From 0399f38f02015ad355350434a8a95adaeb933f79 Mon Sep 17 00:00:00 2001
From: xdrm-brackets <xdrm.brackets.dev@gmail.com>
Date: Mon, 9 Mar 2020 18:40:01 +0100
Subject: [PATCH] container from scratch (5M)

---
 Dockerfile | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 76e6085..b88088e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,39 @@
 FROM golang:alpine as builder
 
-ENV GO111MODULE=on
-RUN apk add git
+RUN apk add --no-cache git
 ADD . /app
-
 WORKDIR /app
+
+# create appuser
+ENV USER=appuser
+ENV UID=10001
+
+# See https://stackoverflow.com/a/55757473/12429735RUN
+RUN adduser \
+    --disabled-password \
+    --gecos "" \
+    --home "/nonexistent" \
+    --shell "/sbin/nologin" \
+    --no-create-home \
+    --uid "${UID}" \
+    "${USER}"
+
 RUN go mod download
-RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o binary
 
-FROM alpine:latest as production
-RUN mkdir /app
-COPY --from=builder /app/binary /app
-COPY --from=builder /app/api.json /app
+FROM scratch as production
+
+# import the user and group files from the builder.
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+
+# copy executable & config
+COPY --from=builder /app/binary /app/
+COPY --from=builder /app/api.json /app/
+
+# Use an unprivileged user.
+USER appuser:appuser
+WORKDIR /app/
 
-WORKDIR /app
 EXPOSE 4242/tcp
-CMD "/app/binary"
\ No newline at end of file
+CMD ["/app/binary"]
\ No newline at end of file