# Builder stage: only used to mint the non-root account and a writable tmp dir.
# golang:1.18.0-buster amd64
FROM golang@sha256:7d39537344486528f8cdb3bd8adb98ab7f0f4236044b6944fed8631da35a4ce5 AS build
WORKDIR /go/src/app

# Unprivileged account the final image runs as (fixed UID so the runtime can
# verify it is non-root).
# See https://stackoverflow.com/a/55757473/12429735
ENV USER=appuser \
    UID=10001
RUN adduser \
        --disabled-password \
        --gecos "" \
        --shell "/sbin/nologin" \
        --no-create-home \
        --uid "${UID}" \
        "${USER}"

# Staging directory that becomes /tmp of the scratch image. It is created here
# (world-writable, 0777, no sticky bit) because scratch has no /tmp at all.
RUN mkdir /temporary-tmp-directory && chmod 777 /temporary-tmp-directory

###############################################################################
# Final stage: empty root filesystem plus only what govc needs at runtime.
FROM scratch

# CA bundle so govc can validate TLS endpoints.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Account database needed by USER below.
# NOTE(review): the builder's complete passwd and group files are copied, not
# just the appuser entries, so every builder account name ends up in the image.
COPY --from=build /etc/passwd /etc/group /etc/

# /tmp for Go's temp-dir lookup; --chown resolves "appuser" through the
# passwd file copied in the previous step.
COPY --chown=appuser --from=build /temporary-tmp-directory /tmp

# The govc binary is built outside this Dockerfile and supplied in the context.
COPY govc /govc

# Drop privileges for everything that runs from here on.
USER appuser:appuser

# govc keeps its session cache here; /tmp is the directory prepared above.
ENV GOVMOMI_HOME=/tmp

# Default process; arguments can be overridden at `docker run`.
CMD ["/govc"]