update dockerfile to add user

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

update dockerfile to add user
86b37aca · Carlos Panato · Alex Ellis · 6d8ebc65 · 86b37aca
Commit 86b37aca authored 5 years ago by Carlos Panato Committed by Alex Ellis 5 years ago
--- a/sample-functions/ApiKeyProtected-Secrets/Dockerfile
+++ b/sample-functions/ApiKeyProtected-Secrets/Dockerfile
-FROM golang:1.9.7-alpine as builder
+FROM golang:1.10.4-alpine3.8 as builder

-MAINTAINER alex@openfaas.com
-ENTRYPOINT []
+# Allows you to add additional packages via build-arg
+ARG ADDITIONAL_PACKAGE
+ARG CGO_ENABLED=0

-RUN apk --no-cache add make curl \
-    && curl -sL https://github.com/openfaas/faas/releases/download/0.13.0/fwatchdog > /usr/bin/fwatchdog \
-    && chmod +x /usr/bin/fwatchdog
+RUN apk --no-cache add curl ${ADDITIONAL_PACKAGE} \
+  && echo "Pulling watchdog binary from Github." \
+  && curl -sSL https://github.com/openfaas/faas/releases/download/0.13.0/fwatchdog > /usr/bin/fwatchdog \
+  && chmod +x /usr/bin/fwatchdog \
+  && apk del curl --no-cache

-WORKDIR /go/src/github.com/openfaas/faas/sample-functions/ApiKeyProtected
+WORKDIR /go/src/handler
+COPY . .

-COPY handler.go .
-# COPY vendor vendor
+# Run a gofmt and exclude all vendored code.
+RUN test -z "$(gofmt -l $(find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./function/vendor/*"))" || { echo "Run \"gofmt -s -w\" on your Golang code"; exit 1; }

-RUN go install
+RUN CGO_ENABLED=${CGO_ENABLED} GOOS=linux \
+  go build --ldflags "-s -w" -a -installsuffix cgo -o handler . && \
+  go test $(go list ./... | grep -v /vendor/) -cover

 FROM alpine:3.8
+RUN apk --no-cache add ca-certificates

-# Needed to reach the hub
-RUN apk --no-cache add ca-certificates 
+# Add non root user
+RUN addgroup -S app && adduser -S -g app app
+RUN mkdir -p /home/app
+
+WORKDIR /home/app
+
+COPY --from=builder /usr/bin/fwatchdog         .
+
+COPY --from=builder /go/src/handler/function/  .
+COPY --from=builder /go/src/handler/handler    .

-COPY --from=builder /usr/bin/fwatchdog  /usr/bin/fwatchdog
-COPY --from=builder /go/bin/ApiKeyProtected  /usr/bin/ApiKeyProtected
 ENV fprocess "/usr/bin/ApiKeyProtected"

-CMD ["/usr/bin/fwatchdog"]
+RUN chown -R app /home/app
+
+USER app
+
+ENV fprocess="./handler"
+EXPOSE 8080
+
+HEALTHCHECK --interval=3s CMD [ -e /tmp/.lock ] || exit 1
+
+CMD ["./fwatchdog"]