[3ad0f41] Update Dockerfiles and .goreleaser.yml
jnovack committed Mar 31, 2021
1 parent 09209bb commit bc29733
Showing 4 changed files with 91 additions and 8 deletions.
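--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+Dockerfile*
+.*ignore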
4 changes: 2 additions & 2 deletions .goreleaser.yml
Expand Up @@ -68,7 +68,7 @@ brews:
- name: govc
ids:
- govc
github:
tap:
owner: govmomi
name: homebrew-tap
commit_author:
Expand All @@ -84,7 +84,7 @@ brews:
- name: vcsim
ids:
- vcsim
github:
tap:
owner: govmomi
name: homebrew-tap
commit_author:
45 changes: 42 additions & 3 deletions Dockerfile.govc
@@ -1,4 +1,43 @@
# Create a builder container
# golang:1.16.0-buster amd64
FROM golang@sha256:f254180c5defa2653955e963fb0626e3d4fbbb162f7cff6490e94607d1d867ff AS build
WORKDIR /go/src/app

# Create appuser to isolate potential vulnerabilities
# See https://stackoverflow.com/a/55757473/12429735
ENV USER=appuser
ENV UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
"${USER}"

# Create a new tmp directory so no bad actors can manipulate it
RUN mkdir /temporary-tmp-directory && chmod 777 /temporary-tmp-directory

###############################################################################
# Final stage
FROM scratch
LABEL maintainer="[email protected]"
COPY govc /
ENTRYPOINT [ "/govc" ]

# Run all commands as non-root
USER appuser:appuser

# Allow container to use latest TLS certificates
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Copy over appuser to run as non-root
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group

# Copy over the /tmp directory for golang/os.TmpDir
COPY --chown=appuser --from=build /temporary-tmp-directory /tmp

# Copy application from external build
COPY govc /govc

# Set CMD to application with container defaults
CMD ["/govc"]
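Review bot: `USER appuser:appuser` is declared before `/etc/passwd` and `/etc/group` are copied into the scratch stage, so the name can only be resolved when the container starts; the build succeeds only because every instruction after it is a COPY, which ignores USER. Moving the `USER` line below the passwd/group copies and the `--chown` copy of /tmp makes that dependency explicit and follows the conventional order (root-only steps first, `USER` just before the entrypoint). The comment on the temporary directory says it keeps bad actors from manipulating it, yet `chmod 777` omits the sticky bit a normal /tmp carries; `RUN mkdir /temporary-tmp-directory && chmod 1777 /temporary-tmp-directory` matches the convention (confirm the mode bits survive the COPY), although in a single-user scratch image the practical difference is small. The hunk header's 3 deletions most plausibly cover the old `LABEL`, `COPY govc /` and `ENTRYPOINT [ "/govc" ]`; if so, the new image ends with only `CMD ["/govc"]`, so arguments given to `docker run` replace the binary instead of being appended to it, and `ENTRYPOINT ["/govc"]` plus a `CMD` for default arguments would preserve subcommand invocation. The USER ordering and chmod points apply equally to Dockerfile.vcsim.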
48 changes: 45 additions & 3 deletions Dockerfile.vcsim
@@ -1,4 +1,46 @@
# Create a builder container
# golang:1.16.0-buster amd64
FROM golang@sha256:f254180c5defa2653955e963fb0626e3d4fbbb162f7cff6490e94607d1d867ff AS build
WORKDIR /go/src/app

# Create appuser to isolate potential vulnerabilities
# See https://stackoverflow.com/a/55757473/12429735
ENV USER=appuser
ENV UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
"${USER}"

# Create a new tmp directory so no bad actors can manipulate it
RUN mkdir /temporary-tmp-directory && chmod 777 /temporary-tmp-directory

###############################################################################
# Final stage
FROM scratch
LABEL maintainer="[email protected]"
COPY vcsim /
ENTRYPOINT [ "/vcsim" ]

# Run all commands as non-root
USER appuser:appuser

# Allow container to use latest TLS certificates
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Copy over appuser to run as non-root
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group

# Copy over the /tmp directory for golang/os.TmpDir
COPY --chown=appuser --from=build /temporary-tmp-directory /tmp

# Expose application port
EXPOSE 8989

# Copy application from external build
COPY vcsim /vcsim

# Set entrypoint to application with container defaults
ENTRYPOINT ["/vcsim", "-l", "0.0.0.0:8989"]
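Review bot: `ENTRYPOINT ["/vcsim", "-l", "0.0.0.0:8989"]` bakes the listen address into the entrypoint, so an operator cannot change the bind address or port without `--entrypoint`, and the `EXPOSE 8989` contract above is fixed with it. Splitting it into `ENTRYPOINT ["/vcsim"]` and `CMD ["-l", "0.0.0.0:8989"]` keeps the same default while letting `docker run … -l 127.0.0.1:9000` override the flags. The image is a long-running service on scratch with no `HEALTHCHECK`; since there is no shell or curl in the final stage, a probe would have to be served by the binary itself, which seems better left to a follow-up than added here.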
