feat: change to distroless docker builds (#26)

Swapped to gcr.io/distroless/static-debian12 Removed unnecessary packages. Reduced file size from 21.2MB to 9.94MB.
s0up4200 · Apr 5, 2024 · fab6ae9 · fab6ae9
1 parent 7ff9bc8
commit fab6ae9
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 19 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,6 @@
+.github/
+distrib/
+.gitignore
+.goreleaser.yml
+ci.Dockerfile
+Makefile
diff --git a/Dockerfile b/Dockerfile
@@ -5,9 +5,6 @@ ARG VERSION=dev
 ARG REVISION=dev
 ARG BUILDTIME
 
-# Install only necessary packages for the build
-RUN apk add --no-cache git tzdata
-
 ENV SERVICE=redactedhook
 
 WORKDIR /src
@@ -22,16 +19,12 @@ COPY . ./
 RUN go build -ldflags "-s -w -X main.version=${VERSION} -X main.commit=${REVISION} -X main.date=${BUILDTIME}" -o bin/redactedhook cmd/redactedhook/main.go
 
 # build runner
-FROM alpine:latest
-
-LABEL org.opencontainers.image.source = "https://github.com/s0up4200/redactedhook"
+FROM gcr.io/distroless/static-debian12
 
 ENV HOME="/redactedhook" \
     XDG_CONFIG_HOME="/redactedhook" \
     XDG_DATA_HOME="/redactedhook"
 
-# Install runtime dependencies
-RUN apk --no-cache add ca-certificates curl tzdata jq
 
 WORKDIR /redactedhook
 

diff --git a/ci.Dockerfile b/ci.Dockerfile
@@ -1,9 +1,6 @@
 # build app
 FROM --platform=$BUILDPLATFORM golang:1.20-alpine3.16 AS app-builder
 
-# Install necessary tools
-RUN apk add --no-cache git tzdata
-
 # Set work directory
 WORKDIR /src
 
@@ -29,17 +26,14 @@ RUN --mount=target=. \
     -o /out/bin/redactedhook cmd/redactedhook/main.go
 
 # build runner
-FROM alpine:latest
+FROM gcr.io/distroless/static-debian12
 
 # Set metadata and environment variables
 LABEL org.opencontainers.image.source = "https://github.com/s0up4200/redactedhook"
 ENV HOME="/redactedhook" \
     XDG_CONFIG_HOME="/redactedhook" \
     XDG_DATA_HOME="/redactedhook"
 
-# Install runtime dependencies
-RUN apk --no-cache add ca-certificates curl tzdata jq
-
 # Set work directory and expose necessary ports
 WORKDIR /redactedhook
 VOLUME /redactedhook

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,15 +1,24 @@
-version: "3.8"
 services:
   redactedhook:
     container_name: redactedhook
     image: ghcr.io/s0up4200/redactedhook:latest
-    user: 1000:1000
+    #build:
+      #context: .
+      #dockerfile: Dockerfile
+    #runtime: runsc-ptrace
+    #network_mode: bridge
+    user: nobody
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
     environment:
       - SERVER_ADDRESS=0.0.0.0 # binds to 127.0.0.1 by default
       - SERVER_PORT=42135 # defaults to 42135
       - TZ=UTC
     ports:
-      - "127.0.0.1:42135:42135"
+      - 127.0.0.1:42135:42135
     volumes:
-      - /redactedhook:/redactedhook:rw
+      - ./:/redactedhook
     restart: unless-stopped