build/contrib: Improve docker support. #2740

Merged
merged 1 commit into from
Sep 18, 2021

Commits on Sep 18, 2021

  1. build/contrib: Improve docker support.

    This significantly reworks the docker support to build a
    lightweight non-root distroless container image based on scratch.  It
    employs a multi-stage build that downloads and builds the latest source
    code, compresses the resulting binaries, and then produces the final
    image based on scratch that only includes the Decred-specific binaries.
    
    It must be noted that there are some still remaining TODO items in the
    documentation as well as the Dockerfile that will need to be handled by
    a future commit, but the changes are being submitted now to allow
    another contributor to finish up those aspects.
    
    The following is an overview of the changes:
    
    - Removes existing Dockerfile and Dockerfile.alpine
    - Introduces a new Dockerfile under contrib/docker with the following
      properties:
      - Runs as a non-root user
      - Uses a static UID:GID of 10000:10000
        - Note that using UIDs/GIDs below 10000 for container users is a
          security risk on several systems since a hypothetical attack which
          allows escalation outside of the container might otherwise
          coincide with an existing user's UID or existing group's GID which
          has additional permissions
      - The image is based on scratch image (aka completely empty) and only
        includes the Decred-specific binaries which means there is no shell
        or any other binaries available if an attacker were to somehow
        manage to find a remote execution vulnerability exploit in a Decred
        binary
    - Introduces code to build an entrypoint for the image since it is based
      on scratch and thus has no shell for that purpose
    - Adds contrib/docker/README.md
    - Updates README.md in the main directory to account for changes
      - There is still outstanding work to be done here and thus has several
        TODOs
    - Updates contrib/README.md to call out the new addition
    davecgh committed Sep 18, 2021
    563e890
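
As an added example (not part of this pull request or the Decred code base), the Python check below audits a Dockerfile for the properties the commit message lists: a final stage based on scratch, a numeric non-root UID:GID of at least 10000, and no instruction that needs a shell. The function name, the sample Dockerfiles and their image names and paths are constructed for illustration.

```python
import re

MIN_ID = 10000  # threshold stated in the commit message

# Constructed sample Dockerfiles (image names and paths are placeholders).
GOOD = """FROM golang:latest AS builder
RUN go build -o /out/app .
FROM scratch
COPY --from=builder /out/app /app
USER 10000:10000
ENTRYPOINT ["/app"]
"""
BAD = """FROM golang:latest AS builder
RUN go build -o /out/app .
FROM alpine:latest
COPY --from=builder /out/app /app
USER 1000:1000
ENTRYPOINT /app
"""

def audit_dockerfile(text):
    """Return findings for the final stage, the only one that ships."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)  # fold line continuations
    instrs = []
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            op, _, arg = line.partition(" ")
            instrs.append((op.upper(), arg.strip()))
    starts = [i for i, (op, _) in enumerate(instrs) if op == "FROM"]
    if not starts:
        return ["no FROM instruction"]
    final = instrs[starts[-1]:]  # earlier build stages are discarded
    findings = []
    # Skip flags such as --platform=... to reach the base image name.
    base = next((t for t in final[0][1].split() if not t.startswith("--")), "")
    if base.lower() != "scratch":
        findings.append(f"final stage is based on {base!r}, not scratch")
    users = [arg for op, arg in final if op == "USER"]
    ids = re.fullmatch(r"(\d+):(\d+)", users[-1]) if users else None
    if not users:
        findings.append("no USER instruction: final image runs as root")
    elif not ids:
        findings.append(f"USER {users[-1]!r} is not a numeric UID:GID")
    elif min(int(ids[1]), int(ids[2])) < MIN_ID:
        findings.append(f"USER {users[-1]} has an ID below {MIN_ID}")
    for op, arg in final:
        # Shell-form ENTRYPOINT/CMD and RUN all need /bin/sh in the image.
        if op == "RUN" or (op in ("ENTRYPOINT", "CMD") and not arg.startswith("[")):
            findings.append(f"{op} in final stage requires a shell")
    return findings
```

Calling `audit_dockerfile(GOOD)` returns an empty list, while `audit_dockerfile(BAD)` reports the non-scratch base, the low UID:GID and the shell-form entrypoint.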