# syntax=docker/dockerfile:1 # This file was generated using a Jinja2 template. # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. {% set rust_version = "1.72.0" %} {% set debian_version = "bookworm" %} {% set alpine_version = "3.17" %} {% set build_stage_base_image = "docker.io/library/rust:%s-%s" % (rust_version, debian_version) %} {% if "alpine" in target_file %} {% if "amd64" in target_file %} {% set build_stage_base_image = "docker.io/blackdex/rust-musl:x86_64-musl-stable-%s-openssl3" % rust_version %} {% set runtime_stage_base_image = "docker.io/library/alpine:%s" % alpine_version %} {% set package_arch_target = "x86_64-unknown-linux-musl" %} {% elif "armv7" in target_file %} {% set build_stage_base_image = "docker.io/blackdex/rust-musl:armv7-musleabihf-stable-%s-openssl3" % rust_version %} {% set runtime_stage_base_image = "docker.io/balenalib/armv7hf-alpine:%s" % alpine_version %} {% set package_arch_target = "armv7-unknown-linux-musleabihf" %} {% elif "armv6" in target_file %} {% set build_stage_base_image = "docker.io/blackdex/rust-musl:arm-musleabi-stable-%s-openssl3" % rust_version %} {% set runtime_stage_base_image = "docker.io/balenalib/rpi-alpine:%s" % alpine_version %} {% set package_arch_target = "arm-unknown-linux-musleabi" %} {% elif "arm64" in target_file %} {% set build_stage_base_image = "docker.io/blackdex/rust-musl:aarch64-musl-stable-%s-openssl3" % rust_version %} {% set runtime_stage_base_image = "docker.io/balenalib/aarch64-alpine:%s" % alpine_version %} {% set package_arch_target = "aarch64-unknown-linux-musl" %} {% endif %} {% elif "amd64" in target_file %} {% set runtime_stage_base_image = "docker.io/library/debian:%s-slim" % debian_version %} {% elif "arm64" in target_file %} {% set runtime_stage_base_image = "docker.io/balenalib/aarch64-debian:%s" % debian_version %} {% set package_arch_name = "arm64" %} {% set package_arch_target = "aarch64-unknown-linux-gnu" %} {% set package_cross_compiler = "aarch64-linux-gnu" %} {% elif "armv6" in target_file %} {% set runtime_stage_base_image = "docker.io/balenalib/rpi-debian:%s" % debian_version %} {% set package_arch_name = "armel" %} {% set package_arch_target = "arm-unknown-linux-gnueabi" %} {% set package_cross_compiler = "arm-linux-gnueabi" %} {% elif "armv7" in target_file %} {% set runtime_stage_base_image = "docker.io/balenalib/armv7hf-debian:%s" % debian_version %} {% set package_arch_name = "armhf" %} {% set package_arch_target = "armv7-unknown-linux-gnueabihf" %} {% set package_cross_compiler = "arm-linux-gnueabihf" %} {% endif %} {% if package_arch_name is defined %} {% set package_arch_prefix = ":" + package_arch_name %} {% else %} {% set package_arch_prefix = "" %} {% endif %} {% if package_arch_target is defined %} {% set package_arch_target_param = " --target=" + package_arch_target %} {% else %} {% set package_arch_target_param = "" %} {% endif %} {% if "buildkit" in target_file %} {% set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %} {% else %} {% set mount_rust_cache = "" %} {% endif %} # Using multistage build: # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ ####################### VAULT BUILD IMAGE ####################### {% set vault_version = "v2023.7.1" %} {% set vault_image_digest = "sha256:b306f38fe0d54fa3d79059a737f8e1803da44ddc5f273c2aecdd6a4886211b0f" %} # The web-vault digest specifies a particular web-vault build on Docker Hub. # Using the digest instead of the tag name provides better security, # as the digest of an image is immutable, whereas a tag name can later # be changed to point to a malicious image. # # To verify the current digest for a given tag name: # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, # click the tag name to view the digest of the image it currently points to. # - From the command line: # $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version }} # $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version }} # [docker.io/vaultwarden/web-vault@{{ vault_image_digest }}] # # - Conversely, to get the tag name from the digest: # $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }} # [docker.io/vaultwarden/web-vault:{{ vault_version }}] # FROM docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault ########################## BUILD IMAGE ########################## FROM {{ build_stage_base_image }} as build # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ TZ=UTC \ TERM=xterm-256color \ CARGO_HOME="/root/.cargo" \ REGISTRIES_CRATES_IO_PROTOCOL=sparse \ USER="root" # Create CARGO_HOME folder and don't download rust docs RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal {% if "alpine" in target_file %} # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 # Debian Bookworm already contains libpq v15 ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" {% if "armv6" in target_file %} # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic ENV RUSTFLAGS='-Clink-arg=-latomic' {% endif %} {% elif "arm" in target_file %} # Install build dependencies for the {{ package_arch_name }} architecture RUN {{ mount_rust_cache -}} dpkg --add-architecture {{ package_arch_name }} \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ gcc-{{ package_cross_compiler }} \ libc6-dev{{ package_arch_prefix }} \ libmariadb-dev{{ package_arch_prefix }} \ libmariadb-dev-compat{{ package_arch_prefix }} \ libmariadb3{{ package_arch_prefix }} \ libpq-dev{{ package_arch_prefix }} \ libpq5{{ package_arch_prefix }} \ libssl-dev{{ package_arch_prefix }} \ # # Make sure cargo has the right target config && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \ && echo 'linker = "{{ package_cross_compiler }}-gcc"' >> "${CARGO_HOME}/config" \ && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> "${CARGO_HOME}/config" # Set arm specific environment values ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc" \ CROSS_COMPILE="1" \ OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \ OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}" {% elif "amd64" in target_file %} # Install build dependencies RUN apt-get update \ && apt-get install -y \ --no-install-recommends \ libmariadb-dev \ libpq-dev {% endif %} # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app # Copies over *only* your manifests and build files COPY ./Cargo.* ./ COPY ./rust-toolchain ./rust-toolchain COPY ./build.rs ./build.rs {% if package_arch_target is defined %} RUN {{ mount_rust_cache -}} rustup target add {{ package_arch_target }} {% endif %} # Configure the DB ARG as late as possible to not invalidate the cached layers above {% if "alpine" in target_file %} # Enable MiMalloc to improve performance on Alpine builds ARG DB=sqlite,mysql,postgresql,enable_mimalloc {% else %} ARG DB=sqlite,mysql,postgresql {% endif %} # Builds your dependencies and removes the # dummy project, except the target folder # This folder contains the compiled dependencies RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} \ && find . -not -path "./target*" -delete # Copies the complete project # To avoid copying unneeded files, use .dockerignore COPY . . # Make sure that we actually build the project RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built FROM {{ runtime_stage_base_image }} ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 {%- if "alpine" in runtime_stage_base_image %} \ SSL_CERT_DIR=/etc/ssl/certs {% endif %} {% if "amd64" not in target_file %} RUN [ "cross-build-start" ] {% endif %} # Create data folder and Install needed libraries RUN mkdir /data \ {% if "alpine" in runtime_stage_base_image %} && apk add --no-cache \ ca-certificates \ curl \ openssl \ tzdata {% else %} && apt-get update && apt-get install -y \ --no-install-recommends \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* {% endif %} {% if "amd64" not in target_file %} RUN [ "cross-build-end" ] {% endif %} VOLUME /data EXPOSE 80 EXPOSE 3012 # Copies the files from the context (Rocket.toml file and web-vault) # and the binary from the "build" stage to the current stage WORKDIR / COPY --from=vault /web-vault ./web-vault {% if package_arch_target is defined %} COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden . {% else %} COPY --from=build /app/target/release/vaultwarden . {% endif %} COPY docker/healthcheck.sh /healthcheck.sh COPY docker/start.sh /start.sh HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] CMD ["/start.sh"]