harden docker image (#290)

4b4d761b · Wolfgang Welz · GitHub · 1befc3a9 · 4b4d761b · 4b4d761b
Unverified Commit 4b4d761b authored 5 years ago by Wolfgang Welz Committed by GitHub 5 years ago
--- a/.dockerignore
+++ b/.dockerignore
+.git
+.gitignore
+LICENSE
+README.md
+CHANGELOG.md
+images/
+docker-compose.yml
+tools/
+client/
 # Database directory
 mainnetdb/
--- a/Dockerfile
+++ b/Dockerfile
-# we need to use alpine to build since cgo is required
+############################
-FROM golang:1.14-alpine AS build
+# Build
-RUN apk add --no-cache git gcc g++
+############################
+# golang:1.14.0-buster
+FROM golang@sha256:fc7e7c9c4b0f6d2d5e8611ee73b9d1d3132750108878517bbf988aa772359ae4 AS build
+# Ensure ca-certficates are up to date
+RUN update-ca-certificates
 # Set the current Working Directory inside the container
 RUN mkdir /goshimmer
 WORKDIR /goshimmer
-# Download dependencies
+# Use Go Modules
-COPY go.mod . 
+COPY go.mod .
 COPY go.sum .
+ENV GO111MODULE=on
 RUN go mod download
+RUN go mod verify
 # Copy everything from the current directory to the PWD(Present Working Directory) inside the container
 COPY . .
-# Build
+# Build the binary
-RUN CGO_ENABLED=1 GOOS=linux go build -o /go/bin/goshimmer
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+      -ldflags='-w -s -extldflags "-static"' -a \
-FROM alpine:latest  
+       -o /go/bin/goshimmer
-RUN apk --no-cache add ca-certificates
-WORKDIR /app
+############################
+# Image
+############################
+# using static nonroot image
+# user:group is nonroot:nonroot, uid:gid = 65532:65532
+FROM gcr.io/distroless/static@sha256:23aa732bba4c8618c0d97c26a72a32997363d591807b0d4c31b0bbc8a774bddf
-VOLUME /app/mainnetdb
+VOLUME /mainnetdb
 EXPOSE 14666/tcp
 EXPOSE 14626/udp
 # Copy the Pre-built binary file from the previous stage
-COPY --from=build /go/bin/goshimmer .
+COPY --from=build /go/bin/goshimmer /run/goshimmer
-# Copy the docker config
+# Copy the default config
-COPY config.json config.json
+COPY config.default.json config.json
-ENTRYPOINT ["./goshimmer"] 
+ENTRYPOINT ["/run/goshimmer", "--database.directory=/mainnetdb"]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,7 @@ services:
    container_name: iota_goshimmer
    restart: unless-stopped
    volumes:
-      - ./mainnetdb:/app/mainnetdb:rw
+      - ./mainnetdb/:/mainnetdb/:rw
    ports:
      - "14666:14666/tcp"
      - "14626:14626/udp"