docker: added distroless image

.github/workflows/docker.yml

@@ -21,6 +21,7 @@ jobs:
         docker_pkg:
           - debian
           - alpine
+          - distroless
         optional_deps:
           - true
           - false
@@ -65,7 +66,10 @@ jobs:
             VERSION_SLIM="${VERSION}-slim"
             DOCKERFILE=Dockerfile.alpine
           fi
-
+          if [[ $DOCKER_PKG == distroless ]]; then
+            VERSION_SLIM="${VERSION}-distroless-slim"
+            DOCKERFILE=Dockerfile.distroless
+          fi
           DOCKER_IMAGES=("drakkan/sftpgo" "ghcr.io/drakkan/sftpgo")
           TAGS="${DOCKER_IMAGES[0]}:${VERSION}"
           TAGS_SLIM="${DOCKER_IMAGES[0]}:${VERSION_SLIM}"
@@ -83,6 +87,11 @@ jobs:
                 fi
                 TAGS="${TAGS},${DOCKER_IMAGE}:latest"
                 TAGS_SLIM="${TAGS_SLIM},${DOCKER_IMAGE}:slim"
+              elif [[ $DOCKER_PKG == distroless ]]; then
+                if [[ -n $MAJOR && -n $MINOR ]]; then
+                  TAGS_SLIM="${TAGS_SLIM},${DOCKER_IMAGE}:${MINOR}-distroless-slim,${DOCKER_IMAGE}:${MAJOR}-distroless-slim"
+                fi
+                TAGS_SLIM="${TAGS_SLIM},${DOCKER_IMAGE}:slim"
               else
                 if [[ -n $MAJOR && -n $MINOR ]]; then
                   TAGS="${TAGS},${DOCKER_IMAGE}:${MINOR}-alpine,${DOCKER_IMAGE}:${MAJOR}-alpine"
@@ -95,9 +104,14 @@ jobs:
           done
 
           if [[ $OPTIONAL_DEPS == true ]]; then
-            echo ::set-output name=version::${VERSION}
-            echo ::set-output name=tags::${TAGS}
-            echo ::set-output name=full::true
+            if [[ $DOCKER_PKG != distroless ]]; then
+              echo ::set-output name=version::${VERSION}
+              echo ::set-output name=tags::${TAGS}
+              echo ::set-output name=full::true
+            else
+              # skip for distroless no slim
+              echo ::set-output name=skip_build_and_push_step::true
+            fi
           else
             echo ::set-output name=version::${VERSION_SLIM}
             echo ::set-output name=tags::${TAGS_SLIM}
@@ -154,3 +168,5 @@ jobs:
             org.opencontainers.image.created=${{ steps.info.outputs.created }}
             org.opencontainers.image.revision=${{ github.sha }}
             org.opencontainers.image.licenses=${{ fromJson(steps.repo.outputs.result).license.spdx_id }}
+        # skip for distroless no slim
+        if: ${{ steps.info.outputs.skip_build_and_push_step != 'true' }}

