Phase 8 plan: add Dockerfile step (Step 8.6)

- PROJECT_PLAN.md: insert Step 8.6 (Dockerfile) before the
  documentation step (renumbered to 8.7); acceptance criteria cover
  multi-stage build, non-root runtime user, EXPOSE ports, VOLUME /data,
  dist/mcias.conf.docker.example, Makefile docker target, and image
  size target (<50 MB)
- ARCHITECTURE.md §18: add Dockerfile to artifact inventory table;
  add Dockerfile Design section covering build stages, security
  properties (no shell, non-root uid 10001, TLS inside container),
  operator workflow, and the new Makefile docker target
2026-03-11 14:47:07 -07:00
parent 7c79d00514
commit 8f706f10ec
2 changed files with 84 additions and 6 deletions


@@ -458,12 +458,36 @@ See ARCHITECTURE.md §18 for full design rationale and artifact inventory.
- `make build` works from a clean checkout after `go mod download`
- Tests: `make build` produces binaries; `make test` passes; `make lint` passes
### Step 8.6: Documentation
### Step 8.6: Dockerfile
**Acceptance criteria:**
- `README.md` updated with: quick-start section referencing the install script,
links to man pages, configuration walkthrough
- ARCHITECTURE.md §18 written (operational artifact inventory, file locations,
systemd integration notes)
- `Dockerfile` at repository root using a multi-stage build:
- Build stage: `golang:1.26-bookworm` — compiles all four binaries with
`CGO_ENABLED=1` (required for SQLite via `modernc.org/sqlite`) and
`-trimpath -ldflags="-s -w"` to strip debug info
- Runtime stage: `debian:bookworm-slim` — installs only `ca-certificates`
and `libc6`; copies binaries from the build stage
- Final image runs as a non-root user (`uid=10001`, `gid=10001`; named `mcias`)
- `EXPOSE 8443` (REST) and `EXPOSE 9443` (gRPC); both are overridable via env
- `VOLUME /data` — operator mounts the SQLite database here
- `ENTRYPOINT ["mciassrv"]` with `CMD ["-config", "/etc/mcias/mcias.conf"]`
- Image must not contain the Go toolchain, source code, or build cache
- `dist/mcias.conf.docker.example` — config template suitable for container
deployment: `listen_addr = "0.0.0.0:8443"`, `grpc_addr = "0.0.0.0:9443"`,
`db_path = "/data/mcias.db"`, TLS cert/key paths under `/etc/mcias/`
- `Makefile` gains a `docker` target: `docker build -t mcias:$(VERSION) .`
where `VERSION` defaults to the output of `git describe --tags --always`
- Tests:
- `docker build .` completes without error (run in CI if Docker available;
skip gracefully if not)
- `docker run --rm mcias:latest mciassrv --help` exits 0
- Image size documented in PROGRESS.md (target: under 50 MB)
### Step 8.7: Documentation
**Acceptance criteria:**
- `README.md` updated with: quick-start section referencing both the install
script and the Docker image, links to man pages, configuration walkthrough
- ARCHITECTURE.md §18 updated to include the Dockerfile in the artifact
inventory and document the container deployment model
- `PROGRESS.md` updated to reflect Phase 8 complete
---
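Review bot: the build-stage criterion "`CGO_ENABLED=1` (required for SQLite via `modernc.org/sqlite`)" has the dependency backwards: `modernc.org/sqlite` is the cgo-free, pure-Go port of SQLite, so it builds fine with `CGO_ENABLED=0`; it is `mattn/go-sqlite3` that needs cgo. Setting `CGO_ENABLED=0` gives a statically linked binary, which removes the reason for installing `libc6` in the runtime stage and lets the runtime stage be a static/distroless or scratch base instead of `debian:bookworm-slim`. That also matters for the "no shell" property claimed in the commit message for ARCHITECTURE.md §18: `debian:bookworm-slim` ships `/bin/sh`, so as written the Dockerfile criteria and the architecture text contradict each other, and the <50 MB target is easier to meet without the Debian base. Two smaller points in the same hunk: with `ENTRYPOINT ["mciassrv"]`, the test `docker run --rm mcias:latest mciassrv --help` passes `mciassrv --help` as arguments to `mciassrv` rather than invoking `--help`; it should be `docker run --rm mcias:latest --help`, and since the Makefile target only tags `mcias:$(VERSION)`, the `mcias:latest` tag will not exist unless the target also applies it. Finally, `VOLUME /data` combined with the non-root `uid=10001` needs an acceptance criterion that the image creates `/data` owned by that uid (and that the TLS key under `/etc/mcias/` is readable by it); otherwise a freshly mounted volume is root-owned and the server cannot create `/data/mcias.db`.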