DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it
I have a Dockerfile:
FROM strimzi/kafka:0.20.1-kafka-2.6.0
USER root:root
RUN mkdir -p /opt/kafka/plugins/debezium
# Download, unpack, and place the debezium-connector-postgres folder into the /opt/kafka/plugins/debezium directory
RUN curl -s https://repo1.maven.org/maven2/io/debezium/debezium-connector-postgres/1.7.0.Final/debezium-connector-postgres-1.7.0.Final-plugin.tar.gz | tar xvz --transform 's/debezium-connector-postgres/debezium/' --directory /opt/kafka/plugins/
USER 1001
When I use hadolint on it:
hadolint Dockerfile
I get the warning:
Dockerfile:6 DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
I know I have a pipe | in the line starting with RUN.
However, I still really don't know how to fix it based on this warning.
Oh, I just found the solution in the wiki page at https://github.com/hadolint/hadolint/wiki/DL4006
Here is my fixed version:
FROM strimzi/kafka:0.20.1-kafka-2.6.0
USER root:root
RUN mkdir -p /opt/kafka/plugins/debezium
# Download, unpack, and place the debezium-connector-postgres folder into the /opt/kafka/plugins/debezium directory
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -s https://repo1.maven.org/maven2/io/debezium/debezium-connector-postgres/1.7.0.Final/debezium-connector-postgres-1.7.0.Final-plugin.tar.gz | tar xvz --transform 's/debezium-connector-postgres/debezium/' --directory /opt/kafka/plugins/
USER 1001
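The reason for adding SHELL ["/bin/bash", "-o", "pipefail", "-c"] is given at https://github.com/docker/docker.github.io/blob/master/develop/develop-images/dockerfile_best-practices.md#using-pipes
Copied below:
Some RUN commands depend on the ability to pipe the output of one command into another, using the pipe character (|), as in the following example: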
RUN wget -O - https://some.site | wc -l > /number
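Docker executes these commands using the /bin/sh -c interpreter, which only evaluates the exit code of the last operation in the pipe to determine success.
In the example above, this build step succeeds and produces a new image so long as the wc -l command succeeds, even if the wget command fails.
If you want the command to fail due to an error at any stage in the pipe, prepend set -o pipefail && to ensure that an unexpected error prevents the build from inadvertently succeeding. For example: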
RUN set -o pipefail && wget -O - https://some.site | wc -l > /number
Not all shells support the -o pipefail option.
In cases such as the dash shell on Debian-based images, consider using the exec form of RUN to explicitly choose a shell that does support the pipefail option. For example:
RUN ["/bin/bash", "-c", "set -o pipefail && wget -O - https://some.site | wc -l > /number"]
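Added example (not part of the original post or of the Docker documentation quoted in it): a script that runs a constructed stand-in for the piped RUN line under the three shell invocations discussed above and reports the exit status that would decide the build step. The `(exit 22)` stage stands in for a failed download, and the function names are illustrative.

```shell
#!/bin/sh
# Constructed stand-in for the piped RUN line: stage 1 plays a failed download
# (exit 22, no output); stage 2 plays the consumer (tar, wc) and succeeds.
PIPELINE='(exit 22) | wc -l > /dev/null'

# run_step CMD SHELL_ARGV...
# Runs CMD the way Docker runs a shell-form RUN (<SHELL argv> "<CMD>")
# and prints the exit status that decides whether the build step passes.
run_step() {
    cmd=$1; shift
    rc=0
    "$@" "$cmd" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Default SHELL ["/bin/sh", "-c"]: only the last stage's status counts.
default_status() { run_step "$PIPELINE" sh -c; }

# SHELL ["/bin/bash", "-o", "pipefail", "-c"], as in the fixed Dockerfile.
shell_instruction_status() { run_step "$PIPELINE" bash -o pipefail -c; }

# Exec-form RUN ["/bin/bash", "-c", "set -o pipefail && ..."].
inline_status() { run_step "set -o pipefail && $PIPELINE" bash -c; }

# Per-stage statuses (bash only), for working out which stage broke.
stage_statuses() {
    bash -c "$PIPELINE; echo \"\${PIPESTATUS[*]}\""
}

echo "sh -c                          -> $(default_status)"
echo "bash -o pipefail -c            -> $(shell_instruction_status)"
echo "bash -c 'set -o pipefail && …' -> $(inline_status)"
echo "PIPESTATUS per stage           -> $(stage_statuses)"
```

pipefail can only surface a failure that the first stage actually signals: curl exits 0 on an HTTP error response unless --fail (-f) is given.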