From eaee0fabd17ffb6e3463205423144df328dc95b1 Mon Sep 17 00:00:00 2001 From: Lin Yang Date: Sun, 1 Jan 2023 20:14:48 +0800 Subject: [PATCH] feat: use nonroot distroless as base image of ingress-pipy Signed-off-by: Lin Yang --- dockerfiles/ingress-pipy/Dockerfile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/dockerfiles/ingress-pipy/Dockerfile b/dockerfiles/ingress-pipy/Dockerfile index aa932a0..17f0d9f 100644 --- a/dockerfiles/ingress-pipy/Dockerfile +++ b/dockerfiles/ingress-pipy/Dockerfile @@ -1,6 +1,7 @@ # syntax = docker/dockerfile:1.4 ARG TARGETOS ARG TARGETARCH +ARG DISTROLESS_TAG # Build the ingress-pipy binary FROM --platform=$BUILDPLATFORM golang:1.19-alpine3.15 as builder @@ -21,8 +22,15 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg \ CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH make build/ingress-pipy -FROM flomesh/pipy:0.70.0-46 +# Builder image, pipy +FROM flomesh/pipy:0.70.0-46-nonroot as pipy + +# Build the final image +FROM gcr.io/distroless/base-debian11:$DISTROLESS_TAG WORKDIR / COPY --from=builder /workspace/bin/ingress-pipy . +COPY --from=pipy /usr/local/bin/pipy /usr/local/bin/pipy + +USER 65532:65532 ENTRYPOINT ["/ingress-pipy"]