-
Notifications
You must be signed in to change notification settings - Fork 189
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #848 from isucon/feature-update-dockerfiles-and-ru…
…n-scripts Refactor Dockerfile to use multi-stage builds and add non-privileged user
- Loading branch information
Showing
7 changed files
with
121 additions
and
35 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,18 +1,46 @@ | ||
| FROM golang:1.22 | ||
| # syntax=docker/dockerfile:1 | ||
|
|
||
| RUN mkdir -p /opt/go | ||
| WORKDIR /opt/go | ||
| FROM --platform=$BUILDPLATFORM golang:1.22 AS build | ||
| WORKDIR /src | ||
|
|
||
| RUN --mount=type=cache,target=/go/pkg/mod/ \ | ||
| --mount=type=bind,source=go.sum,target=go.sum \ | ||
| --mount=type=bind,source=go.mod,target=go.mod \ | ||
| go mod download -x | ||
|
|
||
| RUN --mount=type=cache,target=/go/pkg/mod/ \ | ||
| --mount=type=bind,target=. \ | ||
| CGO_ENABLED=0 go build -o /bin/benchmarker cmd/bench/main.go | ||
|
|
||
|
|
||
| FROM alpine:latest AS final | ||
|
|
||
| RUN --mount=type=cache,target=/var/cache/apk \ | ||
| apk --update add \ | ||
| ca-certificates \ | ||
| tzdata \ | ||
| && \ | ||
| update-ca-certificates | ||
|
|
||
| # Create a non-privileged user that the app will run under. | ||
| # See https://docs.docker.com/go/dockerfile-user-best-practices/ | ||
| ARG UID=10001 | ||
| RUN adduser \ | ||
| --disabled-password \ | ||
| --gecos "" \ | ||
| --home "/nonexistent" \ | ||
| --shell "/sbin/nologin" \ | ||
| --no-create-home \ | ||
| --uid "${UID}" \ | ||
| appuser | ||
| USER appuser | ||
|
|
||
| COPY initial-data /initial-data | ||
| COPY webapp/public/static /static | ||
|
|
||
| COPY go.mod /opt/go/go.mod | ||
| COPY go.sum /opt/go/go.sum | ||
| RUN go mod download | ||
|
|
||
| COPY cmd/ /opt/go/cmd | ||
| COPY bench/ /opt/go/bench | ||
| COPY bench/run.sh /run.sh | ||
|
|
||
| RUN go build -o benchmarker cmd/bench/main.go | ||
| # Copy the executable from the "build" stage. | ||
| COPY --from=build /bin/benchmarker /bin/ | ||
|
|
||
| ENTRYPOINT ["/opt/go/bench/run.sh"] | ||
| ENTRYPOINT ["/run.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,15 +1,43 @@ | ||
| FROM golang:1.22 | ||
| # syntax=docker/dockerfile:1 | ||
|
|
||
| RUN mkdir -p /opt/go | ||
| WORKDIR /opt/go | ||
| FROM --platform=$BUILDPLATFORM golang:1.22 AS build | ||
| WORKDIR /src | ||
|
|
||
| COPY go.mod /opt/go/go.mod | ||
| COPY go.sum /opt/go/go.sum | ||
| RUN go mod download | ||
| RUN --mount=type=cache,target=/go/pkg/mod/ \ | ||
| --mount=type=bind,source=go.sum,target=go.sum \ | ||
| --mount=type=bind,source=go.mod,target=go.mod \ | ||
| go mod download -x | ||
|
|
||
| COPY cmd/ /opt/go/cmd | ||
| COPY bench/ /opt/go/bench | ||
| RUN --mount=type=cache,target=/go/pkg/mod/ \ | ||
| --mount=type=bind,target=. \ | ||
| CGO_ENABLED=0 go build -o /bin/server cmd/payment/main.go | ||
|
|
||
| RUN go build -o bin/payment cmd/payment/main.go | ||
| FROM alpine:latest AS final | ||
|
|
||
| CMD [ "/opt/go/bin/payment", "-port", "5556" ] | ||
| RUN --mount=type=cache,target=/var/cache/apk \ | ||
| apk --update add \ | ||
| ca-certificates \ | ||
| tzdata \ | ||
| && \ | ||
| update-ca-certificates | ||
|
|
||
| # Create a non-privileged user that the app will run under. | ||
| # See https://docs.docker.com/go/dockerfile-user-best-practices/ | ||
| ARG UID=10001 | ||
| RUN adduser \ | ||
| --disabled-password \ | ||
| --gecos "" \ | ||
| --home "/nonexistent" \ | ||
| --shell "/sbin/nologin" \ | ||
| --no-create-home \ | ||
| --uid "${UID}" \ | ||
| appuser | ||
| USER appuser | ||
|
|
||
| # Copy the executable from the "build" stage. | ||
| COPY --from=build /bin/server /bin/ | ||
|
|
||
| EXPOSE 5556 | ||
|
|
||
| # What the container should run when it is started. | ||
| ENTRYPOINT [ "/bin/server", "-port", "5556" ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,45 @@ | ||
| FROM golang:1.22 | ||
| # syntax=docker/dockerfile:1 | ||
|
|
||
| RUN mkdir -p /opt/go | ||
| WORKDIR /opt/go | ||
| FROM --platform=$BUILDPLATFORM golang:1.22 AS build | ||
| WORKDIR /src | ||
|
|
||
| COPY initial-data /initial-data | ||
| RUN --mount=type=cache,target=/go/pkg/mod/ \ | ||
| --mount=type=bind,source=go.sum,target=go.sum \ | ||
| --mount=type=bind,source=go.mod,target=go.mod \ | ||
| go mod download -x | ||
|
|
||
| RUN --mount=type=cache,target=/go/pkg/mod/ \ | ||
| --mount=type=bind,target=. \ | ||
| CGO_ENABLED=0 go build -o /bin/server cmd/shipment/main.go | ||
|
|
||
| FROM alpine:latest AS final | ||
|
|
||
| COPY go.mod /opt/go/go.mod | ||
| COPY go.sum /opt/go/go.sum | ||
| RUN go mod download | ||
| RUN --mount=type=cache,target=/var/cache/apk \ | ||
| apk --update add \ | ||
| ca-certificates \ | ||
| tzdata \ | ||
| && \ | ||
| update-ca-certificates | ||
|
|
||
| # Create a non-privileged user that the app will run under. | ||
| # See https://docs.docker.com/go/dockerfile-user-best-practices/ | ||
| ARG UID=10001 | ||
| RUN adduser \ | ||
| --disabled-password \ | ||
| --gecos "" \ | ||
| --home "/nonexistent" \ | ||
| --shell "/sbin/nologin" \ | ||
| --no-create-home \ | ||
| --uid "${UID}" \ | ||
| appuser | ||
| USER appuser | ||
|
|
||
| COPY initial-data /initial-data | ||
|
|
||
| COPY cmd/ /opt/go/cmd | ||
| COPY bench/ /opt/go/bench | ||
| # Copy the executable from the "build" stage. | ||
| COPY --from=build /bin/server /bin/ | ||
|
|
||
| RUN go build -o bin/shipment cmd/shipment/main.go | ||
| EXPOSE 7002 | ||
|
|
||
| CMD [ "/opt/go/bin/shipment", "-data-dir", "/initial-data", "-port", "7002" ] | ||
| # What the container should run when it is started. | ||
| ENTRYPOINT [ "/bin/server", "-data-dir", "/initial-data", "-port", "7002" ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| #!/bin/bash | ||
| #!/bin/sh | ||
|
|
||
| exec "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters