Run Flood in distroless/scratch container image

[jesec]

Fully static builds of Node runtime allow some aggressive security enhancements.

Technically you may run Flood without a Linux distribution. flood and nothing else.

No shell. No package manager. No libc. No core utilities (cp, mv, etc.).

Intruders, even if they breached other security measures, would find it extremely difficult to perform even the smallest malicious task in such environment.

FROM jesec/busybox-applets as busybox

FROM alpine as build

WORKDIR /root

# Install Flood and dependencies to /bin
RUN mkdir -p /root/sysroot/bin
RUN if [[ `uname -m` == "aarch64" ]]; \
    then wget https://nightly.link/jesec/flood/workflows/publish-rolling/master/flood-linux-arm64.zip && unzip flood-linux-arm64.zip && mv flood-linux-arm64 flood; \
    elif [[ `uname -m` == "x86_64" ]]; \
    then wget https://nightly.link/jesec/flood/workflows/publish-rolling/master/flood-linux-x64.zip && unzip flood-linux-x64.zip && mv flood-linux-x64 flood; \
    fi
RUN mv flood /root/sysroot/bin/flood
COPY --from=busybox /bin/busybox_DF /root/sysroot/bin/df
RUN chmod 0555 /root/sysroot/bin/*

# Create 1001:1001 user
RUN mkdir -p /root/sysroot/home/download
RUN chown 1001:1001 /root/sysroot/home/download

FROM scratch

COPY --from=build /root/sysroot /

# Run as 1001:1001 user
ENV HOME=/home/download
USER 1001:1001

# Expose port 3000
EXPOSE 3000

# Flood
ENTRYPOINT ["flood", "--host=0.0.0.0"]