docker: various improvements to Dockerfile

This includes the following changes:

- Use multi-stage build to run application in an optimized environment, see
  https://docs.docker.com/develop/develop-images/multistage-build/
- Run application on alpine instead of archlinux to further reduce image size
- Build Crystal application with --release for improved runtime performance
- Run application as non-root user for better security, see
  https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
- Only rebuild Docker layers when required
Leon Klingele 2019-08-01 12:49:12 +02:00
parent f99a7b2a8c
commit ea39bb4334
No known key found for this signature in database
GPG key ID: 0C8AF48831EEC211


@ -1,15 +1,28 @@
FROM archlinux/base
RUN pacman -Sy --noconfirm shards crystal imagemagick librsvg \
which pkgconf gcc ttf-liberation glibc
# base-devel contains many other basic packages, that are normally assumed to already exist on a clean arch system
ADD . /invidious
FROM alpine:latest AS builder
RUN apk add -u crystal shards libc-dev \
yaml-dev libxml2-dev sqlite-dev sqlite-static zlib-dev openssl-dev
WORKDIR /invidious
COPY ./shard.yml ./shard.yml
RUN shards update && shards install
COPY ./src/ ./src/
# TODO: .git folder is required for building this is destructive.
# See definition of CURRENT_BRANCH, CURRENT_COMMIT and CURRENT_VERSION.
COPY ./.git/ ./.git/
RUN crystal build --static --release \
# TODO: Remove next line, see https://github.com/crystal-lang/crystal/issues/7946
-Dmusl \
./src/invidious.cr
RUN sed -i 's/host: localhost/host: postgres/' config/config.yml && \
shards update && shards install && \
crystal build src/invidious.cr
FROM alpine:latest
RUN apk add -u imagemagick ttf-opensans
WORKDIR /invidious
RUN addgroup -g 1000 -S invidious && \
adduser -u 1000 -S invidious -G invidious
COPY ./assets/ ./assets/
COPY ./config/config.yml ./config/config.yml
COPY ./config/sql/ ./config/sql/
COPY ./locales/ ./locales/
RUN sed -i 's/host: localhost/host: postgres/' config/config.yml
COPY --from=builder /invidious/invidious .
USER invidious
CMD [ "/invidious/invidious" ]
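Review bot: Both new stages start from `FROM alpine:latest`, and the builder stage runs `shards update && shards install` with only `shard.yml` copied in, so the base image and every Crystal dependency are re-resolved to whatever is newest at build time. That makes the image non-reproducible and lets an unreviewed upstream change reach the release binary without any change in this repository. Pin the base to a fixed tag or digest, e.g. `FROM alpine:<pinned-version> AS builder`, and, if the repository tracks a `shard.lock` (not visible in this hunk), copy it next to `shard.yml` and run only `RUN shards install`. The two `apk add -u` lines would also benefit from `--no-cache` so the package index is not kept in the layer.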