Dockerfile: use multi-stage for cleaner result

This commit is contained in:
Tim Hockin 2021-05-27 09:56:29 -07:00
parent 0222a95f29
commit 48bc7fbbf9
1 changed files with 25 additions and 14 deletions


@ -44,19 +44,22 @@
# => either add the git-sync GID or else set --root, mount a volume, # => either add the git-sync GID or else set --root, mount a volume,
# and manage volume permissions to access that volume # and manage volume permissions to access that volume
FROM {ARG_FROM} #############################################################################
# First we prepare the image that we want, regardless of build layers.
#############################################################################
FROM {ARG_FROM} as prep
RUN echo "deb http://deb.debian.org/debian/ buster-backports main contrib" > \ RUN echo "deb http://deb.debian.org/debian/ buster-backports main contrib" > \
/etc/apt/sources.list.d/backports.list \ /etc/apt/sources.list.d/backports.list
&& apt update \ RUN apt update
&& apt -y upgrade \ RUN apt -y upgrade
&& apt -y install \ RUN apt -y install \
ca-certificates \ ca-certificates \
coreutils \ coreutils \
socat \ socat \
openssh-client \ openssh-client
&& apt -y -t buster-backports install git \ RUN apt -y -t buster-backports install git
&& rm -rf /var/lib/apt/lists/* RUN rm -rf /var/lib/apt/lists/*
# Add the default UID to /etc/passwd so SSH is satisfied. # Add the default UID to /etc/passwd so SSH is satisfied.
RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd RUN echo "git-sync:x:65533:65533::/tmp:/sbin/nologin" >> /etc/passwd
@ -74,9 +77,20 @@ RUN echo "git-sync:x:65533:git-sync" >> /etc/group
# they use our git-sync group. If the user needs a different group or sets # they use our git-sync group. If the user needs a different group or sets
# $GIT_SYNC_ROOT or --root, their values will override this, and we assume they # $GIT_SYNC_ROOT or --root, their values will override this, and we assume they
# are handling permissions themselves. # are handling permissions themselves.
ENV GIT_SYNC_ROOT=/git
RUN mkdir -m 02775 /git && chown 65533:65533 /git RUN mkdir -m 02775 /git && chown 65533:65533 /git
# Add the platform-specific binary.
COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
# Add third-party licenses.
COPY .licenses/ /LICENSES/
#############################################################################
# Now we make a "clean" final image.
#############################################################################
FROM scratch
COPY --from=prep / /
# Run as non-root by default. There's simply no reason to run as root. # Run as non-root by default. There's simply no reason to run as root.
USER 65533:65533 USER 65533:65533
@ -85,10 +99,7 @@ USER 65533:65533
ENV HOME=/tmp ENV HOME=/tmp
WORKDIR /tmp WORKDIR /tmp
# Add the platform-specific binary. # Default values for flags.
COPY bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN} ENV GIT_SYNC_ROOT=/tmp/git
# Add third-party licenses.
COPY .licenses/ /LICENSES/
ENTRYPOINT ["/{ARG_BIN}"] ENTRYPOINT ["/{ARG_BIN}"]
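Review bot: The final stage's `ENV GIT_SYNC_ROOT=/tmp/git` no longer matches the directory the prep stage prepares for it: `RUN mkdir -m 02775 /git && chown 65533:65533 /git` and the comment above it ("they use our git-sync group... $GIT_SYNC_ROOT or --root ... will override this") only make sense if `/git` is the default root, yet the shipped default now points at `/tmp/git`. Note also that `COPY --from=prep / /` carries only the filesystem, so whichever side the `ENV GIT_SYNC_ROOT=/git` line in the prep stage is on, no ENV/USER/WORKDIR set in `prep` survives into the scratch image — everything the runtime needs has to be redeclared after `FROM scratch`, which appears to be what the "Default values for flags" block is doing. Either set `ENV GIT_SYNC_ROOT=/git` in the final stage or reword the prep-stage comment so it does not describe `/git` as the default. Separately, copying `/` wholesale means the scratch image still contains the full Debian userland, apt, and the extra `backports.list` source; the multi-stage here flattens layers but does not shrink the attack surface, which is worth stating in the section comment (e.g. `# NOTE: this copies the whole prep rootfs; the final image is single-layer but not minimal`). Splitting `apt update` from `apt -y install` into separate `RUN`s also lets a cached, stale index be reused when the package list changes; if the layer split is intentional now that the result is flattened, a comment saying so would help the next reader.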