Last week, I pushed docker-mitreid-oidc-server to Docker Hub. It has been pulled 50 times so far. I have received some comments asking me to fix the simple-web-app log-in bug and to customize the Tomcat server default page with links to the MITREid OpenID Connect administration server and its protected client web app. Additionally, I am not satisfied with the image file size because it is larger (488 Mb) than I was expecting (160 Mb).

Here you will find out what I did to fix the simple-web-app log-in bug, replace the Tomcat server default page, and reduce the image file size from 488 to 212 Mb.

simple-web-app log-in bug


I have decided to stop cloning the MITREid repositories directly in the Dockerfile; I am going to fork them and clone from my own repositories instead. That way, I can fix any bug without delay. However, I have to keep an eye on updates to the MITREid repositories.

Tomcat server default page


I just need to remove the content of the ROOT folder at /usr/local/tomcat/webapps/ROOT/ and copy in an index.html from my GitHub repo. This way, I can update the HTML file whenever I want.

Reduce image file size


I found a guide titled Multi-stage builds in the Docker docs. There you will read:

With multi-stage builds, you use multiple FROM statements in your Dockerfile. Each FROM instruction can use a different base, and each of them begins a new stage of the build. You can selectively copy artifacts from one stage to another, leaving behind everything you don’t want in the final image.

-- Use multi-stage builds

By default, the stages are not named, and you refer to them by their integer number, starting with 0 for the first FROM instruction. However, you can name your stages, by adding an as to the FROM instruction.

-- Name your build stages

Basically, I divided the Dockerfile into 3 stages:

1.- Clone

FROM alpine/git as clone
LABEL maintainer="Iván Mauricio Montilla Figueroa"
WORKDIR /app
RUN mkdir srv && cd srv && \
git clone --progress https://github.com/immontilla/OpenID-Connect-Java-Spring-Server.git && \
cd .. && mkdir web && cd web && \
git clone --progress https://github.com/immontilla/simple-web-app.git

2.- Build

FROM maven:alpine as build
WORKDIR /app
COPY --from=clone /app/srv/OpenID-Connect-Java-Spring-Server /app/srv
RUN cd srv && mvn -Dmaven.javadoc.skip=true -DskipTests clean install && \
mkdir ../WARs && mv openid-connect-server-webapp/target/openid-connect-server-webapp.war ../WARs
COPY --from=clone /app/web/simple-web-app /app/web
RUN cd web && mvn -DskipTests clean install && mv target/simple-web-app.war ../WARs

3.- Deploy

FROM tomcat:alpine
WORKDIR /app
COPY --from=build /app/WARs /app
RUN apk add --no-cache --update openssl && \
cp *.war /usr/local/tomcat/webapps/ && \
rm -rf /usr/local/tomcat/webapps/ROOT/WEB-INF/ && \
rm /usr/local/tomcat/webapps/ROOT/* && \
cd /usr/local/tomcat/webapps/ROOT/ && \
wget https://raw.githubusercontent.com/immontilla/docker-mitreid-oidc-server/master/index.html

You can see the full Dockerfile at immontilla/docker-mitreid-oidc-server/~/dockerfile/
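
The same three stages with their inputs pinned, as an added example that is not the project's Dockerfile: each fork is checked out at a commit you name, and the downloaded index.html is checked against a SHA-256 you supply, so the build fails if either one changes. SRV_COMMIT, WEB_COMMIT and INDEX_SHA256 are hypothetical build arguments introduced for this example.

```dockerfile
# Added example. SRV_COMMIT, WEB_COMMIT and INDEX_SHA256 are hypothetical
# build arguments; they have no default, so an unpinned build fails early.
FROM alpine/git AS clone
ARG SRV_COMMIT
ARG WEB_COMMIT
WORKDIR /app
# Clone each fork, then detach at exactly the reviewed commit.
RUN test -n "$SRV_COMMIT" && test -n "$WEB_COMMIT" && \
    git clone https://github.com/immontilla/OpenID-Connect-Java-Spring-Server.git srv && \
    git -C srv checkout --detach "$SRV_COMMIT" && \
    git clone https://github.com/immontilla/simple-web-app.git web && \
    git -C web checkout --detach "$WEB_COMMIT"

FROM maven:alpine AS build
WORKDIR /app
COPY --from=clone /app/srv /app/srv
RUN cd srv && mvn -Dmaven.javadoc.skip=true -DskipTests clean install && \
    mkdir ../WARs && \
    mv openid-connect-server-webapp/target/openid-connect-server-webapp.war ../WARs
COPY --from=clone /app/web /app/web
RUN cd web && mvn -DskipTests clean install && mv target/simple-web-app.war ../WARs

FROM tomcat:alpine
ARG INDEX_SHA256
WORKDIR /app
COPY --from=build /app/WARs /app
# Same deploy steps as above; the last line rejects an index.html whose
# content differs from the hash that was reviewed.
RUN test -n "$INDEX_SHA256" && \
    apk add --no-cache --update openssl && \
    cp *.war /usr/local/tomcat/webapps/ && \
    rm -rf /usr/local/tomcat/webapps/ROOT/WEB-INF/ && \
    rm /usr/local/tomcat/webapps/ROOT/* && \
    cd /usr/local/tomcat/webapps/ROOT/ && \
    wget https://raw.githubusercontent.com/immontilla/docker-mitreid-oidc-server/master/index.html && \
    echo "$INDEX_SHA256  index.html" | sha256sum -c
```

Supply the three values with `docker build --build-arg`, one flag per argument.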

The final result is a 212 Mb image. It is not as small as I originally thought. The reason is that I was not taking into account the sizes of the uncompressed web app folders.

Let's check the result:

Tomcat:alpine size +
openid-connect-server-webapp.war size +
openid-connect-server-webapp folder size +
simple-web-app.war size +
simple-web-app folder size

113 Mb + 28.3 Mb + 33.4 Mb + 17.9 Mb + 21.1 Mb = 213.7 Mb

If you would like to check this result yourself:

Access the container console:

docker exec -it oidc-srv bash

Get every file or folder size:

du -sh /usr/local/tomcat/webapps/openid-connect-server-webapp.war
du -sh /usr/local/tomcat/webapps/openid-connect-server-webapp/
du -sh /usr/local/tomcat/webapps/simple-web-app.war
du -sh /usr/local/tomcat/webapps/simple-web-app/

and sum them.

Lessons learned along the way
  • The smaller the image file size, the better.

    Dividing the image build process into stages reduces its file size. In the final image there are no Java libraries, no compiler files or folders, and no build or compile utilities at all. It is just Tomcat and two web applications.
  • Latest is not always the most recent version. Usually it is the stable version.

    This is why the immontilla/docker-mitreid-oidc-server base image is not tomcat:9.0.1-alpine anymore. In fact, that version is no longer available at library/tomcat/; it was replaced by 9.0.2. I chose tomcat:alpine as the base image because its version is 8, which is the current Tomcat stable version.