|
@@ -1,76 +1,79 @@
|
|
|
-# 构建阶段(使用新版官方镜像)
|
|
|
-FROM golang:1.21-alpine3.19 AS builder
|
|
|
-
|
|
|
-# 设置工作目录
|
|
|
-WORKDIR /app
|
|
|
-
|
|
|
-# 配置Alpine镜像源(使用新版)
|
|
|
-RUN echo -e "https://mirrors.aliyun.com/alpine/v3.19/main\nhttps://mirrors.aliyun.com/alpine/v3.19/community" > /etc/apk/repositories
|
|
|
-
|
|
|
-# 安装构建依赖(添加upgrade确保索引最新)
|
|
|
-RUN apk add --no-cache --upgrade \
|
|
|
- gcc \
|
|
|
- g++ \
|
|
|
- musl-dev \
|
|
|
- sqlite-dev \
|
|
|
- make
|
|
|
+# 构建阶段(使用Debian基础镜像保证glibc兼容性)
|
|
|
+FROM golang:1.21-bullseye AS builder
|
|
|
|
|
|
# 配置Go环境
|
|
|
ENV GOPROXY=https://goproxy.cn,direct \
|
|
|
CGO_ENABLED=1 \
|
|
|
GOOS=linux \
|
|
|
- GOARCH=amd64
|
|
|
+ GOARCH=amd64 \
|
|
|
+ GO111MODULE=on
|
|
|
+
|
|
|
+# 安装构建依赖
|
|
|
+RUN apt-get update && apt-get install -y \
|
|
|
+ gcc \
|
|
|
+ g++ \
|
|
|
+ libsqlite3-dev \
|
|
|
+ pkg-config \
|
|
|
+ && rm -rf /var/lib/apt/lists/*
|
|
|
|
|
|
-# 复制依赖文件先进行缓存
|
|
|
+WORKDIR /app
|
|
|
+
|
|
|
+# 复制依赖清单
|
|
|
COPY go.mod go.sum ./
|
|
|
RUN go mod download
|
|
|
|
|
|
-# 复制项目代码
|
|
|
+# 复制源代码
|
|
|
COPY . .
|
|
|
|
|
|
-# 构建可执行文件(添加-ldflags优化)
|
|
|
-RUN go build -ldflags="-w -s" -o /app/main cmd/main.go
|
|
|
+# 构建优化参数
|
|
|
+RUN go build -v -ldflags="-w -s -linkmode external -extldflags '-static'" \
|
|
|
+ -tags "osusergo netgo sqlite_omit_load_extension" \
|
|
|
+ -o /app/main cmd/main.go
|
|
|
|
|
|
# 运行时阶段
|
|
|
-FROM alpine:3.19
|
|
|
-
|
|
|
-# 配置镜像源和基础依赖
|
|
|
-RUN echo -e "https://mirrors.aliyun.com/alpine/v3.19/main\nhttps://mirrors.aliyun.com/alpine/v3.19/community" > /etc/apk/repositories \
|
|
|
- && apk update \
|
|
|
- && apk add --no-cache --upgrade \
|
|
|
- sqlite-libs \
|
|
|
- libc6-compat \
|
|
|
- ca-certificates \
|
|
|
- tzdata
|
|
|
+FROM debian:bullseye-slim
|
|
|
|
|
|
# 设置容器时区
|
|
|
ENV TZ=Asia/Shanghai
|
|
|
+RUN apt-get update && apt-get install -y \
|
|
|
+ ca-certificates \
|
|
|
+ tzdata \
|
|
|
+ libsqlite3-0 \
|
|
|
+ curl \
|
|
|
+ && ln -snf /usr/share/zoneinfo/$TZ /etc/localtime \
|
|
|
+ && echo $TZ > /etc/timezone \
|
|
|
+ && rm -rf /var/lib/apt/lists/*
|
|
|
|
|
|
-# 创建专用用户
|
|
|
-RUN addgroup -S appgroup && adduser -S appuser -G appgroup
|
|
|
+# 创建专用用户(固定uid/gid)
|
|
|
+RUN groupadd -g 10001 appgroup && \
|
|
|
+ useradd -u 10001 -g appgroup -d /app -s /sbin/nologin appuser
|
|
|
|
|
|
-# 设置工作目录并转移所有权
|
|
|
+# 设置工作目录
|
|
|
WORKDIR /app
|
|
|
-RUN mkdir -p /app/data/json_files
|
|
|
+
|
|
|
+# 从构建阶段复制文件
|
|
|
COPY --from=builder --chown=appuser:appgroup /app/main .
|
|
|
COPY --chown=appuser:appgroup config.yaml .
|
|
|
-COPY --chown=appuser:appgroup data/json_files ./data/json_files
|
|
|
+COPY --chown=appuser:appgroup --from=builder /app/data/json_files ./data/json_files
|
|
|
|
|
|
-# 设置权限
|
|
|
-RUN chmod 755 /app/main \
|
|
|
+# 初始化容器环境
|
|
|
+RUN mkdir -p /app/data \
|
|
|
+ && chown -R appuser:appgroup /app \
|
|
|
+ && chmod 755 /app/main \
|
|
|
&& chmod 644 config.yaml \
|
|
|
&& chmod -R 755 /app/data
|
|
|
|
|
|
-# 切换到非root用户
|
|
|
-USER appuser
|
|
|
+# 安全增强配置
|
|
|
+RUN echo "hosts: files dns" > /etc/nsswitch.conf && \
|
|
|
+ echo "appuser hard nofile 65535" >> /etc/security/limits.conf && \
|
|
|
+ echo "appuser soft nofile 65535" >> /etc/security/limits.conf
|
|
|
|
|
|
-# 健康检查
|
|
|
-HEALTHCHECK --interval=30s --timeout=3s \
|
|
|
- CMD wget --spider http://localhost:8080/healthz || exit 1
|
|
|
+# 健康检查(使用curl代替wget)
|
|
|
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \
|
|
|
+ CMD curl -fsS http://localhost:8080/healthz || exit 1
|
|
|
|
|
|
-# 暴露端口
|
|
|
+# 运行时配置
|
|
|
+USER appuser
|
|
|
EXPOSE 8080
|
|
|
-
|
|
|
-# 启动命令
|
|
|
ENTRYPOINT ["./main"]
|
|
|
-CMD ["server"]
|
|
|
+CMD ["--config", "config.yaml", "server"]
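Review bot: The two `echo ... >> /etc/security/limits.conf` lines in the "安全增强配置" RUN do not raise the file-descriptor limit of the container process: `limits.conf` is only consulted by `pam_limits` during a PAM login, and nothing in this image goes through PAM, so `./main` starts with whatever nofile limit the runtime hands it. The limit must be set where the container is launched (e.g. `docker run --ulimit nofile=65535:65535`), and the two lines can be dropped so the comment above them does not promise hardening that never takes effect; the `echo "hosts: files dns" > /etc/nsswitch.conf` in the same RUN also replaces the nsswitch.conf that Debian already ships, and since the binary is built with `netgo`/`osusergo` it is worth confirming whether it reads that file at all. Separately, both `apt-get install -y` calls (builder and runtime) pull in recommended packages and pin no versions; `apt-get install -y --no-install-recommends` keeps the runtime image smaller, and with `-extldflags '-static'` the runtime `libsqlite3-0` may be dead weight — confirm with `ldd` on the built binary before removing it.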
|