Adding support for production grade image in Dockerfile (#180)

I have modified the current Dockerfile to be able to generate a
Production grade Docker Image based on UBI, the new Dockerfile follows
the below good practices for Production.

Multi-stage build: keeps the final image small and clean.
Non-root execution: creates appuser (uid 10001) and runs the service as
non-root.
Minimal runtime dependencies: no extra tools/packages installed (keeps
attack surface small).
Metadata labels: provides traceability (name, version, maintainer,
vendor, etc.).
Deterministic build: dependencies are pulled in the build stage, final
image only has the binary.
Absolute path: in ENTRYPOINT: safer for production.

---------

Signed-off-by: Anushka <[email protected]>
Signed-off-by: pco <[email protected]>
Co-authored-by: pco <[email protected]>

Author: anushka159-a

.github/workflows/ci.yml

@@ -6,15 +6,14 @@ name: CI
 
 on:
   push:
-    branches: [ "**" ]
+    branches: ["**"]
   pull_request:
-    branches: [ "**" ]
+    branches: ["**"]
 
 env:
   DB_DEPLOYMENT: local
 
 jobs:
-
   lint:
     name: Lint and Build
     runs-on: ubuntu-latest

.github/workflows/docker-release.yml

@@ -63,8 +63,10 @@ jobs:
       - name: Build cross-architecture binaries
         run: make build-arch build-test-genesis-block
 
-      - name: Set image prefix
+      - name: Set image build prefix and metadata
         run: |
+          echo "CREATED=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
+          echo "REVISION=$(git rev-parse HEAD)" >> $GITHUB_ENV        
           if [ "$GITHUB_REPOSITORY_OWNER" == "hyperledger" ]; then
            echo "IMAGE_PREFIX=hyperledger" >> $GITHUB_ENV
           else
@@ -88,9 +90,12 @@ jobs:
             BIN=committer
             ARCHBIN_PATH=archbin
             PORTS=4001 2114 9001 2119 5001 2115 6001 2116 7001 2117
+            VERSION=${{ env.VERSION }}
+            CREATED=${{ env.CREATED }}
+            REVISION=${{ env.REVISION }}
           cache-from: type=registry,ref=docker.io/${{ env.IMAGE_PREFIX }}/fabric-x-committer:buildcache
           cache-to: type=registry,ref=docker.io/${{  env.IMAGE_PREFIX  }}/fabric-x-committer:buildcache,mode=max
-        
+
       - name: Build and Push Multi-Platform Docker Image for Loadgen
         uses: docker/build-push-action@v6
         with:
@@ -107,6 +112,9 @@ jobs:
             BIN=loadgen
             ARCHBIN_PATH=archbin
             PORTS=8001 2118
+            VERSION=${{ env.VERSION }}
+            CREATED=${{ env.CREATED }}
+            REVISION=${{ env.REVISION }}
           cache-from: type=registry,ref=docker.io/${{ env.IMAGE_PREFIX }}/fabric-x-loadgen:buildcache
           cache-to: type=registry,ref=docker.io/${{  env.IMAGE_PREFIX  }}/fabric-x-loadgen:buildcache,mode=max
 
@@ -124,5 +132,8 @@ jobs:
             ghcr.io/${{ env.GHCR_PREFIX }}/fabric-x-committer-test-node:latest
           build-args: |
             ARCHBIN_PATH=archbin
+            VERSION=${{ env.VERSION }}
+            CREATED=${{ env.CREATED }}
+            REVISION=${{ env.REVISION }}
           cache-from: type=registry,ref=docker.io/${{ env.IMAGE_PREFIX }}/fabric-x-committer-test-node:buildcache
           cache-to: type=registry,ref=docker.io/${{  env.IMAGE_PREFIX  }}/fabric-x-committer-test-node:buildcache,mode=max

