From 0399f38f02015ad355350434a8a95adaeb933f79 Mon Sep 17 00:00:00 2001
From: xdrm-brackets
Date: Mon, 9 Mar 2020 18:40:01 +0100
Subject: [PATCH] container from scratch (5M)
---
 Dockerfile | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 76e6085..b88088e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,39 @@
 FROM golang:alpine as builder
-ENV GO111MODULE=on
-RUN apk add git
+RUN apk add --no-cache git
 ADD . /app
-
 WORKDIR /app
+
+# create appuser
+ENV USER=appuser
+ENV UID=10001
+
+# See https://stackoverflow.com/a/55757473/12429735RUN
+RUN adduser \
+ --disabled-password \
+ --gecos "" \
+ --home "/nonexistent" \
+ --shell "/sbin/nologin" \
+ --no-create-home \
+ --uid "${UID}" \
+ "${USER}"
+
 RUN go mod download
-RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o binary
 
-FROM alpine:latest as production
-RUN mkdir /app
-COPY --from=builder /app/binary /app
-COPY --from=builder /app/api.json /app
+FROM scratch as production
+
+# import the user and group files from the builder.
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+
+# copy executable & config
+COPY --from=builder /app/binary /app/
+COPY --from=builder /app/api.json /app/
+
+# Use an unprivileged user.
+USER appuser:appuser
+WORKDIR /app/
 
-WORKDIR /app
 EXPOSE 4242/tcp
-CMD "/app/binary"
\ No newline at end of file
+CMD ["/app/binary"]
\ No newline at end of file
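Review bot: The two `COPY --from=builder /etc/passwd /etc/passwd` / `/etc/group` lines in the production stage import the builder image's whole account database (root and every Alpine system account, with their login shells) into the scratch image, when only the `appuser` entry is needed to resolve `USER appuser:appuser`. Docker accepts numeric IDs, so the least-privilege form is to drop both copies and write `USER 10001:10001`, which also lets Kubernetes `runAsNonRoot` verify the UID without a passwd file; if the name must resolve, extract just that entry in the builder (`RUN grep '^appuser:' /etc/passwd > /tmp/passwd.min`) and copy that file instead. The comment `# See https://stackoverflow.com/a/55757473/12429735RUN` has a stray `RUN` fused onto the URL that should be removed. Note also that `scratch` ships no CA bundle or zoneinfo, so if the binary makes outbound TLS connections or loads time zones it will need `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` (and `golang:alpine`, left as context, is still an unpinned tag).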