feat: harden Docker image — distroless, rootless, multi-arch#212
Open
nayrosk wants to merge 4 commits into multiversx:main from
Conversation
feat: harden Docker image, distroless, rootless, multi-arch
Summary
Overhaul the Docker build pipeline to produce a hardened, minimal container image.
Changes
Dockerfile, rewritten as a 3-stage multi-arch build:
- Switch runtime base from ubuntu:22.04 to gcr.io/distroless/cc-debian13:nonroot
- Run container as non-root user (UID 65532)
- Use multi-stage build: config-fetcher (pre-fetches configs at build time), builder (compiles binary + extracts Wasmer libs), distroless runtime
- Use --platform=$BUILDPLATFORM on config-fetcher stage to fix cross-arch builds
- Auto-detect target arch for Wasmer .so extraction via dpkg --print-architecture
- Add OCI labels (title, description, source, license)
- Remove runtime git/curl dependency (configs embedded at build time)
- Strip debug symbols (-ldflags="-s -w" -trimpath) for smaller binary
Makefile, new targets and configurable variables:
- Add docker-build-push target for multi-arch (amd64/arm64) with --push
- Add qemu-setup target to register QEMU for cross-platform builds
- Add docker-run target with --read-only and --tmpfs /tmp
- Add docker-stop target for cleanup
- Add docker-info and docker-scan (trivy) targets
- Add configurable variables (IMAGE_NAME, REGISTRY, PLATFORMS)
- Add help target listing all available commands
- Add build target with -ldflags="-s -w" -trimpath
- Add fetch-configs target
README:
- Update prerequisites to include Docker with BuildKit and Buildx
- Add Makefile build alternative in Install section
- Replace Docker section with new build/push/run instructions
- Document distroless base image, non-root user, and read-only mode
- Document QEMU setup for cross-platform builds
- Reference make help for full list of targets
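The three-stage layout described above, written out as an added example (this is not the PR's Dockerfile and not code from the multiversx project). The Go version, the config repository URL, the module path `./cmd/app`, the binary name `app`, the `WASMER_LIB_DIR` location of the per-architecture Wasmer `.so` files, and the OCI label values are placeholders or assumptions; the stage split, the `--platform=$BUILDPLATFORM` pin on the config fetcher only, the `dpkg --print-architecture` selection, the stripped build flags and the distroless `nonroot` runtime follow the change list:

```dockerfile
# syntax=docker/dockerfile:1
# Added example of the 3-stage build the PR describes; not the PR's own file.
# Assumptions/placeholders: GO_VERSION, CONFIG_REPO, ./cmd/app, the binary
# name "app", WASMER_LIB_DIR and the LABEL values.

ARG GO_VERSION=1.22

# ---- Stage 1: config-fetcher -------------------------------------------------
# Pinned to the build host's platform: it only clones text files, so there is
# no reason to run git under QEMU emulation when cross-building for arm64.
FROM --platform=$BUILDPLATFORM debian:bookworm-slim AS config-fetcher
RUN apt-get update \
    && apt-get install -y --no-install-recommends git ca-certificates \
    && rm -rf /var/lib/apt/lists/*
ARG CONFIG_REPO=https://example.invalid/config.git
ARG CONFIG_REF=main
WORKDIR /configs
RUN git clone --depth 1 --branch "${CONFIG_REF}" "${CONFIG_REPO}" .

# ---- Stage 2: builder --------------------------------------------------------
# Deliberately NOT pinned to $BUILDPLATFORM: CGo links architecture-specific
# Wasmer shared objects, so this stage must run on the target architecture.
# Buildx runs it under QEMU when the target differs from the host.
FROM golang:${GO_VERSION}-bookworm AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# -s -w strip the symbol table and DWARF data; -trimpath removes build-host
# paths from the binary. Smaller image, less build-environment detail leaked.
RUN CGO_ENABLED=1 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app
# dpkg reports the architecture of the stage we are actually running in
# (amd64 or arm64), so it selects the matching .so files even under QEMU.
ARG WASMER_LIB_DIR=/src/wasmer-libs
RUN ARCH="$(dpkg --print-architecture)" \
    && mkdir -p /out/lib \
    && cp "${WASMER_LIB_DIR}/${ARCH}"/*.so /out/lib/ \
    && ls -l /out/lib

# ---- Stage 3: runtime --------------------------------------------------------
# distroless/cc ships glibc + libstdc++ and nothing else: no shell, no package
# manager, no git/curl. The :nonroot tag already defaults USER to 65532; it is
# repeated below so the intent survives a future base-image change.
FROM gcr.io/distroless/cc-debian13:nonroot
LABEL org.opencontainers.image.title="app" \
      org.opencontainers.image.description="Hardened runtime image (example)" \
      org.opencontainers.image.source="https://github.com/multiversx/PLACEHOLDER" \
      org.opencontainers.image.licenses="PLACEHOLDER"
WORKDIR /app
# No RUN is possible in this stage (there is no /bin/sh), so file ownership
# has to be set at COPY time with --chown.
COPY --from=builder --chown=65532:65532 /out/app /app/app
COPY --from=builder --chown=65532:65532 /out/lib /app/lib
COPY --from=config-fetcher --chown=65532:65532 /configs /app/config
# Point the dynamic loader at the copied Wasmer libraries.
ENV LD_LIBRARY_PATH=/app/lib
USER 65532:65532
EXPOSE 8085
ENTRYPOINT ["/app/app"]
```

Build both architectures in one go with `docker buildx build --platform linux/amd64,linux/arm64 -t REGISTRY/IMAGE --push .` after QEMU binfmt handlers are registered (what the PR's `qemu-setup` target does). Run it the way the `docker-run` target does, `docker run --rm --read-only --tmpfs /tmp -p 8085:8085 REGISTRY/IMAGE`; with `--read-only`, anything the binary writes at runtime (logs, database files, PID files) must land under `/tmp` or on a mounted volume, otherwise it fails at startup, so check the container logs on the first run. `docker inspect --format '{{.Config.User}}' REGISTRY/IMAGE` should print `65532:65532`, which is the quickest way to confirm the non-root default in CI.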
Why
Reduced attack surface: distroless has no shell, no package manager, no unnecessary binaries. Smaller CVE footprint.
Non-root by default: follows container security best practices (CIS Docker Benchmark, Pod Security Standards restricted).
Read-only filesystem: runtime container is immutable, limits impact of potential exploits.
Smaller image: distroless/cc (~30MB) vs ubuntu:22.04 + git + curl (~150MB+).
Breaking changes
None. The entrypoint, exposed port (8085), and CLI flags remain identical. Existing docker-compose setups and CI pipelines work without modification.
Notes
A fully static build (CGO_ENABLED=0, scratch base) is not possible because the binary depends on Wasmer VM shared libraries (.so) loaded via CGo at runtime. distroless/cc is the smallest viable base that provides the required glibc + libstdc++.