# build stage for the healthcheck probe; nothing from this stage reaches the
# final image except the single binary written to /healthcheck
FROM golang:1.21.3-alpine AS gobuilder
WORKDIR /go/src/healthcheck
# only the probe's sources are needed here
COPY healthcheck/ ./
# CGO off plus a static link so the probe carries no libc dependency into the
# distroless runtime image; -trimpath and -w -s strip build paths and symbols
RUN CGO_ENABLED=0 go build -trimpath -ldflags '-w -s -extldflags "-static"' -o /healthcheck ./...
#
# ---
#
# throwaway stage whose only output is /redis.version: the release shipped by
# the pinned official image, which the source build below is made to match
FROM redis:7.2.3 AS redistemp
# bash with pipefail so a failure anywhere in the pipeline fails the build
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# the third whitespace-separated field of `redis-server --version` is
# "v=<version>"; split it once more on "=" to keep only the bare number
RUN /usr/local/bin/redis-server --version \
  | cut -d ' ' -f 3 \
  | cut -d '=' -f 2 \
  > /redis.version
#
# ---
#
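# build stage for redis itself; only /redis/copy/ is carried into the final image
FROM debian:buster AS builder
# bash with pipefail so a failure anywhere in a pipeline fails the build
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# staging tree for the final image: /redis/copy/ is copied to / later, so
# /redis/copy/data becomes the /data volume directory. The mode is applied to
# that directory (not to /redis, which is never copied) because COPY --chown
# keeps the source mode, giving the data directory owner-only access at runtime.
RUN mkdir -p /redis/copy/data \
 && chmod 700 /redis/copy/data
# build dependencies only; the stage is discarded, the list cleanup just keeps the layer small
# hadolint ignore=DL3008
RUN apt-get update -y \
 && apt-get -q install -y --no-install-recommends \
      ca-certificates \
      gcc \
      libc6-dev \
      libjemalloc-dev \
      make \
      tcl \
      wget \
 && rm -rf /var/lib/apt/lists/*
# version string recorded from the official redis image
COPY --from=redistemp /redis.version /
# fetch the release tarball and verify it against the published hash list before unpacking:
# - an empty version is rejected up front instead of producing a bogus URL and hash lookup
# - the hash line is matched on the full tarball name, so "7.2.3" cannot match 7.2.30 or
#   an -rc tarball (the old 'rc\d' exclusion was not a valid grep pattern anyway)
# - the tarball is fetched over TLS; the sha256 check remains the actual integrity guarantee
WORKDIR /redis
RUN REDIS_VERSION="$(cat /redis.version)" \
 && [ -n "${REDIS_VERSION}" ] \
 && echo "Using Redis version ${REDIS_VERSION}" \
 && tarball="redis-${REDIS_VERSION}.tar.gz" \
 && redisHashLine="$(wget -qO - https://raw.githubusercontent.com/antirez/redis-hashes/master/README | grep -v '^#' | grep 'hash redis' | grep -F " ${tarball} ")" \
 && wget "https://download.redis.io/releases/${tarball}" \
 && echo "$(echo "${redisHashLine}" | cut -d ' ' -f 4)  ${tarball}" | sha256sum --check \
 && tar -xf "${tarball}" \
 && mv "/redis/redis-${REDIS_VERSION}/" /redis/src
WORKDIR /redis/src
# static build so the binaries depend only on the runtime image's glibc.
# NOTE(review): the EXEEXT and LDFLAGS values are unusual (linker flags via EXEEXT, an
# include path via LDFLAGS) and are kept exactly as before — confirm they are still what
# the redis makefile needs before changing them.
RUN make CFLAGS="-static -static-libgcc" EXEEXT="-static -static-libgcc" LDFLAGS="-I/usr/local/include/"
# stage only the two server binaries; the rest of the source tree stays behind
RUN cp src/redis-server src/redis-sentinel /redis/copy/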
#
# ---
#
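# runtime image: distroless base (glibc, no shell or package manager) on debian 10,
# i.e. the same glibc generation the builder stage linked against; the :nonroot
# variant provides the unprivileged user used below
FROM gcr.io/distroless/base-debian10:nonroot
# container label annotations, grouped into a single instruction
LABEL maintainer="[email protected]" \
      name="iron-redis" \
      url="https://github.com/ironPeakServices/iron-redis" \
      description="Secure base image for running Redis"
# healthcheck probe built in the first stage
COPY --from=gobuilder --chown=nonroot /healthcheck /healthcheck
# /redis/copy/ holds redis-server, redis-sentinel and the empty data/ directory,
# so this lands them at /redis-server, /redis-sentinel and /data
COPY --from=builder --chown=nonroot /redis/copy/ /
# redis configuration shipped with the repository
COPY --chown=nonroot redis.conf /
# drop to the unprivileged user for everything that follows (CMD and the healthcheck run as it)
USER nonroot
# persistent data lives here; declared after the COPY that creates the directory
# so its ownership and mode are kept (writes after VOLUME would be discarded)
VOLUME /data
# redis uses the current working directory as its data directory
WORKDIR /data
# default redis port (documentation only; publish it at run time)
EXPOSE 6379
# the probe is given the port it should connect to
HEALTHCHECK --interval=10s --timeout=10s --start-period=5s --retries=3 CMD [ "/healthcheck", "6379" ]
# exec form: redis-server is PID 1 and receives SIGTERM from `docker stop`. Exec form does
# no word splitting, so the option and its value are separate array elements; the previous
# single "--port 6379" element only worked because redis-server re-split it itself.
CMD ["/redis-server", "/redis.conf", "--port", "6379"]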