Code-Memo

Containers for Go services and CLIs

Go’s static binaries and low runtime dependency footprint make it container-friendly.

Multi-stage Docker build (service)

# build stage
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -trimpath -ldflags "-s -w" -o /out/app ./cmd/mytool

# runtime stage
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]

Distroless vs scratch vs alpine

CA certificates

If you call HTTPS endpoints, you need CA certs in the image (distroless includes them; scratch does not by default).
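A scratch variant of the service build above that carries the CA bundle over from the build stage. This is an added example, not part of the original memo. It assumes the bundle sits at /etc/ssl/certs/ca-certificates.crt in the golang build image, and the numeric UID is an arbitrary choice.

```dockerfile
# build stage: same as the service build above; the Debian-based golang image
# ships a CA bundle that the runtime stage can reuse
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -trimpath -ldflags "-s -w" -o /out/app ./cmd/mytool

# runtime stage: scratch is empty, so nothing here is implicit
FROM scratch
# Without this line, outbound HTTPS from the binary fails certificate
# verification ("x509: certificate signed by unknown authority").
# Assumption: the bundle path below is where the build image keeps it;
# it is also one of the locations Go's crypto/x509 searches on Linux.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /out/app /app
# scratch has no /etc/passwd, so use a numeric UID:GID (65532 is an assumed,
# arbitrary unprivileged ID) instead of a user name
USER 65532:65532
ENTRYPOINT ["/app"]
```

The trust store in the final image is whatever the build image contained at build time, so rebuild regularly to pick up CA additions and removals.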

CGO_ENABLED=0

Containers for CLIs

For CI jobs, a containerized CLI can be useful because it pins the tool and its dependencies. For end-user machines, prefer direct binary releases.