Dockerfile.distroless

@@ -0,0 +1,55 @@
+FROM golang:1.17-bullseye as builder
+
+ENV CGO_ENABLED=0 GOFLAGS="-mod=readonly"
+
+RUN mkdir -p /workspace
+WORKDIR /workspace
+
+ARG GOPROXY
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+ARG COMMIT_SHA
+
+# This ARG allows to disable some optional features and it might be useful if you build the image yourself.
+# For example you can disable S3 and GCS support like this:
+# --build-arg FEATURES=nos3,nogcs
+ARG FEATURES=nosqlite
+
+COPY . .
+
+RUN set -xe && \
+    export COMMIT_SHA=${COMMIT_SHA:-$(git describe --always --dirty)} && \
+    go build $(if [ -n "${FEATURES}" ]; then echo "-tags ${FEATURES}"; fi) -trimpath -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/version.commit=${COMMIT_SHA} -X github.com/drakkan/sftpgo/v2/version.date=`date -u +%FT%TZ`" -v -o sftpgo
+
+# Modify the default configuration file
+RUN sed -i "s|\"users_base_dir\": \"\",|\"users_base_dir\": \"/srv/sftpgo/data\",|" sftpgo.json && \
+    sed -i "s|\"backups\"|\"/srv/sftpgo/backups\"|" sftpgo.json && \
+    sed -i "s|\"sqlite\"|\"bolt\"|" sftpgo.json
+
+RUN apt-get update && apt-get install --no-install-recommends -y mime-support && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /etc/sftpgo /var/lib/sftpgo /srv/sftpgo
+
+FROM gcr.io/distroless/static-debian11
+
+COPY --from=builder --chown=1000:1000 /etc/sftpgo /etc/sftpgo
+COPY --from=builder --chown=1000:1000 /srv/sftpgo /srv/sftpgo
+COPY --from=builder --chown=1000:1000 /var/lib/sftpgo /var/lib/sftpgo
+COPY --from=builder --chown=1000:1000 /workspace/sftpgo.json /etc/sftpgo/sftpgo.json
+COPY --from=builder /workspace/templates /usr/share/sftpgo/templates
+COPY --from=builder /workspace/static /usr/share/sftpgo/static
+COPY --from=builder /workspace/sftpgo /usr/local/bin/
+COPY --from=builder /etc/mime.types /etc/mime.types
+
+# Log to the stdout so the logs will be available using docker logs
+ENV SFTPGO_LOG_FILE_PATH=""
+# templates and static paths are inside the container
+ENV SFTPGO_HTTPD__TEMPLATES_PATH=/usr/share/sftpgo/templates
+ENV SFTPGO_HTTPD__STATIC_FILES_PATH=/usr/share/sftpgo/static
+
+WORKDIR /var/lib/sftpgo
+USER 1000:1000
+
+CMD ["sftpgo", "serve"]

docker/README.md

@@ -12,6 +12,7 @@ SFTPGo provides an official Docker image, it is available on both [Docker Hub](h
 - [edge-alpine](../Dockerfile.alpine)
 - [edge-slim](../Dockerfile)
 - [edge-alpine-slim](../Dockerfile.alpine)
+- [edge-distroless-slim](../Dockerfile.distroless)
 
 ## How to use the SFTPGo image
 
@@ -87,6 +88,8 @@ The logs are available through Docker's container log:
 docker logs some-sftpgo
 ```
 
+**Note:** [distroless](../Dockerfile.distroless) image contains only application and its runtime dependencies. Shell access is not available on this image.
+
 ### Where to Store Data
 
 Important note: There are several ways to store data used by applications that run in Docker containers. We encourage users of the SFTPGo images to familiarize themselves with the options available, including:
@@ -166,6 +169,8 @@ RUN chown -R 1100:1100 /etc/sftpgo && chown 1100:1100 /var/lib/sftpgo /srv/sftpg
 USER 1100:1100
 ```
 
+**Note:** the above Dockerfile will not work for [distroless](../Dockerfile.distroless) image since the `chown` command is not available there.
+
 ## Image Variants
 
 The `sftpgo` images comes in many flavors, each designed for a specific use case. The `edge` and `edge-alpine`tags are updated after each new commit.
@@ -180,6 +185,14 @@ This image is based on the popular [Alpine Linux project](https://alpinelinux.or
 
 This variant is highly recommended when final image size being as small as possible is desired. The main caveat to note is that it does use [musl libc](https://musl.libc.org/) instead of [glibc and friends](https://www.etalabs.net/compare_libcs.html), so certain software might run into issues depending on the depth of their libc requirements. However, most software doesn't have an issue with this, so this variant is usually a very safe choice. See [this Hacker News comment thread](https://news.ycombinator.com/item?id=10782897) for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.
 
+### `sftpgo:<version>-distroless`
+
+This image is based on the popular [Distroless project](https://github.com/GoogleContainerTools/distroless). We use the latest Debian based distroless image as base.
+
+Distroless image contains only application and its runtime dependencies and so it doesn't allow shell access (no shell is installed).
+SQLite support is disabled since it requires CGO and so a C runtime. We use a statically linked SFTPGo binary here.
+The default data-provider is `bolt`, all the supported data providers expect `sqlite` work.
+
 ### `sftpgo:<suite>-slim`
 
 These tags provide a slimmer image that does not include the optional `git` and `rsync` dependencies.