From fece091fc1e6241bbb5262e29948f23b62df445b Mon Sep 17 00:00:00 2001
From: Carles Garcia Cabot
Date: Wed, 15 Jan 2025 10:42:12 +0100
Subject: [PATCH] Use distroless base image for tempo

This image contains busybox, making debugging easier by running /busybox/sh
---
 cmd/tempo/Dockerfile | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/cmd/tempo/Dockerfile b/cmd/tempo/Dockerfile
index 395d7992424..0c119317c5a 100644
--- a/cmd/tempo/Dockerfile
+++ b/cmd/tempo/Dockerfile
@@ -1,13 +1,15 @@
-FROM alpine:3.21 AS certs
-RUN apk --update add ca-certificates
-ARG TARGETARCH
-COPY bin/linux/tempo-${TARGETARCH} /tempo
+FROM gcr.io/distroless/static-debian12:debug AS builder
+
+# we need this because some docker-compose files call chown assuming there's a shell
+SHELL ["/busybox/sh", "-c"]
 
-RUN addgroup -g 10001 -S tempo && \
- adduser -u 10001 -S tempo -G tempo
+RUN ["/busybox/addgroup", "-g", "10001", "-S", "tempo"]
+RUN ["/busybox/adduser", "-u", "10001", "-S", "tempo", "-G", "tempo"]
+RUN ["/busybox/mkdir", "-p", "/var/tempo", "-m", "0700"]
+RUN ["/busybox/chown", "-R", "tempo:tempo", "/var/tempo"]
 
-RUN mkdir -p /var/tempo -m 0700 && \
- chown -R tempo:tempo /var/tempo
+ARG TARGETARCH
+COPY bin/linux/tempo-${TARGETARCH} /tempo
 
 USER 10001:10001
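Review bot: The new `FROM gcr.io/distroless/static-debian12:debug AS builder` line uses a mutable tag with no digest, so a changed upstream image is pulled into the build silently, where the replaced `alpine:3.21` at least named a release. Pinning it as `FROM gcr.io/distroless/static-debian12:debug@sha256:<digest> AS builder` (placeholder digest) keeps the build reproducible and makes a base-image update a reviewed change. Because the `debug` variant is chosen for its busybox shell, that shell and its applets are also available to anyone who gains code execution in the container, which gives up much of what a distroless base is meant to remove. The rest of the file is outside the hunk, so whether this stage is the published one is inferred; if it is, a comment stating that trade-off, or a separate non-debug target for production, would help. The stage name `builder` is also misleading if nothing is built in it.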