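# Stage 1 (builder): compile the portieris binary with the UBI go-toolset image.
# Only two artifacts leave this stage: the static binary and its module list
# (/deps.jsonl) for the vulnerability scan. The trimmed runtime rootfs is built
# in the separate "installer" stage below.
FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi8/go-toolset:1.21.13 AS builder
# Make a failure anywhere in a pipeline fail the RUN step (hadolint DL4006);
# the default /bin/sh -c only reports the last command's status.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# switch to root user as we need to run yum and rpm to ensure packages are up to date
USER root
# This stage is discarded, so no package-cache cleanup is needed here.
RUN yum update -y
# Work within the /opt/app-root/src working directory of the UBI go-toolset image.
# WORKDIR creates the path if it is missing, so no separate mkdir is required.
WORKDIR /opt/app-root/src/github.com/IBM/portieris
# Create directory to store the built binary
RUN mkdir -p /opt/app-root/bin
# Copy the module manifests before the rest of the tree so the module download
# layer is reused until go.mod/go.sum actually change.
COPY go.mod go.sum ./
RUN go mod download
# Keep a .dockerignore alongside this Dockerfile so .git, local build output and
# any local credential files never enter the build context.
COPY . ./
# Build-time inputs that are only consumed by `go build`; declaring them here keeps
# a changed version string from invalidating the dependency layers above.
ARG PORTIERIS_VERSION=undefined
ARG TARGETOS TARGETARCH
# CGO_ENABLED=0 produces a binary without libc dependencies so it can run on the
# scratch-based rootfs; -ldflags stamps the version into internal/info.Version.
RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
    -ldflags="-X github.com/IBM/portieris/internal/info.Version=$PORTIERIS_VERSION" -a \
    -tags containers_image_openpgp -o /opt/app-root/bin/portieris ./cmd/portieris
# Emit the modules embedded in the binary as JSON lines ({"Path": ..., "Version": ...})
# for the nancy stage. `grep dep` keeps only the dependency lines of `go version -m`;
# `|| true` tolerates a binary with no dependencies. With pipefail set above, a
# failing `go version` now fails the build instead of producing an empty list that
# the scan would silently pass.
RUN go version -m -v /opt/app-root/bin/portieris | (grep dep || true) | awk '{print "{\"Path\": \""$2 "\", \"Version\": \"" $3 "\"}"}' > /deps.jsonl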
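# Stage 2 (installer): assemble the minimal rootfs under /image that the final
# scratch image is built from, together with an rpm database describing it.
FROM registry.access.redhat.com/ubi8/go-toolset:1.21.13 AS installer
ARG TARGETOS TARGETARCH
USER root
# Unlike the builder stage, this update reaches the runtime image: every file
# copied into /image below is taken from this stage's filesystem, so it carries
# the patched package versions.
RUN yum update -y
# prep target rootfs for scratch container: the conventional /bin, /sbin, /lib
# and /lib64 symlinks into /usr plus the standard top-level directories.
WORKDIR /
RUN mkdir /image && \
    ln -s usr/bin /image/bin && \
    ln -s usr/sbin /image/sbin && \
    ln -s usr/lib64 /image/lib64 && \
    ln -s usr/lib /image/lib && \
    mkdir -p /image/{usr/bin,usr/lib64,usr/lib,root,home,proc,etc,sys,var,dev}
# see files-{amd64,s390x}.txt for a list of needed files from the UBI image to copy into our
# final "FROM scratch" image; this would need to be modified if any additional
# content was required from UBI for the Portieris binary to function.
COPY files-${TARGETARCH}.txt /tmp
# Copying via tar preserves symlinks, ownership and modes. strip removes symbol
# tables the versioned shared objects do not need at runtime; note this changes the
# files' checksums relative to their rpm payloads, so `rpm -V` in the final image
# will report them as modified.
RUN tar cf /tmp/files.tar -T /tmp/files-${TARGETARCH}.txt && tar xf /tmp/files.tar -C /image/ \
    && strip --strip-unneeded /image/usr/lib64/*[0-9].so
# Record the packages owning the copied files in an rpm database inside /image so
# vulnerability scanners of the final image can see package names and versions.
# --justdb writes metadata only (the files are already in place); --nodeps skips
# dependency resolution since only the owning packages are registered.
# The RPMs are fetched into a scratch directory rather than /; they never reach
# the final image either way.
# NOTE(review): the `echo` turns the `dnf install` into a no-op that merely prints
# the command, so `dnf download` relies on the download plugin already being in the
# base image. Drop the `echo` if that install is meant to run.
RUN rpm --root /image --initdb \
    && PACKAGES=$(rpm -qf $(cat /tmp/files-${TARGETARCH}.txt) | grep -v "is not owned by any package" | sort -u) \
    && echo dnf install -y 'dnf-command(download)' \
    && mkdir -p /tmp/rpms \
    && dnf download --destdir /tmp/rpms ${PACKAGES} \
    && rpm --root /image -ivh --justdb --nodeps $(for i in ${PACKAGES}; do echo /tmp/rpms/$i.rpm; done)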
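# Stage 3 (nancy): gate the build on a vulnerability scan of the Go module
# dependencies recorded by the builder stage.
# The floating ":alpine" tag is not reproducible; pin a release tag or digest
# once the project settles on a nancy version.
FROM --platform=$BUILDPLATFORM sonatypecommunity/nancy:alpine AS nancy
# Without pipefail a failing `cat` would feed nancy an empty list, and an empty
# scan passes; with it the RUN step fails instead.
SHELL ["/bin/ash", "-o", "pipefail", "-c"]
COPY --from=builder /deps.jsonl /
# .nancy-ignore lists the vulnerability IDs that are accepted; each entry there
# should carry a justification and an expiry so accepted findings get revisited.
COPY /.nancy-ignore /
# nancy exits non-zero when an unignored vulnerability is reported, failing the build.
RUN cat /deps.jsonl | nancy --skip-update-check --loud sleuth --no-color
# Marker file copied into the final image so BuildKit has to build this stage.
RUN echo true > /nancy-checked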
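#################################################################################
# Stage 4: assemble the runtime image from scratch with only the trimmed UBI
# rootfs (including its rpm database, for scanners) and the static portieris binary.
FROM scratch
COPY --from=installer /image/ /
COPY --from=builder /opt/app-root/bin/portieris /portieris
# buildkit skips stages which dont contribute to the final image; copying this
# marker makes the nancy scan a hard prerequisite of producing the image.
COPY --from=nancy /nancy-checked /nancy-checked
# Create /tmp for logs and /run for working directory. There is no shell in a
# scratch image, so the binary's own --mkdir option is used in exec form.
# NOTE(review): these directories are created while still root; confirm --mkdir
# leaves them writable by the runtime UID set below.
RUN [ "/portieris", "--mkdir", "/tmp,/run" ]
WORKDIR /run
# quiet image config checkers, this is the default runAsUser in the deployment.
# A numeric UID needs no /etc/passwd entry and lets runAsNonRoot checks verify it.
USER 1000060001
# Exec form runs the binary directly: no shell is involved, so a redirection such
# as "2>&1" is not interpreted and would reach the binary as a literal argument.
# --alsologtostderr already sends logs to stderr, which the container runtime captures.
CMD ["/portieris","--alsologtostderr","-v=4"]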