Wednesday, August 21, 2024

Let's Build a Production-Ready Go Docker Image

This is the one thing I like about Go: you can compile a package into a single self-contained binary that runs on the target system without any other dependencies, and that property lets us build a small, locked-down Docker image for a Go application.

From a Scratch Image:

- Most secure and restricted image
Production images should be hardened, reproducible and as small as possible. The Dockerfile below meets all of those requirements:

FROM scratch
COPY /local/path/bin/api /
CMD ["/api"]

In the Dockerfile above the base image is scratch, so there is no shell, no package manager and no user database; the image contains only the Go binary, which is all it needs. The binary is compiled outside Docker (with CGO_ENABLED=0 so that it is statically linked, since scratch ships no libc) and then simply copied into the scratch image, where the orchestrator (Kubernetes, Nomad, ...) runs it. This minimalist Dockerfile works well.

From a Base Image:

- You have to work on restrictions
If instead you want to run the binary on a pre-existing image that may ship a shell and other commands, you have to restrict permissions to get a more secure container:

FROM alpine:3.20
COPY /local/path/bin/api /
RUN chmod +x /api
USER 65534
CMD ["/api"]

Multi-Stage Build for Multiple Platforms:

- Enables the Docker build on any OS/architecture
Being able to build and run the image on any platform is what we actually need, and a multi-stage Dockerfile is the solution. It also answers the most overused excuse in the software industry, "It runs fine on my machine": you can share the Dockerfile with multiple users, who can build, run and test the application regardless of the platform they are building on.

# Build the binary
FROM golang:1.22.6 AS build
WORKDIR /build
COPY . .
RUN go install -v ./...
RUN CGO_ENABLED=0 go build -o api
# Unprivileged users can execute
RUN chgrp 0 api
RUN chmod g+x api
# Final image
FROM scratch
COPY --from=build /build/api /
USER 65534
CMD ["/api"]

The multi-stage Dockerfile above builds the binary inside Docker in stage 1 and then copies that binary into the final image. To build it, users do not need to set up their machine with any tooling other than Docker itself.
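As an added check (my own script, not code from the original post), the Python below parses a Dockerfile stage by stage and flags the properties these three Dockerfiles rely on: base images that are not pinned to a tag, a final stage with no non-root USER, and a go build without CGO_ENABLED=0 when the final image is scratch. The two embedded Dockerfiles are constructed from this post's examples, the multi-stage one condensed to the lines the checks look at.

```python
# Constructed inputs: the scratch-only and (condensed) multi-stage Dockerfile from this post.
SCRATCH_ONLY = """\
FROM scratch
COPY /local/path/bin/api /
CMD ["/api"]
"""
MULTI_STAGE = """\
FROM golang:1.22.6 as build
WORKDIR /build
COPY . .
RUN CGO_ENABLED=0 go build -o api
FROM scratch
COPY --from=build /build/api /
USER 65534
CMD ["/api"]
"""

def parse_stages(dockerfile):
    """Split a Dockerfile into stages as {'base': image, 'instrs': [(INSTR, args), ...]}."""
    stages = []
    for line in (l.strip() for l in dockerfile.splitlines()):
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        if instr.upper() == "FROM":
            # Skip flags such as --platform=...; the next token is the image reference.
            image = [t for t in args.split() if not t.startswith("--")][0]
            stages.append({"base": image, "instrs": []})
        elif stages:
            stages[-1]["instrs"].append((instr.upper(), args.strip()))
    return stages

def audit(dockerfile):
    """Return hardening findings for the final stage; an empty list means it passes."""
    stages = parse_stages(dockerfile)
    final, findings = stages[-1], []
    for base in (s["base"] for s in stages):
        if base != "scratch" and (":" not in base or base.endswith(":latest")):
            findings.append(f"base image {base} is not pinned to a version tag")
    users = [args.split(":")[0] for instr, args in final["instrs"] if instr == "USER"]
    if not users or users[-1] in ("0", "root"):
        findings.append("final stage runs as uid 0 (no non-root USER instruction)")
    if final["base"] == "scratch":
        builds = [a for s in stages for i, a in s["instrs"] if i == "RUN" and "go build" in a]
        if any("CGO_ENABLED=0" not in a for a in builds):
            findings.append("go build without CGO_ENABLED=0 may link libc, which scratch lacks")
    return findings
```

Run audit() over each Dockerfile: the bare scratch image from the first section is reported for having no USER instruction, while the multi-stage one passes cleanly.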

The same approach applies to other image builds as well.
Happy learning!!

Disclaimer

The postings on this site are my own and don't necessarily represent IBM's or other companies' positions, strategies or opinions. All content provided on this blog is for informational purposes and knowledge sharing only.
The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.