>
> Thanks for weighing in. This is cool. I like that you separated the data
> from the image, and that you’ve externalized the keystore pw. What kinds
> of changes to make this suitable for production?
>

Since ApacheDS stores pretty much all of its configuration internally in the directory, it's probably mostly a documentation project. Maybe injecting additional environment variables to support replication?

> And this is open for discussion… my view, to be ‘official’, needs to be
> under the ‘apachedirectory’ repository, i.e. ASF supported.
>

I honestly find this isn't that important as long as you are getting the container from a reputable source. I generally avoid personal repos, but if a repo is from a company with experience in the space and some kind of support behind it (even if it's just public open source) you're probably in good shape. Some things to look for:

1. Company supported - even if it's just open source
2. How often is it updated? How often do you patch your VMs? You want something that has a similar cadence.
3. Is the Dockerfile open source? You should know what code is running in your environment.
4. Is the build reproducible? Can you recreate the container with just the Dockerfile?
5. Is the container running as root? Too many "official" containers do this.

This is on top of doing your own scans to look for issues. An example of where I skip "official" builds is if Red Hat provides a container; I go with that because they keep them up to date and don't run as root.

>
> More questions, how much work is this to maintain? Does it need to be
> updated once per release (apacheds), or more often? What else… should the
> image be signed?
>

Containers should be updated at least on a periodic cadence, and better to be triggered by an event such as the from container being updated. We scan our containers using anchore.io and whenever a package is released to address a known CVE, we rebuild.

> Thinking out loud here. How about every release of apacheds includes
> publishing a docker image.
>
> And a disclaimer, only rudimentary docker skillset here, so feel free to
> tell me to RTFM. ;-)
>
> —
> Shawn
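
Two of the checks listed in the reply above (update cadence and whether the container runs as root) can be automated against `docker inspect` output. The following is an added example, not part of the original thread; the image names, the 30-day threshold and the sample JSON are constructed assumptions.

```python
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 30  # assumed threshold; set it to your own patch cadence

# Constructed sample of `docker inspect <image>` output, trimmed to the fields used.
SAMPLE_INSPECT = """[
  {"RepoTags": ["example/apacheds:latest"],
   "Created": "2023-01-10T08:15:30.123456789Z",
   "Config": {"User": ""}},
  {"RepoTags": ["example/apacheds-nonroot:latest"],
   "Created": "2023-05-28T08:15:30.5Z",
   "Config": {"User": "1000:1000"}}
]"""


def runs_as_root(user):
    """Config.User is "user[:group]"; empty means no USER was set, so uid 0."""
    name = (user or "").split(":", 1)[0].strip()
    return name in ("", "0", "root")


def age_days(created, now):
    """Whole days since build. Parses only YYYY-MM-DDTHH:MM:SS and assumes UTC,
    since the nanosecond fraction Docker writes is not needed here."""
    built = datetime.strptime(created[:19], "%Y-%m-%dT%H:%M:%S")
    return (now - built.replace(tzinfo=timezone.utc)).days


def audit(inspect_json, now=None):
    """Return {image name: [findings]} for each image in the inspect output."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for image in json.loads(inspect_json):
        name = (image.get("RepoTags") or ["<untagged>"])[0]
        findings = []
        if runs_as_root((image.get("Config") or {}).get("User")):
            findings.append("runs as root")
        days = age_days(image["Created"], now)
        if days > MAX_AGE_DAYS:
            findings.append(f"built {days} days ago")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", ", ".join(findings) or "ok")
```

A user name other than `root` that maps to uid 0 inside the image is not detected by this check, since only the `Config.User` string is examined.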