author | Till <2353100+S7evinK@users.noreply.github.com> | 2022-10-04 11:41:06 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-04 10:41:06 +0100 |
commit | e6c992ba8bcbc59706d6dd55db3b237ebbdc8e7e (patch) | |
tree | 13b5cc593eeae6ace9200e22198b8430e57dd231 /build/docker | |
parent | 34ed316584df916f6959808669c998580f76d88f (diff) |
Update Dockerfile (#2342)
Updates/adds a new multistage (build-kit) Dockerfile. (if accepted,
could make `Dockerfile.monolith` and `Dockerfile.polylith` in
`build/docker` obsolete)
There's no huge difference between the dockerfiles, except this uses a
non-root user when running the container, also doesn't copy the working
directory to the image when building.
Also adds vulnerability scans using
[Trivy](https://github.com/aquasecurity/trivy) for the created docker
images. (untested)
Building images is done using
```
docker build . --target image-monolith -t dendrite-monolith
docker build . --target image-polylith -t dendrite-polylith
```
As noted in the comments, only adds `dendrite-polylith-multi` to the
polylith image and all required binaries to the monolith image.
Probably needs some docs updating, if this is accepted.
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
Diffstat (limited to 'build/docker')
-rw-r--r-- | build/docker/Dockerfile.demo-pinecone | 25 | ||||
-rw-r--r-- | build/docker/Dockerfile.monolith | 25 | ||||
-rw-r--r-- | build/docker/Dockerfile.polylith | 25 | ||||
-rw-r--r-- | build/docker/README.md | 14 | ||||
-rw-r--r-- | build/docker/crossbuild.sh | 67 | ||||
-rwxr-xr-x | build/docker/images-build.sh | 5 |
6 files changed, 79 insertions, 82 deletions
diff --git a/build/docker/Dockerfile.demo-pinecone b/build/docker/Dockerfile.demo-pinecone
deleted file mode 100644
index 133c63c5..00000000
--- a/build/docker/Dockerfile.demo-pinecone
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM docker.io/golang:1.19-alpine AS base
-
-RUN apk --update --no-cache add bash build-base
-
-WORKDIR /build
-
-COPY . /build
-
-RUN mkdir -p bin
-RUN go build -trimpath -o bin/ ./cmd/dendrite-demo-pinecone
-RUN go build -trimpath -o bin/ ./cmd/create-account
-RUN go build -trimpath -o bin/ ./cmd/generate-keys
-
-FROM alpine:latest
-LABEL org.opencontainers.image.title="Dendrite (Pinecone demo)"
-LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
-LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
-LABEL org.opencontainers.image.licenses="Apache-2.0"
-
-COPY --from=base /build/bin/* /usr/bin/
-
-VOLUME /etc/dendrite
-WORKDIR /etc/dendrite
-
-ENTRYPOINT ["/usr/bin/dendrite-demo-pinecone"]
diff --git a/build/docker/Dockerfile.monolith b/build/docker/Dockerfile.monolith
deleted file mode 100644
index 3180e962..00000000
--- a/build/docker/Dockerfile.monolith
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM docker.io/golang:1.19-alpine AS base
-
-RUN apk --update --no-cache add bash build-base
-
-WORKDIR /build
-
-COPY . /build
-
-RUN mkdir -p bin
-RUN go build -trimpath -o bin/ ./cmd/dendrite-monolith-server
-RUN go build -trimpath -o bin/ ./cmd/create-account
-RUN go build -trimpath -o bin/ ./cmd/generate-keys
-
-FROM alpine:latest
-LABEL org.opencontainers.image.title="Dendrite (Monolith)"
-LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
-LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
-LABEL org.opencontainers.image.licenses="Apache-2.0"
-
-COPY --from=base /build/bin/* /usr/bin/
-
-VOLUME /etc/dendrite
-WORKDIR /etc/dendrite
-
-ENTRYPOINT ["/usr/bin/dendrite-monolith-server"]
diff --git a/build/docker/Dockerfile.polylith b/build/docker/Dockerfile.polylith
deleted file mode 100644
index 79f8a5f2..00000000
--- a/build/docker/Dockerfile.polylith
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM docker.io/golang:1.19-alpine AS base
-
-RUN apk --update --no-cache add bash build-base
-
-WORKDIR /build
-
-COPY . /build
-
-RUN mkdir -p bin
-RUN go build -trimpath -o bin/ ./cmd/dendrite-polylith-multi
-RUN go build -trimpath -o bin/ ./cmd/create-account
-RUN go build -trimpath -o bin/ ./cmd/generate-keys
-
-FROM alpine:latest
-LABEL org.opencontainers.image.title="Dendrite (Polylith)"
-LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
-LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
-LABEL org.opencontainers.image.licenses="Apache-2.0"
-
-COPY --from=base /build/bin/* /usr/bin/
-
-VOLUME /etc/dendrite
-WORKDIR /etc/dendrite
-
-ENTRYPOINT ["/usr/bin/dendrite-polylith-multi"]
diff --git a/build/docker/README.md b/build/docker/README.md
index 261519fd..14a9c859 100644
--- a/build/docker/README.md
+++ b/build/docker/README.md
@@ -9,11 +9,15 @@ They can be found on Docker Hub:
 ## Dockerfiles
-The `Dockerfile` builds the base image which contains all of the Dendrite
-components. The `Dockerfile.component` file takes the given component, as
-specified with `--buildarg component=` from the base image and produce
-smaller component-specific images, which are substantially smaller and do
-not contain the Go toolchain etc.
+The `Dockerfile` is a multistage file which can build all three Dendrite
+images depending on the supplied `--target`. From the root of the Dendrite
+repository, run:
+
+```
+docker build . --target monolith -t matrixdotorg/dendrite-monolith
+docker build . --target polylith -t matrixdotorg/dendrite-monolith
+docker build . --target demo-pinecone -t matrixdotorg/dendrite-monolith
+```
 ## Compose files
diff --git a/build/docker/crossbuild.sh b/build/docker/crossbuild.sh
new file mode 100644
index 00000000..46e5d7e9
--- /dev/null
+++ b/build/docker/crossbuild.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+set -e
+
+# In order to cross-compile with the multi-stage Docker builds, we need to
+# ensure that the suitable toolchain for cross-compiling is installed. Since
+# the images are Alpine-based, we will use musl. Download and install the
+# toolchain inside the build container.
+
+USERARCH=`go env GOARCH`
+GOARCH="$TARGETARCH"
+GOOS="linux"
+
+echo "Target arch: $TARGETARCH"
+echo "User arch: $USERARCH"
+
+if [ "$TARGETARCH" != "$USERARCH" ]; then
+ if [ "$USERARCH" != "amd64" ]; then
+ echo "Cross-compiling only supported on amd64"
+ exit 1
+ fi
+
+ echo "Cross compile"
+ case $GOARCH in
+ arm64)
+ curl -s https://more.musl.cc/x86_64-linux-musl/aarch64-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+ export CC=aarch64-linux-musl-gcc
+ ;;
+
+ amd64)
+ curl -s https://more.musl.cc/x86_64-linux-musl/x86_64-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+ export CC=x86_64-linux-musl-gcc
+ ;;
+
+ 386)
+ curl -s https://more.musl.cc/x86_64-linux-musl/i686-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+ export CC=i686-linux-musl-gcc
+ ;;
+
+ arm)
+ curl -s https://more.musl.cc/x86_64-linux-musl/armv7l-linux-musleabihf-cross.tgz | tar xz --strip-components=1 -C /usr
+ export CC=armv7l-linux-musleabihf-gcc
+ ;;
+
+ s390x)
+ curl -s https://more.musl.cc/x86_64-linux-musl/s390x-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+ export CC=s390x-linux-musl-gcc
+ ;;
+
+ ppc64le)
+ curl -s https://more.musl.cc/x86_64-linux-musl/powerpc64le-linux-musl-cross.tgz | tar xz --strip-components=1 -C /usr
+ export CC=powerpc64le-linux-musl-gcc
+ ;;
+
+ *)
+ echo "Unsupported GOARCH=${GOARCH}"
+ exit 1
+ ;;
+ esac
+else
+ echo "Native compile"
+fi
+
+# Output the go environment just in case it is useful for debugging.
+go env
+
+# Build Dendrite and tools, statically linking them.
+CGO_ENABLED=1 go build -v -ldflags="-linkmode external -extldflags -static ${FLAGS}" -trimpath -o /out/ ./cmd/...
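Review bot: Every arm of the `case` pipes a toolchain archive from more.musl.cc straight from `curl -s` into `tar xz ... -C /usr` with no digest check, so whatever that host serves at build time is unpacked over `/usr` and then becomes the `CC` that links the shipped binaries. Each arm should download to a file, verify it against a SHA-256 pinned in the repository, and only then extract; adding `-f` to curl also makes an HTTP error fail the step rather than hand an error page to tar. Separately, `GOARCH` and `GOOS` are assigned but not exported in the visible lines, so unless the caller already has them in the environment `go build` will not see them; `export GOARCH GOOS` would make that explicit. The sketch below shows the helper and one arm, with the digest left as a placeholder to be pinned per archive.

```shell
# Fetch a musl cross toolchain, check it against a pinned digest, then unpack.
# $1 = archive file name, $2 = expected SHA-256 of that archive
fetch_toolchain() {
    curl -fsSL -o /tmp/toolchain.tgz "https://more.musl.cc/x86_64-linux-musl/$1"
    echo "$2  /tmp/toolchain.tgz" | sha256sum -c -
    tar xzf /tmp/toolchain.tgz --strip-components=1 -C /usr
    rm -f /tmp/toolchain.tgz
}

# … unchanged: arch detection, amd64 host check, case header …
        arm64)
            fetch_toolchain aarch64-linux-musl-cross.tgz "<PINNED_SHA256_PLACEHOLDER>"
            export CC=aarch64-linux-musl-gcc
            ;;
# … unchanged: remaining arches (same pattern), go env, go build …
```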
diff --git a/build/docker/images-build.sh b/build/docker/images-build.sh
index c2c14068..1a832615 100755
--- a/build/docker/images-build.sh
+++ b/build/docker/images-build.sh
@@ -6,5 +6,6 @@ TAG=${1:-latest}
 echo "Building tag '${TAG}'"
-docker build -t matrixdotorg/dendrite-monolith:${TAG} -f build/docker/Dockerfile.monolith .
-docker build -t matrixdotorg/dendrite-polylith:${TAG} -f build/docker/Dockerfile.polylith .
\ No newline at end of file
+docker build . --target monolith -t matrixdotorg/dendrite-monolith:${TAG}
+docker build . --target polylith -t matrixdotorg/dendrite-monolith:${TAG}
+docker build . --target demo-pinecone -t matrixdotorg/dendrite-demo-pinecone:${TAG}
\ No newline at end of file |
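Review bot: The second added line builds `--target polylith` but tags the result `matrixdotorg/dendrite-monolith:${TAG}`, so the polylith build replaces the monolith tag and no `dendrite-polylith` image is produced; it should read `docker build . --target polylith -t matrixdotorg/dendrite-polylith:${TAG}`. The README hunk in this commit carries the same copy-paste, with the polylith and demo-pinecone examples both tagged `dendrite-monolith`. A mistagged image means anything that scans or deploys by name, including the Trivy scans the description mentions, would be inspecting a different set of binaries than the tag claims. Quoting the reference as `"matrixdotorg/dendrite-polylith:${TAG}"` on all three lines would also keep an unusual tag argument from being word-split.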