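# Dockerfile.vcsim (govmomi v0.43.0)
#
# Produces a minimal, non-root image for the vcsim binary. The binary itself is
# built outside this Dockerfile and COPY'd in near the end; the builder stage
# exists only to source a CA bundle, an unprivileged user and a tmp directory
# for the otherwise empty (scratch) final image.

###############################################################################
# Builder stage
# golang:1.18.0-buster amd64, pinned by digest for reproducibility
FROM golang@sha256:7d39537344486528f8cdb3bd8adb98ab7f0f4236044b6944fed8631da35a4ce5 AS build
WORKDIR /go/src/app

# Build-time-only values. ARG rather than ENV so they never become part of an
# image environment. Note: the final stage references "appuser" by name, so
# overriding USER via --build-arg also requires updating those references.
ARG USER=appuser
ARG UID=10001

# Create an unprivileged user with a fixed numeric UID (lets runtimes such as
# Kubernetes runAsNonRoot verify the container is non-root). No home directory,
# no login shell, no password.
# See https://stackoverflow.com/a/55757473/12429735
RUN adduser \
    --disabled-password \
    --gecos "" \
    --home "/nonexistent" \
    --shell "/sbin/nologin" \
    --no-create-home \
    --uid "${UID}" \
    "${USER}"

# Pre-create the directory that becomes /tmp in the final image: scratch has
# no /tmp, and golang/os.TempDir expects one. Mode 1777 (world-writable plus
# sticky bit) is the conventional mode for a shared tmp: entries can only be
# removed by their owner, so nothing else can tamper with files vcsim creates.
RUN mkdir /temporary-tmp-directory && chmod 1777 /temporary-tmp-directory

###############################################################################
# Final stage: empty base, so only what is copied below exists in the image
FROM scratch

# CA bundle from the builder so vcsim can validate TLS peers with current roots
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# User/group database from the builder so "appuser" resolves for the --chown
# and USER directives below, and for the runtime. Copied before either
# references the name.
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group

# Writable scratch space for golang/os.TempDir, owned by the runtime user
COPY --chown=appuser --from=build /temporary-tmp-directory /tmp

# Everything from here on, including the running process, is non-root
USER appuser:appuser

# Documentation only (does not publish): the port vcsim listens on per CMD
EXPOSE 8989

# Application binary built outside this Dockerfile. No --chown on purpose:
# the runtime user should not own the code it executes.
COPY vcsim /vcsim

# Exec form: vcsim runs as PID 1 and receives SIGTERM from `docker stop`.
# CMD holds the default arguments so `docker run <image> <args>` can override
# them without replacing the entrypoint.
ENTRYPOINT [ "/vcsim" ]
CMD ["-l", "0.0.0.0:8989"]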