My Dockerfile and docker-compose

• For development, I mostly use Podman instead of Docker. Except some applications that only supports Docker (e.g. Cosign)

• Please check the license of the components of the container images.

  • Using Apache 2.0 License for the Dockerfiles and docker-compose does not mean the container image is under Apache 2.0 License.

  • The created container image would contain other software (such as Bash, glibc and etc.), these software may be in different licenses.

• Please check any direct and in-direct dependency of the software being produced or contained.

List of materials

• Here’s a list of Dockerfile and container images that maintain or create

Application name	Dockerfile/building repository	Container repository	Signed	Purpose	Remark
pod-recon	GitHub repo, a Git mirror	GitLab Container Registry	Yes	Collection of tools for troubleshooting in container environments	Use almalinux/9-minimal as base OS
amicontained	GitHub repo	GitHub container registry	Yes	Aims to create amicontained on ARM64 platform	Use Alpine as base OS Not using set-output for GH actions
MeiliSearch	GitHub repo	GitHub container registry	Yes	For using stripped MeiliSearch binaries	Use minideb Debian-12 as base OS Not using set-output for GH actions
WikiJS	GitHub repo	GitHub container registry	Yes	Update NodeJS packages in WikiJS and other optimizations	Use node18 Debian-12 as base OS Not using set-output for GH actions
Coral Project - Talk	GitHub repo	GitLab Container Registry, ARM64 only	Yes	Coral Project - Talk does not (currently) provide official ARM64 Docker image	Use node20 Debian-11 as base OS CircleCI (build), GH actions (Cosign/SBOM, broken)
Goat Counter	GitHub repo	GitHub container registry	Yes	No official Docker image is provided	Use rockylinux/9-minimal as base OS Not using save-output for GH action
Gollum	GitHub repo	GitHub container registry	Yes	Include Pandoc and AsciiDoctor support in the container image	Use ruby Debian-11 as base OS
Kubernetes example, NFS-exporter container with a file	GitHub repo	GitHub container registry	Yes	Outdated Docker image is provided, and no ARM64 support	Use almalinuxorg/9-minimal as base OS Not using save-output for GH action
Prometheus	My GitHub repo	My GitHub container registry	Yes	For customization with glibc support	Use ChainGuard busybox:latest-glibc as base OS Not using save-output for GH actions
mcrouter by Facebook/Meta	My GitHub repo	My GitHub container registry, for AMD64 My GitLab container registry, for ARM64	No	No official container images provided	Use Almalinux 8 as base OS Not using save-output for GH actions

Container image verification by Cosign

If the container is signed (by me). You can verify by below steps:

1. Get my Cosign public key and save as cosign.pub

   -----BEGIN PUBLIC KEY-----
   MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENAxpHzZWHRHsR72J+Zzm6M32UAvv
   YeHhQD4doXjqNXHbgXI212HVfmLzBevCvUqurwPvEsTf9FqWuYHUUrrK6w==
   -----END PUBLIC KEY-----

2. Command for Cosign

   cosign verify --key cosign.pub \
     [container-registry/project-name:tag]

   Example:

   cosign verify --key cosign.pub \
     ghcr.io/patrickdung/meilisearch-crossbuild:v0.24.0

3. Output:

   Verification for ghcr.io/patrickdung/meilisearch-crossbuild:v0.24.0 --
   The following checks were performed on each of these signatures:
     - The cosign claims were validated
     - The signatures were verified against the specified public key
     - Any certificates were verified against the Fulcio roots.
   
   [{"critical":{"identity":{"docker-reference":"ghcr.io/patrickdung/meilisearch-crossbuild"},"image":{"docker-manifest-digest":"sha256:41969fc06309c9988a23aa5a1ca677c171c9011399527d2c2120bab87ea9311a"},"type":"cosign container image signature"},"optional":null}]