Skip to content

Latest commit

 

History

History
678 lines (632 loc) · 17.4 KB

Rules.md

File metadata and controls

678 lines (632 loc) · 17.4 KB

EL0001

Invalid line

Incorrect code:

FROM ubuntu:16.04
RUN apt-get update && 
    apt-get install -y wget

Correct code:

FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Explanation:

Lines not starting with a correct instruction or not being a part of the previous instruction are labeled as invalid.

ED0001

All parser directives must be at the very top of the Dockerfile.

Incorrect code:

# Empty line
# directive=value
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Correct code:

# directive=value
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Explanation:

Parser directives must be at the very top of the Dockerfile.

ED0002

Directive appears more then once.

Incorrect code:

# directive=value1
# directive=value2
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Correct code:

# directive=value
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Explanation:

Parser directive cannot be used more than once.

ED0003

Directives should be lowercase.

Incorrect code:

# DIRECTIVE=value
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Correct code:

# directive=value
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Explanation:

According to the convention, names of parser directives should be typed in lowercase.

ED0004

Parser directive will be treated as a comment.

Incorrect code:

# About my dockerfile
# directive=value
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Correct code:

# directive=value
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Explanation:

Parser directive is treated as a comment if it appears after a builder instruction, a comment which is not a parser directive, or when it is impossible to recognize it.

ED0005

Missing value for directive.

Incorrect code:

# About my dockerfile
# directive=
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Correct code:

# directive=value
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y wget

Explanation:

If used, parser directives must contain values.

ER0001

Set the SHELL option -o (-eo for Alpine image) pipefail before RUN with a pipe in.

Incorrect code:

RUN wget -O - https://some.site | wc -l > /number

Correct code:

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number

Explanation:

Some RUN commands depend on the ability to pipe the output of one command into another using the pipe character (|), as in the following example:

RUN wget -O - https://some.site | wc -l > /number

The commands are executed with the /bin/sh -c interpreter, which means that only the exit code of the last operation is evaluated. The build step from the example above will produce a new image for as long as the wc -l succeeds – even if the wget command fails.

EU0001

Last user should not be root.

Incorrect code:

FROM ubuntu:16.04
USER root
RUN ...

Correct code:

FROM ubuntu:16.04
USER root
RUN ...
USER not-root

Explanation:

Changing USER to root creates a risk of unauthorized access into the container. As soon as the instruction that required root access has finished, it should be changed to an unpriviliged user.

EI0001

There can only be one instruction like (CMD, HEALTHCHECK, ENTRYPOINT).

Incorrect code:

FROM node:10.16.3-alpine
CMD ["npm","install","test"]
CMD ["node","test"]

Correct code:

FROM node:10.16.3-alpine
RUN npm install test
CMD ["node","test"]

Explanation:

Instructions like CMD,HEALTHCHECK and ENTRYPOINT can only appear once in the Dockerfile. If used multiple times, only the last one will be executed.

EI0002

FROM may only be preceded by one or more ARG.

Incorrect code:

COPY file .
ARG  CODE_VERSION=latest
FROM base:${CODE_VERSION}

Correct code:

ARG  CODE_VERSION=latest
FROM base:${CODE_VERSION}

Explanation:

According to the documentation, the only instruction that can appear before FROM is ARG.

EF0001

Missing FROM.

Incorrect code:

COPY . .
RUN npm install

Correct code:

FROM node:10.16.3-alpine
COPY . .
RUN npm install

Explanation:

Every Dockerfile must contain FROM instructions.

EC0001

COPY --from cannot reference its own FROM alias.

Incorrect code:

FROM node:10.16.3-alpine as build
COPY --from=build . .

Correct code:

FROM node:10.16.3-alpine as build
RUN ...
FROM node:10.16.3-alpine
COPY --from=build . .

Explanation:

Attempting to copy from the same image in which the instruction is executed will result in an error.

EC0002

COPY --from should reference a previously defined FROM alias.

Incorrect code:

FROM node:10.16.3-alpine
RUN ...
FROM node:10.16.3-alpine
COPY --from=build . .

Correct code:

FROM node:10.16.3-alpine as build
RUN ...
FROM node:10.16.3-alpine
COPY --from=build . .

Explanation:

Attempting to copy from a non-existing image will result in an error.

EI0003

MAINTAINER is deprecated, instead use LABEL.

Incorrect code:

FROM node:10.16.3-alpine
MAINTAINER me :)

Correct code:

FROM node:10.16.3-alpine 
LABEL maintainer="me :)"

Explanation:

The MAINTAINER instruction is deprecated and should not be used anymore. It is advised to use the LABEL instruction instead.

EJ0001

You must use double-quotes (") in JSON array.

