Add Docker support with distroless image

[leisefuxX]

Summary

This PR adds Docker containerization support using Google's distroless base image, providing a minimal and secure deployment option for gosh under linux

Changes

1. Bug fix: Architecture-specific syscall name for fstatat/newfstatat

   • The seccomp-bpf filter failed on x86_64 because fstatat is only valid on arm64
   • Added runtime check using runtime.GOARCH to select the correct syscall name

2. Docker support:

   • Dockerfile: Multi-stage build with distroless runtime
   • docker-compose.yml: Simple deployment configuration
   • gosh.container.yml: Template configuration
   • config/: Example configuration directory

Design Decisions

Base Image: gcr.io/distroless/static-debian12

• Minimal attack surface (no shell, no package manager)
• Tiny image size (~24MB total, ~6MB content)
• Industry standard used by Kubernetes, Knative, Tekton, etc.

Privilege Model

The container leverages gosh's built-in privilege separation:

• Container starts as root (required for chroot()/setuid() syscalls)
• gosh drops privileges to UID 65532 after initialization
• Seccomp-BPF filters are applied by gosh itself
• Custom /etc/passwd and /etc/group added for user.Lookup() compatibility

Configuration

/config/gosh.yml      - main configuration (required)
/config/index.html    - custom index template (optional)
/config/favicon.ico   - favicon (optional)
/config/custom.css    - custom styles (optional)
/data/                - persistent storage

Usage

# Using docker-compose
docker compose up -d

# Or manually
docker run -d -p 8080:8080 \
  -v ./config:/config:ro \
  -v gosh-data:/data \
  gorja/gosh:0.6.0

Pre-built Image

A pre-built image is available on Docker Hub: gorja/gosh:0.6.0

Test plan

• Build image successfully
• Container starts without errors
• Privilege dropping works (processes run as UID 65532)
• Seccomp-BPF filters apply correctly on x86_64
• File upload/download works
• Custom index.html is served

---

🤖 Generated with Claude Code

[oxzi]

First, thanks a lot for using gosh and this PR. Please excuse the delay.

In general, I would like to have a Dockerfile in here, but there are a few things needed to be addressed first. Please take a look at my comments, added after a first vibe check of this PR.

[oxzi]

This is not required, since newfstatat is already part of @system-services. Already described when introducing this change in c55f4fa.

https://github.com/oxzi/syscallset-go/blob/v0.1.7/syscalls.go#L1133-L1333

Furthermore, this binary logic assumes that newfstatat is available on every architecture that is not arm64. Unsure about that.

[oxzi]

Meh. Seems like I don't know my own library. I assumed that syscallset-go ignore unknown system calls, but it only does so when passing a syscall set.

I have changed this with the just released - and already bumped here - version 0.1.7.

Thus, no further changes in the Go code are required from this PR. Just rebase :)

[oxzi]

I am not a huge fan of having duplicated configuration files. Changes to the main gosh.yml will be forgotten and not being reapplied here.

Thus, how about copying it into the container, do the necessary changes via sed or yq within the container build stage and still allow users to overlay/overwrite it?

[oxzi]

Quite same as https://github.com/oxzi/gosh/pull/73/changes#r2738584441. Is there even a change compared to ./index.html?

[oxzi]

Please don't use an LLM (w/o Internet access) to pin "latest" versions.

Especially in this case, these versions are dangerously outdated, as Go only supports the two last major versions, being 1.24 and 1.25 at the time of writing. Since Go 1.23's EOL, there were multiple security fixes in 1.24 and 1.25, many of those might also affect 1.23.

Furthermore, Debian stable is trixie now.

[oxzi]

The /config directory is not mentioned as a VOLUME in the Dockerfile, but only referenced through the docker-compose.yml file.

[oxzi]

What is this file for? Is it even being referenced?