From b1301c945055f39e40128172d2c1b310fa823085 Mon Sep 17 00:00:00 2001
From: Assistant
Date: Tue, 10 Mar 2026 10:10:03 -0400
Subject: [PATCH] chore: update Docker configuration with latest versions and best practices

- Upgrade Alpine from 3.22.0 to 3.23.3 (security fixes)
- Add multi-platform build support (ARM64, ARM, x86)
- Add Go module caching for faster builds
- Add non-root user for security
- Add health check configuration
- Add resource limits in docker-compose
- Add logging configuration with rotation
- Add ca-certificates for HTTPS support
- Add volume mount as read-only for config
---
 Dockerfile | 35 ++++++++++++++++++++++++-----------
 docker-compose.yml | 24 +++++++++++++++++++++---
 2 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index cde6205a81..f08b08ba34 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,35 +1,48 @@ -FROM golang:1.26-alpine AS builder +FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS builder WORKDIR /app +RUN apk add --no-cache git make + COPY go.mod go.sum ./ -RUN go mod download +RUN --mount=type=cache,target=/go/pkg/mod \ + go mod download COPY . . ARG VERSION=dev ARG COMMIT=none ARG BUILD_DATE=unknown +TARGETOS=${TARGETOS:-linux} +TARGETARCH=${TARGETARCH:-amd64} -RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X 'main.Version=${VERSION}-plus' -X 'main.Commit=${COMMIT}' -X 'main.BuildDate=${BUILD_DATE}'" -o ./CLIProxyAPIPlus ./cmd/server/ +RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build \ + -ldflags="-s -w -X 'main.Version=${VERSION}-plus' -X 'main.Commit=${COMMIT}' -X 'main.BuildDate=${BUILD_DATE}'" \ + -o ./CLIProxyAPIPlus ./cmd/server/ -FROM alpine:3.22.0 +FROM alpine:3.23.3 -RUN apk add --no-cache tzdata +RUN addgroup -g 1000 appgroup && \ + adduser -u 1000 -G appgroup -s /bin/sh -D appuser -RUN mkdir /CLIProxyAPI +RUN apk add --no-cache tzdata ca-certificates -COPY --from=builder ./app/CLIProxyAPIPlus /CLIProxyAPI/CLIProxyAPIPlus +RUN mkdir -p /CLIProxyAPI && chown -R appuser:appgroup /CLIProxyAPI -COPY config.example.yaml /CLIProxyAPI/config.example.yaml +COPY --from=builder --chown=appuser:appgroup /app/CLIProxyAPIPlus /CLIProxyAPI/CLIProxyAPIPlus +COPY --chown=appuser:appgroup config.example.yaml /CLIProxyAPI/config.example.yaml WORKDIR /CLIProxyAPI -EXPOSE 8317 +USER appuser -ENV TZ=Asia/Shanghai +EXPOSE 8317 8085 1455 54545 51121 11451 +ENV TZ=Asia/Shanghai RUN cp /usr/share/zoneinfo/${TZ} /etc/localtime && echo "${TZ}" > /etc/timezone -CMD ["./CLIProxyAPIPlus"] \ No newline at end of file +HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ + CMD wget --no-verbose --tries=1 --spider http://localhost:8317/health || exit 1 + +CMD ["./CLIProxyAPIPlus"] diff --git a/docker-compose.yml b/docker-compose.yml index cd8c21b97c..b0e4cb3541 100644 --- a/docker-compose.yml 
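Review bot: `USER appuser` is added above the unchanged `RUN cp /usr/share/zoneinfo/${TZ} /etc/localtime && echo "${TZ}" > /etc/timezone`, so that step now runs as uid 1000, which cannot write under `/etc`, and the build should stop there. Moving `USER appuser` below that `RUN`, directly before `HEALTHCHECK`, keeps the root-only setup working while the runtime process still drops privileges. The two added lines `TARGETOS=${TARGETOS:-linux}` and `TARGETARCH=${TARGETARCH:-amd64}` carry no instruction keyword, so as shown they are not valid Dockerfile instructions. Declaring `ARG TARGETOS` and `ARG TARGETARCH` in the builder stage lets BuildKit supply the values that `GOOS=$TARGETOS GOARCH=$TARGETARCH` reads. The cache mount is attached only to `go mod download`, so the later `go build` step will not see those modules unless it carries the same `--mount=type=cache,target=/go/pkg/mod`.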
+++ b/docker-compose.yml @@ -10,10 +10,9 @@ services: COMMIT: ${COMMIT:-none} BUILD_DATE: ${BUILD_DATE:-unknown} container_name: cli-proxy-api-plus - # env_file: - # - .env environment: DEPLOY: ${DEPLOY:-} + TZ: ${TZ:-Asia/Shanghai} ports: - "8317:8317" - "8085:8085" @@ -22,7 +21,26 @@ services: - "51121:51121" - "11451:11451" volumes: - - ${CLI_PROXY_CONFIG_PATH:-./config.yaml}:/CLIProxyAPI/config.yaml + - ${CLI_PROXY_CONFIG_PATH:-./config.yaml}:/CLIProxyAPI/config.yaml:ro - ${CLI_PROXY_AUTH_PATH:-./auths}:/root/.cli-proxy-api - ${CLI_PROXY_LOG_PATH:-./logs}:/CLIProxyAPI/logs + healthcheck: + test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8317/health"] + interval: 30s + timeout: 10s + retries: 3 + start_period: 10s + deploy: + resources: + limits: + cpus: '${CLI_PROXY_CPU_LIMIT:-1}' + memory: ${CLI_PROXY_MEMORY_LIMIT:-512M} + reservations: + cpus: '${CLI_PROXY_CPU_RESERVE:-0.1}' + memory: ${CLI_PROXY_MEMORY_RESERVE:-128M} restart: unless-stopped + logging: + driver: json-file + options: + max-size: "10m" + max-file: "3"
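Review bot: The auth mount kept as context in the second hunk, `${CLI_PROXY_AUTH_PATH:-./auths}:/root/.cli-proxy-api`, still targets root's home although the image in this commit now runs as `appuser`. On Alpine a non-root user normally cannot traverse `/root`, and if the server resolves this directory from the user's home it will look elsewhere, so stored credentials would likely not be read or persisted. If so, the target should follow the new user, e.g. `- ${CLI_PROXY_AUTH_PATH:-./auths}:/home/appuser/.cli-proxy-api`, and the host `auths` and `logs` directories need to be writable by uid 1000. The new `:ro` on `config.yaml` is a sound default only if nothing in the server writes the file back; that is worth confirming, as is that `/health` on port 8317 really exists, otherwise the container will be reported unhealthy. The service definition begins outside this hunk.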