Image build

1. 介绍

2. 多阶段镜像构建

root@master:~/cks/image_footprint# cat Dockerfile 
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go
CMD ["./app"]



root@master:~/cks/image_footprint# cat app.go 
package main

import (
    "fmt"
    "time"
    "os/user"
)

func main () {
    user, err := user.Current()
    if err != nil {
        panic(err)
    }

    for {
        fmt.Println("user: " + user.Username + " id: " + user.Uid)
        time.Sleep(1 * time.Second)
    }
}

root@master:~/cks/image_footprint# docker  build  -t app .

如果报错Docker build “Could not resolve ‘archive.ubuntu.com’” apt-get fails to install anything 执行

root@master:~/cks/image_footprint# docker  build --network=host -t app .
....
....
Step 4/6 : COPY app.go .
 ---> 3e1402a9aa76
Step 5/6 : RUN CGO_ENABLED=0 go build app.go
 ---> Running in 40d3a61c48c1
Removing intermediate container 40d3a61c48c1
 ---> badcd4b100b5
Step 6/6 : CMD ["./app"]
 ---> Running in 90bf3a7cd05b
Removing intermediate container 90bf3a7cd05b
 ---> 847a0ea160db
Successfully built 847a0ea160db
Successfully tagged app:latest




root@master:~/cks/image_footprint# docker run app
user: root id: 0
user: root id: 0
user: root id: 0
user: root id: 0
^Cuser: root id: 0


root@master:~/cks/image_footprint# docker images  |grep app
app                                    latest              5acf9df3a2ee        About a minute ago   678MB


#利用上一个镜像构建下一个镜像
root@node1:~/cks/image_footprint# cat Dockerfile 
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go


FROM alpine
COPY --from=0 /app .
CMD ["./app"]


oot@node1:~/cks/image_footprint# docker  build --network=host -t app .
Sending build context to Docker daemon  3.072kB
Step 1/8 : FROM ubuntu
 ---> 7e0aa2d69a15
Step 2/8 : ARG DEBIAN_FRONTEND=noninteractive
 ---> Using cache
 ---> ca181f94a1d8
Step 3/8 : RUN apt-get update && apt-get install -y golang-go
 ---> Using cache
 ---> 2b8ae7feb9d3
Step 4/8 : COPY app.go .
 ---> Using cache
 ---> 2bfae84136e8
Step 5/8 : RUN CGO_ENABLED=0 go build app.go
 ---> Using cache
 ---> 396e81b07b04
Step 6/8 : FROM alpine
latest: Pulling from library/alpine
540db60ca938: Pull complete 
Digest: sha256:69e70a79f2d41ab5d637de98c1e0b055206ba40a8145e7bddb55ccc04e13cf8f
Status: Downloaded newer image for alpine:latest
 ---> 6dbb9cc54074
Step 7/8 : COPY --from=0 /app .
 ---> 82a88cf8bdaa
Step 8/8 : CMD ["./app"]
 ---> Running in 4bfb018ccea7
Removing intermediate container 4bfb018ccea7
 ---> 3a81c4f3f3dc
Successfully built 3a81c4f3f3dc
Successfully tagged app:latest

功能正常
root@node1:~/cks/image_footprint# docker run app
user: root id: 0
user: root id: 0
user: root id: 0
user: root id: 0

#镜像变得超级小了
^Croot@node1:~/cks/image_footprint# docker images |grep app
app                                                                            latest              3a81c4f3f3dc        16 hours ago        7.75MB

3. 安全加固

# 1. 修改镜像版本
# build container stage 1
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.11.6
COPY --from=0 /app .
CMD ["./app"]

# 2. 非roo用户执行
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]

# 3.配置只读文件
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN chmod a-w /etc
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]

# 4. 禁用shell相关命令
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
RUN rm -rf /bin/*
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]

更多细节链接: docker build与Dockerfile

上一页Open Policy Agent (OPA)下一页Image Vulnerability Scanning(Trivy)

