docker: added distroless image

2024-11-21 15:10:23 +00:00 · 2021-09-06 19:10:28 +02:00 · 2021-09-06 19:10:28 +02:00 · c106498dd8
commit c106498dd8
parent 7bad65a43e
3 changed files with 88 additions and 4 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -21,6 +21,7 @@ jobs:
        docker_pkg:
          - debian
          - alpine
+          - distroless
        optional_deps:
          - true
          - false
@ -65,7 +66,10 @@ jobs:
            VERSION_SLIM="${VERSION}-slim"
            DOCKERFILE=Dockerfile.alpine
          fi
-
+          if [[ $DOCKER_PKG == distroless ]]; then
+            VERSION_SLIM="${VERSION}-distroless-slim"
+            DOCKERFILE=Dockerfile.distroless
+          fi
          DOCKER_IMAGES=("drakkan/sftpgo" "ghcr.io/drakkan/sftpgo")
          TAGS="${DOCKER_IMAGES[0]}:${VERSION}"
          TAGS_SLIM="${DOCKER_IMAGES[0]}:${VERSION_SLIM}"
@ -83,6 +87,11 @@ jobs:
                fi
                TAGS="${TAGS},${DOCKER_IMAGE}:latest"
                TAGS_SLIM="${TAGS_SLIM},${DOCKER_IMAGE}:slim"
+              elif [[ $DOCKER_PKG == distroless ]]; then
+                if [[ -n $MAJOR && -n $MINOR ]]; then
+                  TAGS_SLIM="${TAGS_SLIM},${DOCKER_IMAGE}:${MINOR}-distroless-slim,${DOCKER_IMAGE}:${MAJOR}-distroless-slim"
+                fi
+                TAGS_SLIM="${TAGS_SLIM},${DOCKER_IMAGE}:slim"
              else
                if [[ -n $MAJOR && -n $MINOR ]]; then
                  TAGS="${TAGS},${DOCKER_IMAGE}:${MINOR}-alpine,${DOCKER_IMAGE}:${MAJOR}-alpine"
@ -95,9 +104,14 @@ jobs:
          done

          if [[ $OPTIONAL_DEPS == true ]]; then
-            echo ::set-output name=version::${VERSION}
-            echo ::set-output name=tags::${TAGS}
-            echo ::set-output name=full::true
+            if [[ $DOCKER_PKG != distroless ]]; then
+              echo ::set-output name=version::${VERSION}
+              echo ::set-output name=tags::${TAGS}
+              echo ::set-output name=full::true
+            else
+              # skip for distroless no slim
+              echo ::set-output name=skip_build_and_push_step::true
+            fi
          else
            echo ::set-output name=version::${VERSION_SLIM}
            echo ::set-output name=tags::${TAGS_SLIM}
@ -154,3 +168,5 @@ jobs:
            org.opencontainers.image.created=${{ steps.info.outputs.created }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.licenses=${{ fromJson(steps.repo.outputs.result).license.spdx_id }}
+        # skip for distroless no slim
+        if: ${{ steps.info.outputs.skip_build_and_push_step != 'true' }}
--- a/Dockerfile.distroless
+++ b/Dockerfile.distroless
@ -0,0 +1,55 @@
+FROM golang:1.17-bullseye as builder
+
+ENV CGO_ENABLED=0 GOFLAGS="-mod=readonly"
+
+RUN mkdir -p /workspace
+WORKDIR /workspace
+
+ARG GOPROXY
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+ARG COMMIT_SHA
+
+# This ARG allows to disable some optional features and it might be useful if you build the image yourself.
+# For example you can disable S3 and GCS support like this:
+# --build-arg FEATURES=nos3,nogcs
+ARG FEATURES=nosqlite
+
+COPY . .
+
+RUN set -xe && \
+    export COMMIT_SHA=${COMMIT_SHA:-$(git describe --always --dirty)} && \
+    go build $(if [ -n "${FEATURES}" ]; then echo "-tags ${FEATURES}"; fi) -trimpath -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/version.commit=${COMMIT_SHA} -X github.com/drakkan/sftpgo/v2/version.date=`date -u +%FT%TZ`" -v -o sftpgo
+
+# Modify the default configuration file
+RUN sed -i "s|\"users_base_dir\": \"\",|\"users_base_dir\": \"/srv/sftpgo/data\",|" sftpgo.json && \
+    sed -i "s|\"backups\"|\"/srv/sftpgo/backups\"|" sftpgo.json && \
+    sed -i "s|\"sqlite\"|\"bolt\"|" sftpgo.json
+
+RUN apt-get update && apt-get install --no-install-recommends -y mime-support && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /etc/sftpgo /var/lib/sftpgo /srv/sftpgo
+
+FROM gcr.io/distroless/static-debian11
+
+COPY --from=builder --chown=1000:1000 /etc/sftpgo /etc/sftpgo
+COPY --from=builder --chown=1000:1000 /srv/sftpgo /srv/sftpgo
+COPY --from=builder --chown=1000:1000 /var/lib/sftpgo /var/lib/sftpgo
+COPY --from=builder --chown=1000:1000 /workspace/sftpgo.json /etc/sftpgo/sftpgo.json
+COPY --from=builder /workspace/templates /usr/share/sftpgo/templates
+COPY --from=builder /workspace/static /usr/share/sftpgo/static
+COPY --from=builder /workspace/sftpgo /usr/local/bin/
+COPY --from=builder /etc/mime.types /etc/mime.types
+
+# Log to the stdout so the logs will be available using docker logs
+ENV SFTPGO_LOG_FILE_PATH=""
+# templates and static paths are inside the container
+ENV SFTPGO_HTTPD__TEMPLATES_PATH=/usr/share/sftpgo/templates
+ENV SFTPGO_HTTPD__STATIC_FILES_PATH=/usr/share/sftpgo/static
+
+WORKDIR /var/lib/sftpgo
+USER 1000:1000
+
+CMD ["sftpgo", "serve"]
--- a/docker/README.md
+++ b/docker/README.md
@ -12,6 +12,7 @@ SFTPGo provides an official Docker image, it is available on both [Docker Hub](h
 - [edge-alpine](../Dockerfile.alpine)
 - [edge-slim](../Dockerfile)
 - [edge-alpine-slim](../Dockerfile.alpine)
+- [edge-distroless-slim](../Dockerfile.distroless)

