# syntax=docker/dockerfile:1.24
FROM --platform=$BUILDPLATFORM rust:1.96-bookworm AS chef
# Toolchain stage. It is pinned to the build host's platform: the later stages
# cross-compile for TARGETARCH with zig, so only host-arch zig/sccache binaries
# are installed here (see the BUILDARCH switch below).
# NOTE(review): the tag alone can move; pinning by digest
# (rust:1.96-bookworm@sha256:...) would make the build reproducible.
ARG BUILDARCH
# renovate: datasource=github-releases depName=ziglang/zig
ARG ZIG_VERSION=0.16.0
# renovate: datasource=github-releases depName=rust-cross/cargo-zigbuild
ARG CARGO_ZIGBUILD_VERSION=0.22.3
# renovate: datasource=github-releases depName=mozilla/sccache
ARG SCCACHE_VERSION=0.15.0
# renovate: datasource=crate depName=cargo-chef
ARG CARGO_CHEF_VERSION=0.1.77
# sccache cannot cache incremental artifacts; release builds do not use them.
# (ENV rather than ARG so every derived stage inherits it.)
ENV CARGO_INCREMENTAL=0
# C toolchain for build scripts (presumably bindgen-style crates need libclang;
# not visible from this file). Package lists are removed in the same layer so
# they never land in the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      clang \
      libclang-dev \
 && rm -rf /var/lib/apt/lists/*
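# Optional SHA-256 of each downloaded archive for the build host's BUILDARCH.
# Left empty (the default) the download is trusted on TLS alone, as before;
# because the hashes are architecture-specific, set them from a CI job that
# knows its runner architecture to pin the exact artifact.
ARG ZIG_SHA256=
ARG CARGO_ZIGBUILD_SHA256=
ARG SCCACHE_SHA256=
# Fetch zig, cargo-zigbuild and sccache for the host arch. Archives are saved
# to disk first so they can be checksummed before extraction; extracting
# straight from a curl pipe would also hide a failed download behind tar's
# exit status under /bin/sh (no pipefail).
RUN <<'EOF'
set -eu
case "${BUILDARCH}" in
  amd64) HOST_TARGET=x86_64-unknown-linux-musl; ZIG_ARCH=x86_64; SCCACHE_ARCH=x86_64 ;;
  arm64) HOST_TARGET=aarch64-unknown-linux-musl; ZIG_ARCH=aarch64; SCCACHE_ARCH=aarch64 ;;
  *) echo "Unsupported BUILDARCH: ${BUILDARCH}" >&2; exit 1 ;;
esac
# verify FILE SHA256: fail the build on mismatch; warn and continue when no
# checksum was supplied so the default build keeps working.
verify() {
  if [ -n "$2" ]; then
    echo "$2  $1" | sha256sum -c -
  else
    echo "warning: no checksum supplied for $(basename "$1"); trusting TLS only" >&2
  fi
}
tmp="$(mktemp -d)"
zig_dir="zig-${ZIG_ARCH}-linux-${ZIG_VERSION}"
curl -fsSL -o "$tmp/zig.tar.xz" "https://ziglang.org/download/${ZIG_VERSION}/${zig_dir}.tar.xz"
verify "$tmp/zig.tar.xz" "$ZIG_SHA256"
tar -xJf "$tmp/zig.tar.xz" -C /opt
ln -s "/opt/${zig_dir}/zig" /usr/local/bin/zig
curl -fsSL -o "$tmp/cargo-zigbuild.tar.xz" "https://github.com/rust-cross/cargo-zigbuild/releases/download/v${CARGO_ZIGBUILD_VERSION}/cargo-zigbuild-${HOST_TARGET}.tar.xz"
verify "$tmp/cargo-zigbuild.tar.xz" "$CARGO_ZIGBUILD_SHA256"
# Only the single binary is kept; a missing archive member makes tar fail.
tar -xJOf "$tmp/cargo-zigbuild.tar.xz" "cargo-zigbuild-${HOST_TARGET}/cargo-zigbuild" > /usr/local/bin/cargo-zigbuild
chmod +x /usr/local/bin/cargo-zigbuild
sccache_dir="sccache-v${SCCACHE_VERSION}-${SCCACHE_ARCH}-unknown-linux-musl"
curl -fsSL -o "$tmp/sccache.tar.gz" "https://github.com/mozilla/sccache/releases/download/v${SCCACHE_VERSION}/${sccache_dir}.tar.gz"
verify "$tmp/sccache.tar.gz" "$SCCACHE_SHA256"
tar -xzOf "$tmp/sccache.tar.gz" "${sccache_dir}/sccache" > /usr/local/bin/sccache
chmod +x /usr/local/bin/sccache
rm -rf "$tmp"
EOF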
# cargo-chef is a host tool, so its registry cache is keyed by BUILDARCH
# (the builder stages key theirs by TARGETARCH); --locked honours the crate's
# own Cargo.lock.
RUN --mount=type=cache,target=/usr/local/cargo/registry,id=cargo-registry-${BUILDARCH},sharing=locked \
    cargo install cargo-chef --locked --version "${CARGO_CHEF_VERSION}"
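# build-env.sh is *sourced* by the builder stage's RUN steps. It resolves the
# Rust target for TARGETARCH and, when ENABLE_SCCACHE=1, exports the sccache
# wrapper settings and the S3 credentials read from BuildKit secret mounts.
# The delimiter is quoted so nothing is expanded while the file is written.
RUN cat > /usr/local/lib/build-env.sh <<'EOF'
case "${TARGETARCH}" in
amd64) RUST_TARGET=x86_64-unknown-linux-gnu; SCCACHE_SERVER_PORT=4226 ;;
arm64) RUST_TARGET=aarch64-unknown-linux-gnu; SCCACHE_SERVER_PORT=4227 ;;
*) echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;;
esac
if [ "$ENABLE_SCCACHE" = "1" ]; then
export RUSTC_WRAPPER=sccache \
CMAKE_C_COMPILER_LAUNCHER=sccache \
CMAKE_CXX_COMPILER_LAUNCHER=sccache \
CC="sccache cc" \
CXX="sccache c++" \
SCCACHE_IGNORE_SERVER_IO_ERROR=1 \
SCCACHE_SERVER_PORT \
SCCACHE_IDLE_TIMEOUT=0 \
SCCACHE_BUCKET=sccache \
SCCACHE_ENDPOINT=https://s3.erwanleboucher.dev \
SCCACHE_REGION=us-east-1 \
SCCACHE_S3_USE_SSL=true
# This file is sourced under `set -x` by the builder. xtrace prints each
# command *after* expansion, so `export KEY="$(cat secret)"` would write the
# key material into the build log. Tracing is switched off around the secret
# reads only, and restored afterwards if it was on.
case $- in *x*) _trace=1; set +x ;; *) _trace=0 ;; esac
# A missing secret file leaves the variable empty (cat reports to stderr);
# startup below then degrades to "continuing without cache".
export AWS_ACCESS_KEY_ID="$(cat /run/secrets/SCCACHE_AWS_ACCESS_KEY_ID)" \
AWS_SECRET_ACCESS_KEY="$(cat /run/secrets/SCCACHE_AWS_SECRET_ACCESS_KEY)"
if [ "$_trace" = 1 ]; then set -x; fi
unset _trace
if sccache --start-server; then
echo "sccache server started (wrapper=$RUSTC_WRAPPER port=$SCCACHE_SERVER_PORT)"
else
echo "sccache failed to start, continuing without cache" >&2
unset RUSTC_WRAPPER CMAKE_C_COMPILER_LAUNCHER CMAKE_CXX_COMPILER_LAUNCHER CC CXX
fi
fi
EOF
WORKDIR /app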
FROM chef AS planner
# Produces the cargo-chef dependency recipe. Nothing from this stage is shipped;
# only recipe.json is copied into the builder, so source changes here do not
# bust the builder's dependency layer unless the recipe itself changes.
COPY rust-toolchain.toml Cargo.toml Cargo.lock ./
COPY crates/ crates/
COPY src/ src/
RUN cargo chef prepare --recipe-path recipe.json
FROM chef AS builder
ARG TARGETARCH
# Opt-in remote compile cache; requires the two SCCACHE_AWS_* secrets to be
# passed at build time (the mounts below are required=false).
ARG ENABLE_SCCACHE=0
COPY rust-toolchain.toml ./
COPY --from=planner /app/recipe.json recipe.json
# Dependency-only build from the recipe, cached until the recipe changes.
# Caches are keyed by TARGETARCH so amd64/arm64 builds do not share a registry.
# `set -x` also traces the sourced build-env.sh, so that script must not
# expand secret values in traced commands.
RUN --mount=type=cache,target=/usr/local/cargo/registry,id=cargo-registry-${TARGETARCH},sharing=locked \
--mount=type=cache,target=/usr/local/cargo/git,id=cargo-git-${TARGETARCH},sharing=locked \
--mount=type=cache,target=/root/.cache,id=root-cache-${TARGETARCH},sharing=locked \
--mount=type=secret,id=SCCACHE_AWS_ACCESS_KEY_ID,required=false \
--mount=type=secret,id=SCCACHE_AWS_SECRET_ACCESS_KEY,required=false \
set -eux \
&& . /usr/local/lib/build-env.sh \
&& rustup target add "$RUST_TARGET" \
&& cargo chef cook --release --zigbuild --target "$RUST_TARGET" --package towonel-node --recipe-path recipe.json \
&& if [ "$ENABLE_SCCACHE" = "1" ]; then sccache --show-stats || true; fi
# Full source is copied only now, after the dependency layer.
COPY rust-toolchain.toml Cargo.toml Cargo.lock ./
COPY crates/ crates/
COPY src/ src/
# Cross-compiles the towonel-node package with zig as the linker and stages
# the binary under /out for the artifact and runtime stages.
RUN --mount=type=cache,target=/usr/local/cargo/registry,id=cargo-registry-${TARGETARCH},sharing=locked \
--mount=type=cache,target=/usr/local/cargo/git,id=cargo-git-${TARGETARCH},sharing=locked \
--mount=type=cache,target=/root/.cache,id=root-cache-${TARGETARCH},sharing=locked \
--mount=type=secret,id=SCCACHE_AWS_ACCESS_KEY_ID,required=false \
--mount=type=secret,id=SCCACHE_AWS_SECRET_ACCESS_KEY,required=false \
set -eux \
&& . /usr/local/lib/build-env.sh \
&& cargo zigbuild --release --target "$RUST_TARGET" -p towonel-node \
&& if [ "$ENABLE_SCCACHE" = "1" ]; then sccache --show-stats || true; fi \
&& mkdir -p /out \
&& cp "target/${RUST_TARGET}/release/towonel" /out/
# Bare-binary target (`--target artifact`) for exporting the executable on its
# own, e.g. with `--output type=local`; it is not meant to be run as an image.
FROM scratch AS artifact
COPY --from=builder /out/towonel /towonel
# Staging stage for the runtime image: creates the fixed-UID service account
# and the directories it owns, so the final stage can COPY them in with
# ownership already applied instead of running chown there.
FROM debian:bookworm-slim AS runtime-prep
COPY --from=builder /out/towonel /usr/local/bin/towonel
RUN groupadd --gid 10001 nonroot \
 && useradd --uid 10001 --gid 10001 --no-create-home --shell /sbin/nologin nonroot \
 && install -d --owner=10001 --group=10001 \
      /var/lib/towonel /etc/towonel /data /data/certs /home/nonroot
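FROM debian:bookworm-slim
# Runtime packages only: ca-certificates (outbound TLS trust), curl (the
# HEALTHCHECK below), libcap2-bin (setcap below), tini (PID 1 for ENTRYPOINT).
# NOTE(review): curl and libcap2-bin stay in the image only for the probe and
# the one-time setcap; a built-in health subcommand would let both be dropped.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      libcap2-bin \
      tini \
 && rm -rf /var/lib/apt/lists/*
# Per-build metadata is declared *after* the apt layer: an ARG influences the
# cache of every later RUN, so declaring these first re-ran apt-get whenever
# VERSION/REVISION/CREATED changed.
ARG VERSION=dev
ARG REVISION=unknown
ARG CREATED=
LABEL org.opencontainers.image.title="towonel" \
org.opencontainers.image.description="Towonel hub/edge node — Iroh-based tunnel control plane and data plane" \
org.opencontainers.image.source="https://codeberg.org/towonel/towonel" \
org.opencontainers.image.url="https://codeberg.org/towonel/towonel" \
org.opencontainers.image.documentation="https://codeberg.org/towonel/towonel/src/branch/main/README.md" \
org.opencontainers.image.licenses="MIT" \
org.opencontainers.image.authors="Erwan Leboucher <erwanleboucher@gmail.com>" \
org.opencontainers.image.vendor="Erwan Leboucher" \
org.opencontainers.image.version="${VERSION}" \
org.opencontainers.image.revision="${REVISION}" \
org.opencontainers.image.created="${CREATED}"
# Account database and pre-owned directories come from runtime-prep so UID/GID
# 10001 has passwd/group entries here and no chown layer is needed.
COPY --from=runtime-prep /etc/passwd /etc/passwd
COPY --from=runtime-prep /etc/group /etc/group
COPY --from=runtime-prep --chown=10001:10001 /var/lib/towonel /var/lib/towonel
COPY --from=runtime-prep --chown=10001:10001 /etc/towonel /etc/towonel
COPY --from=runtime-prep --chown=10001:10001 /data /data
COPY --from=runtime-prep --chown=10001:10001 /home/nonroot /home/nonroot
# The binary stays root-owned and non-writable by the service user.
COPY --from=runtime-prep /usr/local/bin/towonel /usr/local/bin/towonel
# File capability instead of root: lets the non-root process bind ports < 1024
# if it is configured to. NOTE(review): done in this stage rather than in
# runtime-prep, presumably because COPY may not carry the security.capability
# xattr across stages — confirm before moving it.
RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/towonel
WORKDIR /home/nonroot
USER 10001:10001
ENV TOWONEL_DATA_DIR=/data
# Documentation only (EXPOSE publishes nothing): the HTTPS port probed by the
# health check below. Any other listeners the node opens are not declared here.
EXPOSE 8443
# -k: the probe talks to loopback over TLS, presumably a self-issued cert, so
# verification is skipped for the local probe only; --max-time stays inside
# --timeout so curl, not the healthcheck runner, reports a hang.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
CMD curl --max-time 2 -fsSk https://localhost:8443/v1/health || exit 1
# tini reaps children and forwards signals; exec form keeps towonel unwrapped by a shell.
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/towonel"]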