Merge pull request #9 from StevenACoffman/master

chemidy · web-flow · commit 86acf99c298d · 2020-01-14T22:24:23.000+01:00
Add static distroless and specify uid/gid for alpine static
diff --git a/Dockerfile b/Dockerfile
@@ -3,22 +3,35 @@
 ############################
 # golang alpine 1.13.5
 FROM golang@sha256:0991060a1447cf648bab7f6bb60335d1243930e38420bee8fec3db1267b84cfa as builder
+
 # Install git + SSL ca certificates.
 # Git is required for fetching the dependencies.
 # Ca-certificates is required to call HTTPS endpoints.
 RUN apk update && apk add --no-cache git ca-certificates tzdata && update-ca-certificates
 
 # Create appuser
-RUN adduser -D -g '' appuser
-
+ENV USER=appuser
+ENV UID=10001
+
+# See https://stackoverflow.com/a/55757473/12429735
+RUN adduser \
+    --disabled-password \
+    --gecos "" \
+    --home "/nonexistent" \
+    --shell "/sbin/nologin" \
+    --no-create-home \
+    --uid "${UID}" \
+    "${USER}"
 WORKDIR $GOPATH/src/mypackage/myapp/
 COPY . .
 
 # Fetch dependencies.
 RUN go get -d -v
 
 # Build the binary
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -a -installsuffix cgo -o /go/bin/hello .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+      -ldflags='-w -s -extldflags "-static"' -a \
+      -o /go/bin/hello .
 
 ############################
 # STEP 2 build a small image
@@ -29,12 +42,13 @@ FROM scratch
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
 
 # Copy our static executable
 COPY --from=builder /go/bin/hello /go/bin/hello
 
 # Use an unprivileged user.
-USER appuser
+USER appuser:appuser
 
 # Run the hello binary.
 ENTRYPOINT ["/go/bin/hello"]
diff --git a/go_module/Dockerfile b/go_module/Dockerfile
@@ -10,7 +10,18 @@ FROM golang@sha256:0991060a1447cf648bab7f6bb60335d1243930e38420bee8fec3db1267b84
 RUN apk update && apk add --no-cache git ca-certificates tzdata && update-ca-certificates
 
 # Create appuser
-RUN adduser -D -g '' appuser
+ENV USER=appuser
+ENV UID=10001
+
+# See https://stackoverflow.com/a/55757473/12429735
+RUN adduser \
+    --disabled-password \
+    --gecos "" \
+    --home "/nonexistent" \
+    --shell "/sbin/nologin" \
+    --no-create-home \
+    --uid "${UID}" \
+    "${USER}"
 WORKDIR $GOPATH/src/mypackage/myapp/
 
 # use modules
@@ -23,7 +34,9 @@ RUN go mod verify
 COPY . .
 
 # Build the binary
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -a -installsuffix cgo -o /go/bin/hello .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+      -ldflags='-w -s -extldflags "-static"' -a \
+      -o /go/bin/hello .
 
 ############################
 # STEP 2 build a small image
@@ -34,12 +47,13 @@ FROM scratch
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
 
 # Copy our static executable
 COPY --from=builder /go/bin/hello /go/bin/hello
 
 # Use an unprivileged user.
-USER appuser
+USER appuser:appuser
 
 # Run the hello binary.
 ENTRYPOINT ["/go/bin/hello"]
diff --git a/go_module_distroless/Dockerfile b/go_module_distroless/Dockerfile
@@ -1,16 +1,13 @@
 ############################
 # STEP 1 build executable binary
 ############################
-# golang alpine 1.13.5
-FROM golang@sha256:0991060a1447cf648bab7f6bb60335d1243930e38420bee8fec3db1267b84cfa as builder
+# golang debian buster 1.13.6 linux/amd64
+# https://github.com/docker-library/golang/blob/master/1.13/buster/Dockerfile
+FROM golang@sha256:93a56423351235e070b3630e0a8b3e27d5e868883d4dff591f676315f208a574 as builder
 
-# Install git + SSL ca certificates.
-# Git is required for fetching the dependencies.
-# Ca-certificates is required to call HTTPS endpoints.
-RUN apk update && apk add --no-cache git ca-certificates tzdata && update-ca-certificates
+# Ensure ca-certficates are up to date
+RUN update-ca-certificates
 
-# Create appuser
-RUN adduser -D -g '' appuser
 WORKDIR $GOPATH/src/mypackage/myapp/
 
