Add multi-stage Dockerfile with security best practices

2026-02-05 05:41:11 +00:00 · 2026-01-08 13:20:51 +01:00 · 2026-01-08 13:20:51 +01:00 · 37d3d638af
commit 37d3d638af
parent ab1d5364a0
1 changed files with 60 additions and 0 deletions
--- a/60
+++ b/60
@ -0,0 +1,60 @@
+# Multi-stage Dockerfile for Spring PetClinic
+# Stage 1: Build
+FROM eclipse-temurin:21-jdk-jammy AS builder
+
+WORKDIR /app
+
+# Copy Maven wrapper and pom.xml for dependency caching
+COPY .mvn/ .mvn/
+COPY mvnw pom.xml ./
+
+# Download dependencies
+RUN ./mvnw dependency:go-offline -B
+
+# Copy source code
+COPY src ./src
+
+# Build application
+RUN ./mvnw clean package -DskipTests -B
+
+# Extract JAR layers for better caching
+RUN mkdir -p target/extracted && \
+    java -Djarmode=layertools -jar target/*.jar extract --destination target/extracted
+
+# Stage 2: Runtime
+FROM eclipse-temurin:21-jre-jammy
+
+# Install curl for health checks
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends curl && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN groupadd -r spring && useradd -r -g spring spring
+
+WORKDIR /app
+
+# Copy extracted layers from builder
+COPY --from=builder /app/target/extracted/dependencies/ ./
+COPY --from=builder /app/target/extracted/spring-boot-loader/ ./
+COPY --from=builder /app/target/extracted/snapshot-dependencies/ ./
+COPY --from=builder /app/target/extracted/application/ ./
+
+# Change ownership
+RUN chown -R spring:spring /app
+
+# Switch to non-root user
+USER spring:spring
+
+EXPOSE 8080
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=60s --retries=3 \
+    CMD curl -f http://localhost:8080/actuator/health || exit 1
+
+# JVM options for containers
+ENV JAVA_OPTS="-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0"
+
+# Run application
+ENTRYPOINT ["sh", "-c", "java $JAVA_OPTS org.springframework.boot.loader.launch.JarLauncher"]