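# syntax=docker/dockerfile:1
# Dockerfile — MCIAS multi-stage container image
#
# Stage 1 (builder): Compiles all four MCIAS binaries.
# Stage 2 (runtime): Minimal Alpine image containing only the binaries.
#
# modernc.org/sqlite is a pure-Go, CGo-free SQLite port. CGO_ENABLED=0
# produces fully static binaries with no C library dependencies, which
# deploy cleanly onto a minimal Alpine runtime image.
#
# The final image:
#   - Runs as non-root uid 10001 (mcias)
#   - Exposes port 8443 (REST/TLS) and 9443 (gRPC/TLS)
#   - Declares VOLUME /srv/mcias for config, TLS, and database
#   - Does NOT contain the Go toolchain, source code, or build cache
#
# Build:
#   docker build -t mcias:$(git describe --tags --always) .
#
# Run (use the same tag as the build; the build command above does not
# produce a :latest tag):
#   docker run -d \
#     --name mcias \
#     -v /srv/mcias:/srv/mcias \
#     -e MCIAS_MASTER_PASSPHRASE \
#     -p 8443:8443 \
#     -p 9443:9443 \
#     mcias:$(git describe --tags --always)
#
# `-e MCIAS_MASTER_PASSPHRASE` with no value copies the variable from the
# invoking shell's environment, so the passphrase does not end up in the
# command line, shell history or the docker CLI's process listing. Export
# it beforehand, or pass `--env-file` pointing at a file readable only by
# the operator.

# ---------------------------------------------------------------------------
# Stage 1 — builder
# ---------------------------------------------------------------------------
FROM golang:1.26-alpine AS builder

WORKDIR /build

# CGO_ENABLED=0: modernc.org/sqlite is pure Go; no C toolchain required.
# Set once for the whole stage so every `go` invocation below agrees.
# ENV in a build stage does not carry over into the runtime stage.
ENV CGO_ENABLED=0

# Download dependencies first for layer caching: this layer is reused
# until go.mod or go.sum changes, even when application source changes.
COPY go.mod go.sum ./
RUN go mod download

# Copy source. A .dockerignore next to this file should exclude .git,
# local build output and any credential files so they never enter the
# build context.
COPY . .

# -trimpath removes local file system paths from the binary.
# -ldflags="-s -w" strips the DWARF debug info and symbol table to reduce
# image size.
# With -o naming a directory, `go build` writes one executable per main
# package into it, named after the package directory, so this single
# invocation yields /out/mciassrv, /out/mciasctl, /out/mciasdb and
# /out/mciasgrpcctl.
RUN go build -trimpath -ldflags="-s -w" -o /out/ \
      ./cmd/mciassrv \
      ./cmd/mciasctl \
      ./cmd/mciasdb \
      ./cmd/mciasgrpcctl

# ---------------------------------------------------------------------------
# Stage 2 — runtime
# ---------------------------------------------------------------------------
FROM alpine:3.21

# ca-certificates: required to validate external TLS certificates.
RUN apk add --no-cache ca-certificates

# Create a non-root user for the service.
# uid/gid 10001 is chosen to be well above the range typically assigned to
# system users (1–999) and human users (1000+), reducing the chance of
# collision with existing uids on the host when using host networking.
# -H: no home directory, -s /sbin/nologin: no interactive shell,
# -D: no password — the account exists only to drop privileges.
RUN addgroup -g 10001 mcias && \
    adduser -u 10001 -G mcias -H -s /sbin/nologin -D mcias

# Copy compiled binaries from the builder stage. They are deliberately
# left owned by root (COPY's default) so the mcias service account can
# execute but not modify them.
COPY --from=builder /out/mciassrv     /usr/local/bin/mciassrv
COPY --from=builder /out/mciasctl     /usr/local/bin/mciasctl
COPY --from=builder /out/mciasdb      /usr/local/bin/mciasdb
COPY --from=builder /out/mciasgrpcctl /usr/local/bin/mciasgrpcctl

# Create the data directory.
# /srv/mcias is mounted from the host with config, TLS certs, and database.
# 0750: readable/traversable only by the mcias user and group.
RUN mkdir -p /srv/mcias/certs /srv/mcias/backups && \
    chown -R mcias:mcias /srv/mcias && \
    chmod 0750 /srv/mcias

# Declare /srv/mcias as a volume so the operator must explicitly mount it.
# Contains the config file, TLS cert/key, and SQLite database.
# Declared only after the directory is created and chowned above, since
# changes to a VOLUME path made later in the build are discarded.
VOLUME /srv/mcias

# REST/TLS port and gRPC/TLS port. These are documentation only; the actual
# ports are set in the config file. Override by mounting a different config.
# Both are above 1024, so the non-root mcias user can bind them without
# extra capabilities.
EXPOSE 8443
EXPOSE 9443

# Run as the non-root mcias user. Must come after every RUN that needs root.
USER mcias

# NOTE(review): no HEALTHCHECK is declared. The runtime image ships no
# curl/wget and the server's health endpoint is not known from this file;
# add a probe here once one is available.

# Default entry point and config path.
# The operator mounts /srv/mcias from the host containing mcias.toml,
# TLS cert/key, and the SQLite database.
# See deploy/examples/mcias.conf.docker.example for a suitable template.
# Exec form: mciassrv runs as PID 1 and receives SIGTERM from `docker stop`.
ENTRYPOINT ["mciassrv"]
CMD ["-config", "/srv/mcias/mcias.toml"]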