 ## How to use the SFTPGo image

@ -87,6 +88,8 @@ The logs are available through Docker's container log:
 docker logs some-sftpgo
 ```

+**Note:** [distroless](../Dockerfile.distroless) image contains only application and its runtime dependencies. Shell access is not available on this image.
+
 ### Where to Store Data

 Important note: There are several ways to store data used by applications that run in Docker containers. We encourage users of the SFTPGo images to familiarize themselves with the options available, including:
@ -166,6 +169,8 @@ RUN chown -R 1100:1100 /etc/sftpgo && chown 1100:1100 /var/lib/sftpgo /srv/sftpg
 USER 1100:1100
 ```

+**Note:** the above Dockerfile will not work for [distroless](../Dockerfile.distroless) image since the `chown` command is not available there.
+
 ## Image Variants

 The `sftpgo` images comes in many flavors, each designed for a specific use case. The `edge` and `edge-alpine`tags are updated after each new commit.
@ -180,6 +185,14 @@ This image is based on the popular [Alpine Linux project](https://alpinelinux.or

 This variant is highly recommended when final image size being as small as possible is desired. The main caveat to note is that it does use [musl libc](https://musl.libc.org/) instead of [glibc and friends](https://www.etalabs.net/compare_libcs.html), so certain software might run into issues depending on the depth of their libc requirements. However, most software doesn't have an issue with this, so this variant is usually a very safe choice. See [this Hacker News comment thread](https://news.ycombinator.com/item?id=10782897) for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.

+### `sftpgo:<version>-distroless`
+
+This image is based on the popular [Distroless project](https://github.com/GoogleContainerTools/distroless). We use the latest Debian based distroless image as base.
+
+Distroless image contains only application and its runtime dependencies and so it doesn't allow shell access (no shell is installed).
+SQLite support is disabled since it requires CGO and so a C runtime. We use a statically linked SFTPGo binary here.
+The default data-provider is `bolt`, all the supported data providers expect `sqlite` work.
+
 ### `sftpgo:<suite>-slim`

 These tags provide a slimmer image that does not include the optional `git` and `rsync` dependencies.