Go's Dockerfile journey
Creeping complexity in packaging Go with Docker
Published: Friday, Aug 11, 2023 Last modified: Monday, Dec 9, 2024
Once upon a time all you needed to Dockerize an app was the 2016 deprecated onbuild:
FROM golang:onbuild
EXPOSE 8080
Then we went multistage:
FROM alpine:latest
RUN apk --no-cache add ca-certificates
COPY --from=builder /go/bin/app /app
ENTRYPOINT ./app
Building a #golang container image for production
— Matt Boyle (@MattJamesBoyle) August 10, 2023
One of the many reasons I love GO is how easy it is to build and containerise. However, it's also important to ensure your production application has the smallest attack surface possible, is portable, and small in size.
Let's… pic.twitter.com/WcFOttzMRW
Now distroless is said to be 50% smaller than Alpine, since it doesn’t have a shell, though distroless has:
- CA certs: no need to copy them from stage 1
- /etc/passwd: contains users and groups such as nonroot
- /tmp
- tzdata: in case you want to set the timezone other than UTC
https://github.com/GoogleContainerTools/distroless/blob/main/examples/go/Dockerfile
https://gist.github.com/MatthewJamesBoyle/598538dd1c8d38f9dc70575b1be5958a
Then often you need curl to run health checks.