From 77206edccbab240c8aa2d5753c4aad3bb786afca Mon Sep 17 00:00:00 2001
From: daniele
Date: Mon, 8 May 2023 22:27:08 +0300
Subject: [PATCH] Split docker build in latest and latest-rootless

One more job added to the publish Github Action, to build and push TAG-rootless images.
---
 Dockerfile | 18 ++++++---------
 Dockerfile.rootless | 53 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 11 deletions(-)
 create mode 100644 Dockerfile.rootless

diff --git a/Dockerfile b/Dockerfile
index d637070..8734c66 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,22 +25,20 @@ COPY --from=frontend-builder /app/.output/public ./app/api/static/public
 RUN CGO_ENABLED=0 GOOS=linux go build \
     -ldflags "-s -w -X main.commit=$COMMIT -X main.buildTime=$BUILD_TIME -X main.version=$VERSION" \
     -o /go/bin/api \
-    -v ./app/api/*.go && \
-    chmod +x /go/bin/api && \
-    # create a directory so that we can copy it in the next stage
-    mkdir /data
+    -v ./app/api/*.go
 
 # Production Stage
-FROM gcr.io/distroless/static
+FROM alpine:latest
 
 ENV HBOX_MODE=production
 ENV HBOX_STORAGE_DATA=/data/
 ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1
 
-# Copy the binary and the (empty) /data dir and
-# change the ownership to the low-privileged user
-COPY --from=builder --chown=nonroot /go/bin/api /app/api
-COPY --from=builder --chown=nonroot /data /data
+RUN apk --no-cache add ca-certificates
+RUN mkdir /app
+COPY --from=builder /go/bin/api /app
+
+RUN chmod +x /app/api
 
 LABEL Name=homebox Version=0.0.1
 LABEL org.opencontainers.image.source="https://github.com/hay-kot/homebox"
@@ -48,7 +46,5 @@ EXPOSE 7745
 WORKDIR /app
 VOLUME [ "/data" ]
 
-# Drop root and run as low-privileged user
-USER nonroot
 ENTRYPOINT [ "/app/api" ]
 CMD [ "/data/config.yml" ]
diff --git a/Dockerfile.rootless b/Dockerfile.rootless
new file mode 100644
index 0000000..e1c98aa
--- /dev/null
+++ b/Dockerfile.rootless
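Review bot: `FROM alpine:latest` in the new production stage makes the published `latest` image non-reproducible — the runtime base, and whatever it ships, changes on every rebuild with no change to this file; pin a release tag such as `FROM alpine:3.18` and, for the publish job, a digest (`alpine:<tag>@sha256:<digest-placeholder>`). `RUN mkdir /app` exists only so that `COPY --from=builder /go/bin/api /app` lands the binary at `/app/api` instead of as a file named `/app` (which is what `ENTRYPOINT [ "/app/api" ]` in the next hunk expects); `COPY --from=builder /go/bin/api /app/api` states that directly and drops a layer. The trailing `RUN chmod +x /app/api` rewrites the entire binary into one more layer and is redundant, since `go build -o` already emits an executable; if a mode must be forced, `COPY --from=builder --chmod=0755 /go/bin/api /app/api` does it inside the copy layer under BuildKit.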
@@ -0,0 +1,53 @@
+
+# Build Nuxt
+FROM node:17-alpine as frontend-builder
+WORKDIR /app
+RUN npm install -g pnpm
+COPY frontend/package.json frontend/pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile --shamefully-hoist
+COPY frontend .
+RUN pnpm build
+
+# Build API
+FROM golang:alpine AS builder
+ARG BUILD_TIME
+ARG COMMIT
+ARG VERSION
+RUN apk update && \
+    apk upgrade && \
+    apk add --update git build-base gcc g++
+
+WORKDIR /go/src/app
+COPY ./backend .
+RUN go get -d -v ./...
+RUN rm -rf ./app/api/public
+COPY --from=frontend-builder /app/.output/public ./app/api/static/public
+RUN CGO_ENABLED=0 GOOS=linux go build \
+    -ldflags "-s -w -X main.commit=$COMMIT -X main.buildTime=$BUILD_TIME -X main.version=$VERSION" \
+    -o /go/bin/api \
+    -v ./app/api/*.go && \
+    chmod +x /go/bin/api && \
+    # create a directory so that we can copy it in the next stage
+    mkdir /data
+
+# Production Stage
+FROM gcr.io/distroless/static
+
+ENV HBOX_MODE=production
+ENV HBOX_STORAGE_DATA=/data/
+ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_fk=1
+
+# Copy the binary and the (empty) /data dir and
+# change the ownership to the low-privileged user
+COPY --from=builder --chown=nonroot /go/bin/api /app
+COPY --from=builder --chown=nonroot /data /data
+
+LABEL Name=homebox Version=0.0.1
+LABEL org.opencontainers.image.source="https://github.com/hay-kot/homebox"
+EXPOSE 7745
+VOLUME [ "/data" ]
+
+# Drop root and run as low-privileged user
+USER nonroot
+ENTRYPOINT [ "/app" ]
+CMD [ "/data/config.yml" ]
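Review bot: Dockerfile.rootless repeats the entire frontend and API build stages of Dockerfile verbatim and differs only in its production stage, so every future build fix (Go or Node version, ldflags, copied paths) has to be applied twice and the two variants will drift apart. A single Dockerfile with two named final stages — e.g. `FROM alpine:<pinned> AS root` and `FROM gcr.io/distroless/static:nonroot AS rootless` — selected in the publish job with `docker build --target rootless` keeps one build definition for both tags. Independently of that, the rootless file inherits unpinned bases (`FROM golang:alpine AS builder`, `FROM gcr.io/distroless/static`, and `node:17-alpine`, a Node line that is no longer maintained), so the image advertised as the hardened variant is not reproducible either; pinning `gcr.io/distroless/static:nonroot` (or a digest) also sets the unprivileged user by default, making the explicit `USER nonroot` a documented double-check rather than the only guard. The `chmod +x /go/bin/api` in the go build step is redundant because `go build -o` already emits an executable, and `as frontend-builder` should be `AS frontend-builder` to match the `AS builder` stage in the same file.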