610e3044ad
Even though we use `ubi8-minimal` as the parent of our container, it still has many RPMs installed that aren't necessary to run the Keycloak server. Also, since the JDK RPM (that we install on top of `ubi8-minimal`) is designed for general use, it pulls in more dependency RPMs than it strictly needs to, like cups and avahi. Keycloak will never need to access a printer itself! Trimming down these excess RPMs will improve our CVE statistics with automated scanners, and therefore let us perform fewer CVE rebuilds. `ubi8-null.sh` uses the low-level `rpm` command to identify and forcibly remove dependencies and operating system files that are not required to boot our Quarkus-based server. This includes `microdnf` and `rpm` itself! I have preserved bash, however, so it's still possible to debug the container from a shell. I've created an initial set of allow/disallow lists that seems to pass a smoke test (server boots, admin console works). This leaves 37 packages installed, with 96 removed relative to `ubi8-minimal`. We could go more minimal than this, or less minimal if required. Trial and error is required. Closes #16902

Files:
.gitignore
Dockerfile
README.md
ubi8-null.sh
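The allow-list trim described in the commit message, as an added example that is not the project's `ubi8-null.sh`: installed package names are compared against a constructed keep list, everything else is erased with the low-level `rpm` command ignoring dependencies, and `rpm` itself goes last. The keep list and the installed-package sample are assumptions; `DRY_RUN` is a hypothetical switch that maps to rpm's `--test` so the plan can be checked before anything is removed.

```shell
#!/bin/sh
# Added example of an allow-list based RPM trim (not the commit's ubi8-null.sh).
set -eu

# Constructed allow-list; the real lists are longer (37 packages are kept).
KEEP_LIST="bash
glibc
filesystem
java-17-openjdk-headless"

# $1 = newline-separated installed package names, $2 = allow-list.
# Prints the packages to erase, with rpm (if installed and not kept) moved
# to the end so the tool is still present while it deletes the others.
compute_removals() {
    printf '%s\n' "$2" "---SEP---" "$1" | awk '
        /^---SEP---$/      { in_installed = 1; next }
        !in_installed      { keep[$0] = 1; next }
        $0 == ""           { next }
        $0 == "rpm"        { have_rpm = 1; next }
        !($0 in keep)      { print }
        END { if (have_rpm && !("rpm" in keep)) print "rpm" }
    '
}

# Installed packages by name only (no version/arch), comparable to the list.
installed_packages() {
    rpm -qa --qf '%{NAME}\n' | sort -u
}

# Forcibly erase each package. --nodeps is deliberate: the allow-list, not
# the RPM dependency graph, decides what stays. --allmatches also removes
# multi-arch duplicates. With DRY_RUN set, --test only reports what would go.
remove_packages() {
    for pkg in $1; do
        rpm -e --nodeps --allmatches ${DRY_RUN:+--test} "$pkg"
    done
}

# Usage during the image build, as root on the image filesystem:
#   DRY_RUN=1 remove_packages "$(compute_removals "$(installed_packages)" "$KEEP_LIST")"
#   remove_packages "$(compute_removals "$(installed_packages)" "$KEEP_LIST")"
```

After the trim, `rpm -qa` no longer works (rpm is gone), so verify the result by listing the surviving files under `/usr` or by the smoke test the commit describes (server boots, admin console works).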
Keycloak Image
For more information, see the Running Keycloak in a container guide.
Build the image
It is possible to download the Keycloak distribution from a URL:
docker build --build-arg KEYCLOAK_DIST=http://<HOST>:<PORT>/keycloak-<VERSION>.tar.gz . -t <YOUR_TAG>
Alternatively, build the local distribution first, then copy the distribution tar package into the containers
folder and point the build command at that file:
cp $KEYCLOAK_SOURCE/quarkus/dist/target/keycloak-<VERSION>.tar.gz .
docker build --build-arg KEYCLOAK_DIST=keycloak-<VERSION>.tar.gz . -t <YOUR_TAG>