refactor: upgrade Dockerfile to zero-dependency scratch image
Some checks failed
Go Build & Release / build (amd64, imagehost-linux-amd64, linux) (push) Has been cancelled
Go Build & Release / build (amd64, imagehost-macos-amd64, darwin) (push) Has been cancelled
Go Build & Release / build (amd64, imagehost-windows-amd64.exe, windows) (push) Has been cancelled
Go Build & Release / build (arm64, imagehost-linux-arm64, linux) (push) Has been cancelled
Go Build & Release / build (arm64, imagehost-macos-arm64, darwin) (push) Has been cancelled
Go Build & Release / docker (push) Has been cancelled
Dockerfile
@@ -1,7 +1,10 @@
# ==== 第一阶段: 编译打包层 ====
FROM golang:alpine AS builder
# 释放跨平台交叉编译的限制 (移除了大陆专供的 GOPROXY,避免在 Github 官方机房海外服务器中产生网络不兼容报错)
# 第一时间安装最详尽的根证书与时域数据源,这是最后提取所必须的物质
RUN apk add --no-cache ca-certificates tzdata
# 开启 CGO_ENABLED=0,这是逃逸出系统依赖,实现真正的静态单文件极限打包的关键
ENV GO111MODULE=on \
CGO_ENABLED=0 \
GOOS=linux \
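Review bot: `FROM golang:alpine AS builder` is an unpinned floating tag, and with the runtime stage now `scratch` the Go toolchain in this stage is the only thing that decides which standard library and TLS code end up in the shipped binary; pin it to a specific version tag or an image digest so builds are reproducible and the toolchain version is auditable. The new `RUN apk add --no-cache ca-certificates tzdata` is fine as the source for the later `COPY --from=builder` lines, but `GO111MODULE=on` in the `ENV` block is redundant (modules are the default in current Go) and can be dropped.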
@@ -9,30 +12,27 @@ ENV GO111MODULE=on \
WORKDIR /app
# 优先缓存和下载项目依赖
COPY go.mod go.sum ./
RUN go mod download
# 载入完整代码并执行剥离调试信息的极限压缩静态编译 (-ldflags="-w -s")
COPY . .
RUN go build -ldflags="-w -s" -o imagehost ./cmd/main.go
# ==== 第二阶段: 纯净运行环境层 ====
FROM alpine:latest
# ==== 第二阶段: 绝对物理真空层 (Scratch) ====
# 既然 Alpine 的组件总能被扫出各种各样的零日陈旧漏洞,那么最好的防御就是不要任何组件系统!
# Scratch 中连 Shell / Bash / busybox 都没有,真正从物理维度杜绝了各类越权注入与 CVE 扫描报警。
FROM scratch
# 123云盘采用硬 TLS 协议,必须拉取 ca-certificates,否则网络连接拦截报错
# TZdata 用于纠正容器运行内的时间对齐,保障授权握手不过期
RUN apk --no-cache add ca-certificates tzdata
# 从刚才的工厂层提炼出我们的核心支撑数据(时间树与 HTTPS 证书)
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
ENV TZ=Asia/Shanghai
WORKDIR /app
# 将上一阶段萃取好的精华可执行程序抓取过来
COPY --from=builder /app/imagehost .
# 暴露对外的 HTTP 接口
EXPOSE 8080
# 触发点火
CMD ["./imagehost"]
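Review bot: the new `FROM scratch` stage has no `USER` instruction, so `imagehost` still runs as root (UID 0) inside the container; scratch ships no `/etc/passwd`, so add a numeric `USER 65534:65534` (or copy a one-line passwd file from the builder stage) before `CMD`, and make sure any directory the service writes to is owned by that UID. The comment above `FROM scratch` also overstates the effect: dropping the Alpine packages removes OS-level CVE findings, but scanners read the Go module metadata embedded in the binary and still report vulnerable dependencies and standard-library versions, so the `go build` inputs need scanning as before. Two smaller points: `CMD ["./imagehost"]` only works because of `WORKDIR /app`, and the absolute `/app/imagehost` is clearer; and the `COPY --from=builder /usr/share/zoneinfo` plus `ENV TZ=Asia/Shanghai` works, but building with `-tags timetzdata` (or importing `time/tzdata`) would embed the zone database in the binary and let that COPY go away.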