chore: Replace alpine with distroless

Following a trend by at other database teams: * grafana/loki#13325 * grafana/mimir#8204
simonswine · Jul 22, 2024 · e8a629c · e8a629c
1 parent a9ae4a9
commit e8a629c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 19 deletions.
diff --git a/cmd/pyroscope/Dockerfile b/cmd/pyroscope/Dockerfile
@@ -1,17 +1,24 @@
-FROM alpine:3.18.7
+FROM gcr.io/distroless/static:debug AS debug
 
-RUN apk add --no-cache ca-certificates
+SHELL [ "/busybox/sh", "-c" ]
+
+RUN addgroup -g 10001 -S pyroscope && \
+    adduser -u 10001 -S pyroscope -G pyroscope -h /data
+
+FROM gcr.io/distroless/static
+
+COPY --from=debug /etc/passwd /etc/passwd
+COPY --from=debug /etc/group /etc/group
+
+# Copy folder from debug container, this folder needs to have the correct UID
+# in order for the container to run as non-root.
+VOLUME /data
+COPY --chown=pyroscope:pyroscope --from=debug /data /data
 
 COPY cmd/pyroscope/pyroscope.yaml /etc/pyroscope/config.yaml
 COPY profilecli /usr/bin/profilecli
 COPY pyroscope /usr/bin/pyroscope
 
-RUN addgroup -g 10001 -S pyroscope && \
-    adduser -u 10001 -S pyroscope -G pyroscope
-RUN mkdir -p /data && \
-    chown -R pyroscope:pyroscope /data
-VOLUME /data
-
 USER pyroscope
 EXPOSE 4040
 ENTRYPOINT [ "/usr/bin/pyroscope" ]

diff --git a/cmd/pyroscope/debug.Dockerfile b/cmd/pyroscope/debug.Dockerfile
@@ -1,22 +1,25 @@
-FROM golang as builder
+FROM gcr.io/distroless/static:debug AS debug
 
-WORKDIR /app
-FROM alpine:3.18.7
+SHELL [ "/busybox/sh", "-c" ]
 
-RUN apk add --no-cache ca-certificates
+RUN addgroup -g 10001 -S pyroscope && \
+    adduser -u 10001 -S pyroscope -G pyroscope -h /data
 
-COPY .tmp/bin/linux_amd64/dlv /usr/bin/dlv
+FROM gcr.io/distroless/static
+
+COPY --from=debug /etc/passwd /etc/passwd
+COPY --from=debug /etc/group /etc/group
+
+# Copy folder from debug container, this folder needs to have the correct UID
+# in order for the container to run as non-root.
+VOLUME /data
+COPY --chown=pyroscope:pyroscope --from=debug /data /data
 
+COPY .tmp/bin/linux_amd64/dlv /usr/bin/dlv
 COPY cmd/pyroscope/pyroscope.yaml /etc/pyroscope/config.yaml
 COPY profilecli /usr/bin/profilecli
 COPY pyroscope /usr/bin/pyroscope
 
-RUN addgroup -g 10001 -S pyroscope && \
-    adduser -u 10001 -S pyroscope -G pyroscope
-RUN mkdir -p /data && \
-    chown -R pyroscope:pyroscope /data
-VOLUME /data
-
 USER pyroscope
 EXPOSE 4040
 ENTRYPOINT ["/usr/bin/dlv", "--listen=:40000", "--headless=true", "--log", "--continue", "--accept-multiclient" , "--api-version=2", "exec", "/usr/bin/pyroscope", "--"]