Merge pull request #848 from isucon/feature-update-dockerfiles-and-run-scripts

Refactor Dockerfile to use multi-stage builds and add non-privileged user

Author: catatsuy

.github/workflows/ci.yml

@@ -91,7 +91,7 @@ jobs:
       - name: Run the benchmark
         continue-on-error: true
         run: |
-          docker run --add-host host.docker.internal:host-gateway -p 5678:5678 -p 7890:7890 -i isucari-benchmarker /opt/go/benchmarker -target-url http://host.docker.internal -data-dir /initial-data -static-dir /static -payment-url http://host.docker.internal:5678 -payment-port 5678 -shipment-url http://host.docker.internal:7890 -shipment-port 7890 || echo "BENCHMARK_FAILED=true" >> $GITHUB_ENV
+          docker container run --add-host host.docker.internal:host-gateway -p 5678:5678 -p 7890:7890 -i isucari-benchmarker /bin/benchmarker -target-url http://host.docker.internal -data-dir /initial-data -static-dir /static -payment-url http://host.docker.internal:5678 -payment-port 5678 -shipment-url http://host.docker.internal:7890 -shipment-port 7890 || echo "BENCHMARK_FAILED=true" >> $GITHUB_ENV
 
       - name: Show logs
         run: |

README.md

@@ -251,7 +251,7 @@ docker compose up
 docker build -t isucari-benchmarker -f bench/Dockerfile .
 
