Go's Dockerfile journey

Creeping complexity in packaging Go with Docker

Published: Friday, Aug 11, 2023 Last modified: Thursday, Nov 14, 2024

Once upon a time all you needed to Dockerize an app was the 2016 deprecated onbuild:

FROM golang:onbuild
EXPOSE 8080

Then we went multistage:

FROM alpine:latest
RUN apk --no-cache add ca-certificates
COPY --from=builder /go/bin/app /app
ENTRYPOINT ./app

Building a #golang container image for production

One of the many reasons I love GO is how easy it is to build and containerise. However, it's also important to ensure your production application has the smallest attack surface possible, is portable, and small in size.

Let's… pic.twitter.com/WcFOttzMRW
— Matt Boyle (@MattJamesBoyle) August 10, 2023

Now distroless is said to be 50% smaller than Alpine, since it doesn’t have a shell, though distroless has:

CA certs: no need to copy them from stage 1
/etc/passwd: contains users and groups such as nonroot
/tmp
tzdata: in case you want to set the timezone other than UTC

https://github.com/GoogleContainerTools/distroless/blob/main/examples/go/Dockerfile

https://gist.github.com/MatthewJamesBoyle/598538dd1c8d38f9dc70575b1be5958a

Then often you need curl to run health checks.