feat(docker): Adding Dockerfile #5

Open
wants to merge 3 commits into
base: main
1 change: 1 addition & 0 deletions docker/.gitkeep
@@ -0,0 +1 @@

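Review bot: `docker/.gitkeep` is redundant in this change set, since the same PR adds `docker/Dockerfile`, `docker/README.md`, `docker/build.sh` and `docker/run.sh` to that directory; a placeholder file only serves to keep an otherwise empty directory tracked, so it can be dropped.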
48 changes: 48 additions & 0 deletions docker/Dockerfile
@@ -0,0 +1,48 @@
FROM golang:alpine as build

# Install git.
# Git is required for fetching the dependencies.
RUN apk update && apk add --no-cache git

# Create appuser.
ENV USER=appuser
ENV UID=10001
# See https://stackoverflow.com/a/55757473/12429735RUN
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
"${USER}"

WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN go get -d -v
RUN GOOS=linux go build -ldflags="-w -s" -o /app/howto



FROM scratch

ARG OPENAI_API_KEY
ENV OPENAI_API_KEY=${OPENAI_API_KEY}

# To allow TLS requests to OpenAI
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

# Import the user and group files from the builder.
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group

WORKDIR /app
COPY --from=build /app/howto /app/howto

# Use an unprivileged user.
USER appuser:appuser

ENTRYPOINT ["/app/howto"]
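Review bot: the `ARG OPENAI_API_KEY` / `ENV OPENAI_API_KEY=${OPENAI_API_KEY}` pair in the runtime stage bakes the API key into the image configuration, where it is readable with `docker history` and `docker inspect` by anyone who can pull the image; `run.sh` already injects the key at run time with `-e OPENAI_API_KEY=...`, so both lines should be removed from the Dockerfile. Three smaller points: the comment `# See https://stackoverflow.com/a/55757473/12429735RUN` has a stray `RUN` fused onto the URL; `RUN go get -d -v` only duplicates `RUN go mod download` (since Go 1.18 `go get` no longer builds packages, so `-d` is effectively always on) and can go; and because the final stage is `FROM scratch` with no libc, the build line should set `CGO_ENABLED=0` (e.g. `RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o /app/howto`) so the binary is guaranteed to be statically linked. Pinning `golang:alpine` to a specific version tag or digest would also make the build reproducible.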
34 changes: 34 additions & 0 deletions docker/README.md
@@ -0,0 +1,34 @@
# Overview

Run howto app in docker/podman container

# Set up on shell

## One time set up
```bash
./build.sh

# Set API key
## Could be set also in ~/.bashrc file or similar
read -s OPENAI_API_KEY ; echo "export OPENAI_API_KEY=$OPENAI_API_KEY" >> <some_rc_file_loaded_at_shell>

# Set alias
echo "alias howto=\"$(realpath)/run.sh\"" >> ~/.bashrc
```

# Usage

```bash
./run.sh "tar a file"

# Or with alias
howto "tar a file"
```

# Security hardening

Image runs:
- without (almost) any other filesystem files than binary itself (FROM scratch)
- with non-root user

And provided run.sh script runs it with readonly container filesystem
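Review bot: the alias line `echo "alias howto=\"$(realpath)/run.sh\"" >> ~/.bashrc` is broken: `realpath` with no operand fails, so the alias expands to `/run.sh`; it needs the script's directory, e.g. `$(realpath docker)/run.sh` when run from the repository root. The key setup line `read -s OPENAI_API_KEY ; echo "export OPENAI_API_KEY=$OPENAI_API_KEY" >> <some_rc_file_loaded_at_shell>` appends the key in plaintext to a shell rc file; the README should say so explicitly, and `read -rs` avoids backslash mangling. The overview mentions a "docker/podman container", but `build.sh` and `run.sh` hardcode `docker`, so either document that or parametrise the binary.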
5 changes: 5 additions & 0 deletions docker/build.sh
@@ -0,0 +1,5 @@
#!/bin/bash

# Execute from root of repo
cd "$(git rev-parse --show-toplevel)"
docker build -f docker/Dockerfile -t sandbox-howto .
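Review bot: `cd "$(git rev-parse --show-toplevel)"` has no failure handling; when the script is invoked outside a git checkout the `cd` fails and `docker build` then runs against whatever the current directory happens to be. Add `set -euo pipefail` after the shebang (or `cd ... || exit 1`). The image is tagged only as `sandbox-howto`, so each build silently overwrites the previous one; a version tag would make rollbacks possible.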
4 changes: 4 additions & 0 deletions docker/run.sh
@@ -0,0 +1,4 @@
#!/bin/bash

CONFIG_DIR="$HOME/.howto/config"
docker run --read-only -v "$CONFIG_DIR:/nonexistent:rw" -e OPENAI_API_KEY=$OPENAI_API_KEY sandbox-howto $1
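Review bot: `$1` is unquoted in `docker run ... sandbox-howto $1`, so `./run.sh "tar a file"` (the README's own example) is word-split into three separate arguments before it reaches the binary; use `"$@"` so the prompt is passed as given. Quote `$OPENAI_API_KEY` as well, or pass `-e OPENAI_API_KEY` with no value so Docker reads it from the environment instead of the shell expanding the secret into the command line. Add `--rm` so each run does not leave a stopped container behind (its environment, key included, stays readable via `docker inspect`). The bind mount `-v "$CONFIG_DIR:/nonexistent:rw"` also lands on the home path that `adduser --no-create-home` deliberately left absent: if `$HOME/.howto/config` does not exist yet, Docker creates it root-owned and `appuser` (uid 10001) cannot write to it, so the script should `mkdir -p "$CONFIG_DIR"` first. `--cap-drop=ALL --security-opt=no-new-privileges` would round out the hardening the README describes.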