Update Dockerfile #351
Update Dockerfile #351
Conversation
📝 WalkthroughWalkthroughThis pull request updates the Dockerfile for a Go project. The changes set the Changes
Sequence Diagram(s)sequenceDiagram
participant B as Builder
participant D as Dockerfile
participant G as Go Compiler
B->>D: Start build with TARGETARCH
D->>D: Set GOARCH based on TARGETARCH
D->>D: Reformat mimalloc install & adjust lib handling with hash checks
D->>G: Build Go project with CGO_ENABLED=1 and -static-libgcc
G-->>D: Return build results
D->>D: Create user/group and configure port exposure
D->>B: Run application with updated command
Possibly related PRs
Suggested reviewers
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
Dockerfile (2)
18-21: Mimalloc Installation Process
The mimalloc installation command chains several operations (cloning, building, and installing) in oneRUNinstruction. While this is concise, consider pinning the repository to a specific commit or tag for deterministic builds.
61-63: Defined Start Command for the Application
The CMD instruction to run the application (displaying the version) is clear. As a future enhancement, consider an entrypoint script if additional runtime configuration becomes necessary.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
Dockerfile(2 hunks)
🔇 Additional comments (6)
Dockerfile (6)
6-6: Architecture Build Argument Mapping
Mapping theTARGETARCHargument toGOARCHis correctly implemented to support multi-architecture builds. This ensures that subsequent build steps use the appropriate architecture.
8-9: Pinned MoveVM Version
The MoveVM version is explicitly set tov0.6.1, which ensures reproducibility. Verify whether future updates might require an update here.
39-44: Enhanced Build Command with Additional Linker Flags
The updated build command now enables CGO, applies appropriate build tags, and includes additional linker flags (like-static-libgcc) to improve performance and binary consistency. Ensure that the quoted-extldflagsvalue is correctly processed by the build system.
48-50: Security Enhancement via Non-Root User Creation
Switching to a non-root user (initia) by creating a dedicated group and user enhances security and aligns with container best practices.
53-55: Cross-Stage Binary Transfer
Copying the built binary from the Go builder stage to the final image is correctly performed using multi-stage builds, which helps reduce the final image size.
58-60: Consolidated Port Exposure
Exposing all necessary ports in a singleEXPOSEcommand improves clarity and conciseness.
| # Determine architecture-specific libraries | ||
| RUN set -eux; \ | ||
| case "${TARGETARCH}" in \ | ||
| "amd64") export GOARCH="amd64"; ARCH="x86_64";; \ | ||
| "arm64") export GOARCH="arm64"; ARCH="aarch64";; \ | ||
| "amd64") ARCH="x86_64";; \ | ||
| "arm64") ARCH="aarch64";; \ | ||
| *) echo "Unsupported architecture: ${TARGETARCH}"; exit 1;; \ | ||
| esac; \ | ||
| echo "Using GOARCH=${GOARCH} and ARCH=${ARCH}"; \ | ||
| wget -O /lib/libmovevm_muslc.${ARCH}.a https://github.com/initia-labs/movevm/releases/download/${LIBMOVEVM_VERSION}/libmovevm_muslc.${ARCH}.a; \ | ||
| wget -O /lib/libcompiler_muslc.${ARCH}.a https://github.com/initia-labs/movevm/releases/download/${LIBMOVEVM_VERSION}/libcompiler_muslc.${ARCH}.a; \ | ||
| cp /lib/libmovevm_muslc.${ARCH}.a /lib/libmovevm_muslc.a; \ | ||
| cp /lib/libcompiler_muslc.${ARCH}.a /lib/libcompiler_muslc.a | ||
|
|
||
| # Verify the library hashes (optional, uncomment if needed) | ||
| # RUN sha256sum /lib/libmovevm_muslc.${ARCH}.a | grep ... | ||
| # RUN sha256sum /lib/libcompiler_muslc.${ARCH}.a | grep ... | ||
| cp /lib/libcompiler_muslc.${ARCH}.a /lib/libcompiler_muslc.a; \ | ||
| sha256sum /lib/libmovevm_muslc.${ARCH}.a | grep EXPECTED_HASH; \ | ||
| sha256sum /lib/libcompiler_muslc.${ARCH}.a | grep EXPECTED_HASH | ||
|
|
There was a problem hiding this comment.
🛠️ Refactor suggestion
Architecture-Specific Library Download & Verification
The script properly sets the ARCH variable based on TARGETARCH and downloads the corresponding libraries. It also performs hash verification via sha256sum ... | grep EXPECTED_HASH. Note that "EXPECTED_HASH" is currently a placeholder—ensure that it is replaced with a defined value (or set as an environment variable) for effective integrity checks.
This PR improves the Dockerfile for Initia, ensuring better compatibility, security, and efficiency. Key changes:
Fixed architecture handling (
GOARCH) for multi-arch builds.Added library verification for downloaded dependencies.
Optimized build process with better linker flags.
Enhanced security by running as a non-root user.
Reduced image size by removing unnecessary packages.