############################
# STEP 1: Build executable binary
############################
# NOTE(review): the toolchain image is referenced by tag only; appending an
# @sha256 digest would make this stage reproducible and tamper-evident.
FROM golang:1.25.10 AS builder
WORKDIR /app

# Build-time version tag, exported into the environment of the RUN steps
# below (presumably read by the Makefile for version stamping; confirm).
# ARG values are recorded in the image history, so this mechanism must never
# carry credentials.
ARG gitTag
ENV GIT_TAG=${gitTag}

# Resolve dependencies from the manifests alone, so this layer stays cached
# until go.mod, go.sum or the Makefile change.
COPY go.mod go.sum Makefile ./
RUN make dep

# Bring in the remaining sources, then generate code and compile.
# NOTE(review): "COPY . ." ships the whole build context into this stage;
# confirm a .dockerignore keeps .git, .env files and local keys out of it.
COPY . .
RUN make build
############################
# STEP 2: Grab CA certificates
############################
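# Throwaway stage: the final stage copies only /tmp/certs out of it.
# NOTE(review): debian:bookworm-slim is a floating tag and the package is
# unpinned, so the exported trust store is whatever the tag and the package
# index hold on the day of the build.
FROM debian:bookworm-slim AS certs
# --no-install-recommends limits the install to ca-certificates and its hard
# dependencies; the apt lists are dropped in the same layer that created them.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
# Stage the certificate directory for the final image.
# NOTE(review): many entries in /etc/ssl/certs are symlinks into
# /usr/share/ca-certificates, and "cp -r" copies them as links; they resolve
# in the target image only if it ships the same files. Verify the consumer
# relies on the bundle file rather than on the individual links.
RUN mkdir /tmp/certs && cp -r /etc/ssl/certs/* /tmp/certs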
############################
# STEP 3: Build pushpin from source (matching fanout/pushpin:1.41.0)
# Adapted from https://github.com/fanout/docker-pushpin
# Using ubuntu:24.04 LTS for better security patches and support until 2029
############################
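FROM ubuntu:24.04 AS pushpin-builder
ARG DEBIAN_FRONTEND=noninteractive

# Compiler toolchain and -dev headers needed to build pushpin. None of this
# reaches the final image; only /build/out is copied from this stage.
# "apt-get upgrade" pulls current security fixes, which means two builds of
# the same Dockerfile can produce different package sets.
RUN apt-get update \
    && apt-get -y upgrade \
    && apt-get install -y --no-install-recommends \
        bzip2 \
        cargo \
        g++ \
        libboost-dev \
        libssl-dev \
        libzmq3-dev \
        make \
        pkg-config \
        qt6-base-dev \
        rustc \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /build
ARG PUSHPIN_VERSION=1.41.0
# Expected SHA-256 of the release tarball for PUSHPIN_VERSION. It is empty by
# default so existing builds keep working; pass it with
#   --build-arg PUSHPIN_SHA256=<sha256 of the release tarball>
# or record the published digest as the default to make the check mandatory.
ARG PUSHPIN_SHA256=""

# Download the pushpin source. A bare "ADD <url>" trusts whatever the URL
# serves at build time, so the archive is verified below before it is
# unpacked and compiled.
ADD https://github.com/fastly/pushpin/releases/download/v${PUSHPIN_VERSION}/pushpin-${PUSHPIN_VERSION}.tar.bz2 .
RUN if [ -n "${PUSHPIN_SHA256}" ]; then \
        echo "${PUSHPIN_SHA256}  pushpin-${PUSHPIN_VERSION}.tar.bz2" | sha256sum -c -; \
    else \
        echo "WARNING: PUSHPIN_SHA256 is not set; the pushpin tarball is not integrity-checked" >&2; \
    fi \
    && tar xf pushpin-${PUSHPIN_VERSION}.tar.bz2 \
    && mv pushpin-${PUSHPIN_VERSION} pushpin

WORKDIR /build/pushpin
# Build, run the upstream test suite, then install into a staging root that
# the final stage copies onto /.
RUN make RELEASE=1 PREFIX=/usr CONFIGDIR=/etc
RUN make RELEASE=1 PREFIX=/usr CONFIGDIR=/etc check
RUN make RELEASE=1 PREFIX=/usr CONFIGDIR=/etc INSTALL_ROOT=/build/out install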
############################
# STEP 4: Create final image with pushpin and ff-proxy
############################
# NOTE(review): ubuntu:24.04 is a floating tag; pin it by digest if the
# runtime image has to be reproducible.
FROM ubuntu:24.04
ARG DEBIAN_FRONTEND=noninteractive

# Runtime shared libraries only; compilers and -dev packages stay in the
# builder stages. The upgrade pulls current security fixes at build time, and
# cleanup happens in the same layer so the apt caches never reach the image.
RUN apt-get update \
    && apt-get -y upgrade \
    && apt-get install -y --no-install-recommends \
        libqt6core6 libqt6network6 libzmq5 \
        libsodium23 libtasn1-6 \
        ca-certificates \
    && apt-get -y autoremove \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Pushpin install tree produced by the pushpin-builder stage.
COPY --from=pushpin-builder /build/out/ /

# Entrypoint wrapper, taken from the build context.
COPY docker-entrypoint.sh /usr/local/bin/

# ff-proxy binary, its pushpin configuration and the start script.
COPY --from=builder /app/ff-proxy /app/ff-proxy
COPY --from=builder /app/config/pushpin /etc/pushpin
COPY --from=builder /app/start.sh /start.sh

# CA certificates from the certs stage.
# NOTE(review): this lays Debian's certificate directory over the one the
# ca-certificates package installed above, so the effective trust store is a
# mix of both; confirm that is intended.
COPY --from=certs /tmp/certs /etc/ssl/certs

# Create the runtime directories and hand them to the existing nobody user
# (UID/GID 65534). ff-proxy ends up readable and executable by that user only.
# NOTE(review): /etc/pushpin becomes writable by the runtime user, presumably
# because the entrypoint edits the configuration at start; if it does not,
# leave the configuration root-owned.
RUN chmod +x /usr/local/bin/docker-entrypoint.sh \
    && mkdir -p /var/run/pushpin /log /pushpin/run /pushpin/log \
    && chmod 0500 /app/ff-proxy \
    && chown -R 65534:65534 /etc/pushpin /var/run/pushpin /log /pushpin \
    && chown 65534:65534 /app/ff-proxy

# Drop root for everything that runs in the container. The numeric form lets
# an orchestrator verify that the user is not root.
USER 65534:65534
ENV LANG=C.UTF-8

# EXPOSE only documents the ports; nothing is published by it. 7999 is
# Pushpin's client-facing HTTP port and 5560-5563 are its publish/command
# endpoints, which are intended for the backend and should not be published
# to untrusted networks. 7000 is presumably ff-proxy's own listener; confirm.
EXPOSE 7999 5560 5561 5562 5563 7000

# Exec form, so the wrapper runs as PID 1 and receives stop signals directly.
# NOTE(review): "./start.sh" is resolved against the working directory. This
# stage sets no WORKDIR, so it finds /start.sh only while the container runs
# with / as its working directory.
ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["./start.sh"]