feat: updated Dockerfile for security improvement and build optimizat…

…ions

Signed-off-by: MD Maksudur Rahman Khan <[email protected]>

.github/workflows/docker-push.yml

@@ -74,13 +74,14 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push by digest
-        id: build
         uses: docker/build-push-action@v6
         with:
-          annotations: ${{ steps.meta.outputs.annotations }}
           build-args: |
             ALPINE_VERSION=${{ matrix.alpine_version }}
             BEANSTALKD_VERSION=${{ matrix.beanstalkd_version }}
+            BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+            VCS_REF=${{ github.sha }}
+            VERSION=${{ matrix.beanstalkd_version }}
           context: .
           labels: |
             ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -3,48 +3,64 @@ ARG ALPINE_VERSION="latest"
 FROM public.ecr.aws/docker/library/alpine:${ALPINE_VERSION} AS builder
 
 ARG BEANSTALKD_VERSION="v1.13"
+ARG BUILD_PATH="/build"
 
-# install dependencies
-RUN apk update --quiet --no-cache && \
-    apk add --quiet --no-cache build-base git pkgconfig
+# hadolint ignore=DL3018
+RUN apk add --no-cache \
+    build-base \
+    git \
+    pkgconfig
 
-WORKDIR /build
+WORKDIR ${BUILD_PATH}
 
-# build from source
-RUN git clone --depth 1 --branch $BEANSTALKD_VERSION https://github.com/beanstalkd/beanstalkd.git && \
-    cd beanstalkd && \
+# Build from source
+RUN git clone --depth 1 --branch ${BEANSTALKD_VERSION} https://github.com/beanstalkd/beanstalkd.git . && \
     if [ -f "sd-daemon.c" ]; then \
         sed -i 's,sys/fcntl.h,fcntl.h,' sd-daemon.c; \
     fi && \
     make && \
+    strip beanstalkd && \
     ./beanstalkd -v
 
-###############
-# Final Build #
-###############
+# Final image
 FROM public.ecr.aws/docker/library/alpine:${ALPINE_VERSION}
 
+ARG BEANSTALKD_VERSION
+ARG BUILD_DATE
+ARG VCS_REF
+ARG VERSION
+
 LABEL org.opencontainers.image.authors="Maksudur Rahman Maateen <[email protected]>"
 LABEL org.opencontainers.image.created="${BUILD_DATE}"
 LABEL org.opencontainers.image.description="A Docker container for beanstalkd, a simple and fast general purpose work queue."
 LABEL org.opencontainers.image.documentation="https://github.com/maateen/docker-beanstalkd"
 LABEL org.opencontainers.image.licenses="MIT"
-LABEL org.opencontainers.image.source="https://beanstalkd.github.io/"
+LABEL org.opencontainers.image.revision="${VCS_REF}"
+LABEL org.opencontainers.image.source="https://github.com/maateen/docker-beanstalkd"
 LABEL org.opencontainers.image.title="maateen/docker-beanstalkd"
 LABEL org.opencontainers.image.url="https://github.com/maateen/docker-beanstalkd"
 LABEL org.opencontainers.image.vendor="Maksudur Rahman Maateen <[email protected]>"
-LABEL org.opencontainers.image.version="${BEANSTALKD_VERSION}"
+LABEL org.opencontainers.image.version="${VERSION}"
 
-ENV PV_DIR /var/cache/beanstalkd
-ENV FSYNC_INTERVAL 1000
+ENV PV_DIR=/var/cache/beanstalkd \
+    FSYNC_INTERVAL=1000
 
-COPY --from=builder /build/beanstalkd /usr/bin/
+# Create non-root user
+RUN addgroup -S beanstalkd && \
+    adduser -S -G beanstalkd beanstalkd && \
+    mkdir -p ${PV_DIR} && \
+    chown -R beanstalkd:beanstalkd ${PV_DIR}
 
-RUN mkdir -p ${PV_DIR}
-VOLUME ${PV_DIR}
+COPY --from=builder --chown=beanstalkd:beanstalkd /build/beanstalkd /usr/local/bin/
 
+USER beanstalkd
+WORKDIR ${PV_DIR}
+
+VOLUME ${PV_DIR}
 EXPOSE 11300
 
-HEALTHCHECK --interval=5s --timeout=2s --retries=3 CMD pgrep beanstalkd || exit 1
+HEALTHCHECK --interval=5s --timeout=2s --retries=3 \
+    CMD pgrep beanstalkd || exit 1
 
-CMD /usr/bin/beanstalkd -b ${PV_DIR} -f ${FSYNC_INTERVAL}
+ENTRYPOINT ["beanstalkd"]
+CMD ["-b", "/var/cache/beanstalkd", "-f", "1000"]