From 4b4d761b19481213d7734a0625e784332b40475a Mon Sep 17 00:00:00 2001
From: Wolfgang Welz <welzwo@gmail.com>
Date: Mon, 16 Mar 2020 15:46:55 +0100
Subject: [PATCH] harden docker image (#290)

---
 .dockerignore      | 12 ++++++++++++
 Dockerfile         | 45 ++++++++++++++++++++++++++++-----------------
 docker-compose.yml |  2 +-
 3 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index f860d2cf..8e8d2930 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,14 @@
+.git
+.gitignore
+
+LICENSE
+README.md
+CHANGELOG.md
+images/
+docker-compose.yml
+
+tools/
+client/
+
 # Database directory
 mainnetdb/
diff --git a/Dockerfile b/Dockerfile
index b786c918..89d34179 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,36 +1,47 @@
-# we need to use alpine to build since cgo is required
-FROM golang:1.14-alpine AS build
-RUN apk add --no-cache git gcc g++
+############################
+# Build
+############################
+# golang:1.14.0-buster
+FROM golang@sha256:fc7e7c9c4b0f6d2d5e8611ee73b9d1d3132750108878517bbf988aa772359ae4 AS build
+
+# Ensure ca-certficates are up to date
+RUN update-ca-certificates
 
 # Set the current Working Directory inside the container
 RUN mkdir /goshimmer
 WORKDIR /goshimmer
 
-# Download dependencies
-COPY go.mod . 
+# Use Go Modules
+COPY go.mod .
 COPY go.sum .
+
+ENV GO111MODULE=on
 RUN go mod download
+RUN go mod verify
 
 # Copy everything from the current directory to the PWD(Present Working Directory) inside the container
 COPY . .
 
-# Build
-RUN CGO_ENABLED=1 GOOS=linux go build -o /go/bin/goshimmer
-
-FROM alpine:latest  
-
-RUN apk --no-cache add ca-certificates
+# Build the binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+      -ldflags='-w -s -extldflags "-static"' -a \
+       -o /go/bin/goshimmer
 
-WORKDIR /app
+############################
+# Image
+############################
+# using static nonroot image
+# user:group is nonroot:nonroot, uid:gid = 65532:65532
+FROM gcr.io/distroless/static@sha256:23aa732bba4c8618c0d97c26a72a32997363d591807b0d4c31b0bbc8a774bddf
 
-VOLUME /app/mainnetdb
+VOLUME /mainnetdb
 
 EXPOSE 14666/tcp
 EXPOSE 14626/udp
 
 # Copy the Pre-built binary file from the previous stage
-COPY --from=build /go/bin/goshimmer .
-# Copy the docker config
-COPY config.json config.json
+COPY --from=build /go/bin/goshimmer /run/goshimmer
+# Copy the default config
+COPY config.default.json config.json
 
-ENTRYPOINT ["./goshimmer"] 
+ENTRYPOINT ["/run/goshimmer", "--database.directory=/mainnetdb"]
diff --git a/docker-compose.yml b/docker-compose.yml
index c119216f..564c10f3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,7 @@ services:
     container_name: iota_goshimmer
     restart: unless-stopped
     volumes:
-      - ./mainnetdb:/app/mainnetdb:rw
+      - ./mainnetdb/:/mainnetdb/:rw
     ports:
       - "14666:14666/tcp"
       - "14626:14626/udp"
-- 
GitLab