| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647 |
- # Create a builder container
- # golang:1.18.0-buster amd64
- FROM golang@sha256:7d39537344486528f8cdb3bd8adb98ab7f0f4236044b6944fed8631da35a4ce5 AS build
- WORKDIR /go/src/app
- # Create appuser to isolate potential vulnerabilities
- # See https://stackoverflow.com/a/55757473/12429735
- ENV USER=appuser
- ENV UID=10001
- RUN adduser \
- --disabled-password \
- --gecos "" \
- --home "/nonexistent" \
- --shell "/sbin/nologin" \
- --no-create-home \
- --uid "${UID}" \
- "${USER}"
- # Create a new tmp directory so no bad actors can manipulate it
- RUN mkdir /temporary-tmp-directory && chmod 777 /temporary-tmp-directory
- ###############################################################################
- # Final stage
- FROM scratch
- # Run all commands as non-root
- USER appuser:appuser
- # Allow container to use latest TLS certificates
- COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
- # Copy over appuser to run as non-root
- COPY --from=build /etc/passwd /etc/passwd
- COPY --from=build /etc/group /etc/group
- # Copy over the /tmp directory for golang/os.TmpDir
- COPY --chown=appuser --from=build /temporary-tmp-directory /tmp
- # Expose application port
- EXPOSE 8989
- # Copy application from external build
- COPY vcsim /vcsim
- # Set entrypoint to application with container defaults
- ENTRYPOINT [ "/vcsim" ]
- CMD ["-l", "0.0.0.0:8989"]
|
