Rootless Container with Paketo

This demo again builds a container image from the demo application. For details on the demo application see hello spring boot application.

But this time, instead of using a Dockerfile or JIB, we will use the Spring Boot tooling together with Paketo buildpacks to build the container image.

Important note: Paketo buildpacks are still missing ARM64 support (Apple M1/M2 Mac hardware). See GitHub issue: Add support for arm64 for details.

plugins {
    id 'com.google.cloud.tools.jib' version '2.6.0'
}

jib {
    to {
        image = 'andifalk/hello-rootless-jib:latest'
    }
    container {
        user = 1002
    }
}

You can check which user the container runs as by using these commands:

docker container run --rm --detach --name hello-rootless-jib \
-p 8080:8080 andifalk/hello-rootless-jib:latest
docker exec hello-rootless-jib whoami

This time the second command should report an error: the distroless base image that JIB uses by default contains no shell at all, so there is no whoami command that could be executed.
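Because a distroless image offers no shell to exec into, the non-root configuration is better verified from the image metadata itself. The following POSIX sh script is an added example, not part of the original page; it assumes a local Docker CLI and the image name used above, and treats an unset user, 0 and root (with or without a group suffix) as root, which is how Docker interprets them.

```shell
#!/bin/sh
# Added example: verify that an image is configured to run as a non-root
# user by reading its metadata instead of running whoami inside the
# container (which fails on distroless images that ship no shell).

# Returns 0 when the given User value denotes a non-root user, 1 when it
# means root. Docker treats an empty User, "0" and "root" as root; a
# ":group" suffix (e.g. "1002:1002") does not change the user part.
is_non_root_user() {
    user="${1%%:*}"          # strip an optional ":group" suffix
    case "$user" in
        ""|0|root) return 1 ;;
        *)         return 0 ;;
    esac
}

# Reads the configured user of a locally available image (assumed helper).
image_user() {
    docker image inspect --format '{{.Config.User}}' "$1"
}

# Prints a verdict for the image; exit code 1 means it would run as root,
# exit code 2 means the image could not be inspected.
check_image() {
    u=$(image_user "$1") || return 2
    if is_non_root_user "$u"; then
        echo "$1 runs as non-root user '$u'"
    else
        echo "$1 runs as root (User='${u:-<unset>}')"
        return 1
    fi
}

# Example invocation with the image built in this demo:
# check_image andifalk/hello-rootless-jib:latest
```

With the JIB configuration above the check reports user 1002; an image that leaves User unset is flagged as root even though no shell is available to prove it from the inside.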

You should also be able to reach the dockerized application again via localhost:8080.

Finally, stop the running container by using the following command:

docker stop hello-rootless-jib

Check image for Vulnerabilities

Now we can check our image for vulnerabilities with high and critical severities using this command:

trivy clean --scan-cache
trivy image --severity HIGH,CRITICAL andifalk/hello-rootless-jib:latest
