Issue-393 Use Distroless images for Go apps (#396)

* Use Distroless Debian11 for Hodometer image

* Use Distroless Debian11 for Hodometer stub receiver image

* Use Distroless static for Hodometer images

* Use nonroot Distroless images for Hodometer

* Use nonroot Distroless images for SCv2 core Go components

* Use Debian-based Distroless image for core Go components

These components are buit with Kafka, which uses librdkafka under the hood.
In turn, this is highly likely to be dynamically linked to a C/C++ runtime,
meaning we need an image which contains this C/C++ dependency.

* Disable CGo for scheduler container build

This successfully allows the scheduler container to start in Compose.

* Change scheduler base image back to static Distroless

* Disable CGo for agent images & use static Distroless image as base

* Disable CGo for scheduler, agent, and proxy scheduler binaries in Makefile

* Add Dockerfile comments re use of specific base images for built binaries

* Use entrypoint instead of cmd in Dockerfiles

hodometer/Dockerfile.hodometer

@@ -16,7 +16,7 @@ RUN make build-hodometer
 
 ################################################################################
 
-FROM golang:1.18-alpine
+FROM gcr.io/distroless/static:nonroot
 COPY --from=builder /build/bin/hodometer /bin/hodometer
 
 ARG UID=1000

hodometer/Dockerfile.receiver

@@ -9,7 +9,7 @@ RUN make build-receiver
 
 ################################################################################
 
-FROM golang:1.18-alpine
+FROM gcr.io/distroless/static:nonroot
 COPY --from=builder /build/bin/receiver /bin/receiver
 
 ARG UID=1000

scheduler/Dockerfile.agent

@@ -6,9 +6,9 @@ WORKDIR /build
 RUN rm -r apis && mv apis-TEMP apis
 
 # Build the binary
-RUN go build -o agent ./cmd/agent/main.go
+RUN CGO_ENABLED=0 go build -o agent ./cmd/agent/main.go
 
-# Copy into scratch
-FROM golang:alpine
+# Copy binary
+FROM gcr.io/distroless/static:nonroot
 COPY --from=builder /build/agent /bin/agent
-CMD ["/bin/agent"]
+ENTRYPOINT ["/bin/agent"]

scheduler/Dockerfile.modelgateway

@@ -8,7 +8,7 @@ RUN rm -r apis && mv apis-TEMP apis
 # Build the binary
 RUN go build -o modelgateway ./cmd/modelgateway/main.go
 
-# Copy into scratch
-FROM gcr.io/distroless/base-debian10:latest
+# Kafka dependencies necessitate leaving CGo enabled and using a base image with C dependencies
+FROM gcr.io/distroless/base-debian11:nonroot
 COPY --from=builder /build/modelgateway /bin/modelgateway
-CMD ["/bin/modelgateway"]
+ENTRYPOINT ["/bin/modelgateway"]

scheduler/Dockerfile.pipelinegateway

@@ -8,7 +8,7 @@ RUN rm -r apis && mv apis-TEMP apis
 # Build the binary
 RUN go build -o pipelinegateway ./cmd/pipelinegateway/main.go
 
-# Copy into scratch
-FROM gcr.io/distroless/base-debian10:latest
+# Kafka dependencies necessitate leaving CGo enabled and using a base image with C dependencies
+FROM gcr.io/distroless/base-debian11:nonroot
 COPY --from=builder /build/pipelinegateway /bin/pipelinegateway
-CMD ["/bin/pipelinegateway"]
+ENTRYPOINT ["/bin/pipelinegateway"]

scheduler/Dockerfile.scheduler

@@ -6,9 +6,9 @@ WORKDIR /build
 RUN rm -r apis && mv apis-TEMP apis
 
 # Build the binary
-RUN go build -o scheduler ./cmd/scheduler/main.go
+RUN CGO_ENABLED=0 go build -o scheduler ./cmd/scheduler/main.go
 
-# Copy into scratch
-FROM golang:alpine
+# Copy binary
+FROM gcr.io/distroless/static:nonroot
 COPY --from=builder /build/scheduler /bin/scheduler
-CMD ["/bin/scheduler"]
+ENTRYPOINT ["/bin/scheduler"]

scheduler/Makefile

@@ -26,15 +26,15 @@ GO_LDFLAGS := -s -w $(patsubst %,-X %, $(GO_BUILD_VARS))
 
 .PHONY: build-scheduler
 build-scheduler: test-go
-	go build -o bin/scheduler ./cmd/scheduler
+	CGO_ENABLED=0 go build -o bin/scheduler ./cmd/scheduler
 
 .PHONY: build-proxy
 build-proxy: test-go
-	go build -o bin/proxy ./cmd/proxy
+	CGO_ENABLED=0 go build -o bin/proxy ./cmd/proxy
 
 .PHONY: build-agent
 build-agent: test-go
-	go build -o bin/agent ./cmd/agent
+	CGO_ENABLED=0 go build -o bin/agent ./cmd/agent
 
 .PHONY: build-modelgateway
 build-modelgateway: test-go