Incorrect code:

FROM node:10.16.3-alpine
CMD ['node']

Correct code:

FROM node:10.16.3-alpine 
CMD ["node"]

Explanation:

According to JSON syntax, the arguments in the table must be in double brackets.

EJ0002

CMD and ENTRYPOINT should be written in JSON form.

Incorrect code:

FROM node:10.16.3-alpine
CMD node

Correct code:

FROM node:10.16.3-alpine 
CMD ["node"]

Explanation:

If plain text is used for passing arguments, signals from the OS are not correctly passed to the executables, which is in the majority of the cases what you would expect.

EJ0003

SHELL must be written in JSON form.

Incorrect code:

FROM microsoft/windowsservercore
SHELL powershell -command
RUN Write-Host hello

Correct code:

FROM microsoft/windowsservercore
SHELL ["powershell", "-command"]
RUN Write-Host hello

Explanation:

According to the SHELL syntax, arguments must be written in a JSON table.

EF0002

FROM aliases must be unique.

Incorrect code:

FROM node:10.16.3-alpine as build
RUN ...
FROM node:10.16.3-alpine as build
RUN ...

Correct code:

FROM node:10.16.3-alpine as build1
RUN ...
FROM node:10.16.3-alpine as build2
RUN ...

Explanation:

Repeating a step name will result in an error.

EF0003

Using latest is prone to errors if the image will ever update.

Incorrect code:

FROM node:latest

Correct code:

FROM node:10.16.3-alpine

Explanation:

Using the latest tag does not mean it is assigned to a specific image version.

Exceptions:

The latest tag can be used in case the image name refers to a previously defined alias.

EF0004

Always tag the version of an image explicitly.

Incorrect code:

FROM node

Correct code:

FROM node:10.16.3-alpine

Explanation:

Using the latest tag does not mean it is assigned to a specific image version.

FROM node:10.16.3-alpine as build
RUN ...
FROM build
RUN ...

ER0002

Delete the apt-get lists after installing something.

Incorrect code:

RUN apt-get update && apt-get install -y python

Correct code:

RUN apt-get update && apt-get install -y python \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

Explanation:

Removing apt-get lists will decrease the size of the image. Note: the operation must be performed in the same RUN instruction as the installation.

ER0003

Use WORKDIR to switch to a directory.

Incorrect code:

RUN cd /usr/src/app

Correct code:

WORKDIR /usr/scr/app

Explanation:

Most commands run with an absolute path and don't require changing the working directory. If you do need to change the directory, you should use the WORKDIR instruction.

ER0004

Do not use sudo, consider using gosu.

Incorrect code:

RUN sudo apt-get install

Correct code:

RUN apt-get install

Explanation:

Using sudo to provide permissions is not recommended as it may lead to unexpected behavior. It is advised to use a tool like gosu instead.

ER0005

Command (ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig) does not make sense in a container.

Incorrect code:

FROM node:10.16.3-alpine
RUN vim

Correct code:

FROM node:10.16.3-alpine

Explanation:

Commands like ssh, vim, shutdown, service, ps, free, top, kill, mount and ifconfig should not be excecuted inside Docker containers.

ER0006

Using (apt-get upgrade, dist-upgrade, apk upgrade, apt) is not recommended.

Incorrect code:

FROM debian
RUN apt-get update && apt-get upgrade

Correct code:

FROM debian
RUN apt-get update

Explanation:

Linux distributions do not endure using apt as the tool's interface may suffer changes between versions. It is advised to use apt-get and apt-cache instead as they are more stable. Running apt-get upgrade, dist-upgrade or apk upgrade is not recommended as some of the essential packages from the base images will not upgrade inside a container with no privileges. In case a package from the base image is outdated, it is advised to contact its maintainers.

Exceptions:

If some package requires an upgrade, use apk --cache add packageName instead of apk upgrade.

EA0001

Use curl or wget instead, and delete files when no longer needed.

Incorrect code:

ADD http://example.com/big.tar.xz /usr/src/things/
RUN tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things
RUN make -C /usr/src/things all

Correct code:

RUN mkdir -p /usr/src/things \
    && curl -SL http://example.com/big.tar.xz \
    | tar -xJC /usr/src/things \
    && make -C /usr/src/things all

Explanation:

Because image size matters, using ADD to fetch packages from remote URLs is strongly discouraged. Instead, you should use curl or wget. That way you can delete the files you no longer need after they’ve been extracted and you don’t have to add another layer in your image.

EC0003

Use ADD for extracting archives into a image.

Incorrect code:

COPY rootfs.tar.xz /usr/src/things
RUN tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things

Correct code:

ADD rootfs.tar.xz /usr/src/things

Explanation:

Although both commands are similar in terms of functionality, it is advised to use COPY instead of ADD. COPY only supports basic copying of local files into the container, while ADD is better suited for local tar file auto-extraction into the image (e.g. ADD rootfs.tar.xz /.)

