From 485f184e408a0a649c318d5aea8f7259921f99ea Mon Sep 17 00:00:00 2001 From: Ramon Smits Date: Wed, 5 Feb 2025 18:10:04 +0100 Subject: [PATCH 1/5] Docker tag usage --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index b9bc9581..6d788cce 100644 --- a/README.md +++ b/README.md @@ -165,6 +165,9 @@ For easy deployment, we've created an official Docker container. There are two v The default one will run as `root`: +> !WARN +> Do not use tag `latest` as this is not the latest released version + ```bash docker run --publish 8080:8080 dutchcoders/transfer.sh:latest --provider local --basedir /tmp/ ``` From 649f7f659bc87bb9e0f32cf434a1208a18bf4b66 Mon Sep 17 00:00:00 2001 From: Ramon Smits Date: Wed, 5 Feb 2025 18:13:18 +0100 Subject: [PATCH 2/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6d788cce..cb59966a 100644 --- a/README.md +++ b/README.md @@ -166,7 +166,7 @@ For easy deployment, we've created an official Docker container. There are two v The default one will run as `root`: > !WARN -> Do not use tag `latest` as this is not the latest released version +> Do not use tag `latest` as this is not the latest released version. Do not use WatchTower using this tag as. User an actual version tag until transfert supports major or minor version tags. ```bash docker run --publish 8080:8080 dutchcoders/transfer.sh:latest --provider local --basedir /tmp/ From af26d45ca6d5cbd113ae2d32885c9e70f719c9a5 Mon Sep 17 00:00:00 2001 From: Ramon Smits Date: Wed, 5 Feb 2025 18:21:25 +0100 Subject: [PATCH 3/5] Update README.md --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index cb59966a..31b40418 100644 --- a/README.md +++ b/README.md 
@@ -176,6 +176,19 @@ The one tagged with the suffix `-noroot` will use `5000` as both UID and GID: ```bash docker run --publish 8080:8080 dutchcoders/transfer.sh:latest-noroot --provider local --basedir /tmp/ ``` +### Tags + +Name | Usage +--|-- +latest-noroot| TODO +nightly-noroot| TODO +latest| TODO +nightly| TODO +edge-noroot| TODO +edge| TODO +x.y.z| TODO +x.y.z-noroot| TODO + ### Building the Container You can also build the container yourself. This allows you to choose which UID/GID will be used, e.g. when using NFS mounts: From c6ffabd4888d6cfe040c5cd55e032efd3517f269 Mon Sep 17 00:00:00 2001 From: Ramon Smits Date: Wed, 5 Feb 2025 23:00:37 +0100 Subject: [PATCH 4/5] Changed based on feedback --- README.md | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 31b40418..8bd6d3b5 100644 --- a/README.md +++ b/README.md 
@@ -165,29 +165,41 @@ For easy deployment, we've created an official Docker container. There are two v The default one will run as `root`: -> !WARN +> [!WARNING] > Do not use tag `latest` as this is not the latest released version. Do not use WatchTower using this tag as. User an actual version tag until transfert supports major or minor version tags. ```bash docker run --publish 8080:8080 dutchcoders/transfer.sh:latest --provider local --basedir /tmp/ ``` +### No root + +The `-noroot` tags setup container images to run least priviledge to reduce the attack surface when an application is compromised. + +> [!NOTE] +> Using `-noroot` is **recommended** + The one tagged with the suffix `-noroot` will use `5000` as both UID and GID: ```bash docker run --publish 8080:8080 dutchcoders/transfer.sh:latest-noroot --provider local --basedir /tmp/ ``` + +> [!NOTE] +> Development history details at: +> - https://github.com/dutchcoders/transfer.sh/pull/418 + ### Tags Name | Usage --|-- -latest-noroot| TODO -nightly-noroot| TODO -latest| TODO -nightly| TODO -edge-noroot| TODO -edge| TODO -x.y.z| TODO -x.y.z-noroot| TODO +latest| Latest CI build, can be nightly, at commit, at tag, etc. +latest-noroot| Latest CI build, can be nightly, at commit, at tag, etc. using [no root] +nightly| Scheduled CI build every midnight UTC +nightly-noroot| Scheduled CI build every midnight UTC using [no root] +edge| Latest CI build after every commit on `main` +edge-noroot| Latest CI build after every commit on `main` using [no root] +x.y.z| CI build after tagging a release +x.y.z-noroot| CI build after tagging a release using [no root] ### Building the Container From 71352bb57059088ccb83ddc98a28cc029a478ca5 Mon Sep 17 00:00:00 2001 From: Ramon Smits Date: Thu, 6 Feb 2025 00:24:54 +0000 Subject: [PATCH 5/5] Feedback --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8bd6d3b5..07b6c14c 100644 --- a/README.md +++ b/README.md 
@@ -166,7 +166,7 @@ For easy deployment, we've created an official Docker container. There are two v The default one will run as `root`: > [!WARNING] -> Do not use tag `latest` as this is not the latest released version. Do not use WatchTower using this tag as. User an actual version tag until transfert supports major or minor version tags. +> It is discouraged to use `latest` tag for WatchTower or similar tools. The `latest` tag can reference unreleased developer, test builds, and patch releases for older versions. Use an actual version tag until transfer.sh supports major or minor version tags. ```bash docker run --publish 8080:8080 dutchcoders/transfer.sh:latest --provider local --basedir /tmp/ @@ -174,8 +174,7 @@ docker run --publish 8080:8080 dutchcoders/transfer.sh:latest --provider local - ### No root -The `-noroot` tags setup container images to run least priviledge to reduce the attack surface when an application is compromised. - +The `-noroot` tags indicate image builds that run with least priviledge to reduce the attack surface might an application get compromised. > [!NOTE] > Using `-noroot` is **recommended**
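
Review bot: In [PATCH 3/5], every Usage cell of the new `### Tags` table is `TODO`, so this commit on its own publishes a reference table with no content. Fold it into the commit that supplies the descriptions (4/5), or hold the section back until the text exists. The `### Tags` heading is also added directly under the closing code fence of the `latest-noroot` example; put a blank line between the fence and the heading.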
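
Review bot: In [PATCH 4/5], the `-noroot` rows of the Tags table end in `[no root]`, a shortcut reference link, but the hunk adds no matching link definition, so unless one exists elsewhere in the README these will render as literal bracketed text. Either add a definition such as `[no root]: #no-root` or write the cells with an inline link, `[no root](#no-root)`, pointing at the `### No root` heading this same hunk introduces. Separately, the `> [!NOTE]` recommending `-noroot` sits below an example that pulls `latest-noroot`, while the table now describes `latest-noroot` as "Latest CI build, can be nightly, at commit, at tag, etc."; the recommended example would be more consistent with an `x.y.z-noroot` tag.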
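
Review bot: In [PATCH 5/5], first hunk, the reworded warning tells readers to use an actual version tag, yet the command in the context lines right below it still runs `dutchcoders/transfer.sh:latest`, so the copy-paste path contradicts the warning. Change the example to a version tag in the `x.y.z` form the Tags table uses, so that people who paste it do not end up tracking unreleased builds. Wording: "unreleased developer, test builds, and patch releases" reads as a broken list; suggest "unreleased developer and test builds, as well as patch releases for older versions", and "Using the `latest` tag with WatchTower or similar tools is discouraged" for the opening sentence.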
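
Review bot: In [PATCH 5/5], second hunk, the replacement sentence still carries the misspelling "priviledge" (should be "privilege"), and "might an application get compromised" is not grammatical; suggest "The `-noroot` tags indicate image builds that run with least privilege, which limits what an attacker can do if the application is compromised." That phrasing is also more accurate than "reduce the attack surface", since running as a non-root user limits the impact after a compromise rather than the exposure before it. The hunk also removes the blank line between this paragraph and `> [!NOTE]`; keep it so the alert is clearly a separate block.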