Image build

1. 介绍

2. 多阶段镜像构建

root@master:~/cks/image_footprint# cat Dockerfile 
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go
CMD ["./app"]



root@master:~/cks/image_footprint# cat app.go 
package main

import (
    "fmt"
    "time"
    "os/user"
)

func main () {
    user, err := user.Current()
    if err != nil {
        panic(err)
    }

    for {
        fmt.Println("user: " + user.Username + " id: " + user.Uid)
        time.Sleep(1 * time.Second)
    }
}

root@master:~/cks/image_footprint# docker  build  -t app .

如果报错Docker build “Could not resolve ‘archive.ubuntu.com’” apt-get fails to install anything 执行

root@master:~/cks/image_footprint# docker  build --network=host -t app .
....
....
Step 4/6 : COPY app.go .
 ---> 3e1402a9aa76
Step 5/6 : RUN CGO_ENABLED=0 go build app.go
 ---> Running in 40d3a61c48c1
Removing intermediate container 40d3a61c48c1
 ---> badcd4b100b5
Step 6/6 : CMD ["./app"]
 ---> Running in 90bf3a7cd05b
Removing intermediate container 90bf3a7cd05b
 ---> 847a0ea160db
Successfully built 847a0ea160db
Successfully tagged app:latest




root@master:~/cks/image_footprint# docker run app
user: root id: 0
user: root id: 0
user: root id: 0
user: root id: 0
^Cuser: root id: 0


root@master:~/cks/image_footprint# docker images  |grep app
app                                    latest              5acf9df3a2ee        About a minute ago   678MB


#利用上一个镜像构建下一个镜像
root@node1:~/cks/image_footprint# cat Dockerfile 
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go


FROM alpine
COPY --from=0 /app .
CMD ["./app"]


oot@node1:~/cks/image_footprint# docker  build --network=host -t app .
Sending build context to Docker daemon  3.072kB
Step 1/8 : FROM ubuntu
 ---> 7e0aa2d69a15
Step 2/8 : ARG DEBIAN_FRONTEND=noninteractive
 ---> Using cache
 ---> ca181f94a1d8
Step 3/8 : RUN apt-get update && apt-get install -y golang-go
 ---> Using cache
 ---> 2b8ae7feb9d3
Step 4/8 : COPY app.go .
 ---> Using cache
 ---> 2bfae84136e8
Step 5/8 : RUN CGO_ENABLED=0 go build app.go
 ---> Using cache
 ---> 396e81b07b04
Step 6/8 : FROM alpine
latest: Pulling from library/alpine
540db60ca938: Pull complete 
Digest: sha256:69e70a79f2d41ab5d637de98c1e0b055206ba40a8145e7bddb55ccc04e13cf8f
Status: Downloaded newer image for alpine:latest
 ---> 6dbb9cc54074
Step 7/8 : COPY --from=0 /app .
 ---> 82a88cf8bdaa
Step 8/8 : CMD ["./app"]
 ---> Running in 4bfb018ccea7
Removing intermediate container 4bfb018ccea7
 ---> 3a81c4f3f3dc
Successfully built 3a81c4f3f3dc
Successfully tagged app:latest

功能正常
root@node1:~/cks/image_footprint# docker run app
user: root id: 0
user: root id: 0
user: root id: 0
user: root id: 0

#镜像变得超级小了
^Croot@node1:~/cks/image_footprint# docker images |grep app
app                                                                            latest              3a81c4f3f3dc        16 hours ago        7.75MB

3. 安全加固

配置Dockerfile

# 1. 修改镜像版本
# build container stage 1
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.11.6
COPY --from=0 /app .
CMD ["./app"]

# 2. 非roo用户执行
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]

# 3.配置只读文件
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN chmod a-w /etc
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]

# 4. 禁用shell相关命令
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
RUN rm -rf /bin/*
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]

更多细节链接: docker build与Dockerfile

上一页Open Policy Agent (OPA)下一页Image Vulnerability Scanning(Trivy)

最后更新于2年前