# syntax=docker/dockerfile:1.4
# =============================================================================
# Hawser Development Dockerfile - Security-Hardened Build
# =============================================================================
# Multi-stage Dockerfile for local development that builds Hawser from source
# and uses Wolfi OS for a secure, vulnerability-free runtime.
# =============================================================================
# -----------------------------------------------------------------------------
# Stage 1: Go Builder
# -----------------------------------------------------------------------------
FROM golang:1.24-alpine AS builder
WORKDIR /src
# git is present because `go mod` may need it to fetch some dependencies.
RUN apk add --no-cache git
# Copy only the module manifests first, so the dependency download layer is
# reused until go.mod or go.sum changes.
COPY go.mod go.sum ./
RUN go mod download
# Bring in the rest of the build context and compile the binary with cgo
# disabled; -s -w strip symbol and debug tables, -trimpath drops local paths.
# NOTE(review): `COPY . .` sends the whole build context into this stage; a
# .dockerignore (not visible here) should keep .git, .env and similar out.
COPY . .
RUN CGO_ENABLED=0 GOOS=linux \
    go build \
        -trimpath \
        -ldflags="-s -w" \
        -o /hawser \
        ./cmd/hawser
# -----------------------------------------------------------------------------
# Stage 2: OS Generator (Alpine + apko tool)
# -----------------------------------------------------------------------------
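FROM alpine:3.21 AS os-builder
# TARGETARCH selects both the apko release asset and the Wolfi architecture
# used below; any value other than "arm64" falls back to amd64 / x86_64.
ARG TARGETARCH
WORKDIR /work
# apko release to install; the version is part of the download URL.
ARG APKO_VERSION=0.30.34
# Expected SHA-256 of the apko release tarball for the selected architecture.
# Empty by default, which skips verification. Pass the published digest with
# --build-arg APKO_SHA256=<digest> so a tampered or corrupted download fails
# the build instead of being unpacked onto PATH.
ARG APKO_SHA256=""
# Download to a file instead of piping curl into tar: -f makes HTTP errors a
# non-zero exit, and the archive can be checked before anything is extracted.
RUN apk add --no-cache curl \
    && ARCH=$([ "$TARGETARCH" = "arm64" ] && echo "arm64" || echo "amd64") \
    && curl -fsSL -o /tmp/apko.tar.gz \
        "https://github.com/chainguard-dev/apko/releases/download/v${APKO_VERSION}/apko_${APKO_VERSION}_linux_${ARCH}.tar.gz" \
    && if [ -n "$APKO_SHA256" ]; then \
        echo "${APKO_SHA256}  /tmp/apko.tar.gz" | sha256sum -c -; \
    fi \
    && tar -xzf /tmp/apko.tar.gz --strip-components=1 -C /usr/local/bin \
    && rm -f /tmp/apko.tar.gz \
    && chmod +x /usr/local/bin/apko
# Generate apko.yaml for the current target architecture only.
# The package list carries no version constraints, so the rootfs contents
# follow whatever the Wolfi repository serves at build time; packages are
# checked against the keyring listed in the file.
RUN APKO_ARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "x86_64") \
    && printf '%s\n' \
        "contents:" \
        " repositories:" \
        " - https://packages.wolfi.dev/os" \
        " keyring:" \
        " - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub" \
        " packages:" \
        " - wolfi-base" \
        " - ca-certificates" \
        " - busybox" \
        " - docker-cli" \
        " - docker-compose" \
        " - wget" \
        "entrypoint:" \
        " command: /bin/sh -l" \
        "archs:" \
        " - ${APKO_ARCH}" \
        > apko.yaml
# Build the OS image tarball, then unpack its first layer archive into rootfs/.
# The dots in the pattern are escaped so only names ending in ".tar.gz" match.
RUN apko build apko.yaml hawser-base:latest output.tar \
    && mkdir -p rootfs \
    && tar -xf output.tar \
    && LAYER=$(tar -tf output.tar | grep '\.tar\.gz$' | head -1) \
    && tar -xzf "$LAYER" -C rootfs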
# -----------------------------------------------------------------------------
# Stage 3: Final Image (Scratch + Custom Wolfi OS)
# -----------------------------------------------------------------------------
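FROM scratch
# The root filesystem is the Wolfi rootfs assembled in the os-builder stage.
COPY --from=os-builder /work/rootfs/ /
WORKDIR /app
# Runtime defaults. These are baked into the image and can be overridden when
# the container is started.
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
    PORT=2376 \
    DOCKER_SOCKET=/var/run/docker.sock \
    HEARTBEAT_INTERVAL=30 \
    REQUEST_TIMEOUT=30 \
    RECONNECT_DELAY=1 \
    MAX_RECONNECT_DELAY=60
# Create docker compose plugin symlink
RUN mkdir -p /usr/libexec/docker/cli-plugins \
    && ln -s /usr/bin/docker-compose /usr/libexec/docker/cli-plugins/docker-compose
# Copy the binary from the builder stage and set its mode in the same layer,
# instead of a follow-up `RUN chmod` that stores the file a second time.
COPY --from=builder --chmod=0755 /hawser /usr/local/bin/hawser
# Expose default port (documentation only; it does not publish the port)
EXPOSE 2376
# Health check: uses HTTPS when TLS_CERT is set, plain HTTP otherwise.
# --no-check-certificate means the probe does not validate the server
# certificate; it only shows that the loopback endpoint answers.
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
    CMD if [ -n "$TLS_CERT" ]; then wget -q --spider --no-check-certificate https://localhost:${PORT}/_hawser/health; else wget -q --spider http://localhost:${PORT}/_hawser/health; fi || exit 1
# No USER is set, so hawser runs as root in order to reach the Docker socket
# (can be changed with the --user flag). A process that can talk to the Docker
# socket can control the daemon behind it, so treat this container as
# privileged and restrict who can reach PORT.
ENTRYPOINT ["/usr/local/bin/hawser"]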