Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>
License: see LICENSE.
DEPLOY — Docker
Dockerfile — multi-stage MANDATORY (build tools never ship to prod image):

```dockerfile
# Stage 1: build with the full Rust toolchain; nothing from here ships except the binary
FROM rust:1.80 AS builder
WORKDIR /app
# .dockerignore must exclude .git, target/, .env*, secrets/ so they never enter the build context
COPY . .
# --locked fails the build if Cargo.lock is stale instead of silently resolving new versions
RUN cargo build --release --locked --bin myapp

# Stage 2: minimal runtime image: no shell, no package manager
# Pin a tag (better: a digest); an untagged reference is implicitly :latest
FROM gcr.io/distroless/cc-debian12:nonroot
COPY --from=builder /app/target/release/myapp /myapp
USER nonroot:nonroot
# exec form is required: distroless has no /bin/sh for the shell form
HEALTHCHECK --interval=30s --timeout=3s CMD ["/myapp", "--healthcheck"]
ENTRYPOINT ["/myapp"]
```
Base image: distroless (preferred, no shell — smaller attack surface) or alpine (if musl compat) or debian:slim. NEVER ubuntu:latest for prod.
File ops: `COPY` only, it is deterministic. NEVER `ADD`: it auto-extracts tar archives and fetches URLs, surprising behaviour. `.dockerignore` committed; it must include `.git`, `target/`, `node_modules/`, `.env*`, `secrets/`, otherwise `COPY . .` drags them into the build context and potentially into a layer.
Secrets:
- NEVER `ENV SECRET=...` (and not `ARG` either): the value is recorded in the image config and layer history, visible to anyone with the image via `docker history` / `docker inspect`, forever.
- Build-time secrets via BuildKit: `docker build --secret id=foo,src=./foo.txt .` on the CLI, consumed in the Dockerfile with `RUN --mount=type=secret,id=foo <command reading /run/secrets/foo>`. The file exists only for that one `RUN` and never lands in a layer.
- Runtime secrets via env injection from the orchestrator / docker-compose `secrets:` (Swarm) / K8s Secret.
User: `USER nonroot` (distroless provides it) or explicit `RUN useradd -u 10001 app && USER app`. Running as root = CVE amplifier: any file-write or container-escape bug in the app is executed with UID 0.
Healthcheck: MANDATORY. Docker, Compose, Swarm and ECS use it for readiness/liveness; without it, failed containers stay "up". Caveat: Kubernetes ignores the Dockerfile `HEALTHCHECK`, so the pod spec must declare its own `livenessProbe` / `readinessProbe` (pointing at the same `--healthcheck` entry point is fine).
docker-compose: LOCAL DEV ONLY. For prod, the orchestrator (ECS, Fargate, K8s, Nomad, Docker Swarm) owns the deployment. Typical prod pattern: single container listening on internal port, behind nginx reverse proxy on a public port, colocated on a shared host.
Forbidden: ADD for local files (use COPY); USER root in final stage; secrets in ENV or ARG; missing HEALTHCHECK; docker-compose as prod orchestrator; :latest tags in prod manifests; single-stage Dockerfile that ships build toolchain.
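The Forbidden list above can be enforced mechanically before an image is built. The script below is an added example, not part of the project's tooling: a POSIX `sh` wrapper around an `awk` pass that checks a Dockerfile against each rule on this page (local `ADD`, root or missing `USER` in the final stage, secret-looking `ENV`/`ARG` names, missing `HEALTHCHECK`, `:latest` or untagged base images, single-stage builds). The two sample Dockerfiles are constructed for the demonstration; the secret-name pattern and the `--healthcheck` flag are assumptions, not something the page specifies.

```shell
#!/bin/sh
# Dockerfile policy check for the Forbidden list (added example, not project tooling).
# Prints one VIOLATION line per finding; exit status = number of findings (0 = clean).
check_dockerfile() {
    awk '
    function first_arg(w, n,   i) {            # first operand that is not a --flag
        for (i = 2; i <= n; i++) if (w[i] !~ /^--/) return w[i]
        return ""
    }
    function viol(msg) { count++; print "VIOLATION: " msg }
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }   # join backslash continuations
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }              # skip comments and blank lines
    {
        up = toupper(line); sub(/^[ \t]+/, "", up)
        n = split(up, w, " "); kw = w[1]
    }
    kw == "FROM" {
        stages++; user = ""; hc = 0                              # USER/HEALTHCHECK are per stage
        img = first_arg(w, n)
        if (n >= 4 && w[n-1] == "AS") names[w[n]] = 1            # remember stage aliases
        if (!(img in names) && img != "SCRATCH") {
            if (img ~ /:LATEST$/ || (img !~ /:/ && img !~ /@/))
                viol("FROM " img ": :latest or untagged base image, pin a tag or digest")
        }
    }
    kw == "ADD" {
        src = first_arg(w, n)
        if (src !~ /^HTTPS?:\/\//) viol("ADD " src ": local source, use COPY")
    }
    kw == "ENV" || kw == "ARG" {
        for (i = 2; i <= n; i++) {
            name = w[i]; sub(/=.*/, "", name)                    # never echo the value itself
            if (name ~ /(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)/) {
                viol(kw " " name ": secret baked into image layers/metadata"); break
            }
        }
    }
    kw == "USER" { user = w[2] }
    kw == "HEALTHCHECK" { hc = 1 }
    END {
        if (stages < 2) viol("single-stage build: build toolchain ships in the prod image")
        if (user == "" || user ~ /^(ROOT|0)(:|$)/) viol("final stage has no non-root USER")
        if (!hc) viol("final stage has no HEALTHCHECK")
        exit count
    }' "$1"
}

# Constructed samples (not from the repo): one breaks every rule, one follows them all.
BAD_DF=$(mktemp) && GOOD_DF=$(mktemp)
trap 'rm -f "$BAD_DF" "$GOOD_DF"' EXIT
cat >"$BAD_DF" <<'EOF'
FROM ubuntu:latest
ADD app.tar.gz /opt/
ENV DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y build-essential \
    && make -C /opt/app
CMD ["/opt/app/myapp"]
EOF
cat >"$GOOD_DF" <<'EOF'
FROM rust:1.80 AS builder
WORKDIR /app
COPY . .
RUN cargo build --release --locked --bin myapp
FROM gcr.io/distroless/cc-debian12:nonroot
COPY --from=builder /app/target/release/myapp /myapp
USER nonroot:nonroot
HEALTHCHECK --interval=30s --timeout=3s CMD ["/myapp", "--healthcheck"]
ENTRYPOINT ["/myapp"]
EOF

for f in "$BAD_DF" "$GOOD_DF"; do
    echo "== $f"
    if check_dockerfile "$f"; then
        echo "clean"
    else
        echo "$? violation(s)"
    fi
done
```

Run it as a pre-commit hook or a CI step on every Dockerfile in the repo and fail the job on a non-zero exit. The check is deliberately lexical: it does not resolve base images or prove the binary is non-root at runtime, so it complements, rather than replaces, the orchestrator's own policy (Pod Security admission, ECS task definitions) and an image scanner.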