xeoncross · April 9, 2024 05:20 · xeoncross · Mar 13, 2019
diff --git a/Dockerfile1 b/Dockerfile1
 # Sample from @citizen428 https://dev.to/citizen428/comment/6cmh
 FROM golang:alpine as build
 RUN apk add --no-cache ca-certificates
 WORKDIR /build
 ADD . .
 RUN CGO_ENABLED=0 GOOS=linux \
    go build -ldflags '-extldflags "-static"' -o app

 FROM scratch
 COPY --from=build /etc/ssl/certs/ca-certificates.crt \
     /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /build/app /app
 ENTRYPOINT ["/app"]
diff --git a/Dockerfile2 b/Dockerfile2
 # https://www.reddit.com/r/golang/comments/9u7qnl/deploying_go_apps_on_docker_scratch_images/

 # This is the first stage, for building things that will be required by the
 # final stage (notably the binary)
 FROM golang

 # Copy in just the go.mod and go.sum files, and download the dependencies. By
 # doing this before copying in the other dependencies, the Docker build cache
 # can skip these steps so long as neither of these two files change.
 COPY go.mod go.sum ./
 RUN go mod download

 # Assuming the source code is collocated to this Dockerfile
 COPY . .

 # Build the Go app with CGO_ENABLED=0 so we use the pure-Go implementations for
 # things like DNS resolution (so we don't build a binary that depends on system
 # libraries)
 RUN CGO_ENABLED=0 go build -o /myapp

 # Create a "nobody" non-root user for the next image by crafting an /etc/passwd
 # file that the next image can copy in. This is necessary since the next image
 # is based on scratch, which doesn't have adduser, cat, echo, or even sh.
 RUN echo "nobody:x:65534:65534:Nobody:/:" > /etc_passwd

 # The second and final stage
 FROM scratch

 # Copy the binary from the builder stage
 COPY --from=0 /myapp /myapp

 # Copy the certs from the builder stage
 COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

 # Copy the /etc/passwd file we created in the builder stage. This creates a new
 # non-root user as a security best practice.
 COPY --from=0 /etc/passwd /etc/passwd

 # Run as the new non-root by default
 USER nobody
diff --git a/Dockerfile3 b/Dockerfile3
 # https://medium.com/@pierreprinetti/the-go-1-11-dockerfile-a3218319d191

 # Accept the Go version for the image to be set as a build argument.
 # Default to Go 1.11
 ARG GO_VERSION=1.11

 # First stage: build the executable.
 FROM golang:${GO_VERSION}-alpine AS builder

 # Create the user and group files that will be used in the running container to
 # run the process an unprivileged user.
 RUN mkdir /user && \
    echo 'nobody:x:65534:65534:nobody:/:' > /user/passwd && \
    echo 'nobody:x:65534:' > /user/group

 # Install the Certificate-Authority certificates for the app to be able to make
 # calls to HTTPS endpoints.
 RUN apk add --no-cache ca-certificates

 # Set the environment variables for the go command:
 # * CGO_ENABLED=0 to build a statically-linked executable
 # * GOFLAGS=-mod=vendor to force `go build` to look into the `/vendor` forlder.
 ENV CGO_ENABLED=0 GOFLAGS=-mod=vendor

 # Set the working directory outside $GOPATH to enable the support for modules.
 WORKDIR /src

 # Import the code from the context.
 COPY ./ ./

 # Build the executable to `/app`. Mark the build as statically linked.
 RUN go build \
    -installsuffix 'static' \
    -o /app .

 # Final stage: the running container.
 FROM scratch AS final

 # Import the user and group files from the first stage.
 COPY --from=builder /user/group /user/passwd /etc/

 # Import the Certificate-Authority certificates for enabling HTTPS.
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

 # Import the compiled executable from the second stage.
 COPY --from=builder /app /app

 # Declare the port on which the webserver will be exposed.
 # As we're going to run the executable as an unprivileged user, we can't bind
 # to ports below 1024.
 EXPOSE 8080

 # Perform any further action as an unprivileged user.
 USER nobody:nobody

 # Run the compiled binary.
 ENTRYPOINT ["/app"]
diff --git a/Dockerfile4 b/Dockerfile4
 # https://raw.githubusercontent.com/syntaqx/sandbox/
 # Use Alphine instead of Scratch as it's be hardened
 # Accept image version tags to be set as a build arguments
 ARG GO_VERSION=1.11
 ARG ALPINE_VERSION=3.8

