Comments (11)
@athomas Thanks for your guidance/advice. I think for AWS I could live with alpine as it's just 1 low vulnerability. Perhaps for other platforms like GCP scratch will do just fine.
I resolved the MongoDB connection issue I was having. I just had to close and reopen the connection :) Now I can proceed to creating my next Dart tutorial.
from dart-docker.
Hi @graphicbeacon have you tried to build a serving image rather than using the development image for serving?
Here's the suggested Dockerfile from dart create -t server-shelf serverapp:
# Use latest stable channel SDK.
FROM dart:stable AS build
# Resolve app dependencies.
WORKDIR /app
COPY pubspec.* ./
RUN dart pub get
# Copy app source code (except anything in .dockerignore) and AOT compile app.
COPY . .
RUN dart compile exe bin/server.dart -o bin/server
# Build minimal serving image from AOT-compiled `/server`
# and the pre-built AOT-runtime in the `/runtime/` directory of the base image.
FROM scratch
COPY --from=build /runtime/ /
COPY --from=build /app/bin/server /app/bin/
# Start server.
EXPOSE 8080
CMD ["/app/bin/server"]
from dart-docker.
I didn't go through all of the results, but mostly this is just a scan of what's in Debian buster right now:
buster (misc): 2.28-10
bullseye (misc): 2.31-13+deb11u2
Per https://dart.dev/get-dart#linux we should upgrade to bullseye anyway, so I created #77.
from dart-docker.
@mit-mit Thanks for getting back to me Michael. I have tried the AOT compilation route but ECR throws the following exception when scanning the docker image:
UnsupportedImageError: The operating system and/or package manager are not supported.
@athomas Thanks for creating the PR. I can try this out once merged
from dart-docker.
After further investigation the exception appears to be caused by the scratch image
FROM scratch
COPY --from=build /runtime/ /
COPY --from=build /app/bin/server /app/bin/
Works when I disable those lines (still including the vulnerabilities)
from dart-docker.
ECR just doesn't support scanning FROM scratch images:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-troubleshooting.html
from dart-docker.
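The following is an added example, not part of the thread or of the dart-docker project. It assumes the common way OS-package vulnerability scanners work (the thread does not describe ECR's internals): they identify the distribution from os-release and read the installed-package database, neither of which exists in a FROM scratch image. The function names are hypothetical, and the sample trees are constructed stand-ins for an exported image filesystem.

```shell
#!/bin/sh
# Classify an unpacked image root filesystem by the metadata an OS-package
# vulnerability scanner relies on (assumption: os-release + package database).

# Print the distro ID from os-release, "unknown" if the file has no ID line,
# or "none" if no os-release file exists.
detect_os() {
    root=$1
    for f in "$root/etc/os-release" "$root/usr/lib/os-release"; do
        if [ -f "$f" ]; then
            id=$(sed -n 's/^ID=//p' "$f" | tr -d '"' | head -n 1)
            echo "${id:-unknown}"
            return 0
        fi
    done
    echo none
}

# Print which installed-package database is present: dpkg, apk, rpm or none.
detect_pkgdb() {
    root=$1
    if [ -f "$root/var/lib/dpkg/status" ]; then echo dpkg
    elif [ -f "$root/lib/apk/db/installed" ]; then echo apk
    elif [ -d "$root/var/lib/rpm" ] || [ -d "$root/usr/lib/sysimage/rpm" ]; then echo rpm
    else echo none
    fi
}

# A tree is "scannable" only if both the OS and a package database are found.
classify_rootfs() {
    os=$(detect_os "$1")
    db=$(detect_pkgdb "$1")
    if [ "$os" = none ] || [ "$db" = none ]; then
        echo "unsupported (os=$os pkgdb=$db)"
    else
        echo "scannable (os=$os pkgdb=$db)"
    fi
}

# Constructed sample trees: a scratch-style image holding only the AOT binary,
# and an alpine-style image with os-release and an apk database.
make_samples() {
    base=$1
    mkdir -p "$base/scratch/app/bin" "$base/alpine/etc" "$base/alpine/lib/apk/db"
    : > "$base/scratch/app/bin/server"
    printf 'NAME="Alpine Linux"\nID=alpine\n' > "$base/alpine/etc/os-release"
    : > "$base/alpine/lib/apk/db/installed"
}

# Optional: classify a directory passed on the command line.
if [ -n "${1:-}" ]; then classify_rootfs "$1"; fi
```

An "unsupported" result means the scanner has nothing to match against its advisory data, not that the image is free of vulnerable code; the compiled binary and the copied runtime libraries still need to be tracked and rebuilt when their sources are patched.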
@graphicbeacon Without FROM scratch images can be huge. If you use a full dart image you get about ~750MB. Whether the ECR image scanning is worth the size hit is up to you. You could also use another base image instead of scratch (and similarly the size will be that image + the dart files copied over from the build image). See https://medium.com/google-cloud/build-slim-docker-images-for-dart-apps-ee98ea1d1cf7 for additional context (this is an older version of what we did here, but it informed our decisions for the official image).
Dart provides a full featured development image and instructions to create a minimal production image.
from dart-docker.
@graphicbeacon So I used the alpine base image which gave me 6MB with just 1 vulnerability (low)!
FROM dart:stable
RUN apt -y update && apt -y upgrade
WORKDIR /app
COPY pubspec.* .
RUN dart pub get
COPY . .
RUN dart pub get --offline
RUN dart compile exe bin/server.dart -o bin/server
FROM alpine
COPY --from=0 /app/bin/server /app/bin/server
# COPY any other directories or files you may require at runtime, ex:
COPY --from=0 /app/public/ /app/public/
EXPOSE 12021
ENTRYPOINT ["/app/bin/server"]
The only problem is that now I have an issue connecting to the MongoDB database from the running binary.
MongoDart Error: No master connection
Might be unrelated, but is there anything I need to be aware of about outgoing connections from the compiled binary?
from dart-docker.
@graphicbeacon 1 is more than 0 :)
Even with base alpine you still get more of an OS (and therefore a bigger attack surface) than you'll get with a scratch image. But it's a good compromise and there's nothing wrong with going that way. Alpine's also a minimal image and it will grow if you add more packages to it (and it will bring the vulnerabilities of those packages with it). So using alpine for the dart development image isn't a silver bullet. For a minimal production image, it's probably a pretty good choice but not necessarily superior to scratch.
I'm not an "alpine networking" expert, so I'm afraid I don't know the answer to the outgoing connection. I'd try to open a connection to MongoDB with some standard MongoDB client to see if this is a general issue with your setup or a Dart-specific issue. If that doesn't help, Stack Overflow is probably a better place to ask.
from dart-docker.
@athomas 1 low vulnerability is less than 114 :)
The Mongo issue is not happening when the Dart server is running in JIT mode. It just might be an edge case with the AOT binary. This ain't your problem however so will go to StackOverflow
from dart-docker.
The vulnerability report was created using the dart development image (by removing the FROM scratch). This isn't the recommended setup for production where these vulnerabilities don't apply (because they largely refer to code that isn't in the production image, only in the development image).
The development image was upgraded to the latest stable Debian in #77 which addresses some of them (it is still a fully featured image with a lot of dependencies and there are no plans to change that).
from dart-docker.