Makefile

@@ -21,7 +21,7 @@
 #########################
 
 go_cmd          ?= go
-version         := 0.0.2
+version         := latest
 project_dir     := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 output_dir      ?= $(project_dir)/bin
 arch_output_dir ?= $(project_dir)/archbin
@@ -43,7 +43,7 @@ cmd            ?=
 # An error will occur if neither container engine is installed.
 docker_cmd ?= $(shell command -v docker >/dev/null 2>&1 && echo docker || \
 							echo podman || { echo "Error: Neither Docker nor Podman is installed." >&2; exit 1; })
-image_namespace=icr.io/cbdc
+image_namespace=docker.io/hyperledger
 
 # Set these parameters to compile to a specific os/arch
 # E.g., make build-local os=linux arch=amd64

docker/images/release/Dockerfile

@@ -1,13 +1,55 @@
+#
 # Copyright IBM Corp. All Rights Reserved.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
-FROM registry.access.redhat.com/ubi9/ubi-micro:9.4 AS prod
+
+###########################################
+# Stage 1: Production runtime image
+###########################################
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 AS prod
+
 ARG BIN
 ARG ARCHBIN_PATH
-ARG PORTS
 ARG TARGETOS
 ARG TARGETARCH
+ARG PORTS
+
+# Label args
+ARG VERSION=1.0
+ARG CREATED
+ARG REVISION=1.0
 
+# Add non-root user (10001) using BIN argument
+RUN /usr/sbin/useradd -u 10001 -r -g root -s /sbin/nologin -c "Hyperledger Fabric-X ${BIN} user" ${BIN} && \
+    mkdir -p /home/${BIN} && \
+    chown -R 10001:0 /home/${BIN} && \
+    chmod 0755 /home/${BIN}
+
+# Copy binaries
 COPY ${ARCHBIN_PATH}/${TARGETOS}-${TARGETARCH}/${BIN} /bin/${BIN}
+
+# Create fixed entrypoint since args are not replaced
+# within ENTRYPOINT or CMD
+RUN ln -s /bin/${BIN} /bin/entrypoint
+
+# Expose ports
 EXPOSE ${PORTS}
+
+# OCI metadata labels
+LABEL org.opencontainers.image.created="${CREATED}" \
+    org.opencontainers.image.description="Hyperledger Fabric-X ${BIN} packaged in a UBI image." \
+    org.opencontainers.image.licenses="Apache-2.0" \
+    org.opencontainers.image.ref.name="ubi9/ubi-minimal" \
+    org.opencontainers.image.revision="${REVISION}" \
+    org.opencontainers.image.source="https://github.com/hyperledger/fabric-x-committer" \
+    org.opencontainers.image.title="fabric-x-${BIN}" \
+    org.opencontainers.image.url="https://github.com/hyperledger/fabric-x-committer" \
+    org.opencontainers.image.version="${VERSION}"
+
+# Use non-root user and set workdir using BIN argument
+USER 10001
+WORKDIR /home/${BIN}
+
+# Default Entrypoint
+ENTRYPOINT ["/bin/entrypoint"]

docker/images/test_node/Dockerfile

@@ -1,12 +1,18 @@
+#
 # Copyright IBM Corp. All Rights Reserved.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+
+###########################################
+# Stage 1: Production runtime image
+###########################################
 FROM postgres:16.9-alpine3.21 AS node
 
 ARG ARCHBIN_PATH
 ARG TARGETOS
 ARG TARGETARCH
+ARG VERSION
 
 ENV CONFIGS_PATH=/root/config
 ENV BINS_PATH=/root/bin
@@ -33,6 +39,19 @@ COPY ./cmd/config/samples $CONFIGS_PATH
 COPY ./bin/sc-genesis-block.proto.bin $CONFIGS_PATH/
 RUN chmod a+x ${BINS_PATH}/*
 
