From 014855cf17e194d45cb56cd8302aa5df900702d4 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Mon, 8 Apr 2024 07:04:50 -0700
Subject: [PATCH] [PM-7068] - Use a distroless container image for `bws` (#681)

## Type of change

- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [x] Build/deploy pipeline (DevOps)
- [x] Other

## Objective

Addresses [PM-7068](https://bitwarden.atlassian.net/browse/PM-7068).

Build the `bws` Docker image from an empty file system. This results in a much smaller Docker image (~16MB, uncompressed) with a smaller threat surface than bundling it with a distro.

## Code changes

- **./crates/bws/Dockerfile:** Use `scratch` for the final build stage. This results in a distroless image that only contains our binary, the libraries that it depends on, and the CA certificates needed for SSL to work. The `ldd` line automatically determines what dependencies we need to copy over so we don't have to manually maintain a list of them.

## Before you submit

- Please add **unit tests** where it makes sense to do so

[PM-7068]: https://bitwarden.atlassian.net/browse/PM-7068?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
---
 crates/bws/Dockerfile | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/crates/bws/Dockerfile b/crates/bws/Dockerfile
index 4f16f8e6c..cc9e1c481 100644
--- a/crates/bws/Dockerfile
+++ b/crates/bws/Dockerfile
@@ -15,27 +15,35 @@ COPY . /app # Build project WORKDIR /app/crates/bws -RUN cargo build --release +RUN cargo build --release --bin bws + +# Bundle bws dependencies +RUN mkdir /lib-bws +RUN ldd /app/target/release/bws | tr -s '[:blank:]' '\n' | grep '^/' | xargs -I % cp % /lib-bws + +# Make a HOME directory for the app stage +RUN mkdir -p /home/app ############################################### # App stage # ############################################### -FROM debian:bookworm-slim +FROM scratch ARG TARGETPLATFORM LABEL com.bitwarden.product="bitwarden" +# Set a HOME directory +COPY --from=build /home/app /home/app +ENV HOME=/home/app + # Copy built project from the build stage WORKDIR /usr/local/bin COPY --from=build /app/target/release/bws . -COPY --from=build /etc/ssl/certs /etc/ssl/certs - -# Create a non-root user -RUN useradd -ms /bin/bash app -# Switch to the non-root user -USER app +# Copy certs +COPY --from=build /etc/ssl/certs /etc/ssl/certs -WORKDIR /home/app +# Copy bws dependencies +COPY --from=build /lib-bws /lib ENTRYPOINT ["bws"]
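Review bot: The app stage no longer drops privileges. The hunk removes `RUN useradd -ms /bin/bash app` and `USER app` (there is no `useradd` in `scratch`) but adds no replacement `USER` directive, so `bws` now runs as uid 0 in the container, a regression from the Debian-based image that undercuts the "smaller threat surface" goal. `USER` accepts a numeric uid:gid and needs no `/etc/passwd`, so adding `USER 65532:65532` after the `COPY` lines restores the non-root default; create `/home/app` in the build stage with that owner (`RUN mkdir -p /home/app && chown 65532:65532 /home/app`) so `HOME` stays writable. Separately, `grep '^/' | xargs -I % cp % /lib-bws` followed by `COPY --from=build /lib-bws /lib` flattens every library path `ldd` prints into `/lib`; since `ldd` also prints the dynamic loader at the absolute path the binary's interpreter field expects (on amd64 that is under `/lib64`, not `/lib`), please verify the image actually starts on each target platform, or preserve the original locations with `cp --parents % /lib-bws` and `COPY --from=build /lib-bws/ /`.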