Rootless Container with JIB
This demo again builds an improved Docker image from the demo application. For details on the demo application, see hello spring boot application.
This time, instead of using a Dockerfile, we will use Google JIB to build the container image.
Using JIB has the following advantages compared to classical image creation using a Dockerfile:
- With JIB, you can even build a container image without a Docker daemon installed on your machine.
- Building images repeatedly is much faster, as JIB optimizes for the typical development flow (i.e. the application code changes much more frequently than the dependencies).
- JIB uses the Google Distroless Base Images, which include only the minimum components needed to execute the desired process (e.g. Go or Java).
JIB works by adding a plugin to your Maven or Gradle build, so here we add the plugin to our Gradle build. We also configure a non-root user in the build.gradle file so that the resulting container image runs without using the root user.
You can prove this by using these commands:
This time the command should report an error: the distroless image that JIB uses by default does not even include a shell, so running the whoami command is not possible.
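Because the distroless image has no shell in which to run whoami, the configured user can instead be read from the image metadata. The script below is an added example, not part of the original demo; the function names and the image name `hello-spring-boot:latest` are assumptions.

```shell
#!/bin/sh
# Added example: verify that an image is configured to run as a non-root user
# by reading its metadata, without needing a shell inside the container.

# Classify the "User" field of an image config.
# Returns 0 for a non-root user, 1 for root.
# The field may be "user", "uid", "user:group" or "uid:gid";
# an empty value means the container runs as root.
is_nonroot_user() {
    user_field=$1
    user_part=${user_field%%:*}     # drop the optional ":group" suffix
    case "$user_part" in
        ""|root) return 1 ;;        # unset or explicitly root
        *[!0]*)  return 0 ;;        # contains something other than '0'
        *)       return 1 ;;        # only zeros, i.e. UID 0
    esac
}

# Read the configured user of a local image (requires a Docker daemon).
image_user() {
    docker image inspect --format '{{.Config.User}}' "$1"
}

# Report whether the given image runs as non-root.
# Returns 0 = non-root, 1 = root, 2 = image could not be inspected.
check_image() {
    user=$(image_user "$1") || return 2
    if is_nonroot_user "$user"; then
        echo "OK: $1 runs as '$user'"
    else
        echo "FAIL: $1 runs as root (User='$user')"
        return 1
    fi
}

# Usage (hypothetical image name, replace with the one your build produces):
#   check_image hello-spring-boot:latest
```

A check like this can run in CI after the JIB build so that a missing user setting fails the pipeline.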
You should also be able to reach the dockerized application again via localhost:8080.
Finally, stop the running container by using the following command:
Check image for Vulnerabilities
Now we can check our image for vulnerabilities with high and critical severities using this command: