changed: refactoring and migration to runtime image from scratch

Author: ammnt

.github/workflows/build.yml

@@ -81,6 +81,23 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Slim the Docker image🚀
+        id: slim
+        uses: kitabisa/[email protected]
+        env:
+          DSLIM_HTTP_PROBE: false
+        with:
+          target: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
+          tag: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
+          overwrite: true
+          version: 1.40.11
+
+      - name: Dump the Slim report📊
+        run: |
+          echo "${REPORT}" > slim.report.json
+        env:
+          REPORT: ${{ steps.slim.outputs.report }}
+
       - name: Analyze image with Docker Scout💊
         uses: docker/[email protected]
         with:
@@ -160,23 +177,6 @@ jobs:
           name: Dockle Report
           path: "${{ github.workspace }}/dockle.report.json"
 
-      - name: Slim the Docker image🚀
-        id: slim
-        uses: kitabisa/[email protected]
-        env:
-          DSLIM_HTTP_PROBE: false
-        with:
-          target: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
-          tag: ghcr.io/ammnt/freenginx:${{ env.APP_VERSION }}
-          overwrite: true
-          version: 1.40.11
-
-      - name: Dump the Slim report📊
-        run: |
-          echo "${REPORT}" > slim.report.json
-        env:
-          REPORT: ${{ steps.slim.outputs.report }}
-
       - name: Upload the Slim report📊
         uses: actions/[email protected]
         with:

Dockerfile

@@ -133,23 +133,25 @@ RUN NB_CORES="${BUILD_CORES-$(getconf _NPROCESSORS_CONF)}" \
     --add-module=/tmp/ngx_brotli \
 && make -j "${NB_CORES}" && make install && make clean && strip /usr/sbin/freenginx \
 && chown -R freenginx:freenginx /var/cache/freenginx && chmod -R g+w /var/cache/freenginx \
-&& chown -R freenginx:freenginx /etc/freenginx && chmod -R g+w /etc/freenginx
-
-FROM docker.io/library/alpine:${BASE_VERSION}@sha256:${BASE_HASH}
-RUN set -ex && addgroup -S freenginx && adduser -S freenginx -s /sbin/nologin -G freenginx --uid 101 --no-create-home \
-&& apk -U upgrade && apk add --no-cache \
-    pcre \
-    tini \
-    brotli-libs \
-    libxslt \
-&& apk del --purge apk-tools \
-&& rm -rf /tmp/* /var/cache/apk/ /var/cache/misc /root/.gnupg /root/.cache /root/go /etc/apk
+&& chown -R freenginx:freenginx /etc/freenginx && chmod -R g+w /etc/freenginx && touch /tmp/error.log
 
+FROM scratch
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+COPY --from=builder /sbin/tini /sbin/tini
 COPY --from=builder --chown=freenginx:freenginx /usr/sbin/freenginx /usr/sbin/freenginx
 COPY --from=builder --chown=freenginx:freenginx /etc/freenginx /etc/freenginx
+COPY --from=builder --chown=freenginx:freenginx /tmp/error.log /tmp/error.log
 COPY --from=builder --chown=freenginx:freenginx /var/cache/freenginx /var/cache/freenginx
 COPY --chown=freenginx:freenginx ./freenginx.conf /etc/freenginx/freenginx.conf
 COPY --chown=freenginx:freenginx ./default.conf /etc/freenginx/conf.d/default.conf
+COPY --from=builder /lib/ld-musl-x86_64.so.1 /lib/
+COPY --from=builder /usr/lib/libbrotlienc.so.1 \
+                    /usr/lib/libpcre.so.1 \
+                    /usr/lib/libz.so.1 \
+                    /usr/lib/libxml2.so.2 \
+                    /usr/lib/libbrotlicommon.so.1 \
+                    /usr/lib/liblzma.so.5 /usr/lib/
 
 ENTRYPOINT [ "/sbin/tini", "--" ]
 

README.md

@@ -36,7 +36,8 @@ services:
 
 # Description:
 
-- Based on latest version of Alpine Linux - low size (~5 MB);
+- Built on latest version of Alpine Linux - low size (~5 MB);
+- Runtime on scratch image - with zero bloat;
 - Multi-stage building with statically linked binary;
 - OpenSSL with HTTP/3 and QUIC support:<br>
 https://github.com/openssl/openssl
@@ -49,7 +50,7 @@ https://github.com/openssl/openssl
 - zlib library latest version;
 - Rootless master process - unprivileged container;
 - Async I/O threads module;
-- "Distroless" image - shell removed from the image;
+- "Distroless" image - reduced attack surface (removed SHELL, UNIX tools, package manager etc);
 - Removed unnecessary modules;
 - Added OCI labels and annotations;
 - No excess ENTRYPOINT in the image;