 # Throw-away builder container
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS builder

 # Install build and runtime dependencies
 # - Git is required for fetching Go dependencies
 # - Certificate-Authority certificates are required to call HTTPs endpoints
 RUN apk add --no-cache git ca-certificates

 # Normalize the base environment
 # - CGO_ENABLED: to build a statically linked executable
 # - GO111MODULE: force go module behavior and ignore any vendor directories
 ENV CGO_ENABLED=0 GO111MODULE=on

 # Set the builder working directory
 WORKDIR /go/src/github.com/syntaqx/sandbox

 # Fetch modules first. Module dependencies are less likely to change per build,
 # so we benefit from layer caching
 ADD ./go.mod ./go.sum* ./
 RUN go mod download

 # Import the remaining source from the context
 COPY . /go/src/github.com/syntaqx/sandbox

 # Build a statically linked executable
 RUN go build -installsuffix cgo -ldflags '-s -w' -o ./bin/app ./cmd/app

 # Runtime container
 FROM alpine:${ALPINE_VERSION}

 # Copy the binary and sources from the builder stage
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/syntaqx/sandbox/bin/app ./app

 # Create a non-root runtime user
 RUN addgroup -S sandbox && adduser -S -G sandbox sandbox && chown -R sandbox:sandbox ./app
 USER sandbox

 # Document the service listening port(s)
 EXPOSE 8080

 # Define the containers executable entrypoint
 ENTRYPOINT ["./app"]
diff --git a/Dockerfile5 b/Dockerfile5
 # https://github.com/usefathom/fathom/blob/master/Dockerfile
 # Building a Go backend + Javascript UI
 FROM node:alpine AS assetbuilder
 WORKDIR /app
 COPY package*.json ./
 COPY gulpfile.js ./
 COPY assets/ ./assets/
 RUN npm install && NODE_ENV=production ./node_modules/gulp/bin/gulp.js

 FROM golang:latest AS binarybuilder
 WORKDIR /go/src/github.com/usefathom/fathom
 COPY . /go/src/github.com/usefathom/fathom
 COPY --from=assetbuilder /app/assets/build ./assets/build
 RUN make docker

 FROM alpine:latest
 EXPOSE 8080
 HEALTHCHECK --retries=10 CMD ["wget", "-qO-", "http://localhost:8080/health"]
 RUN apk add --update --no-cache bash ca-certificates
 WORKDIR /app
 COPY --from=binarybuilder /go/src/github.com/usefathom/fathom/fathom .
 CMD ["./fathom", "server"]
	# Sample from @citizen428 https://dev.to/citizen428/comment/6cmh
	FROM golang:alpine as build
	RUN apk add --no-cache ca-certificates
	WORKDIR /build
	ADD . .
	RUN CGO_ENABLED=0 GOOS=linux \
	go build -ldflags '-extldflags "-static"' -o app

	FROM scratch
	COPY --from=build /etc/ssl/certs/ca-certificates.crt \
	/etc/ssl/certs/ca-certificates.crt
	COPY --from=build /build/app /app
	ENTRYPOINT ["/app"]
	# https://www.reddit.com/r/golang/comments/9u7qnl/deploying_go_apps_on_docker_scratch_images/

	# This is the first stage, for building things that will be required by the
	# final stage (notably the binary)
	FROM golang

	# Copy in just the go.mod and go.sum files, and download the dependencies. By
	# doing this before copying in the other dependencies, the Docker build cache
	# can skip these steps so long as neither of these two files change.
	COPY go.mod go.sum ./
	RUN go mod download

	# Assuming the source code is collocated to this Dockerfile
	COPY . .

	# Build the Go app with CGO_ENABLED=0 so we use the pure-Go implementations for
	# things like DNS resolution (so we don't build a binary that depends on system
	# libraries)
	RUN CGO_ENABLED=0 go build -o /myapp

	# Create a "nobody" non-root user for the next image by crafting an /etc/passwd
	# file that the next image can copy in. This is necessary since the next image
	# is based on scratch, which doesn't have adduser, cat, echo, or even sh.
	RUN echo "nobody:x:65534:65534:Nobody:/:" > /etc_passwd

	# The second and final stage
	FROM scratch

	# Copy the binary from the builder stage
	COPY --from=0 /myapp /myapp

	# Copy the certs from the builder stage
	COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

	# Copy the /etc/passwd file we created in the builder stage. This creates a new
	# non-root user as a security best practice.
	COPY --from=0 /etc/passwd /etc/passwd

	# Run as the new non-root by default
	USER nobody
	# https://medium.com/@pierreprinetti/the-go-1-11-dockerfile-a3218319d191

