veritas501/ip_derper

Dockerfile optimization

zhj9709 opened this issue · 2 comments

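You can use this as a reference:

  • Change the base image of the first build stage to golang:1.21-alpine; there is no need to use ubuntu as the base image and then download the Go environment
  • Change the base image of the second build stage to alpine; it can likewise install the openssl command and run the script, and the resulting image is only twenty to thirty MB
  • Merge some of the commands into a single step to reduce the number of image layers

FROM golang:1.21-alpine AS builder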
WORKDIR /app

# ========= CONFIG =========
# - download links
ENV MODIFIED_DERPER_GIT=https://github.com/veritas501/tailscale.git
# ==========================

# install necessary packages && compile derper
RUN apk update && apk add --no-cache git \
    && git clone $MODIFIED_DERPER_GIT tailscale --depth 1 \
    && cd /app/tailscale/cmd/derper \
    && go build -ldflags "-s -w" -o /app/derper \
    && rm -rf /app/tailscale

# ========= derper image =========
FROM alpine:latest
WORKDIR /app

# - derper args
ENV DERP_HOST=127.0.0.1 \
    DERP_CERTS=/app/certs \
    DERP_STUN=true \
    DERP_VERIFY_CLIENTS=false

COPY build_cert.sh /app
COPY --from=builder /app/derper /app/derper

# install necessary packages && build self-signed certs
RUN apk update \
    && apk add --no-cache openssl \
    && chmod +x /app/derper \
    && chmod +x /app/build_cert.sh \
    && /app/build_cert.sh $DERP_HOST $DERP_CERTS /app/san.conf

# start derper
CMD /app/derper --hostname=$DERP_HOST \
    --certmode=manual \
    --certdir=$DERP_CERTS \
    --stun=$DERP_STUN  \
    --verify-clients=$DERP_VERIFY_CLIENTS

You also need to change #!/bin/bash in build_cert.sh to #!/bin/sh, because alpine does not have bash

#!/bin/sh

CERT_HOST=$1
CERT_DIR=$2
CONF_FILE=$3

echo "[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = XX
stateOrProvinceName = N/A
localityName = N/A
organizationName = Self-signed certificate
commonName = $CERT_HOST: Self-signed certificate

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = $CERT_HOST
" > "$CONF_FILE"

mkdir -p "$CERT_DIR"
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout "$CERT_DIR/$CERT_HOST.key" -out "$CERT_DIR/$CERT_HOST.crt" -config "$CONF_FILE"
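
The Dockerfile above calls build_cert.sh in a RUN step, so the key pair is created at image build time for the default DERP_HOST and stored in an image layer. As an added example (not part of the original issue or the project's code), a POSIX sh entrypoint can create the pair at container start instead, only when it is missing and only for a validated address. The function names, the BUILD_CERT variable, the "run" argument and the IPv4-only restriction are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (POSIX sh, runs on alpine without bash). Function names and
# the BUILD_CERT variable are hypothetical; paths and flags are the page's.

# Succeeds only for a dotted-quad IPv4 literal, so nothing else reaches the
# "IP.1 = $CERT_HOST" line that build_cert.sh writes into the openssl config.
is_ipv4() {
    case "$1" in
        "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1                       # split on dots: digits only by now
        [ "$#" -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# True when the key or the certificate for host $2 is absent from directory $1.
cert_missing() {
    [ ! -s "$1/$2.key" ] || [ ! -s "$1/$2.crt" ]
}

# Generate the pair once, at container start, with owner-only permissions.
ensure_cert() {
    host=$1 dir=$2 conf=$3
    if ! is_ipv4 "$host"; then
        echo "DERP_HOST must be an IPv4 address" >&2
        return 2
    fi
    cert_missing "$dir" "$host" || return 0   # keep an existing pair
    (
        umask 077                             # key and cert dir: owner only
        sh "${BUILD_CERT:-/app/build_cert.sh}" "$host" "$dir" "$conf"
    )
}

# Entrypoint mode: "entrypoint.sh run" (the argument is an assumption).
if [ "${1:-}" = "run" ]; then
    ensure_cert "$DERP_HOST" "$DERP_CERTS" /app/san.conf || exit 1
    exec /app/derper --hostname="$DERP_HOST" --certmode=manual \
        --certdir="$DERP_CERTS" --stun="$DERP_STUN" \
        --verify-clients="$DERP_VERIFY_CLIENTS"
fi
```

Used this way, the script replaces both the build_cert.sh RUN step and the CMD, and DERP_CERTS is best placed on a volume so the same key survives container restarts.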

OK, I'll change it. If it's convenient for you, you can submit a PR directly.

code merged :)