Base images should rarely expose ports #68
Given that it is unlikely that the alpine-nginx image would be deployed as-is, it should not expose ports. Instead that should be left to the image that uses alpine-nginx as its base. This is especially true because, unlike `CMD` or `ENTRYPOINT`, a derived image _cannot_ override the `EXPOSE` command of a base image. This means that should a derived image want nginx to _not_ expose ports 80 or 443, they cannot use this as a base image. Also, nginx logs should always be redirected to stdout and stderr, and therefore the commands to make this happen should remain the responsibility of the alpine-nginx base image.
@rbellamy, yeah I agree on the ports issue. Let me think about the logs issue a little more...
@smebberson I'd be interested in hearing a use-case where you would NOT want the nginx logs forwarded to
@rbellamy, I run multiple instances of Much nicer than trying to get A quick Google search gives you plenty of mixed opinions on this matter. I would say the majority log to I mean, I guess all of the other services here do log to
From my admittedly limited experience and reading, the "best practice" for log aggregation seems to be to offer that as a service within kubernetes, not within the docker image itself (e.g. https://github.com/deis/fluentd). While I (obviously) understand the need and use of the
I'm considering the best way to allow a downstream image to modify the nginx config - and debating with myself whether overwriting either
An example of the use this could be put to is removing the I see a similar need in configuring the
One last thing and I'll stop spamming you - in order to get the
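The `EXPOSE` inheritance described in the pull request description, modelled as an added example (not part of the original thread or the project's code): it walks a `FROM` chain and reports which ports a derived image carries only because an ancestor declared them. The image names and Dockerfile contents are constructed, and the parser assumes single-stage Dockerfiles with literal port numbers.

```python
import re

# Constructed sample Dockerfiles; image names and contents are hypothetical.
DOCKERFILES = {
    "example/alpine-nginx": "FROM alpine\nRUN apk add --no-cache nginx\nEXPOSE 80 443\n",
    "example/internal-app": "FROM example/alpine-nginx\n"
                            "COPY nginx.conf /etc/nginx/nginx.conf\nEXPOSE 8080\n",
}

def parse_dockerfile(text):
    """Return (base_image, exposed_ports) for a single-stage Dockerfile.
    Assumes literal port numbers (no $VARIABLE substitution)."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)  # fold line continuations
    base, ports = None, set()
    for line in joined.splitlines():
        instr, _, args = line.strip().partition(" ")
        if instr.upper() == "FROM":
            # Skip flags such as --platform=... before the image name.
            base = next(a for a in args.split() if not a.startswith("--"))
        elif instr.upper() == "EXPOSE":
            for spec in args.split():
                port, _, proto = spec.partition("/")
                lo, _, hi = port.partition("-")  # "8000-8002" is a range
                for p in range(int(lo), int(hi or lo) + 1):
                    ports.add(f"{p}/{proto.lower() or 'tcp'}")
    return base, ports

def effective_ports(image, dockerfiles):
    """Union of EXPOSE entries from `image` up through every known ancestor.
    There is no instruction that removes an entry, so the set only grows."""
    ports, seen = set(), set()
    while image in dockerfiles and image not in seen:
        seen.add(image)
        image, own = parse_dockerfile(dockerfiles[image])
        ports |= own
    return ports

def inherited_only(image, dockerfiles):
    """Ports the image carries solely because an ancestor declared them."""
    base, own = parse_dockerfile(dockerfiles[image])
    return effective_ports(base, dockerfiles) - own

if __name__ == "__main__":
    for name in DOCKERFILES:
        print(name, sorted(effective_ports(name, DOCKERFILES)),
              "inherited:", sorted(inherited_only(name, DOCKERFILES)))
```

For a built image, `docker inspect --format '{{json .Config.ExposedPorts}}' <image>` shows the same accumulated set.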