From a5cc95743766c2e0fdb9678af5f8dae3e9daff8e Mon Sep 17 00:00:00 2001
From: Vladyslav Krasnyy
Date: Fri, 1 Aug 2025 11:05:42 +0200
Subject: [PATCH 1/3] compiling go from source

---
 Dockerfile | 39 ++++++++++++++++++---------------------
 1 file changed, 18 insertions(+), 21 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 618a98f4..ca77479d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,27 +1,24 @@
+# Multi-stage build to compile registry from source with latest Go
+FROM golang:1.23-alpine AS builder
+
+RUN apk add --no-cache git ca-certificates
+
+# Clone and build the registry from source with latest Go (fixes vulnerability)
+RUN set -eux; \
+ git clone --depth 1 --branch v3.0.0 https://github.com/distribution/distribution.git /src; \
+ cd /src; \
+ CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o registry ./cmd/registry
+
+# Final stage - minimal runtime image
 FROM alpine:3.21
 
 RUN apk add --no-cache ca-certificates
 
-RUN set -eux; \
-# Check https://github.com/distribution/distribution/releases for latest version
-# Updated to use a newer version that should have Go vulnerability fixes
- version='3.0.1'; \
- apkArch="$(apk --print-arch)"; \
- case "$apkArch" in \
- x86_64) arch='amd64'; sha256='UPDATE_HASH_HERE' ;; \
- aarch64) arch='arm64'; sha256='UPDATE_HASH_HERE' ;; \
- armhf) arch='armv6'; sha256='UPDATE_HASH_HERE' ;; \
- armv7) arch='armv7'; sha256='UPDATE_HASH_HERE' ;; \
- ppc64le) arch='ppc64le'; sha256='UPDATE_HASH_HERE' ;; \
- s390x) arch='s390x'; sha256='UPDATE_HASH_HERE' ;; \
- riscv64) arch='riscv64'; sha256='UPDATE_HASH_HERE' ;; \
- *) echo >&2 "error: unsupported architecture: $apkArch"; exit 1 ;; \
- esac; \
- wget -O registry.tar.gz "https://github.com/distribution/distribution/releases/download/v${version}/registry_${version}_linux_${arch}.tar.gz"; \
- echo "$sha256 *registry.tar.gz" | sha256sum -c -; \
- tar --extract --verbose --file registry.tar.gz --directory /bin/ registry; \
- rm registry.tar.gz; \
- registry --version
+# Copy the compiled binary from builder stage
+COPY --from=builder /src/registry /bin/registry
+
+# Verify the binary works
+RUN registry --version
 
 
 COPY ./config-example.yml /etc/distribution/config.yml
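Review bot: The builder clones `--branch v3.0.0`, one release behind the `version='3.0.1'` that the removed download step referenced, so a change described as a vulnerability fix moves the registry source itself backwards; if the point is only the newer Go toolchain, the Dockerfile should still build the same upstream release. A tag name is also a mutable reference and `golang:1.23-alpine` a floating tag, so two builds of this file can yield different binaries with nothing to catch it, whereas the removed step at least compared a sha256 (its `UPDATE_HASH_HERE` placeholders would have made that check fail, which is presumably why it was replaced). Consider pinning the source to the tag's commit and the base image to a digest, e.g. `git clone --depth 1 --branch v3.0.1 https://github.com/distribution/distribution.git /src; \` followed by `[ "$(git -C /src rev-parse HEAD)" = "<expected-commit-sha>" ]; \` (placeholder to fill in) and `FROM golang:1.23-alpine@sha256:<digest>`. The same unpinned clone line is carried over into the hunk of patch 3/3.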
@@ -33,4 +30,4 @@ EXPOSE 5000
 
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
-CMD ["/etc/distribution/config.yml"]
+CMD ["/etc/distribution/config.yml"]
\ No newline at end of file

From f5bdfca2a9619f6990ca952c18146982506afc23 Mon Sep 17 00:00:00 2001
From: Vladyslav Krasnyy
Date: Fri, 1 Aug 2025 11:08:57 +0200
Subject: [PATCH 2/3] permission fix

---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ca77479d..a86476c7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,8 +14,9 @@ FROM alpine:3.21
 
 RUN apk add --no-cache ca-certificates
 
-# Copy the compiled binary from builder stage
+# Copy the compiled binary from builder stage and make it executable
 COPY --from=builder /src/registry /bin/registry
+RUN chmod +x /bin/registry
 
 # Verify the binary works
 RUN registry --version

From 9e1f1d54e414ce62e399f9c70e57ecc35a5e1705 Mon Sep 17 00:00:00 2001
From: Vladyslav Krasnyy
Date: Fri, 1 Aug 2025 11:14:27 +0200
Subject: [PATCH 3/3] simplified approach

---
 Dockerfile | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a86476c7..5b9fd540 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,22 +4,20 @@ FROM golang:1.23-alpine AS builder
 RUN apk add --no-cache git ca-certificates
 
 # Clone and build the registry from source with latest Go (fixes vulnerability)
-RUN set -eux; \
- git clone --depth 1 --branch v3.0.0 https://github.com/distribution/distribution.git /src; \
- cd /src; \
- CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o registry ./cmd/registry
+WORKDIR /src
+RUN git clone --depth 1 --branch v3.0.0 https://github.com/distribution/distribution.git .
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /registry ./cmd/registry
+
+# Test the binary works in builder
+RUN /registry --version
 
 # Final stage - minimal runtime image
 FROM alpine:3.21
 
 RUN apk add --no-cache ca-certificates
 
-# Copy the compiled binary from builder stage and make it executable
-COPY --from=builder /src/registry /bin/registry
-RUN chmod +x /bin/registry
-
-# Verify the binary works
-RUN registry --version
+# Copy the compiled binary from builder stage
+COPY --from=builder /registry /bin/registry
 
 
 COPY ./config-example.yml /etc/distribution/config.yml
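Review bot: The final stage still has no `USER` instruction, so the binary placed by `COPY --from=builder /registry /bin/registry` runs as root unless `/entrypoint.sh` (outside this hunk) drops privileges itself; with the image now assembled on a plain `alpine:3.21` base this is the natural place to add one. Nothing in the final stage needs root after `apk add`, and the port in the earlier hunk is `EXPOSE 5000`, so `RUN addgroup -S registry && adduser -S -G registry registry` and `USER registry` before `COPY ./config-example.yml …` would work, provided the storage directory the config points at (declared further down the file, not visible here) is owned by that user. The new `RUN git clone --depth 1 --branch v3.0.0 … .` line keeps the unpinned tag already raised on the hunk of patch 1/3.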