From 4b4d761b19481213d7734a0625e784332b40475a Mon Sep 17 00:00:00 2001
From: Wolfgang Welz <welzwo@gmail.com>
Date: Mon, 16 Mar 2020 15:46:55 +0100
Subject: [PATCH] harden docker image (#290)

---
 .dockerignore | 12 ++++++++++++
 Dockerfile | 45 ++++++++++++++++++++++++++++-----------------
 docker-compose.yml | 2 +-
 3 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index f860d2cf..8e8d2930 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,14 @@
+.git
+.gitignore
+
+LICENSE
+README.md
+CHANGELOG.md
+images/
+docker-compose.yml
+
+tools/
+client/
+
 # Database directory
 mainnetdb/
diff --git a/Dockerfile b/Dockerfile
index b786c918..89d34179 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,36 +1,47 @@
-# we need to use alpine to build since cgo is required
-FROM golang:1.14-alpine AS build
-RUN apk add --no-cache git gcc g++
+############################
+# Build
+############################
+# golang:1.14.0-buster
+FROM golang@sha256:fc7e7c9c4b0f6d2d5e8611ee73b9d1d3132750108878517bbf988aa772359ae4 AS build
+
+# Ensure ca-certficates are up to date
+RUN update-ca-certificates
 
 # Set the current Working Directory inside the container
 RUN mkdir /goshimmer
 WORKDIR /goshimmer
 
-# Download dependencies
-COPY go.mod .
+# Use Go Modules
+COPY go.mod .
 COPY go.sum .
+
+ENV GO111MODULE=on
 RUN go mod download
+RUN go mod verify
 
 # Copy everything from the current directory to the PWD(Present Working Directory) inside the container
 COPY . .
 
-# Build
-RUN CGO_ENABLED=1 GOOS=linux go build -o /go/bin/goshimmer
-
-FROM alpine:latest
-
-RUN apk --no-cache add ca-certificates
+# Build the binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+ -ldflags='-w -s -extldflags "-static"' -a \
+ -o /go/bin/goshimmer
 
-WORKDIR /app
+############################
+# Image
+############################
+# using static nonroot image
+# user:group is nonroot:nonroot, uid:gid = 65532:65532
+FROM gcr.io/distroless/static@sha256:23aa732bba4c8618c0d97c26a72a32997363d591807b0d4c31b0bbc8a774bddf
 
-VOLUME /app/mainnetdb
+VOLUME /mainnetdb
 
 EXPOSE 14666/tcp
 EXPOSE 14626/udp
 
 # Copy the Pre-built binary file from the previous stage
-COPY --from=build /go/bin/goshimmer .
-# Copy the docker config
-COPY config.json config.json
+COPY --from=build /go/bin/goshimmer /run/goshimmer
+# Copy the default config
+COPY config.default.json config.json
 
-ENTRYPOINT ["./goshimmer"]
+ENTRYPOINT ["/run/goshimmer", "--database.directory=/mainnetdb"]
diff --git a/docker-compose.yml b/docker-compose.yml
index c119216f..564c10f3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
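Review bot: `VOLUME /mainnetdb` is declared in the distroless stage without that directory ever being created or chowned, while the stage comment says the process runs as nonroot (65532:65532); a directory the builder creates implicitly for VOLUME is root-owned, so a fresh anonymous or named volume will presumably be unwritable by the database and the node fails at startup with a permission error. The final image has no shell, so prepare the directory in the build stage and copy it with ownership, e.g. `RUN mkdir /mainnetdb` in the build stage and `COPY --from=build --chown=65532:65532 /mainnetdb /mainnetdb` placed before `VOLUME /mainnetdb`. `COPY . .` is still the way source reaches the build stage, so the .dockerignore in this patch only denylists a few paths; an allowlist (`*` followed by `!go.mod`, `!go.sum`, `!**/*.go` and the config file) would keep local secrets or untracked files out of the build context without having to enumerate them. Minor: the comment `# Ensure ca-certficates are up to date` misspells `ca-certificates`, and `RUN mkdir /goshimmer` is redundant because `WORKDIR /goshimmer` creates the directory.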
@@ -11,7 +11,7 @@ services:
 container_name: iota_goshimmer
 restart: unless-stopped
 volumes:
- - ./mainnetdb:/app/mainnetdb:rw
+ - ./mainnetdb/:/mainnetdb/:rw
 ports:
 - "14666:14666/tcp"
 - "14626:14626/udp"
--
GitLab
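Review bot: The bind mount `./mainnetdb/:/mainnetdb/:rw` is now written by a process that, per the Dockerfile comment in this patch, runs as uid 65532 instead of root; if `./mainnetdb` does not exist the daemon creates it root-owned, and one created by the invoking user has that user's uid, so in both cases the database directory is presumably unwritable on first start. Document the requirement next to the volume entry, e.g. `# host directory must be writable by uid 65532 (distroless nonroot user)`, so operators know to prepare ownership before `docker-compose up`.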