Once upon a time, all you needed to Dockerize an app was the onbuild image, deprecated in 2016:
```dockerfile
FROM golang:onbuild
EXPOSE 8080
```
Then we went multistage:
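```dockerfile
# Final stage only; the earlier stage named "builder" that produces /go/bin/app is not shown.
FROM alpine:latest
RUN apk --no-cache add ca-certificates
COPY --from=builder /go/bin/app /app
ENTRYPOINT ./app
```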
Building a #golang container image for production — Matt Boyle (@MattJamesBoyle), August 10, 2023
One of the many reasons I love GO is how easy it is to build and containerise. However, it's also important to ensure your production application has the smallest attack surface possible, is portable, and small in size.
Distroless is said to be 50% smaller than Alpine, since it doesn't have a shell. It still ships with:
- CA certs: no need to copy them from stage 1
- /etc/passwd: contains users and groups such as nonroot
- tzdata: in case you want to set a time zone other than UTC
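
The three points above in one Dockerfile, as an added example that is not from the original post. The `golang:1.22` builder tag, the `static-debian12:nonroot` variant, a main package at the repository root and the `Europe/Berlin` time zone are assumptions.

```dockerfile
# Added example, not from the original post.
# Assumes the main package sits at the repository root and the app listens on 8080.

# Stage 1: build a fully static binary, because distroless/static ships no libc.
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /go/bin/app .

# Stage 2: runtime image with no shell and no package manager.
FROM gcr.io/distroless/static-debian12:nonroot

# CA certs and tzdata are already in the image, so only the binary is copied
# from stage 1.
COPY --from=builder /go/bin/app /app

# Go reads TZ and resolves it against the bundled tzdata
# (constructed sample value; leave unset to stay on UTC).
ENV TZ=Europe/Berlin

# The nonroot user and group come from the image's own /etc/passwd and /etc/group.
USER nonroot:nonroot

EXPOSE 8080

# Exec form is required here: the shell form (ENTRYPOINT ./app) is run through
# /bin/sh -c, and distroless has no /bin/sh.
ENTRYPOINT ["/app"]
```

The same missing shell is why `docker exec ... sh` fails against this image.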
Then often you need curl to run health checks.