Produce distroless minimized container images

This change produces a minimal container image (~25MB) containing only
the entrypoint bash (static) executable, the split-sync or split-proxy
executable, and the minimal Debian files needed for these to execute.

The dependency on the `tr` application was removed from functions.sh
by using bash variable parameter expansion instead.

We use a static bash executable to minimize libraries needed to
include in the image.  Bash executes only briefly in the entrypoint
which then exec's into the application.

split-sync and split-proxy are dynamically linked with libc because
the go net library requires it.  Therefore, libc is copied into the
final image too.

ca-certificates are copied into the image so TLS connections to
split.io can be validated.

The last build stage is used to produce a single-layer final
container.

Author: matt-domsch-sp

docker/Dockerfile.proxy

@@ -5,22 +5,8 @@ ARG EXTRA_BUILD_ARGS
 ARG FIPS_MODE
 
 RUN apt update -y
-RUN apt install -y build-essential ca-certificates python3 git
+RUN apt install -y build-essential ca-certificates python3 git bash-static
 
-WORKDIR /code
-
-COPY . .
-
-RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \
-    then echo "building in fips mode"; make clean split-proxy-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-proxy-fips split-proxy; \
-    else echo "building in standard mode"; make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
-    fi'
-
-# Runner stage
-FROM debian:12.9 AS runner
-
-RUN apt update -y
-RUN apt install -y bash ca-certificates
 RUN addgroup --gid 1000 --system 'split-proxy'
 RUN adduser \
     --disabled-password \
@@ -31,10 +17,39 @@ RUN adduser \
     --uid 1000 \
     'split-proxy'
 
+WORKDIR /code
+
+COPY . .
+
+RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \
+    then echo "building in fips mode"; make clean split-proxy-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-proxy-fips split-proxy; \
+    else echo "building in standard mode"; make clean split-proxy entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+    fi'
+
+# copy1 stage
+FROM scratch AS copy1
+
 COPY docker/functions.sh .
 
 COPY --from=builder /code/split-proxy /usr/bin/
 COPY --from=builder /code/entrypoint.proxy.sh .
+COPY --from=builder /bin/bash-static /bin/bash
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/shadow /etc/shadow
+COPY --from=builder /etc/group /etc/group
+# because split-sync is dynamically linked to glibc for the net library
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
+COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+# Get copyright statements for included components for legal compliance
+COPY --from=build /usr/share/doc/ca-certificates/copyright /usr/share/doc/ca-certificates/copyright
+COPY --from=build /usr/share/doc/bash-static/copyright /usr/share/doc/bash-static/copyright
+COPY --from=build /usr/share/doc/libc6/copyright /usr/share/doc/libc6/copyright
+
+# runner stage squashed minimum layer
+FROM scratch
+
+COPY --from=copy1 / /
 
 EXPOSE 3000 3010
 

docker/Dockerfile.synchronizer

@@ -5,22 +5,8 @@ ARG EXTRA_BUILD_ARGS
 ARG FIPS_MODE
 
 RUN apt update -y
-RUN apt install -y build-essential ca-certificates python3 git
+RUN apt install -y build-essential ca-certificates python3 git bash-static
 
-WORKDIR /code
-
-COPY . .
-
-RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \
-    then echo "building in fips mode"; make clean split-sync-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
-    else echo "building in standard mode"; make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
-    fi'
-
-# Runner stage
-FROM debian:12.9 AS runner
-
-RUN apt update -y
-RUN apt install -y bash ca-certificates
 RUN addgroup --gid 1000 --system 'split-synchronizer'
 RUN adduser \
     --disabled-password \
@@ -31,10 +17,40 @@ RUN adduser \
     --uid 1000 \
     'split-synchronizer'
 
+WORKDIR /code
+
+COPY . .
+
+RUN bash -c 'if [[ "${FIPS_MODE}" = "enabled" ]]; \
+    then echo "building in fips mode"; make clean split-sync-fips entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; mv split-sync-fips split-sync; \
+    else echo "building in standard mode"; make clean split-sync entrypoints EXTRA_BUILD_ARGS="${EXTRA_BUILD_ARGS}"; \
+    fi'
+
+# copy1 stage
+FROM scratch AS copy1
+
 COPY docker/functions.sh .
 
 COPY --from=builder /code/split-sync /usr/bin/
 COPY --from=builder /code/entrypoint.synchronizer.sh .
+COPY --from=builder /bin/bash-static /bin/bash
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/shadow /etc/shadow
+COPY --from=builder /etc/group /etc/group
+# because split-sync is dynamically linked to glibc for the net library
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
+COPY --from=builder /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+# Get copyright statements for included components for legal compliance
+COPY --from=build /usr/share/doc/ca-certificates/copyright /usr/share/doc/ca-certificates/copyright
+COPY --from=build /usr/share/doc/bash-static/copyright /usr/share/doc/bash-static/copyright
+COPY --from=build /usr/share/doc/libc6/copyright /usr/share/doc/libc6/copyright
+
+
+# runner stage squashed minimum layer
+FROM scratch
+
+COPY --from=copy1 / /
 
 EXPOSE 3000 3010
 

docker/entrypoint.sh.tpl

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 
 FLAGS=({{ARGS}})
 

docker/functions.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 
 function parse_flags_from_conf_file() {
     fn=$1
@@ -21,7 +21,8 @@ function flag_to_env_var() {
         return 1
     fi
 
-    echo "${prefix}_${flag}" | tr "[a-z]" "[A-Z]" | tr "-" "_"
+    uppercase="${prefix^^}_${flag^^}"
+    echo "${uppercase//-/_}"
     return 0
 }