refact: Dockerfile is now a multistage scratch build #83
Conversation
Signed-off-by: wilmardo <[email protected]>
|
If I have some time left someday I might take a stab at releasing multi-arch(amd64/arm64) images with Drone. Are you open for a change like this? |
|
Hey thanks for the contribution. The Go binary is actually compiled outside of Docker and then only copied into the Docker image. Thus the image size should be alpine + static binary. |
True but now it is nothing but the Go binary, no Alpine (FROM scratch is a container with nothing). Saves 5MB in the image size (just a tad) but the most important thing is that there is no shell or tools available. Nobody can use the container to break into the cluster whatsoever.
The question above is referring to building/releasing Docker images for amd64 and arm64 from within DroneCI. It is meant as a seperate question for a future PR, not related to this change, sorry for the confusion :) |
|
I actually often go into containers to debug things... |
This moves the Go binary in a Docker scratch container for minimal footprint and better security (no shell available and running as non-root).
See this article for the rationale behind these changes:
https://weberc2.bitbucket.io/posts/golang-docker-scratch-app.html
Also adds a .dockerignore that excludes all the files except the ones used within the Dockerfile. Running docker build after
make releasesends 198.2MB to the Docker daemon, this is now reduced to 13.4MB.On my system it was a noticeable speed improvement of 42 seconds :)