建立最小的golang容器鏡像

這是一個建立於 的文章，其中的資訊可能已經有所發展或是發生改變。

Create the smallest and secured golang docker image based on scratch

When we are building a docker Image, the first idea is using the default official image.

FROM golangFROM nginxFROM openjdk

There is an official Docker image for Go.

$ docker image listgolang    latest       1c1309ff8e0d        10 days ago         779MB

Ouch 779 MB just for an empty image … this is crazy

There is lightweight Alpine Docker image for Go.

Check the Alpine linux page for more informations.

FROM golang:alpine

This is smaller but too large for a production image with nothing

$ docker image listgolang     alpine      bbab7aea1231        7 weeks ago         269MB

Use Multi-stage builds

Thanks to docker multi-stage builds, we can build our application in a docker alpine image an produce a small image with only a binary in a scratch image.

Use multi-stage builds
Multi-stage builds are a new feature requiring Docker 17.05 or higher on the daemon and client. Multistage builds are…docs.docker.com

OK, it’s time to build a smaller image with multi-stage build

Before that we gonna see docker scratch image, only 2MB image. Perfect for our go static binary.

# STEP 1 build executable binary

FROM golang:alpine as builderCOPY . $GOPATH/src/mypackage/myapp/WORKDIR $GOPATH/src/mypackage/myapp/

#get dependanciesRUN go get -d -v

#build the binaryRUN go build -o /go/bin/hello

# STEP 2 build a small image

# start from scratchFROM scratch

# Copy our static executableCOPY --from=builder /go/bin/hello /go/bin/helloENTRYPOINT ["/go/bin/hello"]

Oh cool only 21.2MB with everything i need for my go app.

$ docker image listhello    latest        bbab7aea1234       3 hours ago         21.2MB

But we can optimize it, by removing debug informations and compile only for linux target and disabling cross compilation.

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags=”-w -s” -o /go/bin/backoffice

Now we have a small image only 13.6MB, almost ready for production

$ docker image listhello    latest        bbab7aea1234       2hours ago         13.6MB

Let’s build a more secure docker image

Just some reminders :

• Run only one process in a container.
• Never run a process as root in a container.
• Never store data in a container, do it in a volume
• Never store credentials in a container, do it in a volume
• Keep your image up to date
• Verify third-party container repositories
• Use tool like docker-security-scanning
• May the force be with you

OK, let’s do that with scratch image.

We have to create a new user on the builder image and copy the /etc/passwd file from the builder to te scratch image. Finally we can use appuser to launch the binary.

# STEP 1 build executable binary

FROM golang:alpine as builder

# Create appuserRUN adduser -D -g '' appuser

COPY . $GOPATH/src/mypackage/myapp/WORKDIR $GOPATH/src/mypackage/myapp/

#get dependanciesRUN go get -d -v

#build the binaryRUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags=”-w -s” -o /go/bin/backoffice

# STEP 2 build a small image

# start from scratchFROM scratch

COPY --from=builder /etc/passwd /etc/passwd# Copy our static executableCOPY --from=builder /go/bin/hello /go/bin/helloUSER appuser

ENTRYPOINT ["/go/bin/hello"]

Always export with port > 1024 as possible

OK, now we have a more secure image. But if we expose our docker with a port < 1024, we need some privileges for that.

OK so let’s expose always our binary with a port > 1024

COPY --from=builder /etc/passwd /etc/passwd# Copy our static executableCOPY --from=builder /go/bin/hello /go/bin/helloUSER appuser

EXPOSE 9292ENTRYPOINT ["/go/bin/hello"]

Add SSL ca certificates

Perfect, but to be secure we need to expose our services with SSL isn’t it ?

By default scratch image is not provided with SSL CA certificates. But with multi-step we can provide it.

# STEP 1 build executable binary

FROM golang:alpine as builder

# Install SSL ca certificatesRUN apk update && apk add git && apk add ca-certificates

# Create appuserRUN adduser -D -g '' appuser

COPY . $GOPATH/src/mypackage/myapp/WORKDIR $GOPATH/src/mypackage/myapp/

#get dependanciesRUN go get -d -v

#build the binaryRUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags=”-w -s” -o /go/bin/backoffice

# STEP 2 build a small image

# start from scratchFROM scratch

COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/COPY --from=builder /etc/passwd /etc/passwd# Copy our static executableCOPY --from=builder /go/bin/hello /go/bin/helloUSER appuser

ENTRYPOINT ["/go/bin/hello"]

If you have any advice about security, please let me know :)