diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
index 1f488d212..92fda3f40 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -1,9 +1,12 @@
-FROM golang:1.20-alpine3.18 AS builder
-
-RUN apk -U --no-cache add build-base git gcc bash
+# Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
+FROM golang:1.20-bullseye AS builder
 WORKDIR /go/src/github.com/ory/keto
+RUN apt-get update && apt-get upgrade -y &&\
+ mkdir -p /var/lib/sqlite &&\
+ mkdir -p ./internal/httpclient
+
 COPY go.mod go.mod
 COPY go.sum go.sum
@@ -18,30 +21,16 @@
 COPY . .
 RUN go build -buildvcs=false -tags sqlite -o /usr/bin/keto .
-FROM alpine:3.18
-
-RUN addgroup -S ory; \ adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \ chown -R ory:ory /home/ory
+#########################
-RUN apk --no-cache --latest upgrade &&\ apk --no-cache --upgrade --latest add ca-certificates
+FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/keto /usr/bin/keto
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite
-RUN chown ory:ory /var/lib/sqlite
 VOLUME /var/lib/sqlite
-# Exposing the ory home directory to simplify passing in the configuration.
-VOLUME /home/ory
-
 EXPOSE 4466 4467
-USER ory
-
 ENTRYPOINT ["keto"]
-
 CMD ["serve"]
diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
new file mode 100644
index 000000000..2cc2b08c5
--- /dev/null
+++ b/.docker/Dockerfile-distroless-static
@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian11:nonroot
+
+COPY keto /usr/bin/keto
+EXPOSE 4466 4467
+
+ENTRYPOINT ["keto"]
+CMD ["serve"]
diff --git a/.goreleaser.yml b/.goreleaser.yml
index a2c8facf8..f8a3d8570 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
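Review bot: The `# Workaround for …/issues/1342` comment above the new `FROM golang:1.20-bullseye AS builder` line names the issue but not what the workaround is, so a reader cannot tell when it can be reverted; suggest `# Build on bullseye so the cgo (sqlite) binary links against the same glibc as the distroless debian11 runner — see distroless#1342` (the glibc match is inferred from the debian11 runner tag and the `-tags sqlite` build, confirm against the issue). The `apt-get update && apt-get upgrade -y` added to the builder stage also deserves a second look: it makes the build non-reproducible (hadolint DL3005) and none of the upgraded packages reach the runner image, so bumping the `golang:1.20-bullseye` tag or pinning a digest gives the same effect deterministically. If it stays, cleaning up in the same layer with `&& rm -rf /var/lib/apt/lists/*` is the usual form, although it matters little here because the stage is discarded.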
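Review bot: The runner stage drops the explicit `USER ory` and relies on the `:nonroot` tag of `gcr.io/distroless/base-nossl-debian11` for the unprivileged user; that works, but an explicit `USER nonroot` after the two COPY lines keeps the non-root contract visible in this file and satisfies scanners that look for the instruction. The removed `VOLUME /home/ory` and its comment were the documented way to pass configuration in, and the nonroot user's home is a different path, so compose files or docs that mount into `/home/ory` will need updating — inferred, since those files are not in the diff. The new `COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite` line is doing the job the deleted comment explained (pre-creating the mount point with the right owner so the SQLite volume is writable), so restoring that explanation above it would help: `# Pre-created in the builder and copied with --chown so the mounted volume is writable by nonroot, which SQLite requires.`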
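Review bot: `COPY keto /usr/bin/keto` in the new Dockerfile-distroless-static takes a prebuilt binary from the build context, and `static-debian11` ships no libc, so this image only works for a `CGO_ENABLED=0` build, i.e. not the `-tags sqlite` binary that Dockerfile-build produces; a comment stating that constraint and where the binary comes from would prevent a confusing failure at container start, e.g. `# Expects a statically linked keto binary (CGO_ENABLED=0, no sqlite tag) in the build context, as produced by the release build.` As in Dockerfile-build, the non-root user comes only from the `:nonroot` tag, so an explicit `USER nonroot` before `ENTRYPOINT` would make it visible here too. That the binary is supplied by goreleaser is inferred from the `dockerfile_static` variable added in .goreleaser.yml, not from this file.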
@@ -10,4 +10,5 @@ variables:
  buildinfo_hash: "github.com/ory/keto/internal/driver/config.Commit"
  buildinfo_tag: "github.com/ory/keto/internal/driver/config.Version"
  buildinfo_date: "github.com/ory/keto/internal/driver/config.Date"
- dockerfile: ".docker/Dockerfile-alpine"
+ dockerfile_alpine: ".docker/Dockerfile-alpine"
+ dockerfile_static: ".docker/Dockerfile-distroless-static"
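Review bot: Renaming `dockerfile` to `dockerfile_alpine` breaks any `{{ .Var.dockerfile }}` reference elsewhere in .goreleaser.yml unless the dockers entries were updated in the same commit; that part of the file is outside the diff, so please confirm. The new `dockerfile_static` entry points at the distroless-static image, which has no libc, so the build it is paired with must be a `CGO_ENABLED=0` build without the sqlite tag — inferred from the Dockerfiles in this commit, confirm against the builds section.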