Fossil SCM
Removal of the Tcl example in §5.5 of the containers doc left hanging references in the Python example in a few places.
Commit
40e537e94dac80c20d628d93571ee28d6e782768993658a2b1108b5eb5eb7767
Parent
616a37f4f71e7b3…
1 file changed
+7
-5
| --- www/containers.md | ||
| +++ www/containers.md | ||
| @@ -457,14 +457,15 @@ | ||
| 457 | 457 | it’s written for one of the bare-bones script interpreters that BusyBox |
| 458 | 458 | ships.(^[BusyBox]’s `/bin/sh` is based on the old 4.4BSD Lite Almquist |
| 459 | 459 | shell, implementing little more than what POSIX specified in 1989, plus |
| 460 | 460 | equally stripped-down versions of `awk` and `sed`.) |
| 461 | 461 | |
| 462 | -Let’s say the extension is written in Python. While you could handle it | |
| 463 | -the same way we do with the Tcl example above, Python is more | |
| 464 | -popular, giving us more options. Let’s inject a Python environment into | |
| 465 | -the stock Fossil container via a suitable “[distroless]” image instead: | |
| 462 | +Let’s say the extension is written in Python. Because this is one of the | |
| 463 | +most popular programming languages in the world, we have many options | |
| 464 | +for achieving this. For instance, there is a whole class of | |
| 465 | +“[distroless]” images that will do this efficiently by changing “`STAGE | |
| 466 | +2`” in the `Dockefile` to this: | |
| 466 | 467 | |
| 467 | 468 | ``` |
| 468 | 469 | ## --------------------------------------------------------------------- |
| 469 | 470 | ## STAGE 2: Pare that back to the bare essentials, plus Python. |
| 470 | 471 | ## --------------------------------------------------------------------- |
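Review bot: `Dockefile` on the last added line of this hunk is misspelled; it should be `Dockerfile`, the spelling the second hunk of this same commit uses. Separately, "we have many options for achieving this" has no antecedent now that the sentence about injecting a Python environment is removed: the only preceding statement is that the extension is written in Python. Suggest naming the goal directly, for example "many options for adding a Python runtime to the container", and rewording "images that will do this efficiently by changing" so that it is the reader, not the image, who changes `STAGE 2`.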
| @@ -493,11 +494,12 @@ | ||
| 493 | 494 | docker exec -i $(make container-version) python --version |
| 494 | 495 | 3.11.2 |
| 495 | 496 | ``` |
| 496 | 497 | |
| 497 | 498 | The compensation for the hassle of using Chainguard over something more |
| 498 | -general purpose like Alpine + “`apk add python`” | |
| 499 | +general purpose like changing the `run` layer to Alpine and then adding | |
| 500 | +a “`apk add python`” command to the `Dockerfile` | |
| 499 | 501 | is huge: we no longer leave a package manager sitting around inside the |
| 500 | 502 | container, waiting for some malefactor to figure out how to abuse it. |
| 501 | 503 | |
| 502 | 504 | Beware that there’s a limit to this über-jail’s ability to save you when |
| 503 | 505 | you go and provide a more capable runtime layer like this. The container |
| 504 | 506 |
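Review bot: the added text "a “`apk add python`” command" reads better with "an", since `apk` begins with a vowel sound. The two added lines also refer to "the `run` layer" without anything in the surrounding context lines introducing that name, so a reader arriving at this paragraph may not know which layer is meant; consider tying it to the `STAGE 2` label used in the code block above. Finally, the insertion pushes "The compensation ..." even further from its verb "is huge"; splitting the sentence in two would keep the point about not leaving a package manager in the container easy to find.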
| --- www/containers.md | |
| +++ www/containers.md | |
| @@ -457,14 +457,15 @@ | |
| 457 | it’s written for one of the bare-bones script interpreters that BusyBox |
| 458 | ships.(^[BusyBox]’s `/bin/sh` is based on the old 4.4BSD Lite Almquist |
| 459 | shell, implementing little more than what POSIX specified in 1989, plus |
| 460 | equally stripped-down versions of `awk` and `sed`.) |
| 461 | |
| 462 | Let’s say the extension is written in Python. While you could handle it |
| 463 | the same way we do with the Tcl example above, Python is more |
| 464 | popular, giving us more options. Let’s inject a Python environment into |
| 465 | the stock Fossil container via a suitable “[distroless]” image instead: |
| 466 | |
| 467 | ``` |
| 468 | ## --------------------------------------------------------------------- |
| 469 | ## STAGE 2: Pare that back to the bare essentials, plus Python. |
| 470 | ## --------------------------------------------------------------------- |
| @@ -493,11 +494,12 @@ | |
| 493 | docker exec -i $(make container-version) python --version |
| 494 | 3.11.2 |
| 495 | ``` |
| 496 | |
| 497 | The compensation for the hassle of using Chainguard over something more |
| 498 | general purpose like Alpine + “`apk add python`” |
| 499 | is huge: we no longer leave a package manager sitting around inside the |
| 500 | container, waiting for some malefactor to figure out how to abuse it. |
| 501 | |
| 502 | Beware that there’s a limit to this über-jail’s ability to save you when |
| 503 | you go and provide a more capable runtime layer like this. The container |
| 504 |
| --- www/containers.md | |
| +++ www/containers.md | |
| @@ -457,14 +457,15 @@ | |
| 457 | it’s written for one of the bare-bones script interpreters that BusyBox |
| 458 | ships.(^[BusyBox]’s `/bin/sh` is based on the old 4.4BSD Lite Almquist |
| 459 | shell, implementing little more than what POSIX specified in 1989, plus |
| 460 | equally stripped-down versions of `awk` and `sed`.) |
| 461 | |
| 462 | Let’s say the extension is written in Python. Because this is one of the |
| 463 | most popular programming languages in the world, we have many options |
| 464 | for achieving this. For instance, there is a whole class of |
| 465 | “[distroless]” images that will do this efficiently by changing “`STAGE |
| 466 | 2`” in the `Dockefile` to this: |
| 467 | |
| 468 | ``` |
| 469 | ## --------------------------------------------------------------------- |
| 470 | ## STAGE 2: Pare that back to the bare essentials, plus Python. |
| 471 | ## --------------------------------------------------------------------- |
| @@ -493,11 +494,12 @@ | |
| 494 | docker exec -i $(make container-version) python --version |
| 495 | 3.11.2 |
| 496 | ``` |
| 497 | |
| 498 | The compensation for the hassle of using Chainguard over something more |
| 499 | general purpose like changing the `run` layer to Alpine and then adding |
| 500 | a “`apk add python`” command to the `Dockerfile` |
| 501 | is huge: we no longer leave a package manager sitting around inside the |
| 502 | container, waiting for some malefactor to figure out how to abuse it. |
| 503 | |
| 504 | Beware that there’s a limit to this über-jail’s ability to save you when |
| 505 | you go and provide a more capable runtime layer like this. The container |
| 506 |