VOL-3970 lock down deploy image
- use distroless base image for deployment
- use nonroot user/group for image
Change-Id: If7b6f660c42fc81b51bdad2681413af759f02ed9
diff --git a/docker/Dockerfile.ofagent-go b/docker/Dockerfile.ofagent-go
index dff2d99..8de0b9b 100644
--- a/docker/Dockerfile.ofagent-go
+++ b/docker/Dockerfile.ofagent-go
@@ -15,7 +15,12 @@
# -------------
# Build stage
-FROM golang:1.13.8-alpine3.11 AS build-env
+ARG GOLANG_IMAGE=golang:1.13.8-alpine3.11
+ARG DEPLOY_IMAGE=gcr.io/distroless/static:nonroot
+ARG IMAGE_OS=linux
+ARG IMAGE_ARCH=amd64
+# hadolint ignore=DL3006
+FROM --platform=$IMAGE_OS/$IMAGE_ARCH $GOLANG_IMAGE AS build-env
WORKDIR /src/
COPY . /src/
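Review bot: `IMAGE_OS` and `IMAGE_ARCH` are declared before the first `FROM` (L15–L16), so they are in scope only for `FROM` lines; inside the build stage they expand to empty unless redeclared, and the second hunk's `GOOS=$IMAGE_OS GOARCH=$IMAGE_ARCH` prefix depends on them. Unless a redeclaration sits in the lines between the two hunks that are not shown here, add `ARG IMAGE_OS` and `ARG IMAGE_ARCH` directly after the `FROM --platform=... $GOLANG_IMAGE AS build-env` line so the cross-build actually targets the requested platform. Separately, `DEPLOY_IMAGE` defaults to the floating tag `gcr.io/distroless/static:nonroot`; pinning it by digest (`gcr.io/distroless/static:nonroot@sha256:<digest-placeholder>`) makes the deploy base reproducible and auditable, which the `hadolint ignore=DL3006` suppression otherwise hides.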
@@ -31,21 +36,23 @@
# Build ofagent-go
SHELL ["/bin/ash", "-o", "pipefail", "-c"]
-RUN go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /build/ofagent \
- -ldflags \
- "-X github.com/opencord/voltha-lib-go/v2/pkg/version.version=$org_label_schema_version \
- -X github.com/opencord/voltha-lib-go/v2/pkg/version.vcsRef=$org_label_schema_vcs_ref \
- -X github.com/opencord/voltha-lib-go/v2/pkg/version.vcsDirty=$org_opencord_vcs_dirty \
- -X github.com/opencord/voltha-lib-go/v2/pkg/version.goVersion=$(go version 2>&1 | sed -E 's/.*go([0-9]+\.[0-9]+\.[0-9]+).*/\1/g') \
- -X github.com/opencord/voltha-lib-go/v2/pkg/version.os=$(go env GOHOSTOS) \
- -X github.com/opencord/voltha-lib-go/v2/pkg/version.arch=$(go env GOHOSTARCH) \
- -X github.com/opencord/voltha-lib-go/v2/pkg/version.buildTime=$org_label_schema_build_date" \
- ./cmd/ofagent
+RUN \
+CGO_ENABLED=0 GOOS=$IMAGE_OS GOARCH=$IMAGE_ARCH \
+go build $EXTRA_GO_BUILD_TAGS -mod=vendor -o /build/ofagent \
+-ldflags \
+"-X github.com/opencord/voltha-lib-go/v2/pkg/version.version=$org_label_schema_version \
+-X github.com/opencord/voltha-lib-go/v2/pkg/version.vcsRef=$org_label_schema_vcs_ref \
+-X github.com/opencord/voltha-lib-go/v2/pkg/version.vcsDirty=$org_opencord_vcs_dirty \
+-X github.com/opencord/voltha-lib-go/v2/pkg/version.goVersion=$(go version 2>&1 | sed -E 's/.*go([0-9]+\.[0-9]+\.[0-9]+).*/\1/g') \
+-X github.com/opencord/voltha-lib-go/v2/pkg/version.os=$(go env GOHOSTOS) \
+-X github.com/opencord/voltha-lib-go/v2/pkg/version.arch=$(go env GOHOSTARCH) \
+-X github.com/opencord/voltha-lib-go/v2/pkg/version.buildTime=$org_label_schema_build_date" \
+./cmd/ofagent
# -------------
# Image creation stage
-
-FROM alpine:3.11.3
+# hadolint ignore=DL3006
+FROM --platform=$IMAGE_OS/$IMAGE_ARCH $DEPLOY_IMAGE
# Set the working directory
WORKDIR /app
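Review bot: `version.os` and `version.arch` are still taken from `go env GOHOSTOS` / `go env GOHOSTARCH` (L42–L43), which describe the build host, while the new `GOOS=$IMAGE_OS GOARCH=$IMAGE_ARCH` prefix makes the target platform a build argument; when the two differ the binary reports the wrong platform in its version output. Use `$(go env GOOS)` and `$(go env GOARCH)`, which reflect the exported overrides. `CGO_ENABLED=0` is the right choice for the `distroless/static` base, which carries no libc; since that base also has no shell, the image's `ENTRYPOINT`/`CMD` (not in this hunk) must be in exec (JSON-array) form or the container will fail to start.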
@@ -60,12 +67,17 @@
ARG org_label_schema_build_date=unknown
ARG org_opencord_vcs_commit_date=unknown
ARG org_opencord_vcs_dirty=unknown
+ARG IMAGE_USER=nonroot
+ARG IMAGE_GROUP=nonroot
-LABEL org.label-schema.schema-version=1.0 \
- org.label-schema.name=voltha-ofagent-go \
- org.label-schema.version=$org_label_schema_version \
- org.label-schema.vcs-url=$org_label_schema_vcs_url \
- org.label-schema.vcs-ref=$org_label_schema_vcs_ref \
- org.label-schema.build-date=$org_label_schema_build_date \
- org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
- org.opencord.vcs-dirty=$org_opencord_vcs_dirty
+LABEL \
+org.label-schema.schema-version=1.0 \
+org.label-schema.name=voltha-ofagent-go \
+org.label-schema.version=$org_label_schema_version \
+org.label-schema.vcs-url=$org_label_schema_vcs_url \
+org.label-schema.vcs-ref=$org_label_schema_vcs_ref \
+org.label-schema.build-date=$org_label_schema_build_date \
+org.opencord.vcs-commit-date=$org_opencord_vcs_commit_date \
+org.opencord.vcs-dirty=$org_opencord_vcs_dirty
+
+USER $IMAGE_USER:$IMAGE_GROUP
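Review bot: `USER $IMAGE_USER:$IMAGE_GROUP` with the default `nonroot` records a user name, so a runtime that enforces `runAsNonRoot` cannot verify it from image metadata (the kubelet rejects images whose USER is non-numeric under that setting). Distroless ships `nonroot` as UID/GID 65532, so defaulting `ARG IMAGE_USER=65532` and `ARG IMAGE_GROUP=65532` keeps the same account while letting the check pass. Because these are build args, the pipeline can also silently override them back to `root`; a comment above the `USER` line, such as `# IMAGE_USER/IMAGE_GROUP must stay non-root; override only for local debugging`, would document that intent.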