Update Dockerfile (#2342)

Updates/adds a new multistage (build-kit) Dockerfile. (if accepted, could make `Dockerfile.monolith` and `Dockerfile.polylith` in `build/docker` obsolete) There's no huge difference between the dockerfiles, except this uses a non-root user when running the container, also doesn't copy the working directory to the image when building. Also adds vulnerabilities scans using [Trivy](https://github.com/aquasecurity/trivy) for the created docker images. (untested) Building images is done using ``` docker build . --target image-monolith -t dendrite-monolith docker build . --target image-polylith -t dendrite-polylith ``` As noted in the comments, only adds `dendrite-polylith-multi` to the polylith image and all required binaries to the monolith image. Probably needs some docs updating, if this is accepted. Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2025-07-29 12:42:46 +00:00 · 2022-10-04 11:41:06 +02:00 · 2022-10-04 11:41:06 +02:00 · e6c992ba8b
commit e6c992ba8b
parent 34ed316584
13 changed files with 257 additions and 115 deletions
--- a/build/docker/Dockerfile.demo-pinecone
+++ b/build/docker/Dockerfile.demo-pinecone
@ -1,25 +0,0 @@
-FROM docker.io/golang:1.19-alpine AS base
-
-RUN apk --update --no-cache add bash build-base
-
-WORKDIR /build
-
-COPY . /build
-
-RUN mkdir -p bin
-RUN go build -trimpath -o bin/ ./cmd/dendrite-demo-pinecone
-RUN go build -trimpath -o bin/ ./cmd/create-account
-RUN go build -trimpath -o bin/ ./cmd/generate-keys
-
-FROM alpine:latest
-LABEL org.opencontainers.image.title="Dendrite (Pinecone demo)"
-LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
-LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
-LABEL org.opencontainers.image.licenses="Apache-2.0"
-
-COPY --from=base /build/bin/* /usr/bin/
-
-VOLUME /etc/dendrite
-WORKDIR /etc/dendrite
-
-ENTRYPOINT ["/usr/bin/dendrite-demo-pinecone"]
--- a/build/docker/Dockerfile.monolith
+++ b/build/docker/Dockerfile.monolith
@ -1,25 +0,0 @@
-FROM docker.io/golang:1.19-alpine AS base
-
-RUN apk --update --no-cache add bash build-base
-
-WORKDIR /build
-
-COPY . /build
-
-RUN mkdir -p bin
-RUN go build -trimpath -o bin/ ./cmd/dendrite-monolith-server
-RUN go build -trimpath -o bin/ ./cmd/create-account
-RUN go build -trimpath -o bin/ ./cmd/generate-keys
-
-FROM alpine:latest
-LABEL org.opencontainers.image.title="Dendrite (Monolith)"
-LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
-LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
-LABEL org.opencontainers.image.licenses="Apache-2.0"
-
-COPY --from=base /build/bin/* /usr/bin/
-
-VOLUME /etc/dendrite
-WORKDIR /etc/dendrite
-
-ENTRYPOINT ["/usr/bin/dendrite-monolith-server"]
--- a/build/docker/Dockerfile.polylith
+++ b/build/docker/Dockerfile.polylith
@ -1,25 +0,0 @@
-FROM docker.io/golang:1.19-alpine AS base
-
-RUN apk --update --no-cache add bash build-base
-
-WORKDIR /build
-
-COPY . /build
-
-RUN mkdir -p bin
-RUN go build -trimpath -o bin/ ./cmd/dendrite-polylith-multi
-RUN go build -trimpath -o bin/ ./cmd/create-account
-RUN go build -trimpath -o bin/ ./cmd/generate-keys
-
-FROM alpine:latest
-LABEL org.opencontainers.image.title="Dendrite (Polylith)"
-LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
-LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
-LABEL org.opencontainers.image.licenses="Apache-2.0"
-
-COPY --from=base /build/bin/* /usr/bin/
-
-VOLUME /etc/dendrite
-WORKDIR /etc/dendrite
-
-ENTRYPOINT ["/usr/bin/dendrite-polylith-multi"]
--- a/build/docker/README.md
+++ b/build/docker/README.md
@ -9,11 +9,15 @@ They can be found on Docker Hub:

