Harden Docker image: switch to Chainguard static, run as non-root

user00265 · user00265 · commit d227b4dd7b7a · 2026-03-08T01:24:38.000-06:00
- Replace gcr.io/distroless/static:latest with cgr.dev/chainguard/static
  (zero known CVEs, rebuilt nightly, non-root by default)
- Pre-create /data directory with non-root ownership (UID 65532)
- Add -s -w ldflags to strip debug symbols for smaller binary
- Remove unnecessary CGO_ENABLED=0 from go mod download step
diff --git a/Dockerfile b/Dockerfile
@@ -12,42 +12,45 @@ WORKDIR /app
 COPY go.mod go.sum ./
 
 # Download dependencies. This step is cached if go.mod/go.sum don't change.
-# CGO_ENABLED=0 is important for static binaries compatible with distroless/static
-RUN CGO_ENABLED=0 go mod download
+RUN go mod download
 
 # Copy the source code
 COPY . .
 
-# Build the main application binary
-# -ldflags to embed version info into the binary
-# Output binary to /dxcluster-go-api for easy copying in the next stage
-RUN CGO_ENABLED=0 go build -ldflags "-X 'github.com/user00265/dxclustergoapi/version.BuildVersion=${BUILD_VERSION}' \
+# Build a fully static binary (CGO_ENABLED=0)
+# -ldflags to embed version info and strip debug symbols (-s -w) for smaller binary
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+  -X 'github.com/user00265/dxclustergoapi/version.BuildVersion=${BUILD_VERSION}' \
   -X 'github.com/user00265/dxclustergoapi/version.GitCommit=${GIT_COMMIT}'" \
   -o /dxcluster-go-api ./
 
-# Stage 2: Create the final Distroless image
-FROM gcr.io/distroless/static:latest
+# Create the /data directory with correct ownership for the non-root user.
+# Chainguard static uses UID 65532 (nonroot).
+RUN mkdir -p /data && chown 65532:65532 /data
+
+# Stage 2: Hardened runtime image
+# Chainguard static: zero known CVEs, rebuilt nightly, non-root by default,
+# includes CA certificates for HTTPS. No shell, no package manager.
+FROM cgr.dev/chainguard/static:latest
 
 # Set working directory for the application
 WORKDIR /app
 
 # Copy the built executable from the builder stage
 COPY --from=builder /dxcluster-go-api /app/dxcluster-go-api
 
+# Copy the pre-created /data directory with correct ownership
+COPY --from=builder /data /data
+
 # Expose the web port
 EXPOSE 8192
 
 # Define the HEALTHCHECK using the binary's subcommand.
-# --start-period: gives the container time to initialize without failing the health check.
-# --interval: how often to run the check.
-# --timeout: how long to wait for the command to return.
-# --retries: how many consecutive failures before marking as unhealthy.
 HEALTHCHECK --start-period=60s --interval=60s --timeout=5s --retries=3 \
   CMD ["/app/dxcluster-go-api", "healthcheck"]
 
 # Set the entry point to run our application
-# The entrypoint will always be our main binary.
 ENTRYPOINT ["/app/dxcluster-go-api"]
 
 # Default command: run the main 'serve' subcommand.
-CMD ["serve"]
+CMD ["serve"]
