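ARG BUILDER_IMAGE="ghcr.io/andriykalashnykov/go-face/dlib20:0.1.4@sha256:c30c97c5d5a664d5f711f17d81a65d9558e17eeb73c0d7a76ff8dc11f6d1d958"
FROM ${BUILDER_IMAGE} AS builder
# Upstream go-face/dlib{19,20} builder images ship with a non-root default
# USER whose HOME=/nonexistent, which makes `go mod download` / `go build`
# fail with EACCES on the module + build caches. The builder stage produces
# a static binary that is copied into the non-root alpine runtime stage
# below, so running as root *here* has no security impact.
# hadolint ignore=DL3002
USER root
# The automatic platform ARG is only visible to RUN once it is redeclared
# inside the stage. Without this line ${TARGETARCH} expands to empty in the
# heredoc below and an amd64 build silently takes the non-amd64 branch
# (no libquadmath0, no -lquadmath) unless the builder image happens to
# export TARGETARCH as ENV.
ARG TARGETARCH
# Set the working directory
WORKDIR /app
# Copy go module files first so the module download layer stays cached
# until go.mod/go.sum change, not on every source edit.
COPY ./go.mod ./go.sum ./
ENV PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig/
RUN /usr/local/go/bin/go mod download
# Copy the source code
COPY ./cmd/ cmd/
COPY ./internal/ internal/
# Copy the resources
COPY ./fonts/ fonts/
COPY ./images/ images/
COPY ./models/ models/
COPY ./persons/ persons/
# Heredoc lines are not &&-chained: `set -e` makes a failed apt-get or go
# step fail the build instead of leaving a broken/missing binary; `-u`
# turns an unset TARGETARCH into an error rather than a wrong link line.
# libquadmath0 is unpinned because the builder image's distro release
# (and thus the available package version) is owned upstream.
# hadolint ignore=DL3008
RUN <<EOT
set -eu
if [ "${TARGETARCH}" = "amd64" ]; then
    # The amd64 link line additionally needs libquadmath.
    apt-get update
    apt-get install -y --no-install-recommends libquadmath0
    rm -rf /var/lib/apt/lists/*
    export CGO_LDFLAGS="-lcblas -llapack_atlas -lgfortran -lquadmath -lblas -latlas"
else
    export CGO_LDFLAGS="-lcblas -llapack_atlas -lgfortran -lblas -latlas"
fi
CGO_ENABLED=1 /usr/local/go/bin/go build -trimpath -ldflags "-s -w -extldflags -static" -tags "static netgo cgo static_build" -o cmd/main cmd/main.go
EOT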
FROM alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS runtime
WORKDIR /app
# `apk --no-cache upgrade` picks up Alpine security fixes published after
# this image digest was cut (the mirror is patched before a new digest
# appears). The service account gets a fixed numeric UID/GID so Kubernetes
# restricted pod security (runAsNonRoot: true,
# allowPrivilegeEscalation: false) can verify it from the image config;
# account creation shares the layer with the upgrade.
RUN apk --no-cache upgrade \
 && addgroup -g 10001 -S app \
 && adduser -u 10001 -S -G app app
# Static binary and read-only resources stay root-owned (COPY default).
COPY --from=builder /app/cmd/main /app/main
COPY --from=builder /app/fonts /app/fonts/
COPY --from=builder /app/models/ /app/models/
COPY --from=builder /app/persons/ /app/persons/
# The binary writes result.jpg back into images/, so that tree alone is
# owned by the runtime user.
COPY --chown=10001:10001 --from=builder /app/images/ /app/images/
USER 10001
# Placeholder foreground process so the container stays up; run the face
# recognition pipeline against the baked-in test data with
# `--entrypoint /app/main`.
CMD ["tail", "-f", "/dev/null"]