself.
+
+To better understand the differences between Chainguard's Ruby image and alternatives, it may be helpful to review the upstream's Dockerfiles. For example, you can review the [`alpine3.19` Dockerfile available for Ruby 3.3](https://github.com/docker-library/ruby/blob/master/3.3/alpine3.19/Dockerfile).
+
+## Getting Started
+
+To better understand how you can work with the Chainguard Ruby Image, we encourage you to check out our guide on [getting started with Ruby](https://edu.chainguard.dev/chainguard/chainguard-images/getting-started/getting-started-ruby/). This resource demonstrates how you can use Chainguard's Ruby Image in both single- and multi-stage builds.
+
+
+## Documentation and Resources
+
+* [Getting Started with the Ruby Chainguard Image](https://edu.chainguard.dev/chainguard/chainguard-images/getting-started/ruby/)
+*  [Vulnerability comparison: ruby](https://edu.chainguard.dev/chainguard/chainguard-images/vuln-comparison/ruby/)
 <!--body:end-->
 
 ## Contact Support