-
Notifications
You must be signed in to change notification settings - Fork 1
/
Dockerfile
93 lines (73 loc) · 2.73 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
FROM --platform=$BUILDPLATFORM golang:1.21-alpine AS build-env
RUN apk add --update --no-cache curl make git libc-dev bash gcc linux-headers eudev-dev
ARG TARGETARCH
ARG BUILDARCH
RUN if [ "${TARGETARCH}" = "arm64" ] && [ "${BUILDARCH}" != "arm64" ]; then \
wget -c https://musl.cc/aarch64-linux-musl-cross.tgz -O - | tar -xzvv --strip-components 1 -C /usr; \
elif [ "${TARGETARCH}" = "amd64" ] && [ "${BUILDARCH}" != "amd64" ]; then \
wget -c https://musl.cc/x86_64-linux-musl-cross.tgz -O - | tar -xzvv --strip-components 1 -C /usr; \
fi
WORKDIR /src
ADD . .
RUN if [ "${TARGETARCH}" = "arm64" ] && [ "${BUILDARCH}" != "arm64" ]; then \
export CC=aarch64-linux-musl-gcc CXX=aarch64-linux-musl-g++;\
elif [ "${TARGETARCH}" = "amd64" ] && [ "${BUILDARCH}" != "amd64" ]; then \
export CC=x86_64-linux-musl-gcc CXX=x86_64-linux-musl-g++; \
fi; \
GOOS=linux GOARCH=$TARGETARCH CGO_ENABLED=1 LDFLAGS='-linkmode external -extldflags "-static"' make install
RUN if [ -d "/go/bin/linux_${TARGETARCH}" ]; then mv /go/bin/linux_${TARGETARCH}/* /go/bin/; fi
# Use minimal busybox from infra-toolkit image for final scratch image
FROM ghcr.io/strangelove-ventures/infra-toolkit:v0.0.8 AS busybox-min
RUN addgroup --gid 1000 -S strangelove && adduser --uid 100 -S strangelove -G strangelove
# Use ln and rm from full featured busybox for assembling final image
FROM busybox:1.34.1-musl AS busybox-full
# Build final image from scratch
FROM scratch
LABEL org.opencontainers.image.source="https://github.com/strangelove-ventures/horcrux-proxy"
WORKDIR /bin
# Install ln (for making hard links) and rm (for cleanup) from full busybox image (will be deleted, only needed for image assembly)
COPY --from=busybox-full /bin/ln /bin/rm ./
# Install minimal busybox image as shell binary (will create hardlinks for the rest of the binaries to this data)
COPY --from=busybox-min /busybox/busybox /bin/sh
# Add hard links for read-only utils
# Will then only have one copy of the busybox minimal binary file with all utils pointing to the same underlying inode
RUN for b in \
cat \
date \
df \
du \
env \
grep \
head \
less \
ls \
md5sum \
nc \
nslookup \
ping \
ping6 \
pwd \
sha1sum \
sha256sum \
sha3sum \
sha512sum \
sleep \
stty \
tail \
tar \
tee \
tr \
watch \
which \
; do ln sh $b; done
# Remove write utils
RUN rm ln rm
# Install chain binaries
COPY --from=build-env /go/bin/horcrux-proxy /bin
# Install trusted CA certificates
COPY --from=busybox-min /etc/ssl/cert.pem /etc/ssl/cert.pem
# Install strangelove user
COPY --from=busybox-min /etc/passwd /etc/passwd
COPY --from=busybox-min --chown=100:1000 /home/strangelove /home/strangelove
WORKDIR /home/strangelove
USER strangelove