 # use modules
@@ -28,8 +25,9 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -a -installsuffix cgo -o
 ############################
 # STEP 2 build a small image
 ############################
-#using nonroot image
-FROM gcr.io/distroless/static@sha256:08322afd57db6c2fd7a4264bf0edd9913176835585493144ee9ffe0c8b576a76
+# using base nonroot image
+# user:group is nobody:nobody, uid:gid = 65534:65534
+FROM gcr.io/distroless/base@sha256:2b177fbc9a31b85254d264e1fc9a65accc6636d6f1033631b9b086ee589d1fe2
 
 # Copy our static executable
 COPY --from=builder /go/bin/hello /go/bin/hello
diff --git a/go_module_distroless/Makefile b/go_module_distroless/Makefile
@@ -8,8 +8,8 @@ help: ## - Show help message
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
 .PHONY: build
-build:	## - Build the smallest and secured golang docker image based on scratch
-	@printf "\033[32m\xE2\x9c\x93 Build the smallest and secured golang docker image based on scratch\n\033[0m"
+build:	## - Build the smallest and secured golang docker image based on distroless
+	@printf "\033[32m\xE2\x9c\x93 Build the smallest and secured golang docker image based on distroless\n\033[0m"
 	@export DOCKER_CONTENT_TRUST=1 && docker build -f Dockerfile -t smallest-secured-golang-distroless .
 
 .PHONY: build-no-cache
@@ -23,7 +23,7 @@ ls: ## - List 'smallest-secured-golang' docker images
 	@docker image ls smallest-secured-golang-distroless
 
 .PHONY: run
-run:	## - Run the smallest and secured golang docker image based on scratch
+run:	## - Run the smallest and secured golang docker image based on distroless
 	@printf "\033[32m\xE2\x9c\x93 Run the smallest and secured golang docker image based on scratch\n\033[0m"
 	@docker run smallest-secured-golang-distroless:latest
 
diff --git a/go_module_distroless/README.md b/go_module_distroless/README.md
@@ -1,17 +1,17 @@
-# Create the smallest secured golang docker image base on scratch
+# Create the smallest secured golang docker image base on distroless
 
 Read the related article : [Create the smallest and secured golang docker image based on scratch](https://medium.com/@chemidy/create-the-smallest-and-secured-golang-docker-image-based-on-scratch-4752223b7324)
 
 ```
 ✓ usage: make [target]
 
-build-no-cache                 - Build the smallest and secured golang docker image based on scratch with no cache
-build                          - Build the smallest and secured golang docker image based on scratch
+build-no-cache                 - Build the smallest and secured golang docker image based on distroless with no cache
+build                          - Build the smallest and secured golang docker image based on distroless
 help                           - Show help message
 ls                             - List 'smallest-secured-golang' docker images
 push-to-azure                  - Push docker image to azurecr.io container registry
 push-to-gcp                    - Push docker image to gcr.io container registry
-run                            - Run the smallest and secured golang docker image based on scratch
+run                            - Run the smallest and secured golang docker image based on distroless
 ```
 
