Lab 6 Submission #1205

Open
G-Akleh wants to merge 5 commits into inno-devops-labs:main from G-Akleh:feature/lab6

G-Akleh commented Jun 23, 2026

Goal

Dockerize QuickNotes with a ≤25 MB multi-stage image, a Compose stack with healthcheck + persistent volume, and the 6 container-security hardening defaults.

Changes

  • app/Dockerfile — multi-stage build (golang:1.24-alpine builder → distroless/static:nonroot), static CGO_ENABLED=0 binary, -trimpath -ldflags='-s -w', runs as nonroot, final image 13.7 MB
  • app/healthcheck/main.go — tiny static Go binary for the distroless healthcheck (no shell/curl/wget in the image)
  • compose.yaml — quicknotes service + named volume quicknotes-data:/data, exec-form healthcheck, env vars, restart: unless-stopped; a one-shot volume-init sidecar chowns the volume so the nonroot app can seed it; hardened with cap_drop: [ALL], read_only: true, /tmp tmpfs, no-new-privileges
  • submissions/lab6.md — full write-up for Task 1, Task 2, and Bonus

Testing

  • docker images → 13.7 MB (≤ 25 MB); docker inspect confirms User=nonroot, EXPOSE 8080, exec-form entrypoint
  • Compose stack reaches healthy; persistence test passes: POSTed note survives down && up, and is gone after down -v && up (back to 4 seed notes)
  • Bonus: verified all 5 enforceable defaults via docker inspect (CapDrop=[ALL], ReadonlyRootfs=true, SecurityOpt=[no-new-privileges:true]), no-shell exec fails as expected. Trivy scan did not complete due to vuln-DB download connectivity issues (documented in submission).

Checklist

  • Title is a clear sentence (≤ 70 chars)
  • Commits are signed (git log --show-signature)
  • submissions/lab6.md updated

G-Akleh added 5 commits June 9, 2026 22:16
Signed-off-by: G-Akleh <ghadeer_akleh@hotmail.com>
Signed-off-by: G-Akleh <ghadeer_akleh@hotmail.com>
Signed-off-by: G-Akleh <ghadeer_akleh@hotmail.com>
Signed-off-by: G-Akleh <ghadeer_akleh@hotmail.com>
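
An added example, not part of the pull request or the lab's code: the `docker inspect` verification described under Testing, written as a repeatable check over parsed `docker inspect` JSON. The sample input is constructed and the function names are this example's own; it assumes the tmpfs is declared with Compose's `tmpfs:` key, which Docker reports under `HostConfig.Tmpfs`.

```python
import json

# Constructed sample: trimmed `docker inspect <container>` output, not taken from the PR.
SAMPLE_INSPECT = json.loads("""
[{"Name": "/quicknotes",
  "Config": {"User": "nonroot"},
  "HostConfig": {"CapDrop": ["ALL"], "ReadonlyRootfs": true,
                 "SecurityOpt": ["no-new-privileges:true"],
                 "Tmpfs": {"/tmp": ""}}},
 {"Name": "/defaults",
  "Config": {"User": ""},
  "HostConfig": {"CapDrop": null, "ReadonlyRootfs": false,
                 "SecurityOpt": null, "Tmpfs": null}}]
""")


def audit_container(info):
    """Return hardening findings for one object from `docker inspect`."""
    host = info.get("HostConfig") or {}
    user = (info.get("Config") or {}).get("User") or ""
    findings = []

    # Docker reports unset list/map options as null, hence the `or` fallbacks.
    caps = [c.upper() for c in (host.get("CapDrop") or [])]
    if "ALL" not in caps:
        findings.append("cap_drop does not include ALL")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    opts = host.get("SecurityOpt") or []
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("no-new-privileges is not set")
    # Assumption: tmpfs declared via `tmpfs:`; a `type: tmpfs` mount shows up elsewhere.
    if "/tmp" not in (host.get("Tmpfs") or {}):
        findings.append("/tmp is not a tmpfs mount")
    # An empty User means the process starts as root; "0:0" style values count too.
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("container runs as root")
    return findings


def audit(inspect_output):
    """Map each container name to its list of findings (empty list = hardened)."""
    return {c.get("Name", "?"): audit_container(c) for c in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

Against a live stack, feed it `json.loads` of the output of `docker inspect` for the running container instead of the constructed sample.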