Skip to main content

TRG 4.06 - Notice for docker images

StatusCreatedPost-History
Active01-Aug-2024
Draft04-May-2023Initial release

Why

Due to legal constrains we need to annotate the released container images to make it clear that we do our best to provide good images for demo purposes, but we do not provide any legal guarantee. This has to be defined in a dedicated 'Notice for docker image' section in our repositories and on the respective image page on DockerHub.

Be aware that in case of a multi-stage image build, the last stage is the relevant base image.

Description

There are a few properties and links, that must be present on each notice, but they do vary for each image and product. The minimum set of information is:

  • Link to the source of your base image (Container registry and GitHub if available)
  • Link to your product image on DockerHub
  • Link to your repository on GitHub
  • Direct link to the Dockerfile used to build your image
  • Link to LICENCE file in your repo as 'Project License' (make clear, that this is the PROJECT licence, not an image license)

How and where to annotate the base image

The above information must be provided in Markdown format, either in your toplevel README.md, or in a dedicated notice Markdown file, that you then reference from your toplevel README.md.

A dedicated notice file can be necessary, if you built multiple container image from a single repository. Multiple notice files ensure, that you can directly link the specific Dockerfile, that is used and include it in the description, that is pushed to DockerHub.

The notice must always start with the following headline and the reference to your image on DockerHub (example taken from app-dashboard:

## Notice for Docker image

DockerHub: [https://hub.docker.com/r/tractusx/app-dashboard](https://hub.docker.com/r/tractusx/app-dashboard)

Following this, you must provide additional information on your product: (example taken from app-dashboard:

Eclipse Tractus-X product(s) installed within the image:

__<your product name>__

- GitHub: https://github.com/eclipse-tractusx/<your-product-repo>
- Project home: https://projects.eclipse.org/projects/automotive.tractusx
- Dockerfile: https://github.com/eclipse-tractusx/<your-product-repo>/blob/main/<path-to-Dockerfile>
- Project license: [Apache License, Version 2.0](https://github.com/eclipse-tractusx/<your-product-repo>/blob/main/LICENSE)

The last bits of information you must provide is related to your used base image. As previously described, the following information should be provided, if available:

  • DockerHub links
  • GitHub repo
  • direct links to Dockerfile

The following example is taken from the IRS product:

**Used base image**

- [eclipse-temurin:20-jre-alpine](https://github.com/adoptium/containers)
- Official Eclipse Temurin DockerHub page: https://hub.docker.com/_/eclipse-temurin
- Eclipse Temurin Project: https://projects.eclipse.org/projects/adoptium.temurin
- Additional information about the Eclipse Temurin images: https://github.com/docker-library/repo-info/tree/master/repos/eclipse-temurin

Closing the notice, we provide a general statement about potentially contained other tools and the demo/experimental purpose of our images. We use the following text:

As with all Docker images, these likely also contain other software which may be under other licenses
(such as Bash, etc. from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.

Examples

The following examples are shown as reference, to see already existing and complete versions of a 'Notice for docker images'. They can not be used for your product without modifications.

Good example for notice integrated in toplevel README.md: IRS

Good example for a dedicated notice file: edc-controlplane-memory-hashicorp-vault

Already collected base image information

The following sections contain information, that already has been collected on base images, that are used in Eclipse Tractus-X. You can use that information for your own notice. Be careful, when it comes to version, like JRE versions for example. You have to adapt some of the provided links to match your used version.

Eclipse Temurin (JRE)

Nginx-unprivileged (serve static HTML and JS bundles)

.NET runtime

ASP.NET core runtime

Linux