TRG 4.06 - Notice for docker images
Status | Created | Post-History |
---|---|---|
Active | 01-Aug-2024 | |
Draft | 04-May-2023 | Initial release |
Why
Due to legal constrains we need to annotate the released container images to make it clear that we do our best to provide good images for demo purposes,
but we do not provide any legal guarantee.
This has to be defined in a dedicated 'Notice for docker image' section in our repositories and on the respective image page on DockerHub
.
Be aware that in case of a multi-stage image build, the last stage is the relevant base image.
Description
There are a few properties and links, that must be present on each notice, but they do vary for each image and product. The minimum set of information is:
- Link to the source of your base image (Container registry and GitHub if available)
- Link to your product image on
DockerHub
- Link to your repository on GitHub
- Direct link to the Dockerfile used to build your image
- Link to
LICENCE
file in your repo as 'Project License' (make clear, that this is the PROJECT licence, not an image license)
How and where to annotate the base image
The above information must be provided in Markdown format, either in your toplevel README.md
, or in a dedicated
notice Markdown file, that you then reference from your toplevel README.md
.
A dedicated notice file can be necessary, if you built multiple container image from a single repository.
Multiple notice files ensure, that you can directly link the specific Dockerfile
, that is used and include it in the description, that is pushed to DockerHub
.
The notice must always start with the following headline and the reference to your image on DockerHub
(example taken from app-dashboard:
## Notice for Docker image
DockerHub: [https://hub.docker.com/r/tractusx/app-dashboard](https://hub.docker.com/r/tractusx/app-dashboard)
Following this, you must provide additional information on your product: (example taken from app-dashboard:
Eclipse Tractus-X product(s) installed within the image:
__<your product name>__
- GitHub: https://github.com/eclipse-tractusx/<your-product-repo>
- Project home: https://projects.eclipse.org/projects/automotive.tractusx
- Dockerfile: https://github.com/eclipse-tractusx/<your-product-repo>/blob/main/<path-to-Dockerfile>
- Project license: [Apache License, Version 2.0](https://github.com/eclipse-tractusx/<your-product-repo>/blob/main/LICENSE)
The last bits of information you must provide is related to your used base image. As previously described, the following information should be provided, if available:
- DockerHub links
- GitHub repo
- direct links to Dockerfile
The following example is taken from the IRS product:
**Used base image**
- [eclipse-temurin:20-jre-alpine](https://github.com/adoptium/containers)
- Official Eclipse Temurin DockerHub page: https://hub.docker.com/_/eclipse-temurin
- Eclipse Temurin Project: https://projects.eclipse.org/projects/adoptium.temurin
- Additional information about the Eclipse Temurin images: https://github.com/docker-library/repo-info/tree/master/repos/eclipse-temurin
Closing the notice, we provide a general statement about potentially contained other tools and the demo/experimental purpose of our images. We use the following text:
As with all Docker images, these likely also contain other software which may be under other licenses
(such as Bash, etc. from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
Examples
The following examples are shown as reference, to see already existing and complete versions of a 'Notice for docker images'. They can not be used for your product without modifications.
Good example for notice integrated in toplevel README.md
: IRS
Good example for a dedicated notice file: edc-controlplane-memory-hashicorp-vault
Already collected base image information
The following sections contain information, that already has been collected on base images, that are used in Eclipse Tractus-X. You can use that information for your own notice. Be careful, when it comes to version, like JRE versions for example. You have to adapt some of the provided links to match your used version.
Eclipse Temurin (JRE)
- Base image reference (example)
eclipse-temurin:20-jre-alpine
- GitHub repo
- Official Eclipse Temurin DockerHub page
- Eclipse Temurin Project
- Additional information about the Eclipse Temurin images
Nginx-unprivileged (serve static HTML and JS bundles)
- Base image reference (example)
nginxinc/nginx-unprivileged:alpine
- Dockerfile (alpine)
- GitHub project: https://github.com/nginxinc/docker-nginx-unprivileged
- DockerHub: https://hub.docker.com/r/nginxinc/nginx-unprivileged
.NET runtime
- Base image reference (example):
mcr.microsoft.com/dotnet/runtime:6.0-alpine
- Dockerfile (:6-alpine): mcr.microsoft.com/dotnet/runtime:6.0-alpine
- GitHub project: https://github.com/dotnet/dotnet-docker
- DockerHub: https://hub.docker.com/_/microsoft-dotnet-runtime
ASP.NET core runtime
- Base image reference (example):
mcr.microsoft.com/dotnet/aspnet:6.0-alpine
- Dockerfile (:6-alpine): mcr.microsoft.com/dotnet/aspnet:6.0-alpine
- GitHub project: https://github.com/dotnet/dotnet-docker
- DockerHub: https://hub.docker.com/_/microsoft-dotnet-aspnet
Linux
- Base image reference (example):
alpine:3.17
- Dockerfile: alpinelinux/docker-alpine:3.17
- GitHub project: https://github.com/alpinelinux/docker-alpine
- DockerHub: https://hub.docker.com/_/alpine