DataGenX - Atul's Scratchpad

My scrapbook about anything which I learned or want to remember, Sometime about tech tips, thoughts and rambling. If you find anything useful don't forget to give thumbs-up :)

Breaking

Wednesday, August 21, 2024

Home / binary / Container / Docker / Dockerfile / Go / Golang / Image / Production / Ready / Let’s Build Production Ready Go Docker Image

Let’s Build Production Ready Go Docker Image

by on in , , , , , , , ,
This is the one thing I like about Golang, You can create a packages binary which can run on the system without any other dependencies and this property enable us to create a secured Go app docker image. 

From Scratch Image:

- Most Secure and Restricted Image
We know that production images should be hardened, reproducible and tiny as much as possible. Below Dockerfile fulfill all that requirements - 
FROM scratch                                                                                                                                                       
COPY /local/path/bin/api /                                                                                                                                         
CMD ["/api"]
In above Dockerfile, the base image is scratch, so No user, No permission, only the go binary which works well.  You have to compile the binary outside the docker, then we simply copy that binary to "scratch" image where system (orchestrator/k8s/nomad) run the go binary hence, this minimalist docker file work great. 

From a Base Image: 

- Have to work on restrictions
But, if you want run the binary with an pre existing image which may have shell or other commands, you have to restrict the permissions to build a more secure container.  

FROM alpine:3.20                                                                                                                                                       
COPY /local/path/bin/api /                                                                                                                                         
RUN chmod +x /api
USER 65534
CMD ["/api"]

Multi-Stage Build for multi-platform:

- Enable the docker build on any OS/Architecture
Being able to build and run the Image on any platform is actually what we need and Multi-Stage Dockerfile is the solution which also answer most trivial statement of software industry - "Things are running fine on my machine".
It enables you to share Dockerfile to multiple user to run/test the application irrespective of the platform they are building.

# Build the binary
FROM golang:1.22.6 as build                                                                                                                                        
WORKDIR /build                                                                                                                                                     
COPY . .                                                                                                                                                           
RUN go install -v ./...                                                                                                                                                         
RUN CGO_ENABLED=0 go build -o api                                                                                                                                          
                                                                                                                                                                   
# Unprivileged users can execute                                                                                                                                   
RUN chgrp 0 api                                                                                                                                          
RUN chmod g+x api                                                                                                                                   

# Final Image                                                                                                                                                                   
FROM scratch                                                                                                                                                       
COPY --from=build /build/api /
USER 65534                                                                                                                                                         
CMD ["/api"]

Above multi-stage dockerfile is building the binary within docker in stage 1 and then copying the binary to final image. To run this dockerfile, user do not need to setup their machine with any additional tooling except the Docker itself.  

We can follow the same approach with other image build as well. 
Happy Learning !!
Author Image

About Atul Singh
I am a Data Consultant at a Canadian financial firm. My keen interests varies from Data Analytics, ML, Kubernetes, NLP to ETL. I love to blog and travel in my spare time. If you’d like to get in touch, feel free to say hello through any of the social links.

Related Posts:
By at
Labels: , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Disclaimer

The postings on this site are my own and don't necessarily represent IBM's or other companies positions, strategies or opinions. All content provided on this blog is for informational purposes and knowledge sharing only.
The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of his information.