improvement: - use a distroless base image (#125)

floriankoch · Florian Koch · web-flow · commit e6555f7ea0a2 · 2020-04-13T14:27:28.000+05:30
- Add a debug image

Signed-off-by: Florian Koch &lt;flo@ctrl.wtf&gt;

Co-authored-by: Florian Koch &lt;flo@ctrl.wtf&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -59,15 +59,12 @@ COPY third_party/ third_party/
 # build metacontroller binary
 RUN make bins
 
-# Use debian as minimal base image to package the final binary
-FROM debian:stretch-slim
+# Use a distroless image
+# Sort the instructions to be more effective for caching 
 
-WORKDIR /
-
-RUN apt-get update && \
-  apt-get install --no-install-recommends -y ca-certificates && \
-  rm -rf /var/lib/apt/lists/*
-
-COPY --from=builder /go/src/openebs.io/metac/metac /usr/bin/
+FROM gcr.io/distroless/base-debian10:nonroot
 
+WORKDIR /
+USER nonroot:nonroot
 CMD ["/usr/bin/metac"]
+COPY --from=builder --chown=nonroot /go/src/openebs.io/metac/metac /usr/bin/
diff --git a/Dockerfile.debug b/Dockerfile.debug
@@ -0,0 +1,70 @@
+# Tester image
+FROM golang:1.13.5 as tester
+
+WORKDIR /go/src/openebs.io/metac/
+
+# copy go modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# copy build manifests
+COPY Makefile Makefile
+
+# ensure vendoring is up-to-date by running make vendor in your local
+# setup
+#
+# we cache the vendored dependencies before building and copying source
+# so that we don't need to re-download when source changes don't invalidate
+# our downloaded layer
+RUN make vendor
+
+# copy build manifests
+COPY . .
+
+RUN make integration-test
+
+# Build metac binary
+FROM golang:1.13.5 as builder
+
+WORKDIR /go/src/openebs.io/metac/
+
+# copy go modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# copy build manifests
+COPY Makefile Makefile
+
+# ensure vendoring is up-to-date by running make vendor in your local
+# setup
+#
+# we cache the vendored dependencies before building and copying source
+# so that we don't need to re-download when source changes don't invalidate
+# our downloaded layer
+RUN make vendor
+
+# copy source files
+COPY *.go ./
+COPY apis/ apis/
+COPY client/ client/
+COPY config/ config/
+COPY hack/ hack/
+COPY controller/ controller/
+COPY dynamic/ dynamic/
+COPY hooks/ hooks/
+COPY server/ server/
+COPY start/ start/
+COPY third_party/ third_party/
+
+# build metacontroller binary
+RUN make bins
+
+# Use a distroless image
+# Sort the instructions to be more effective for caching 
+
+FROM gcr.io/distroless/base-debian10:debug-nonroot
+
+WORKDIR /
+USER nonroot:nonroot
+CMD ["/usr/bin/metac"]
+COPY --from=builder --chown=nonroot /go/src/openebs.io/metac/metac /usr/bin/
diff --git a/Makefile b/Makefile
@@ -71,10 +71,12 @@ vendor: go.mod go.sum
 .PHONY: image
 image:
 	docker build -t $(REGISTRY)/$(IMG_NAME):$(PACKAGE_VERSION) .
+	docker build -t $(REGISTRY)/$(IMG_NAME):$(PACKAGE_VERSION)_debug -f Dockerfile.debug .
 
 .PHONY: push
 push: image
 	docker push $(REGISTRY)/$(IMG_NAME):$(PACKAGE_VERSION)
+	docker push $(REGISTRY)/$(IMG_NAME):$(PACKAGE_VERSION)_debug
 
 .PHONY: unit-test
 unit-test: generated_files