 ## Dockerfiles

-The `Dockerfile` builds the base image which contains all of the Dendrite
-components. The `Dockerfile.component` file takes the given component, as
-specified with `--buildarg component=` from the base image and produce
-smaller component-specific images, which are substantially smaller and do
-not contain the Go toolchain etc.
+The `Dockerfile` is a multistage file which can build all three Dendrite
+images depending on the supplied `--target`. From the root of the Dendrite
+repository, run:
+
+```
+docker build . --target monolith -t matrixdotorg/dendrite-monolith
+docker build . --target polylith -t matrixdotorg/dendrite-monolith
+docker build . --target demo-pinecone -t matrixdotorg/dendrite-monolith
+```

 ## Compose files

--- a/build/docker/crossbuild.sh
+++ b/build/docker/crossbuild.sh
@ -0,0 +1,67 @@
+#!/bin/sh
+set -e
+
+# In order to cross-compile with the multi-stage Docker builds, we need to
+# ensure that the suitable toolchain for cross-compiling is installed. Since
+# the images are Alpine-based, we will use musl. Download and install the
+# toolchain inside the build container.
+
+USERARCH=`go env GOARCH`
+GOARCH="$TARGETARCH"
+GOOS="linux"
+
+echo "Target arch: $TARGETARCH"
+echo "User arch:   $USERARCH"
+
+if [ "$TARGETARCH" != "$USERARCH" ]; then
+    if [ "$USERARCH" != "amd64" ]; then
+      echo "Cross-compiling only supported on amd64"
+      exit 1
+    fi
+
+    echo "Cross compile"
+    case $GOARCH in
+    arm64)
+        curl -s https://more.musl.cc/x86_64-linux-musl/aarch64-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+        export CC=aarch64-linux-musl-gcc
+        ;;
+
+    amd64)
+        curl -s https://more.musl.cc/x86_64-linux-musl/x86_64-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+        export CC=x86_64-linux-musl-gcc
+        ;;
+
+    386)
+        curl -s https://more.musl.cc/x86_64-linux-musl/i686-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+        export CC=i686-linux-musl-gcc
+        ;;
+
+    arm)
+        curl -s https://more.musl.cc/x86_64-linux-musl/armv7l-linux-musleabihf-cross.tgz | tar xz --strip-components=1 -C /usr
+        export CC=armv7l-linux-musleabihf-gcc
+        ;;
+
+    s390x)
+        curl -s https://more.musl.cc/x86_64-linux-musl/s390x-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+        export CC=s390x-linux-musl-gcc
+        ;;
+
+    ppc64le)
+        curl -s https://more.musl.cc/x86_64-linux-musl/powerpc64le-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+        export CC=powerpc64le-linux-musl-gcc
+        ;;
+
+    *)
+        echo "Unsupported GOARCH=${GOARCH}"
+        exit 1
+        ;;
+    esac
+else
+    echo "Native compile"
+fi
+
+# Output the go environment just in case it is useful for debugging.
+go env
+
+# Build Dendrite and tools, statically linking them.
+CGO_ENABLED=1 go build -v -ldflags="-linkmode external -extldflags -static ${FLAGS}" -trimpath -o /out/ ./cmd/...
--- a/build/docker/images-build.sh
+++ b/build/docker/images-build.sh
@ -6,5 +6,6 @@ TAG=${1:-latest}

 echo "Building tag '${TAG}'"

-docker build -t matrixdotorg/dendrite-monolith:${TAG}  -f build/docker/Dockerfile.monolith .
-docker build -t matrixdotorg/dendrite-polylith:${TAG}  -f build/docker/Dockerfile.polylith .
+docker build . --target monolith -t matrixdotorg/dendrite-monolith:${TAG}
+docker build . --target polylith -t matrixdotorg/dendrite-monolith:${TAG}
+docker build . --target demo-pinecone -t matrixdotorg/dendrite-demo-pinecone:${TAG}