 # benchmarkerの実行（Linuxは --add-host host.docker.internal:host-gateway を追加）
-docker run -p 5678:5678 -p 7890:7890 -i isucari-benchmarker /opt/go/benchmarker -target-url http://host.docker.internal -data-dir /initial-data -static-dir /static -payment-url http://host.docker.internal:5678 -payment-port 5678 -shipment-url http://host.docker.internal:7890 -shipment-port 7890
+docker container run -p 5678:5678 -p 7890:7890 -i isucari-benchmarker /bin/benchmarker -target-url http://host.docker.internal -data-dir /initial-data -static-dir /static -payment-url http://host.docker.internal:5678 -payment-port 5678 -shipment-url http://host.docker.internal:7890 -shipment-port 7890
 ```
 
 ### external service

bench/Dockerfile

@@ -1,18 +1,46 @@
-FROM golang:1.22
+# syntax=docker/dockerfile:1
 
-RUN mkdir -p /opt/go
-WORKDIR /opt/go
+FROM --platform=$BUILDPLATFORM golang:1.22 AS build
+WORKDIR /src
+
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+  --mount=type=bind,source=go.sum,target=go.sum \
+  --mount=type=bind,source=go.mod,target=go.mod \
+  go mod download -x
+
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+  --mount=type=bind,target=. \
+  CGO_ENABLED=0 go build -o /bin/benchmarker cmd/bench/main.go
+
+
+FROM alpine:latest AS final
+
+RUN --mount=type=cache,target=/var/cache/apk \
+  apk --update add \
+  ca-certificates \
+  tzdata \
+  && \
+  update-ca-certificates
+
+# Create a non-privileged user that the app will run under.
+# See https://docs.docker.com/go/dockerfile-user-best-practices/
+ARG UID=10001
+RUN adduser \
+  --disabled-password \
+  --gecos "" \
+  --home "/nonexistent" \
+  --shell "/sbin/nologin" \
+  --no-create-home \
+  --uid "${UID}" \
+  appuser
+USER appuser
 
 COPY initial-data /initial-data
 COPY webapp/public/static /static
 
-COPY go.mod /opt/go/go.mod
-COPY go.sum /opt/go/go.sum
-RUN go mod download
-
-COPY cmd/ /opt/go/cmd
-COPY bench/ /opt/go/bench
+COPY bench/run.sh /run.sh
 
-RUN go build -o benchmarker cmd/bench/main.go
+# Copy the executable from the "build" stage.
+COPY --from=build /bin/benchmarker /bin/
 
-ENTRYPOINT ["/opt/go/bench/run.sh"]
+ENTRYPOINT ["/run.sh"]

bench/Dockerfile-payment

@@ -1,15 +1,43 @@
-FROM golang:1.22
+# syntax=docker/dockerfile:1
 
-RUN mkdir -p /opt/go
-WORKDIR /opt/go
+FROM --platform=$BUILDPLATFORM golang:1.22 AS build
+WORKDIR /src
 
-COPY go.mod /opt/go/go.mod
-COPY go.sum /opt/go/go.sum
-RUN go mod download
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+  --mount=type=bind,source=go.sum,target=go.sum \
+  --mount=type=bind,source=go.mod,target=go.mod \
+  go mod download -x
 
-COPY cmd/ /opt/go/cmd
-COPY bench/ /opt/go/bench
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+  --mount=type=bind,target=. \
+  CGO_ENABLED=0 go build -o /bin/server cmd/payment/main.go
 
-RUN go build -o bin/payment cmd/payment/main.go
+FROM alpine:latest AS final
 
-CMD [ "/opt/go/bin/payment", "-port", "5556" ]
+RUN --mount=type=cache,target=/var/cache/apk \
+  apk --update add \
+  ca-certificates \
+  tzdata \
+  && \
+  update-ca-certificates
+
+# Create a non-privileged user that the app will run under.
+# See https://docs.docker.com/go/dockerfile-user-best-practices/
+ARG UID=10001
+RUN adduser \
+  --disabled-password \
+  --gecos "" \
+  --home "/nonexistent" \
+  --shell "/sbin/nologin" \
+  --no-create-home \
+  --uid "${UID}" \
+  appuser
+USER appuser
+
+# Copy the executable from the "build" stage.
+COPY --from=build /bin/server /bin/
+
+EXPOSE 5556
+
+# What the container should run when it is started.
+ENTRYPOINT [ "/bin/server", "-port", "5556" ]

bench/Dockerfile-shipment

@@ -1,17 +1,45 @@
-FROM golang:1.22
+# syntax=docker/dockerfile:1
 
-RUN mkdir -p /opt/go
-WORKDIR /opt/go
+FROM --platform=$BUILDPLATFORM golang:1.22 AS build
+WORKDIR /src
 
-COPY initial-data /initial-data
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+  --mount=type=bind,source=go.sum,target=go.sum \
+  --mount=type=bind,source=go.mod,target=go.mod \
+  go mod download -x
+
+RUN --mount=type=cache,target=/go/pkg/mod/ \
+  --mount=type=bind,target=. \
+  CGO_ENABLED=0 go build -o /bin/server cmd/shipment/main.go
+
+FROM alpine:latest AS final
 
-COPY go.mod /opt/go/go.mod
-COPY go.sum /opt/go/go.sum
-RUN go mod download
+RUN --mount=type=cache,target=/var/cache/apk \
+  apk --update add \
+  ca-certificates \
+  tzdata \
+  && \
+  update-ca-certificates
+
+# Create a non-privileged user that the app will run under.
+# See https://docs.docker.com/go/dockerfile-user-best-practices/
+ARG UID=10001
+RUN adduser \
+  --disabled-password \
+  --gecos "" \
+  --home "/nonexistent" \
+  --shell "/sbin/nologin" \
+  --no-create-home \
+  --uid "${UID}" \
+  appuser
+USER appuser
+
+COPY initial-data /initial-data
 
-COPY cmd/ /opt/go/cmd
-COPY bench/ /opt/go/bench
+# Copy the executable from the "build" stage.
+COPY --from=build /bin/server /bin/
 
-RUN go build -o bin/shipment cmd/shipment/main.go
+EXPOSE 7002
 
-CMD [ "/opt/go/bin/shipment", "-data-dir", "/initial-data", "-port", "7002" ]
+# What the container should run when it is started.
+ENTRYPOINT [ "/bin/server", "-data-dir", "/initial-data", "-port", "7002" ]

bench/run.sh

@@ -1,3 +1,3 @@
-#!/bin/bash
+#!/bin/sh
 
 exec "$@"

compose.yml

@@ -4,12 +4,14 @@ services:
     build:
       context: .
       dockerfile: bench/Dockerfile-payment
+      target: final
     ports:
       - "5556:5556"
 
   shipment:
     build:
       context: .
       dockerfile: bench/Dockerfile-shipment
+      target: final
     ports:
       - "7002:7002"