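# syntax=docker/dockerfile:1
# Start by building the application.
# The --mount=type=cache on the build step requires BuildKit; the syntax line
# above pins the Dockerfile frontend so that feature is always available.
# NOTE(review): the base tag pins only a minor version; pin by digest
# (@sha256:...) if fully reproducible builds are required.
FROM mcr.microsoft.com/oss/go/microsoft/golang:1.20-fips-cbl-mariner1.0 AS build
RUN tdnf install -y ca-certificates procps-ng
# create an empty directory that we will use as a COPY source from the final stage
# so that the nonroot owns the /data directory (there is no mkdir in distroless)
WORKDIR /empty
# create files with default connection strings for the runtime image
WORKDIR /defaults
RUN echo "/data/metadata.db" > /defaults/database_connection_string \
    && echo "/data/blobs" > /defaults/storage_connection_string
WORKDIR /go/src/app
# Copy the module manifests on their own first so the dependency download is
# cached independently of source changes, and so `go mod download` checks the
# fetched modules against the committed go.sum instead of trusting whatever it
# receives. go.sum is matched with a glob so the step still succeeds for a
# module that has no dependencies (and therefore no go.sum) yet.
COPY go.mod go.sum* ./
RUN go mod download
# Everything else (including go.sum, if present) comes in after the dependency
# layer; keep a .dockerignore next to this file so build output, .git and any
# local secret files are not sent to the builder.
COPY . .
RUN --mount=type=cache,target=/root/.cache/go-build go build -o /go/bin/app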
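# Create a non-root user that will be used in the runtime image.
# Only /etc/passwd and /etc/group produced here are copied into the runtime
# image, so nothing else from this stage (shadow-utils, package cache) reaches it.
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 AS user_creator
# shadow-utils provides groupadd/adduser. The package cache is cleaned in the
# same layer that created it. The fixed uid/gid 101 is the identity the runtime
# stage refers to, so change it in both places together.
RUN tdnf install -y shadow-utils \
    && tdnf clean all \
    && groupadd \
        --system \
        --gid=101 \
        nonroot \
    && adduser \
        --uid 101 \
        --gid nonroot \
        --shell /bin/false \
        --no-create-home \
        --system \
        nonroot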
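# Now create the runtime image.
FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0
# Copy in the user and group files so the nonroot account (uid/gid 101, defined
# in the user_creator stage) exists in the runtime image. This must precede any
# --chown or USER that refers to the account by name.
COPY --from=user_creator /etc/passwd /etc/group /etc/
# Set up /data as the default storage directory for filesystem-based providers.
# The source is an empty directory from the build stage because distroless has
# no shell or mkdir; --chown makes it writable by the runtime user.
COPY --from=build --chown=nonroot:nonroot /empty/ /data
# Set up defaults for the database and storage connection strings.
# Here we use the _FILE suffix for the environment variables, which can be overridden
# by setting the variable to the path of a mounted secret. This is often more secure than
# providing the connection string directly in the variables without the _FILE suffix, but either
# approach will override the defaults set here.
COPY --from=build --chown=nonroot:nonroot /defaults/ /defaults/
ENV MRD_STORAGE_SERVER_DATABASE_CONNECTION_STRING_FILE=/defaults/database_connection_string \
    MRD_STORAGE_SERVER_STORAGE_CONNECTION_STRING_FILE=/defaults/storage_connection_string
COPY --from=build /go/bin/app /
# Run as the numeric uid:gid rather than the account name: runtimes that enforce
# a non-root policy (e.g. Kubernetes runAsNonRoot) can only verify a numeric
# USER and refuse to start an image whose USER is a name. 101:101 is the
# nonroot account from /etc/passwd above, so the process identity is unchanged.
USER 101:101
ENTRYPOINT ["/app"]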