# eTMA Handler - Wolfi Container
# Secure, minimal container using Chainguard's Wolfi base
#
# Build:
# podman build -t etma-handler:latest .
#
# Run:
# podman run -p 4000:4000 etma-handler:latest
#
# Features:
# - Wolfi base (secure, minimal)
# - Multi-stage build (small final image)
# - Non-root user (security best practice)
# - Health check included
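# ===========================================
# STAGE 1: Builder
# ===========================================
# NOTE(review): the base is untagged, i.e. implicitly :latest, so two builds of
# the same source can land on different Wolfi snapshots. Pin by digest once one
# is chosen, e.g. cgr.dev/chainguard/wolfi-base@sha256:<digest> (placeholder).
FROM cgr.dev/chainguard/wolfi-base AS builder
# Build toolchain. Nothing from this stage reaches the final image except the
# release directory copied out in STAGE 2, so compilers and git are fine here.
# (The original repeated `--no-cache` twice; one is enough.)
RUN apk add --no-cache \
    build-base \
    elixir \
    erlang \
    erlang-dev \
    git \
    nodejs \
    npm
WORKDIR /app
# Install Hex and Rebar non-interactively
RUN mix local.hex --force && \
    mix local.rebar --force
# Set build environment
ENV MIX_ENV=prod
# Dependency layer. Only mix.exs is copied, so when no mix.lock is available
# `mix deps.get` resolves versions fresh on every build and the result is not
# reproducible.
# NOTE(review): commit mix.lock and copy it alongside mix.exs
# (`COPY mix.exs mix.lock ./`) so deps are pinned and this layer is only
# invalidated by lockfile changes — TODO confirm the lockfile exists in the repo.
COPY mix.exs ./
RUN mix deps.get --only $MIX_ENV
# Copy config (needed for deps.compile)
COPY config config
# Compile dependencies
RUN mix deps.compile
# Copy application code
COPY lib lib
COPY priv priv
COPY assets assets
# Install Node dependencies and build assets.
# NOTE(review): `npm install` re-resolves versions; prefer `npm ci` once
# assets/package-lock.json is committed.
WORKDIR /app/assets
RUN npm install
WORKDIR /app
# Build assets
RUN mix assets.deploy
# Compile application
RUN mix compile
# Build release (output lands in /app/_build/prod/rel/etma_handler)
RUN mix release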
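# ===========================================
# STAGE 2: Runner
# ===========================================
# NOTE(review): untagged base (implicitly :latest); pin by digest for
# reproducible images, e.g. cgr.dev/chainguard/wolfi-base@sha256:<digest>
# (placeholder).
FROM cgr.dev/chainguard/wolfi-base AS runner
# Runtime libraries only; no toolchain in the final image.
# (The original repeated `--no-cache` twice; one is enough.)
RUN apk add --no-cache \
    libstdc++ \
    ncurses \
    openssl
WORKDIR /app
# Create non-root user for security
RUN addgroup -S etma && adduser -S etma -G etma
# Copy release from builder
COPY --from=builder --chown=etma:etma /app/_build/prod/rel/etma_handler ./
# Writable directories for the non-root user. /app itself stays root-owned
# (created by WORKDIR above), so the process cannot create new paths under it:
# - /app/data: application data (ETMA_DATA_DIR below)
# - /app/tmp:  the release's default RELEASE_TMP; the release start script
#   writes a generated sys.config there when runtime configuration is used,
#   and start would fail as `etma` without a writable tmp/. Scoping the grant
#   to tmp/ keeps the rest of the install read-only for the process.
RUN mkdir -p /app/data /app/tmp && chown etma:etma /app/data /app/tmp
# Switch to non-root user
USER etma
# Environment configuration (runtime only)
ENV HOME=/app \
    PORT=4000 \
    PHX_HOST=localhost \
    MIX_ENV=prod \
    ETMA_DATA_DIR=/app/data
# Expose port (documentation only; publish with -p at run time)
EXPOSE 4000
# Health check. Shell form on purpose so ${PORT} expands and the probe follows
# an overridden port instead of a hard-coded 4000 (default is still 4000).
# NOTE(review): this relies on wget from the base image; confirm the busybox
# applet there accepts --no-verbose/--tries, or install the wget package.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider "http://localhost:${PORT}/api/health" || exit 1
# Start the application (exec form: no /bin/sh -c wrapper in front of the
# release script, so stop signals are delivered to it directly)
CMD ["bin/etma_handler", "start"]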