ER0007

Either use wget or curl, but not both.

Incorrect code:

FROM node:10.16.3-alpine
RUN vim

Correct code:

FROM node:10.16.3-alpine

Explanation:

Do not install two tools doing the same thing.

ER0008

Use SHELL to change the default shell.

Incorrect code:

RUN ln -sfv /bin/bash /bin/sh

Correct code:

SHELL ["/bin/bash", "-c"]

Explanation:

Docker supports the SHELL instruction which does not require overwriting /bin/sh in the container.

ER0009

Use the -y switch.

Incorrect code:

RUN apt-get install python

Correct code:

RUN apt-get install -y python

Explanation:

The build might break without human intervention if the option -y/--assume-yes is not applied.

ER0010

Avoid additional packages by specifying --no-install-recommends.

Incorrect code:

RUN apt-get install -y python

Correct code:

RUN apt-get install -y --no-install-recommends python

Explanation:

Avoid installing additional packages that you did not explicitly want.

EA0002

Use COPY instead of ADD for files and folders.

Incorrect code:

FROM python:3.4
ADD requirements.txt /usr/src/app/

Correct code:

FROM python:3.4
COPY requirements.txt /usr/src/app/

Explanation:

For other items (files, directories) that do not require ADD’s tar auto-extraction capability, you should always use COPY.

EC0004

COPY with more then 2 arguments requires the last argument to end with /.

Incorrect code:

FROM node:10.16.3-alpine
COPY package.json yarn.lock my_app

Correct code:

FROM node:10.16.3-alpine
COPY package.json yarn.lock my_app/

Explanation:

If multiple resources are specified, either directly or due to the use of a wildcard, then it must be a directory and it must end with a slash /.

ER0011

Use the --no-cache switch.

Incorrect code:

FROM alpine:3.7
RUN apk add --update foo=1.0
    && rm -rf /var/cache/apk/*

Correct code:

FROM alpine:3.7
RUN apk --no-cache add foo=1.0

Explanation:

From Alpine Linux 3.3 onwards, a new --no-cache option for apk is available which allows users to install packages with an index that is updated and used on-the-fly and not cached locally. As a result, using --update and removing /var/cache/apk/* is no longer required during the package install.

ER0012

Pin versions in apt get install.

Incorrect code:

RUN apt-get install python

Correct code:

RUN apt-get install python=2.7

Explanation:

Version pinning forces the build to retrieve a particular version regardless of the cache contents. It also reduce failures due to unanticipated changes in required packages.

ER0013

Pin versions in pip install.

Incorrect code:

RUN pip install django

Correct code:

RUN pip install django==1.9

Explanation:

Version pinning forces the build to retrieve a particular version regardless of the cache contents. It also reduce failures due to unanticipated changes in required packages.

ER0014

Pin versions in npm install.

Incorrect code:

RUN npm install express

Correct code:

RUN npm install [email protected]

Explanation:

Version pinning forces the build to retrieve a particular version regardless of the cache contents. It also reduce failures due to unanticipated changes in required packages.

ER0015

Pin versions in apk add.

Incorrect code:

RUN apk --no-cache add foo

Correct code:

RUN apk --no-cache add foo=1.2.3

Explanation:

Version pinning forces the build to retrieve a particular version regardless of the cache contents. It also reduce failures due to unanticipated changes in required packages.

ER0016

Pin versions in gem install.

Incorrect code:

RUN gem install bundler

Correct code:

RUN gem install bundler:1.1

Explanation:

Version pinning forces the build to retrieve a particular version regardless of the cache contents. It also reduce failures due to unanticipated changes in required packages.

EI0004

Don't use (ONBUILD,FROM,MAINTAINTER) in ONBUILD.

Incorrect code:

ONBUILD ONBUILD ADD . /app/src

Correct code:

ONBUILD ADD . /app/src

Explanation:

Chaining ONBUILD instructions using ONBUILD ONBUILD isn’t allowed. The ONBUILD instruction may not trigger FROM or MAINTAINER instructions.

EW0001

Use absolute WORKDIR.

Incorrect code:

WORKDIR usr/src/app

Correct code:

WORKDIR /usr/src/app

Explanation:

Version pinning forces the build to retrieve a particular version regardless of the cache contents. It also reduce failures due to unanticipated changes in required packages.

EE0001

Valid UNIX ports range from 0 to 65535.

Incorrect code:

EXPOSE 80000

Correct code:

EXPOSE 65535

Explanation:

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

EI0005

Instructions should be uppercase.

Incorrect code:

from node:10.16.3-alpine

Correct code:

FROM node:10.16.3-alpine

Explanation:

According to the convention, names of instructions should be typed in uppercase.