最后更新于3年前

root@master:~/cks/image_footprint# cat Dockerfile FROM ubuntu ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y golang-go COPY app.go . RUN CGO_ENABLED=0 go build app.go CMD ["./app"] root@master:~/cks/image_footprint# cat app.go package main import ( "fmt" "time" "os/user" ) func main () { user, err := user.Current() if err != nil { panic(err) } for { fmt.Println("user: " + user.Username + " id: " + user.Uid) time.Sleep(1 * time.Second) } }

root@master:~/cks/image_footprint# docker build --network=host -t app . .... .... Step 4/6 : COPY app.go . ---> 3e1402a9aa76 Step 5/6 : RUN CGO_ENABLED=0 go build app.go ---> Running in 40d3a61c48c1 Removing intermediate container 40d3a61c48c1 ---> badcd4b100b5 Step 6/6 : CMD ["./app"] ---> Running in 90bf3a7cd05b Removing intermediate container 90bf3a7cd05b ---> 847a0ea160db Successfully built 847a0ea160db Successfully tagged app:latest root@master:~/cks/image_footprint# docker run app user: root id: 0 user: root id: 0 user: root id: 0 user: root id: 0 ^Cuser: root id: 0 root@master:~/cks/image_footprint# docker images |grep app app latest 5acf9df3a2ee About a minute ago 678MB #利用上一个镜像构建下一个镜像 root@node1:~/cks/image_footprint# cat Dockerfile FROM ubuntu ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y golang-go COPY app.go . RUN CGO_ENABLED=0 go build app.go FROM alpine COPY --from=0 /app . CMD ["./app"] oot@node1:~/cks/image_footprint# docker build --network=host -t app . Sending build context to Docker daemon 3.072kB Step 1/8 : FROM ubuntu ---> 7e0aa2d69a15 Step 2/8 : ARG DEBIAN_FRONTEND=noninteractive ---> Using cache ---> ca181f94a1d8 Step 3/8 : RUN apt-get update && apt-get install -y golang-go ---> Using cache ---> 2b8ae7feb9d3 Step 4/8 : COPY app.go . ---> Using cache ---> 2bfae84136e8 Step 5/8 : RUN CGO_ENABLED=0 go build app.go ---> Using cache ---> 396e81b07b04 Step 6/8 : FROM alpine latest: Pulling from library/alpine 540db60ca938: Pull complete Digest: sha256:69e70a79f2d41ab5d637de98c1e0b055206ba40a8145e7bddb55ccc04e13cf8f Status: Downloaded newer image for alpine:latest ---> 6dbb9cc54074 Step 7/8 : COPY --from=0 /app . ---> 82a88cf8bdaa Step 8/8 : CMD ["./app"] ---> Running in 4bfb018ccea7 Removing intermediate container 4bfb018ccea7 ---> 3a81c4f3f3dc Successfully built 3a81c4f3f3dc Successfully tagged app:latest 功能正常 root@node1:~/cks/image_footprint# docker run app user: root id: 0 user: root id: 0 user: root id: 0 user: root id: 0 #镜像变得超级小了 ^Croot@node1:~/cks/image_footprint# docker images |grep app app latest 3a81c4f3f3dc 16 hours ago 7.75MB

# 1. 修改镜像版本 # build container stage 1 FROM ubuntu ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y golang-go COPY app.go . RUN CGO_ENABLED=0 go build app.go # app container stage 2 FROM alpine:3.11.6 COPY --from=0 /app . CMD ["./app"]

# 2. 非roo用户执行 # build container stage 1 FROM ubuntu:20.04 ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2 COPY app.go . RUN pwd RUN CGO_ENABLED=0 go build app.go # app container stage 2 FROM alpine:3.12.0 RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser COPY --from=0 /app /home/appuser/ USER appuser CMD ["/home/appuser/app"]

# 3.配置只读文件 # build container stage 1 FROM ubuntu:20.04 ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2 COPY app.go . RUN pwd RUN CGO_ENABLED=0 go build app.go # app container stage 2 FROM alpine:3.12.0 RUN chmod a-w /etc RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser COPY --from=0 /app /home/appuser/ USER appuser CMD ["/home/appuser/app"]

# 4. 禁用shell相关命令 # build container stage 1 FROM ubuntu:20.04 ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2 COPY app.go . RUN pwd RUN CGO_ENABLED=0 go build app.go # app container stage 2 FROM alpine:3.12.0 RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser RUN rm -rf /bin/* COPY --from=0 /app /home/appuser/ USER appuser CMD ["/home/appuser/app"]