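# syntax=docker/dockerfile:1
# === Pre Stages global arguments ===========================================
# --- Project Name ---
ARG PROJECT_NAME="bezuncapi"
# --- Create auth ---
ARG USERNAME="bezunca"

# === Stage 1 - Build go project ===========================================
FROM golang:1.14.4-buster AS builder
ARG PROJECT_NAME
ARG USERNAME
# Build-time only: keeps APT non-interactive without leaking the setting into a runtime env
ARG DEBIAN_FRONTEND=noninteractive
# Make a RUN fail when any command of a pipeline fails (the default sh only reports the last one)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Add APT config file
# NOTE(security): this is an unpinned gist "raw" URL, so its contents can change between builds.
# Pin the gist revision in the URL and add `--checksum=sha256:<digest of the reviewed file>`
# so the build fails if the fetched file differs from what was reviewed.
ADD "https://gist.githubusercontent.com/HeavenVolkoff/ff7b77b9087f956b8df944772e93c071/raw" /etc/apt/apt.conf.d/99custom
# Update APT and install build requirements in the same layer. -y/--no-install-recommends are
# explicit so the install does not depend on what the fetched apt.conf sets; the package lists
# are removed in this layer so they are not cached. `ssh` (which pulls in openssh-server) and
# `zip` are not needed: only the ssh client is used, and the tz database comes from GOROOT below.
RUN apt-get update -qq \
    && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        git \
        openssh-client \
        tzdata \
        upx \
    && rm -rf /var/lib/apt/lists/* \
# Route GitHub HTTPS module URLs over SSH so private modules can use the deploy key below
    && git config --global url."git@github.com:".insteadOf "https://github.com/"
# Let the go tool fetch private modules directly instead of via the public proxy / sumdb
ENV GOPRIVATE="github.com/Bezunca/*"
# Create build directory
WORKDIR /src/proj
# Deploy key for private modules: either a link to a tar archive extracted into /root
# (expected to contain .ssh/...) or the key text itself.
ARG SSH_KEY_LINK
ARG SSH_KEY
# NOTE(security): build args are recorded in `docker history` of the builder stage and the key
# written to /root/.ssh stays in its cached layers. With BuildKit, pass the key with
# `docker build --secret id=ssh_key,src=<path>` and mount it on the `go mod download` step via
# `RUN --mount=type=secret,id=ssh_key,target=/root/.ssh/id_rsa` so it never enters a layer.
RUN test -n "$SSH_KEY_LINK" || test -n "$SSH_KEY" \
    || { echo "You must provide SSH_KEY_LINK or SSH_KEY" >&2; exit 1; }
# Install the key. A failed download or write fails the build here instead of being swallowed
# by `|| true` and surfacing later as an opaque auth error from `go mod download`.
RUN mkdir -p ~/.ssh \
    && chmod 700 ~/.ssh \
    && if [ -n "$SSH_KEY_LINK" ]; then \
# TLS is verified (no -k); -f turns an HTTP error page into a failure instead of tar input
        curl -fsSL "$SSH_KEY_LINK" | tar -C /root -x; \
    fi \
    && if [ -n "$SSH_KEY" ]; then \
        printf '%s\n' "$SSH_KEY" | tr -d '\r' > ~/.ssh/id_rsa \
        && chmod 600 ~/.ssh/id_rsa; \
    fi
# Pin GitHub's host key so ssh does not prompt. ssh-keyscan trusts whatever answers at build
# time; compare the scanned key with GitHub's published SSH fingerprints before relying on it.
RUN ssh-keyscan -p 22 github.com > ~/.ssh/known_hosts \
    && chmod 644 ~/.ssh/known_hosts
# Module manifests first so the dependency layer is reused until they change
# (go.su[m] is a glob so a project without go.sum still builds)
COPY go.mod go.su[m] ./
# Downloading dependencies
RUN go mod download
# Copy project sources (exclude .git, local keys and .env files through .dockerignore)
COPY . .
# Static, stripped linux/amd64 executable
RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags='-w -s -extldflags "-static"' -o "executable" ./cmd/${PROJECT_NAME}
# Compress executable size
RUN upx --best --ultra-brute "executable"
# Unprivileged runtime account (uid 1001, gid 65534 = nogroup) and its writable log directory;
# the home directory is created explicitly so it gets the same owner as the logs directory
RUN useradd -b /home -s /bin/sh -u 1001 -g 65534 ${USERNAME} \
    && install -g 65534 -o 1001 -d /home/${USERNAME} /home/${USERNAME}/logs

# === Stage 2 - Setup runtime ==================================================
FROM scratch
ARG USERNAME
# Only the paths copied below reach the runtime image: no shell, package manager or setuid binary
COPY --from=builder /src/proj/executable /usr/local/bin/executable
## Import the auth and group files from the builder.
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group
COPY --from=builder /home/ /home/
# Go reads the tz database from the zip named by ZONEINFO; the toolchain's own copy has the
# entry names (e.g. Europe/Paris) that time.LoadLocation looks up, which a zip of
# /usr/share/zoneinfo with its full path prefix does not
COPY --from=builder /usr/local/go/lib/time/zoneinfo.zip /zoneinfo.zip
ENV ZONEINFO=/zoneinfo.zip
# CA bundle so outbound TLS from the static binary can verify peers
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Setup runtime
USER ${USERNAME}
# Declared after the builder populated the directory, so its ownership is kept
VOLUME /home/${USERNAME}/logs
WORKDIR /home/${USERNAME}
# Exposed ports (unprivileged port, so it can be bound by the non-root user)
EXPOSE 8080
# Run application
ENTRYPOINT ["/usr/local/bin/executable"]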