Add vips-tools (vipsthumbnail) to the runtime image alongside ffmpeg and exiftool, and document THUMB_MAX_PIXELS as the pure-Go fallback guard. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
+4
-3
@@ -92,9 +92,10 @@ THUMB_WIDTH=160
|
||||
THUMB_HEIGHT=160
|
||||
PREVIEW_WIDTH=1920
|
||||
PREVIEW_HEIGHT=1080
|
||||
# Largest source image (in pixels, width×height) decoded to build a thumbnail or
|
||||
# preview; bigger images get a placeholder. Bounds a decompression bomb and the
|
||||
# per-image RAM cost. Default ~300 Mpx (e.g. 13000×17000).
|
||||
# Pixel cap (width×height) for the pure-Go fallback decoder, used only when
|
||||
# vipsthumbnail is NOT installed; larger images then get a placeholder. With vips
|
||||
# present (the default image) thumbnails shrink on load, so this limit — and its
|
||||
# RAM cost — don't apply. Also bounds a decompression bomb. Default ~300 Mpx.
|
||||
THUMB_MAX_PIXELS=300000000
|
||||
# How many thumbnails/previews may be generated at once. Each resize already uses
|
||||
# every core, so a burst of large images otherwise pegs the CPU and RAM. 0 = auto
|
||||
|
||||
+10
-8
@@ -41,23 +41,25 @@ RUN go mod download
|
||||
|
||||
COPY backend/ ./
|
||||
|
||||
# CGO is disabled: image processing is pure Go (disintegration/imaging) and
|
||||
# video thumbnails shell out to the ffmpeg binary at runtime, so the resulting
|
||||
# binary is fully static and portable across base images.
|
||||
# CGO is disabled: the binary shells out to external tools at runtime
|
||||
# (vipsthumbnail for image thumbnails, ffmpeg for video frames, exiftool for
|
||||
# metadata) and falls back to pure-Go image processing (disintegration/imaging)
|
||||
# when vips is absent, so it stays fully static and portable across base images.
|
||||
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/server ./cmd/server
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Stage 3 — minimal runtime
|
||||
#
|
||||
# Alpine (not distroless/scratch) because video thumbnailing invokes ffmpeg and
|
||||
# metadata extraction invokes exiftool as external processes; both must be
|
||||
# present on the runtime image.
|
||||
# Alpine (not distroless/scratch) because thumbnailing and metadata extraction
|
||||
# invoke external processes (vipsthumbnail, ffmpeg, exiftool) that must be present
|
||||
# on the runtime image.
|
||||
# -----------------------------------------------------------------------------
|
||||
FROM alpine:3.21 AS runtime
|
||||
|
||||
# ffmpeg: video frame extraction. exiftool: rich image/video/audio metadata.
|
||||
# vips-tools: fast, low-memory image thumbnails (shrink-on-load, so multi-hundred-
|
||||
# Mpx photos cost little). ffmpeg: video frame extraction. exiftool: rich metadata.
|
||||
# ca-certificates/tzdata: TLS + time zones.
|
||||
RUN apk add --no-cache ffmpeg exiftool ca-certificates tzdata
|
||||
RUN apk add --no-cache vips-tools ffmpeg exiftool ca-certificates tzdata
|
||||
|
||||
# Run as an unprivileged user.
|
||||
RUN addgroup -S -g 42776 tanabata && adduser -S -G tanabata -u 42776 tanabata
|
||||
|
||||
Reference in New Issue
Block a user