 # Quickstart 
diff --git a/go_module_distroless_static/Dockerfile b/go_module_distroless_static/Dockerfile
@@ -0,0 +1,38 @@
+############################
+# STEP 1 build executable binary
+############################
+# golang debian buster 1.13.6 linux/amd64
+# https://github.com/docker-library/golang/blob/master/1.13/buster/Dockerfile
+FROM golang@sha256:93a56423351235e070b3630e0a8b3e27d5e868883d4dff591f676315f208a574 as builder
+
+# Ensure ca-certficates are up to date
+RUN update-ca-certificates
+
+WORKDIR $GOPATH/src/mypackage/myapp/
+
+# use modules
+COPY go.mod .
+
+ENV GO111MODULE=on
+RUN go mod download
+RUN go mod verify
+
+COPY . .
+
+# Build the static binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+      -ldflags='-w -s -extldflags "-static"' -a \
+      -o /go/bin/hello .
+
+############################
+# STEP 2 build a small image
+############################
+# using static nonroot image
+# user:group is nobody:nobody, uid:gid = 65534:65534
+FROM gcr.io/distroless/static@sha256:08322afd57db6c2fd7a4264bf0edd9913176835585493144ee9ffe0c8b576a76
+
+# Copy our static executable
+COPY --from=builder /go/bin/hello /go/bin/hello
+
+# Run the hello binary.
+ENTRYPOINT ["/go/bin/hello"]
diff --git a/go_module_distroless_static/Makefile b/go_module_distroless_static/Makefile
@@ -0,0 +1,39 @@
+VERSION=`git rev-parse HEAD`
+BUILD=`date +%FT%T%z`
+LDFLAGS=-ldflags "-X main.Version=${VERSION} -X main.Build=${BUILD}"
+
+.PHONY: help
+help: ## - Show help message
+	@printf "\033[32m\xE2\x9c\x93 usage: make [target]\n\n\033[0m"
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: build
+build:	## - Build the smallest and secured golang docker image based on distroless static
+	@printf "\033[32m\xE2\x9c\x93 Build the smallest and secured golang docker image based on distroless static\n\033[0m"
+	@export DOCKER_CONTENT_TRUST=1 && docker build -f Dockerfile -t smallest-secured-golang-distroless-static .
+
+.PHONY: build-no-cache
+build-no-cache:	## - Build the smallest and secured golang docker image based on scratch with no cache
+	@printf "\033[32m\xE2\x9c\x93 Build the smallest and secured golang docker image based on scratch\n\033[0m"
+	@export DOCKER_CONTENT_TRUST=1 && docker build --no-cache -f Dockerfile -t smallest-secured-golang-distroless-static .
+
+.PHONY: ls
+ls: ## - List 'smallest-secured-golang' docker images
+	@printf "\033[32m\xE2\x9c\x93 Look at the size dude !\n\033[0m"
+	@docker image ls smallest-secured-golang-distroless-static
+
+.PHONY: run
+run:	## - Run the smallest and secured golang docker image based on distroless static
+	@printf "\033[32m\xE2\x9c\x93 Run the smallest and secured golang docker image based on scratch\n\033[0m"
+	@docker run smallest-secured-golang-distroless-static:latest
+
+.PHONY: push-to-azure
+push-to-azure:	## - Push docker image to azurecr.io container registry
+	@az acr login --name chemidy
+	@docker push chemidy.azurecr.io/smallest-secured-golang-docker-image:$(VERSION)
+
+.PHONY: push-to-gcp
+push-to-gcp:	## - Push docker image to gcr.io container registry
+	@gcloud auth application-default login
+	@gcloud auth configure-docker
+	@docker push gcr.io/chemidy/smallest-secured-golang-docker-image:$(VERSION)
diff --git a/go_module_distroless_static/README.md b/go_module_distroless_static/README.md
@@ -0,0 +1,21 @@
+# Create the smallest secured golang docker image base on distroless static
+
+Read the related article : [Create the smallest and secured golang docker image based on scratch](https://medium.com/@chemidy/create-the-smallest-and-secured-golang-docker-image-based-on-scratch-4752223b7324)
+
+```
+✓ usage: make [target]
+
+build-no-cache                 - Build the smallest and secured golang docker image based on distroless static with no cache
+build                          - Build the smallest and secured golang docker image based on distroless static
+help                           - Show help message
+ls                             - List 'smallest-secured-golang-distroless-static' docker images
+push-to-azure                  - Push docker image to azurecr.io container registry
+push-to-gcp                    - Push docker image to gcr.io container registry
+run                            - Run the smallest and secured golang docker image based on distroless static
+```
+
+# Quickstart 
+
+```
+make build && make run
+```
diff --git a/go_module_distroless_static/go.mod b/go_module_distroless_static/go.mod
@@ -0,0 +1,3 @@
+module github.com/chemidy/smallest-secured-golang-docker-image/go_module
+
+go 1.12
diff --git a/go_module_distroless_static/main.go b/go_module_distroless_static/main.go
@@ -0,0 +1,32 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+)
+
+func checkWebsite(website string) error {
+
+	tz, _ := time.LoadLocation("Europe/Paris")
+	now := time.Now()
+	parisTime := now.In(tz)
+
+	resp, err := http.Get(website)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode >= 200 && resp.StatusCode <= 299 {
+		fmt.Println("Website :", website, "is Up", "HTTP Response Status:", resp.StatusCode, http.StatusText(resp.StatusCode))
+	} else {
+		fmt.Println("Website :", website, " Broken", "HTTP Response Status:", resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+	fmt.Println("Paris is magic : what time is it in Paris ?", parisTime)
+
+	return err
+}
+
+func main() {
+	checkWebsite("https://chemidy.cloud")
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+module github.com/chemidy/smallest-secured-golang-docker-image/go_module`
	`2`	`+`
	`3`	`+go 1.12`