+# Expose ports
 EXPOSE 7050 4001 2114 7001 2117 2110
 
+# OCI metadata labels
+LABEL org.opencontainers.image.created="${CREATED}" \
+    org.opencontainers.image.description="Hyperledger Fabric-X Committer Test Node." \
+    org.opencontainers.image.licenses="Apache-2.0" \
+    org.opencontainers.image.ref.name="postgres" \
+    org.opencontainers.image.revision="${REVISION}" \
+    org.opencontainers.image.source="https://github.com/hyperledger/fabric-x-committer" \
+    org.opencontainers.image.title="fabric-x-committer-test-node" \
+    org.opencontainers.image.url="https://github.com/hyperledger/fabric-x-committer" \
+    org.opencontainers.image.version="${VERSION}"
+
+# Default CMD
 CMD ["run"]

docker/test/common.go

@@ -50,9 +50,10 @@ func (p *startNodeParameters) asNode(node string) startNodeParameters {
 }
 
 const (
-	channelName     = "mychannel"
-	monitoredMetric = "loadgen_transaction_committed_total"
-	testNodeImage   = "icr.io/cbdc/committer-test-node:0.0.2"
+	channelName         = "mychannel"
+	monitoredMetric     = "loadgen_transaction_committed_total"
+	containerPrefixName = "sc_test"
+	testNodeImage       = "docker.io/hyperledger/committer-test-node:latest"
 )
 
 func createAndStartContainerAndItsLogs(

docker/test/container_release_image_test.go

@@ -28,8 +28,8 @@ import (
 )
 
 const (
-	committerReleaseImage = "icr.io/cbdc/committer:0.0.2"
-	loadgenReleaseImage   = "icr.io/cbdc/loadgen:0.0.2"
+	committerReleaseImage = "docker.io/hyperledger/fabric-x-committer:latest"
+	loadgenReleaseImage   = "docker.io/hyperledger/fabric-x-loadgen:latest"
 	networkPrefixName     = test.DockerNamesPrefix + "_network"
 	genBlockFile          = "sc-genesis-block.proto.bin"
 	// containerConfigPath is the path to the config directory inside the container.
@@ -179,16 +179,18 @@ func startCommitterNodeWithReleaseImage(ctx context.Context, t *testing.T, param
 	t.Helper()
 
 	configPath := filepath.Join(containerConfigPath, params.node)
+	containerUser := "0:0"
+	t.Logf("Starting %s as container with user %s.\n", committerReleaseImage, containerUser)
 	createAndStartContainerAndItsLogs(ctx, t, createAndStartContainerParameters{
 		config: &container.Config{
 			Image: committerReleaseImage,
 			Cmd: []string{
-				"committer",
 				fmt.Sprintf("start-%s", params.node),
 				"--config",
 				fmt.Sprintf("%s.yaml", configPath),
 			},
 			Hostname: params.node,
+			User:     containerUser,
 			Env: []string{
 				"SC_COORDINATOR_SERVER_TLS_MODE=" + params.tlsMode,
 				"SC_COORDINATOR_VERIFIER_TLS_MODE=" + params.tlsMode,
@@ -225,16 +227,18 @@ func startLoadgenNodeWithReleaseImage(
 	t.Helper()
 
 	configPath := filepath.Join(containerConfigPath, params.node)
+	containerUser := "0:0"
+	t.Logf("Starting %s as container with user %s.\n", loadgenReleaseImage, containerUser)
 	createAndStartContainerAndItsLogs(ctx, t, createAndStartContainerParameters{
 		config: &container.Config{
 			Image: loadgenReleaseImage,
 			Cmd: []string{
-				params.node,
 				"start",
 				"--config",
 				fmt.Sprintf("%s.yaml", configPath),
 			},
 			Hostname: params.node,
+			User:     containerUser,
 			ExposedPorts: nat.PortSet{
 				loadGenMetricsPort + "/tcp": {},
 			},

scripts/build-release-image.sh

@@ -18,13 +18,16 @@ function build_image() {
   local image_name=$1
   local bin=$2
   local service_ports=$3
-  local manifest_name=${namespace}/${image_name}:${version}
+  local manifest_name=${namespace}/fabric-x-${image_name}:${version}
   local cmd=(
     "${docker_cmd}" build
     -f "${dockerfile_release_dir}/Dockerfile"
     --build-arg BIN="${bin}"
     --build-arg PORTS="${service_ports}"
     --build-arg ARCHBIN_PATH="${arch_bin_dir}"
+    --build-arg VERSION="${version}"
+    --build-arg CREATED="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+    --build-arg REVISION="$(git rev-parse HEAD)"
   )
 
   if [ "${multiplatform}" = true ]; then