	# Accept the Go version for the image to be set as a build argument.
	# Default to Go 1.11
	ARG GO_VERSION=1.11

	# First stage: build the executable.
	FROM golang:${GO_VERSION}-alpine AS builder

	# Create the user and group files that will be used in the running container to
	# run the process an unprivileged user.
	RUN mkdir /user && \
	echo 'nobody:x:65534:65534:nobody:/:' > /user/passwd && \
	echo 'nobody:x:65534:' > /user/group

	# Install the Certificate-Authority certificates for the app to be able to make
	# calls to HTTPS endpoints.
	RUN apk add --no-cache ca-certificates

	# Set the environment variables for the go command:
	# * CGO_ENABLED=0 to build a statically-linked executable
	# * GOFLAGS=-mod=vendor to force `go build` to look into the `/vendor` forlder.
	ENV CGO_ENABLED=0 GOFLAGS=-mod=vendor

	# Set the working directory outside $GOPATH to enable the support for modules.
	WORKDIR /src

	# Import the code from the context.
	COPY ./ ./

	# Build the executable to `/app`. Mark the build as statically linked.
	RUN go build \
	-installsuffix 'static' \
	-o /app .

	# Final stage: the running container.
	FROM scratch AS final

	# Import the user and group files from the first stage.
	COPY --from=builder /user/group /user/passwd /etc/

	# Import the Certificate-Authority certificates for enabling HTTPS.
	COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

	# Import the compiled executable from the second stage.
	COPY --from=builder /app /app

	# Declare the port on which the webserver will be exposed.
	# As we're going to run the executable as an unprivileged user, we can't bind
	# to ports below 1024.
	EXPOSE 8080

	# Perform any further action as an unprivileged user.
	USER nobody:nobody

	# Run the compiled binary.
	ENTRYPOINT ["/app"]
	# https://raw.githubusercontent.com/syntaqx/sandbox/
	# Use Alphine instead of Scratch as it's be hardened
	# Accept image version tags to be set as a build arguments
	ARG GO_VERSION=1.11
	ARG ALPINE_VERSION=3.8

	# Throw-away builder container
	FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS builder

	# Install build and runtime dependencies
	# - Git is required for fetching Go dependencies
	# - Certificate-Authority certificates are required to call HTTPs endpoints
	RUN apk add --no-cache git ca-certificates

	# Normalize the base environment
	# - CGO_ENABLED: to build a statically linked executable
	# - GO111MODULE: force go module behavior and ignore any vendor directories
	ENV CGO_ENABLED=0 GO111MODULE=on

	# Set the builder working directory
	WORKDIR /go/src/github.com/syntaqx/sandbox

	# Fetch modules first. Module dependencies are less likely to change per build,
	# so we benefit from layer caching
	ADD ./go.mod ./go.sum* ./
	RUN go mod download

	# Import the remaining source from the context
	COPY . /go/src/github.com/syntaqx/sandbox

	# Build a statically linked executable
	RUN go build -installsuffix cgo -ldflags '-s -w' -o ./bin/app ./cmd/app

	# Runtime container
	FROM alpine:${ALPINE_VERSION}

	# Copy the binary and sources from the builder stage
	COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
	COPY --from=builder /go/src/github.com/syntaqx/sandbox/bin/app ./app

	# Create a non-root runtime user
	RUN addgroup -S sandbox && adduser -S -G sandbox sandbox && chown -R sandbox:sandbox ./app
	USER sandbox

	# Document the service listening port(s)
	EXPOSE 8080

	# Define the containers executable entrypoint
	ENTRYPOINT ["./app"]
	# https://github.com/usefathom/fathom/blob/master/Dockerfile
	# Building a Go backend + Javascript UI
	FROM node:alpine AS assetbuilder
	WORKDIR /app
	COPY package*.json ./
	COPY gulpfile.js ./
	COPY assets/ ./assets/
	RUN npm install && NODE_ENV=production ./node_modules/gulp/bin/gulp.js

	FROM golang:latest AS binarybuilder
	WORKDIR /go/src/github.com/usefathom/fathom
	COPY . /go/src/github.com/usefathom/fathom
	COPY --from=assetbuilder /app/assets/build ./assets/build
	RUN make docker

	FROM alpine:latest
	EXPOSE 8080
	HEALTHCHECK --retries=10 CMD ["wget", "-qO-", "http://localhost:8080/health"]
	RUN apk add --update --no-cache bash ca-certificates
	WORKDIR /app
	COPY --from=binarybuilder /go/src/github.com/usefathom/fathom/fathom .
	CMD ["./fathom", "server"]