feat: add distroless #1348

Merged
merged 4 commits into from
Jun 29, 2023
28 changes: 8 additions & 20 deletions .docker/Dockerfile-build
@@ -1,9 +1,11 @@
FROM golang:1.20-alpine3.18 AS builder

RUN apk -U --no-cache add build-base git gcc bash
FROM golang:1.20 AS builder

WORKDIR /go/src/github.com/ory/keto

RUN apt-get update && apt-get upgrade -y &&\
mkdir -p /var/lib/sqlite &&\
mkdir -p ./internal/httpclient

COPY go.mod go.mod
COPY go.sum go.sum
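Review bot: the `mkdir -p /var/lib/sqlite` in the builder stage needs a comment explaining why a runtime directory is created in a stage that is otherwise thrown away: the distroless runner introduced further down has no shell, so the directory cannot be created there and is instead carried across with `COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite`. Without that note the line reads as a leftover and is likely to be "cleaned up" later. Separately, `apt-get update && apt-get upgrade -y` in a discarded builder stage does nothing for the final image and makes the build non-reproducible from one run to the next; either drop it or, if it is kept to patch the toolchain, at least append `rm -rf /var/lib/apt/lists/*` so the layer does not carry the package indexes.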

@@ -18,30 +20,16 @@ COPY . .

RUN go build -buildvcs=false -tags sqlite -o /usr/bin/keto .

FROM alpine:3.18

RUN addgroup -S ory; \
adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \
chown -R ory:ory /home/ory
#########################

RUN apk --no-cache --latest upgrade &&\
apk --no-cache --upgrade --latest add ca-certificates
FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner
Member

Does this come with CGO? We need it for SQLite

COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
COPY --from=builder /usr/bin/keto /usr/bin/keto

# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
# is required for read/write of SQLite.
RUN mkdir -p /var/lib/sqlite
RUN chown ory:ory /var/lib/sqlite
VOLUME /var/lib/sqlite

# Exposing the ory home directory to simplify passing in the configuration.
VOLUME /home/ory

EXPOSE 4466 4467

USER ory

ENTRYPOINT ["keto"]

CMD ["serve"]
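Review bot: with `USER ory` removed, running as non-root now depends entirely on the `:nonroot` suffix of the base image tag; an explicit `USER nonroot` after the two `COPY` lines would make the intent self-documenting and survive a later change of base tag. Two behavioural changes in this hunk should also be stated in the PR description or docs: `VOLUME /home/ory` and its comment are gone, so anyone who mounted configuration into `/home/ory` needs a new path (the `nonroot` user's home is not `/home/ory`), and `ca-certificates` is no longer installed explicitly, so outbound TLS now relies on whatever CA bundle the distroless base ships; worth confirming that `base-nossl-debian11` includes it. On the inline question about CGO: the `base` family of distroless images, unlike `static`, ships a libc, so a CGO build with the `sqlite` tag should link against it; it would be good to state in a comment that this is the reason `base-nossl` rather than `static` was chosen here.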
8 changes: 8 additions & 0 deletions .docker/Dockerfile-distroless-static
@@ -0,0 +1,8 @@
FROM gcr.io/distroless/static-debian11:nonroot

COPY keto /usr/bin/keto
Collaborator

What is this image being used for? How will the keto binary be built? In this case it needs to be for linux-x86 with CGO=0. Will this be guaranteed?

# Declare the standard ports used by keto (4433 for read service endpoint, 4434 for write service endpoint)
EXPOSE 4433 4434

ENTRYPOINT ["keto"]
CMD ["serve"]
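Review bot: `EXPOSE 4433 4434` and the comment above it disagree with `.docker/Dockerfile-build` in this same PR, which exposes `4466 4467`; one of the two is wrong and the read/write port numbers in the comment should be brought in line with the other Dockerfile. Also, as the inline question points out, a `static` base has no libc, so `COPY keto /usr/bin/keto` only works for a binary built with `CGO_ENABLED=0`, and since the comment on the other Dockerfile says SQLite needs CGO, this image cannot carry the `sqlite` build tag. A header comment stating that this Dockerfile expects a static, CGO-free binary from the release pipeline (and therefore ships without SQLite support) would stop someone from copying the CGO build into it and getting an image that fails at exec time.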
3 changes: 2 additions & 1 deletion .goreleaser.yml
@@ -10,4 +10,5 @@ variables:
buildinfo_hash: "github.com/ory/keto/internal/driver/config.Commit"
buildinfo_tag: "github.com/ory/keto/internal/driver/config.Version"
buildinfo_date: "github.com/ory/keto/internal/driver/config.Date"
dockerfile: ".docker/Dockerfile-alpine"
dockerfile_alpine: ".docker/Dockerfile-alpine"
dockerfile_static: ".docker/Dockerfile-distroless-static"
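Review bot: renaming the `dockerfile` variable to `dockerfile_alpine` changes a key that templates elsewhere in this file may still reference as `{{ .Var.dockerfile }}`; such a reference would now resolve to an empty string and the docker build would likely fall back to a default `Dockerfile` rather than failing loudly. The hunk only shows the `variables:` block, so the `dockers:` entries that consume `dockerfile_alpine` and the new `dockerfile_static` should be part of this change as well, otherwise the new variable is defined but unused and the static image is never built.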