35 changes: 24 additions & 11 deletions Dockerfile
@@ -1,35 +1,48 @@
FROM golang:1.26-alpine AS builder
FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS builder

WORKDIR /app

RUN apk add --no-cache git make

COPY go.mod go.sum ./

RUN go mod download
RUN --mount=type=cache,target=/go/pkg/mod \
go mod download

COPY . .

ARG VERSION=dev
ARG COMMIT=none
ARG BUILD_DATE=unknown
TARGETOS=${TARGETOS:-linux}
TARGETARCH=${TARGETARCH:-amd64}
Comment on lines +17 to +18


critical

These lines use shell syntax (VAR=${VAR:-default}) which is not a valid Dockerfile instruction for defining build arguments. To define build-time arguments with default values, you should use the ARG instruction. For multi-platform builds with buildx, TARGETOS and TARGETARCH are automatically populated, and using ARG will correctly receive them.

ARG TARGETOS=linux
ARG TARGETARCH=amd64


RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X 'main.Version=${VERSION}-plus' -X 'main.Commit=${COMMIT}' -X 'main.BuildDate=${BUILD_DATE}'" -o ./CLIProxyAPIPlus ./cmd/server/
RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build \
-ldflags="-s -w -X 'main.Version=${VERSION}-plus' -X 'main.Commit=${COMMIT}' -X 'main.BuildDate=${BUILD_DATE}'" \
-o ./CLIProxyAPIPlus ./cmd/server/

FROM alpine:3.22.0
FROM alpine:3.23.3

RUN apk add --no-cache tzdata
RUN addgroup -g 1000 appgroup && \
adduser -u 1000 -G appgroup -s /bin/sh -D appuser

RUN mkdir /CLIProxyAPI
RUN apk add --no-cache tzdata ca-certificates

COPY --from=builder ./app/CLIProxyAPIPlus /CLIProxyAPI/CLIProxyAPIPlus
RUN mkdir -p /CLIProxyAPI && chown -R appuser:appgroup /CLIProxyAPI
Comment on lines +26 to +31


critical

The HEALTHCHECK instruction on line 46 uses wget, but it is not installed in the final image. This will cause the health check to fail. You should add wget to the package installation.

Additionally, to reduce image layers and improve build efficiency, it's best to combine related RUN commands into a single instruction.

RUN addgroup -g 1000 appgroup && \
    adduser -u 1000 -G appgroup -s /bin/sh -D appuser && \
    apk add --no-cache tzdata ca-certificates wget && \
    mkdir -p /CLIProxyAPI && chown -R appuser:appgroup /CLIProxyAPI


COPY config.example.yaml /CLIProxyAPI/config.example.yaml
COPY --from=builder --chown=appuser:appgroup /app/CLIProxyAPIPlus /CLIProxyAPI/CLIProxyAPIPlus
COPY --chown=appuser:appgroup config.example.yaml /CLIProxyAPI/config.example.yaml

WORKDIR /CLIProxyAPI

EXPOSE 8317
USER appuser

ENV TZ=Asia/Shanghai
EXPOSE 8317 8085 1455 54545 51121 11451

ENV TZ=Asia/Shanghai
RUN cp /usr/share/zoneinfo/${TZ} /etc/localtime && echo "${TZ}" > /etc/timezone


security-medium medium

The RUN command to set the timezone is executed after switching to the non-root user appuser. This will cause the build to fail because appuser does not have permission to write to /etc/localtime and /etc/timezone. Move these commands before the USER appuser instruction.


CMD ["./CLIProxyAPIPlus"]
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD wget --no-verbose --tries=1 --spider http://localhost:8317/health || exit 1

CMD ["./CLIProxyAPIPlus"]
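Review bot: the final stage creates appuser with `adduser -D` (home directory /home/appuser) but never creates or chowns a token directory under that home, while the docker-compose change in this PR bind-mounts ${CLI_PROXY_AUTH_PATH} into the user's home for the application to read and write; when the host path does not yet exist, Docker creates it owned by root, so uid 1000 cannot write there. Pre-create it in the same RUN that creates the user, e.g. `mkdir -p /home/appuser/.cli-proxy-api && chown -R appuser:appgroup /home/appuser`, so that at least the in-image ownership is right. Separately, the `RUN cp /usr/share/zoneinfo/${TZ} ...` step placed after `USER appuser` and the HEALTHCHECK's use of wget without installing it are already flagged in the comments above; both need to be resolved in this hunk before merge.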
24 changes: 21 additions & 3 deletions docker-compose.yml
@@ -10,10 +10,9 @@ services:
COMMIT: ${COMMIT:-none}
BUILD_DATE: ${BUILD_DATE:-unknown}
container_name: cli-proxy-api-plus
# env_file:
# - .env
environment:
DEPLOY: ${DEPLOY:-}
TZ: ${TZ:-Asia/Shanghai}
ports:
- "8317:8317"
- "8085:8085"
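Review bot: `TZ: ${TZ:-Asia/Shanghai}` only sets the environment variable at run time, whereas the Dockerfile in this PR copies /usr/share/zoneinfo/${TZ} to /etc/localtime at build time using the build-time default; a user who overrides TZ in .env gets a container whose TZ variable and /etc/localtime disagree. Either drop the build-time `RUN cp ...` and rely on the tzdata package plus the TZ variable (Go's time package honours TZ when it is set), or document that the image must be rebuilt to change the zone.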
@@ -22,7 +21,26 @@ services:
- "51121:51121"
- "11451:11451"
volumes:
- ${CLI_PROXY_CONFIG_PATH:-./config.yaml}:/CLIProxyAPI/config.yaml
- ${CLI_PROXY_CONFIG_PATH:-./config.yaml}:/CLIProxyAPI/config.yaml:ro
- ${CLI_PROXY_AUTH_PATH:-./auths}:/root/.cli-proxy-api


security-medium medium

The volume for authentication tokens is mounted to /root/.cli-proxy-api. Since the container now runs as the non-root user appuser, and the application expects tokens in the user's home directory (defaulting to ~/.cli-proxy-api), the application will be unable to access the mounted tokens due to permission restrictions on the /root directory. This breaks the intended security model, may lead users to revert to running as root, and will cause authentication data to be non-persistent. Please update the mount path to the correct directory for appuser.

       - ${CLI_PROXY_AUTH_PATH:-./auths}:/home/appuser/.cli-proxy-api

- ${CLI_PROXY_LOG_PATH:-./logs}:/CLIProxyAPI/logs
healthcheck:
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8317/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 10s
deploy:
resources:
limits:
cpus: '${CLI_PROXY_CPU_LIMIT:-1}'
memory: ${CLI_PROXY_MEMORY_LIMIT:-512M}
reservations:
cpus: '${CLI_PROXY_CPU_RESERVE:-0.1}'
memory: ${CLI_PROXY_MEMORY_RESERVE:-128M}
restart: unless-stopped
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
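Review bot: the new writable bind mount `${CLI_PROXY_LOG_PATH:-./logs}:/CLIProxyAPI/logs` will be created on the host by Docker, owned by root, when ./logs does not already exist, and the container now runs as uid 1000 (appuser), so the first start fails to write logs unless the host directory is pre-created with matching ownership; the same applies to the auth directory discussed above. Either document `mkdir -p logs auths && chown 1000:1000 logs auths` as a setup step, or have an entrypoint fix ownership before dropping privileges. A smaller point: the `healthcheck` block duplicates the Dockerfile HEALTHCHECK with a different start_period (10s here, 5s in the image) and overrides it; keep a single definition so the two cannot drift.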