From 3e1ab02fa514fd9b086cd4eb1779904d0cc1b6a8 Mon Sep 17 00:00:00 2001
From: Scott Merrill
Date: Sun, 25 Jan 2026 17:36:39 -0500
Subject: [PATCH 1/2] add Dockerfile
---
Dockerfile | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 Dockerfile
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..5e253f5
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+FROM golang:alpine AS builder
+RUN adduser -D -u 1001 appuser
+WORKDIR /app
+COPY . .
+RUN go mod download && go mod verify
+RUN CGO_ENABLED=0 go build -ldflags="-w -s"
+
+#---
+FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/ssl /etc/ssl
+COPY --from=builder /app/Sn /Sn
+USER 1001
+EXPOSE 8080
+ENTRYPOINT ["/Sn"]
From 493bc9cb92691d2e4e5756ea3e18346a5f2af598 Mon Sep 17 00:00:00 2001
From: Scott Merrill
Date: Sat, 27 Jun 2026 18:15:49 -0400
Subject: [PATCH 2/2] build non-root Docker image
---
Dockerfile | 73 ++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 62 insertions(+), 11 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5e253f5..e68ecd5 100644
--- a/Dockerfile
+++ b/Dockerfile
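Review bot: `FROM golang:alpine AS builder` tracks a floating tag, so the Go toolchain and the Alpine base can change underneath this build with no change to the file; pin an explicit Go and Alpine version tag, ideally with a `@sha256:` digest, and bump it deliberately. `COPY --from=builder /etc/passwd /etc/passwd` and `COPY --from=builder /etc/ssl /etc/ssl` also carry the builder's full account list and the entire `/etc/ssl` tree into the scratch image when the runtime only needs the `appuser` line and the CA bundle. The follow-up patch narrows the passwd and certificate copies, but the base-image pin is still missing there.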
@@ -1,15 +1,66 @@
-FROM golang:alpine AS builder
-RUN adduser -D -u 1001 appuser
-WORKDIR /app
+FROM --platform=$BUILDPLATFORM golang:alpine AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
+ENV GONOPROXY="none" \
+ CGO_ENABLED=0 \
+ GOFLAGS="-mod=readonly -trimpath -modcacherw"
+
+# git is needed for go modules, ca-certificates for system CAs.
+RUN apk add --no-cache git ca-certificates && update-ca-certificates
+
+WORKDIR /src
+
+RUN mkdir -p /output
+
+# --- Create Non-Root User ---
+RUN addgroup --gid "1337" app && \
+ adduser --disabled-password --gecos "" --no-create-home --uid 1337 --ingroup app --shell /bin/false app && \
+ cat /etc/passwd | grep app > "/etc/passwd_app" && \
+ cat /etc/group | grep app > "/etc/group_app"
+
+COPY go.mod go.sum /src/
+RUN go mod download
+
+# === CACHE BREAKS HERE ON CODE CHANGE ===
+# --- Copy Source Code ---
 COPY . .
-RUN go mod download && go mod verify
-RUN CGO_ENABLED=0 go build -ldflags="-w -s"
 
-#---
+RUN --mount=type=cache,target=/root/.cache/go-build \
+ --mount=type=cache,target=/go/pkg/mod \
+ GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+ go build -tags timetzdata -buildvcs=false \
+ -ldflags "-s -w" \
+ -o /output/sn
+
 FROM scratch
-COPY --from=builder /etc/passwd /etc/passwd
-COPY --from=builder /etc/ssl /etc/ssl
-COPY --from=builder /app/Sn /Sn
-USER 1001
+
+# Copy minimal user and group files for the non-root user
+# This is necessary because scratch has no users defined
+COPY --from=builder /etc/passwd_app /etc/passwd
+COPY --from=builder /etc/group_app /etc/group
+
+## /server executable
+COPY --from=builder --chown=1337:1337 /output/ /app/
+COPY --from=builder --chown=1337:1337 /etc/ssl/certs/ca-certificates.crt /app/certs/
+
+# Set SSL cert environment variables
+ENV SSL_CERT_DIR="/app/certs" \
+ SSL_CERT_FILE="/app/certs/ca-certificates.crt"
+
+WORKDIR /app
+
+# --- Metadata & Security ---
+LABEL security.read-only-root-filesystem="true" \
+ security.non-root-user="1337" \
+ security.capabilities.drop="ALL"
+
+# Create and switch to non-root user
+USER 1337:1337
+
+# Expose port (documentation only - doesn't actually open ports)
 EXPOSE 8080
-ENTRYPOINT ["/Sn"]
+
+# Use exec form to avoid shell and ensure proper signal handling
+ENTRYPOINT ["/app/sn"]
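Review bot: `COPY --from=builder --chown=1337:1337 /output/ /app/` and the `--chown=1337:1337` on the following CA-bundle copy make the runtime user the owner of both its own executable and its trust store, so a compromised process could rewrite `/app/sn` or append a CA to `/app/certs/ca-certificates.crt` unless the runtime really mounts the root filesystem read-only — the `security.*` LABELs only record that intent, nothing in the image enforces it. Keep both root-owned and merely readable/executable by the user instead: `COPY --from=builder --chmod=0555 /output/ /app/` and `COPY --from=builder --chmod=0444 /etc/ssl/certs/ca-certificates.crt /app/certs/`. In the user-creation step, `cat /etc/passwd | grep app > "/etc/passwd_app"` copies every passwd line containing the substring `app` (and the group step does the same) through a pipeline without pipefail; anchor it as `grep '^app:' /etc/passwd > /etc/passwd_app` and `grep '^app:' /etc/group > /etc/group_app`. The `RUN go mod download` layer runs without the `--mount=type=cache,target=/go/pkg/mod` that the later build step then mounts over that same path, so on a cold cache the build re-downloads the modules regardless; give the download step the same cache mount, and consider restoring the `go mod verify` the previous revision ran so the cached module contents are checked against `go.sum`. `FROM --platform=$BUILDPLATFORM golang:alpine` still tracks a floating tag; pin an explicit Go and Alpine version, ideally with a `@sha256:` digest, so base-image changes are deliberate.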