How to examine packages in Confluence container images



Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.

Confluence Data Center being available as a Docker image may raise security concerns, because the image contains software beyond Confluence itself: the operating system, Java, package managers and other OS tools. Some of these components are not strictly needed for Confluence to run, but they are used during the image build, product setup and updates. Each additional component can carry vulnerabilities (CVEs) in software that Atlassian does not maintain.

Some organizations adopt a security principle that container images must contain only the software essential for the application to function. One example is the US Department of Defense (DoD) Security Technical Implementation Guide (STIG, https://public.cyber.mil/stigs/), rule V-233071, which states:

The container platform can be built with components that are not used for the intended purpose of the organization. To limit the attack surface of the container platform, it is essential that the non-essential services are not installed.

Customers subject to such guidelines might require specific details about the contents of Confluence Docker images.

Feature Request

There is a suggestion to create minimal container images for Confluence, tracked in SCALE-146.

Environment

Docker image for Confluence Data Center 9.0 to 9.3.1 (Ubuntu based)

Atlassian first released Confluence Server as a container image with version 6.1.1, based on the Alpine Linux distribution. It switched to Ubuntu-based images with version 7.13. This article focuses on releases 9.0 through 9.3.1, which use Ubuntu-based Eclipse Temurin images.

Checking installed packages/software

On the official Docker Hub atlassian/confluence page, we can see the link to the Dockerfile.

We can observe that the image is based on Eclipse-Temurin.

ARG BASE_IMAGE=eclipse-temurin:17-noble
FROM $BASE_IMAGE
...

That image has its own Dockerfile, and is in turn based on the official Ubuntu 24.04 Docker image:

...
FROM ubuntu:24.04
...

So on top of the base Ubuntu image we have the following add-ons and customizations:

  1. Eclipse Temurin adds the Adoptium JDK, plus support tools such as curl, CA certificate management, time zone data, locale support and other miscellaneous utilities.

  2. atlassian/confluence adds the Confluence software itself, along with the required fonts, a Python interpreter and the entry point scripts. It also creates the user and group under which Confluence runs.

So the Docker image as deployed by users, whether on Docker itself or on Kubernetes, contains the base Ubuntu image plus the add-ons and modifications from Eclipse Temurin and Confluence.

Other than reviewing the Dockerfile for each layer, the Confluence image contents can also be examined from any host where the container runs. For example, the command below lists the dpkg-installed packages in the image (add a specific tag to the image name to examine a particular release):

docker run -it atlassian/confluence /bin/bash -c 'dpkg -l'

Note that Confluence itself, as well as the Adoptium JDK, are installed by extracting tar.gz archives, so they do not appear in the dpkg/apt package listing. They can be inspected with ordinary Linux commands instead, such as "ls -lR /opt/atlassian" for Confluence and "java -version" for the JDK.

As an alternative to reviewing the Dockerfiles, the docker history command shows the build step of every layer, including those inherited from the Eclipse Temurin and Ubuntu base images:

docker history atlassian/confluence --no-trunc | less
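The following script is an added example, not one of the article's commands and not part of the atlassian/confluence project. It combines the three checks above (the dpkg listing, the software installed from tar.gz under /opt, and docker history) into a single inventory file that can be reviewed against a "non-essential software" policy or handed to a scanner. It assumes things the article does not state: the image tag 9.3.1, the JDK under /opt/java/openjdk (the Eclipse Temurin default JAVA_HOME), the Confluence install directory /opt/atlassian/confluence, and an illustrative watch-list of setup-time tools; the sample data at the bottom is constructed, not captured from a real image.

```shell
#!/bin/sh
# Added example: not the article's own commands and not part of the atlassian/confluence
# project. It combines the three checks above (dpkg listing, software installed from
# tar.gz under /opt, docker history) into one inventory file that can be reviewed against
# a "non-essential software" policy or handed to a scanner.
#
# Assumptions not stated in the article: the image tag 9.3.1, the JDK under
# /opt/java/openjdk (the Eclipse Temurin default JAVA_HOME) and the Confluence install
# directory /opt/atlassian/confluence. The watch-list below is illustrative.
set -eu

IMAGE="${IMAGE:-atlassian/confluence:9.3.1}"
OUT="${OUT:-confluence-image-inventory.txt}"

# dpkg packages that are useful only at build/setup time. Whether they count as
# "non-essential" in the STIG sense is a policy decision; the script only surfaces them.
SETUP_TOOLS="apt dpkg curl wget gnupg gpg python3 python3-jinja2 unzip"

# Run one shell command in a throwaway container, bypassing the image entrypoint.
in_image() {
    docker run --rm --entrypoint /bin/sh "$IMAGE" -c "$1"
}

# stdin: "package<TAB>version[<TAB>...]" lines as produced by dpkg-query below.
# stdout: the subset whose package name is on the watch-list.
flag_setup_tools() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r pkg ver _rest; do
        for tool in $SETUP_TOOLS; do
            if [ "$pkg" = "$tool" ]; then
                printf '%s\t%s\n' "$pkg" "$ver"
            fi
        done
    done
    return 0
}

# stdin: one "CreatedBy" line per layer (docker history --format '{{.CreatedBy}}').
# stdout: only the layers that installed apt packages, in the order docker prints them.
apt_layers() {
    grep -E 'apt-get +install' || true
}

# Collect everything from the live image into $OUT. Needs Docker and network access.
inventory() {
    {
        echo "## image: $IMAGE"
        echo "## dpkg packages: name, version, architecture"
        in_image "dpkg-query -W -f='\${Package}\t\${Version}\t\${Architecture}\n'"
        echo "## software installed from tar.gz (invisible to dpkg)"
        in_image 'java -version 2>&1; ls -l /opt/java/openjdk /opt/atlassian /opt/atlassian/confluence'
        echo "## setup-time tools present (review against your policy)"
        in_image "dpkg-query -W -f='\${Package}\t\${Version}\n'" | flag_setup_tools
        echo "## layers that ran apt-get install (base image layers included)"
        docker history --no-trunc --format '{{.CreatedBy}}' "$IMAGE" | apt_layers
    } > "$OUT"
    echo "wrote $OUT"
}

# Constructed sample data (not captured from a real image) so the parsing functions can be
# exercised without Docker: three dpkg rows and three history layers.
SAMPLE_DPKG="$(printf 'apt\t2.7.14build2\tamd64\nlibc6\t2.39-0ubuntu8\tamd64\npython3\t3.12.3-0ubuntu2\tamd64')"
SAMPLE_HISTORY="$(printf '/bin/sh -c #(nop)  CMD ["/entrypoint.py"]\n/bin/sh -c apt-get update && apt-get install -y --no-install-recommends fontconfig tini\n/bin/sh -c #(nop)  ENV JAVA_HOME=/opt/java/openjdk')"

# Only touch Docker when asked: ./inventory.sh --run
if [ "${1-}" = "--run" ]; then
    inventory
fi
```

Run it as "sh inventory.sh --run" on a host with Docker; without "--run" it only defines the functions, so the parsing helpers can be tried on the constructed samples (for example "printf '%s\n' "$SAMPLE_DPKG" | flag_setup_tools"). The --entrypoint override is used so the commands do not depend on how the image's own entrypoint behaves, and dpkg-query output is used in preference to "dpkg -l" because its tab-separated form is stable enough to diff between releases.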

Disclaimer

A point to take into account is that all components of the final Docker image are actively maintained by their respective vendors. In the case of a hypothetical vulnerability in the Linux OS, Ubuntu would update its image; the same applies to issues in Java or in Confluence itself. Each vulnerability is addressed and patched according to its severity. Note, however, that a fix in a base image only reaches the Confluence image once a new Confluence image has been built on top of it, so a deployed image should be re-pulled and redeployed rather than assumed to be current.

With regard to the concept of "non-essential software", there are different interpretations of whether tools used only during setup and updates, such as package management, count as essential. If a customer considers it necessary to build a custom image with fewer components, Atlassian provides a basic outline: https://atlassian.github.io/data-center-helm-charts/containers/CONFLUENCE/?h=docker#advanced-configuration

If following this route, they must be aware of the increased complexity, and carefully weigh the benefits against the risks of missing components that may be required for troubleshooting, updates or other situations.

Last modified on Feb 19, 2025
