Docker patterns for Cubby Go + SQLite
Use for building and running the Cubby Go backend in containers, including SQLite storage and ARM64 builds.
Default: gcr.io/distroless/static-debian12:nonroot for production.
Alternative: alpine only when a shell or debugging tools are required.
# syntax=docker/dockerfile:1.7
FROM golang:1.25-alpine3.20 AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/root/.cache/go-build \
go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
go build -ldflags="-s -w" -o /app/cubby ./cmd/server
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /app/cubby /app/cubby
USER nonroot:nonroot
VOLUME ["/data"]
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
CMD ["/app/cubby", "-healthcheck"]
ENTRYPOINT ["/app/cubby"]
Copy go.mod/go.sum first, go mod download, then copy source.
Use BuildKit cache mounts for /go/pkg/mod and /root/.cache/go-build.
CGO_ENABLED=0 for modernc.org/sqlite-ldflags="-s -w" to reduce binary sizeGOOS=linux GOARCH=amd64|arm64 explicitdocker buildx build \
--platform linux/amd64,linux/arm64 \
-t registry/cubby:1.0.0 \
--push \
./backend
SQLite WAL uses db, db-wal, db-shm on the same volume.
Mount a single /data volume and point DB_PATH to /data/cubby.db.
Ensure volume is writable by UID 65534 (distroless nonroot).
USER nonroot:nonroot)ENTRYPOINT in exec formcap_drop: ["ALL"])