From 2c6bd8c9dc67d3e0208e1873d8bf3fef6d8f9aa3 Mon Sep 17 00:00:00 2001 From: Jeremy Lin Date: Sun, 22 Jan 2023 01:01:02 -0800 Subject: [PATCH 1/3] Rename `.buildx` Dockerfiles to `.buildkit` This is a more accurate name, since these Dockerfiles require BuildKit, not Buildx. --- .github/workflows/release.yml | 5 ++++- docker/Dockerfile.j2 | 2 +- docker/Makefile | 4 ++-- docker/amd64/{Dockerfile.buildx => Dockerfile.buildkit} | 0 ...{Dockerfile.buildx.alpine => Dockerfile.buildkit.alpine} | 0 docker/arm64/{Dockerfile.buildx => Dockerfile.buildkit} | 0 ...{Dockerfile.buildx.alpine => Dockerfile.buildkit.alpine} | 0 docker/armv6/{Dockerfile.buildx => Dockerfile.buildkit} | 0 ...{Dockerfile.buildx.alpine => Dockerfile.buildkit.alpine} | 0 docker/armv7/{Dockerfile.buildx => Dockerfile.buildkit} | 0 ...{Dockerfile.buildx.alpine => Dockerfile.buildkit.alpine} | 0 hooks/build | 6 +++--- 12 files changed, 10 insertions(+), 7 deletions(-) rename docker/amd64/{Dockerfile.buildx => Dockerfile.buildkit} (100%) rename docker/amd64/{Dockerfile.buildx.alpine => Dockerfile.buildkit.alpine} (100%) rename docker/arm64/{Dockerfile.buildx => Dockerfile.buildkit} (100%) rename docker/arm64/{Dockerfile.buildx.alpine => Dockerfile.buildkit.alpine} (100%) rename docker/armv6/{Dockerfile.buildx => Dockerfile.buildkit} (100%) rename docker/armv6/{Dockerfile.buildx.alpine => Dockerfile.buildkit.alpine} (100%) rename docker/armv7/{Dockerfile.buildx => Dockerfile.buildkit} (100%) rename docker/armv7/{Dockerfile.buildx.alpine => Dockerfile.buildkit.alpine} (100%) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b3690ceb..32f6abc0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -48,7 +48,10 @@ jobs: ports: - 5000:5000 env: - DOCKER_BUILDKIT: 1 # Disabled for now, but we should look at this because it will speedup building! + # Use BuildKit (https://docs.docker.com/build/buildkit/) for better + # build performance and the ability to copy extended file attributes + # (e.g., for executable capabilities) across build phases. + DOCKER_BUILDKIT: 1 # DOCKER_REPO/secrets.DOCKERHUB_REPO needs to be 'index.docker.io//' DOCKER_REPO: ${{ secrets.DOCKERHUB_REPO }} SOURCE_COMMIT: ${{ github.sha }} diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 index 82e8527f..095c295a 100644 --- a/docker/Dockerfile.j2 +++ b/docker/Dockerfile.j2 @@ -50,7 +50,7 @@ {% else %} {% set package_arch_target_param = "" %} {% endif %} -{% if "buildx" in target_file %} +{% if "buildkit" in target_file %} {% set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %} {% else %} {% set mount_rust_cache = "" %} diff --git a/docker/Makefile b/docker/Makefile index 8c939cba..d7c0ab80 100644 --- a/docker/Makefile +++ b/docker/Makefile @@ -8,8 +8,8 @@ all: $(OBJECTS) %/Dockerfile.alpine: Dockerfile.j2 render_template ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" -%/Dockerfile.buildx: Dockerfile.j2 render_template +%/Dockerfile.buildkit: Dockerfile.j2 render_template ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" -%/Dockerfile.buildx.alpine: Dockerfile.j2 render_template +%/Dockerfile.buildkit.alpine: Dockerfile.j2 render_template ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" diff --git a/docker/amd64/Dockerfile.buildx b/docker/amd64/Dockerfile.buildkit similarity index 100% rename from docker/amd64/Dockerfile.buildx rename to docker/amd64/Dockerfile.buildkit diff --git a/docker/amd64/Dockerfile.buildx.alpine b/docker/amd64/Dockerfile.buildkit.alpine similarity index 100% rename from docker/amd64/Dockerfile.buildx.alpine rename to docker/amd64/Dockerfile.buildkit.alpine 
diff --git a/docker/arm64/Dockerfile.buildx b/docker/arm64/Dockerfile.buildkit similarity index 100% rename from docker/arm64/Dockerfile.buildx rename to docker/arm64/Dockerfile.buildkit diff --git a/docker/arm64/Dockerfile.buildx.alpine b/docker/arm64/Dockerfile.buildkit.alpine similarity index 100% rename from docker/arm64/Dockerfile.buildx.alpine rename to docker/arm64/Dockerfile.buildkit.alpine diff --git a/docker/armv6/Dockerfile.buildx b/docker/armv6/Dockerfile.buildkit similarity index 100% rename from docker/armv6/Dockerfile.buildx rename to docker/armv6/Dockerfile.buildkit diff --git a/docker/armv6/Dockerfile.buildx.alpine b/docker/armv6/Dockerfile.buildkit.alpine similarity index 100% rename from docker/armv6/Dockerfile.buildx.alpine rename to docker/armv6/Dockerfile.buildkit.alpine diff --git a/docker/armv7/Dockerfile.buildx b/docker/armv7/Dockerfile.buildkit similarity index 100% rename from docker/armv7/Dockerfile.buildx rename to docker/armv7/Dockerfile.buildkit diff --git a/docker/armv7/Dockerfile.buildx.alpine b/docker/armv7/Dockerfile.buildkit.alpine similarity index 100% rename from docker/armv7/Dockerfile.buildx.alpine rename to docker/armv7/Dockerfile.buildkit.alpine diff --git a/hooks/build b/hooks/build index 96f04d15..223b4153 100755 --- a/hooks/build +++ b/hooks/build @@ -34,9 +34,9 @@ for label in "${LABELS[@]}"; do LABEL_ARGS+=(--label "${label}") done -# Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildx as template +# Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildkit as template if [[ -n "${DOCKER_BUILDKIT}" ]]; then - buildx_suffix=.buildx + buildkit_suffix=.buildkit fi set -ex @@ -45,6 +45,6 @@ for arch in "${arches[@]}"; do docker build \ "${LABEL_ARGS[@]}" \ -t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \ - -f docker/${arch}/Dockerfile${buildx_suffix}${distro_suffix} \ + -f docker/${arch}/Dockerfile${buildkit_suffix}${distro_suffix} \ . done 
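Review bot: The `-n` test in `hooks/build` treats any non-empty `DOCKER_BUILDKIT` as "BuildKit on", so `DOCKER_BUILDKIT=0` (the documented way to force the legacy builder) would still select `Dockerfile.buildkit`, whose `RUN --mount=type=cache` lines (rendered when `"buildkit" in target_file`, per the template change in this patch) the legacy builder cannot parse. Test for the enabling value instead: `if [[ "${DOCKER_BUILDKIT:-0}" == "1" ]]; then`. That also matches the `DOCKER_BUILDKIT: 1` this series sets in release.yml, and keeps a later `setcap`-dependent image from being picked with a builder that cannot build it. The enclosing script starts before this hunk and its `docker build` loop continues into the next one.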
From 686474f81505b0b7aae323669809dd86f6186427 Mon Sep 17 00:00:00 2001 From: Jeremy Lin Date: Sun, 22 Jan 2023 01:21:52 -0800 Subject: [PATCH 2/3] Disable Hadolint check for consecutive `RUN` instructions (DL3059) This check doesn't seem to add enough value to justify the difficulties it tends to create when generating `RUN` instructions from a template. --- .hadolint.yaml | 2 ++ docker/Dockerfile.j2 | 5 ----- docker/amd64/Dockerfile | 1 - docker/amd64/Dockerfile.alpine | 1 - docker/amd64/Dockerfile.buildkit | 1 - docker/amd64/Dockerfile.buildkit.alpine | 1 - docker/arm64/Dockerfile | 4 ---- docker/arm64/Dockerfile.alpine | 3 --- docker/arm64/Dockerfile.buildkit | 4 ---- docker/arm64/Dockerfile.buildkit.alpine | 3 --- docker/armv6/Dockerfile | 5 ----- docker/armv6/Dockerfile.alpine | 3 --- docker/armv6/Dockerfile.buildkit | 5 ----- docker/armv6/Dockerfile.buildkit.alpine | 3 --- docker/armv7/Dockerfile | 4 ---- docker/armv7/Dockerfile.alpine | 3 --- docker/armv7/Dockerfile.buildkit | 4 ---- docker/armv7/Dockerfile.buildkit.alpine | 3 --- 18 files changed, 2 insertions(+), 53 deletions(-) diff --git a/.hadolint.yaml b/.hadolint.yaml index f1c324b8..1c305f9d 100644 --- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -3,5 +3,7 @@ ignored: - DL3008 # disable explicit version for apk install - DL3018 + # disable check for consecutive `RUN` instructions + - DL3059 trustedRegistries: - docker.io diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 index 095c295a..8c5157f4 100644 --- a/docker/Dockerfile.j2 +++ b/docker/Dockerfile.j2 @@ -106,7 +106,6 @@ ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/{{ package_arch_target }}/lib/libatomi {% elif "arm" in target_file %} # # Install required build libs for {{ package_arch_name }} architecture. -# hadolint ignore=DL3059 RUN dpkg --add-architecture {{ package_arch_name }} \ && apt-get update \ && apt-get install -y \ 
@@ -178,7 +177,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} ######################## RUNTIME IMAGE ######################## @@ -195,7 +193,6 @@ ENV ROCKET_PROFILE="release" \ {% if "amd64" not in target_file %} -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] {% endif %} @@ -222,13 +219,11 @@ RUN mkdir /data \ {% if "armv6" in target_file and "alpine" not in target_file %} # In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. # This symlink was there in the buster images, and for some reason this is needed. -# hadolint ignore=DL3059 RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 {% endif -%} {% if "amd64" not in target_file %} -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] {% endif %} diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile index 09b959dd..281146f7 100644 --- a/docker/amd64/Dockerfile +++ b/docker/amd64/Dockerfile @@ -81,7 +81,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release ######################## RUNTIME IMAGE ######################## diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine index eba7a10f..6dd624b6 100644 --- a/docker/amd64/Dockerfile.alpine +++ b/docker/amd64/Dockerfile.alpine @@ -75,7 +75,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl ######################## RUNTIME IMAGE ######################## diff --git a/docker/amd64/Dockerfile.buildkit b/docker/amd64/Dockerfile.buildkit index ae841026..12e85211 100644 --- a/docker/amd64/Dockerfile.buildkit +++ b/docker/amd64/Dockerfile.buildkit 
@@ -81,7 +81,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release ######################## RUNTIME IMAGE ######################## diff --git a/docker/amd64/Dockerfile.buildkit.alpine b/docker/amd64/Dockerfile.buildkit.alpine index e1a1de9b..ba45c39b 100644 --- a/docker/amd64/Dockerfile.buildkit.alpine +++ b/docker/amd64/Dockerfile.buildkit.alpine @@ -75,7 +75,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl ######################## RUNTIME IMAGE ######################## diff --git a/docker/arm64/Dockerfile b/docker/arm64/Dockerfile index eabadb47..093afadd 100644 --- a/docker/arm64/Dockerfile +++ b/docker/arm64/Dockerfile @@ -46,7 +46,6 @@ RUN mkdir -pv "${CARGO_HOME}" \ # # Install required build libs for arm64 architecture. -# hadolint ignore=DL3059 RUN dpkg --add-architecture arm64 \ && apt-get update \ && apt-get install -y \ @@ -101,7 +100,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu ######################## RUNTIME IMAGE ######################## @@ -113,7 +111,6 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -128,7 +125,6 @@ RUN mkdir /data \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data 
diff --git a/docker/arm64/Dockerfile.alpine b/docker/arm64/Dockerfile.alpine index f880d8ec..83bf0745 100644 --- a/docker/arm64/Dockerfile.alpine +++ b/docker/arm64/Dockerfile.alpine @@ -75,7 +75,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl ######################## RUNTIME IMAGE ######################## @@ -89,7 +88,6 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -100,7 +98,6 @@ RUN mkdir /data \ curl \ ca-certificates -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/arm64/Dockerfile.buildkit b/docker/arm64/Dockerfile.buildkit index dc5620e4..cdabd35c 100644 --- a/docker/arm64/Dockerfile.buildkit +++ b/docker/arm64/Dockerfile.buildkit @@ -46,7 +46,6 @@ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/. # # Install required build libs for arm64 architecture. -# hadolint ignore=DL3059 RUN dpkg --add-architecture arm64 \ && apt-get update \ && apt-get install -y \ @@ -101,7 +100,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu ######################## RUNTIME IMAGE ######################## @@ -113,7 +111,6 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -128,7 +125,6 @@ RUN mkdir /data \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data 
diff --git a/docker/arm64/Dockerfile.buildkit.alpine b/docker/arm64/Dockerfile.buildkit.alpine index b8fc36c1..837a7a39 100644 --- a/docker/arm64/Dockerfile.buildkit.alpine +++ b/docker/arm64/Dockerfile.buildkit.alpine @@ -75,7 +75,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl ######################## RUNTIME IMAGE ######################## @@ -89,7 +88,6 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -100,7 +98,6 @@ RUN mkdir /data \ curl \ ca-certificates -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv6/Dockerfile b/docker/armv6/Dockerfile index 7ddbdee8..84baa7b6 100644 --- a/docker/armv6/Dockerfile +++ b/docker/armv6/Dockerfile @@ -46,7 +46,6 @@ RUN mkdir -pv "${CARGO_HOME}" \ # # Install required build libs for armel architecture. -# hadolint ignore=DL3059 RUN dpkg --add-architecture armel \ && apt-get update \ && apt-get install -y \ @@ -101,7 +100,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi ######################## RUNTIME IMAGE ######################## @@ -113,7 +111,6 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries 
@@ -130,10 +127,8 @@ RUN mkdir /data \ # In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. # This symlink was there in the buster images, and for some reason this is needed. -# hadolint ignore=DL3059 RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv6/Dockerfile.alpine b/docker/armv6/Dockerfile.alpine index 65bb552b..1f969d7c 100644 --- a/docker/armv6/Dockerfile.alpine +++ b/docker/armv6/Dockerfile.alpine @@ -77,7 +77,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi ######################## RUNTIME IMAGE ######################## @@ -91,7 +90,6 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -102,7 +100,6 @@ RUN mkdir /data \ curl \ ca-certificates -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv6/Dockerfile.buildkit b/docker/armv6/Dockerfile.buildkit index 7b9aab8a..1e33a25f 100644 --- a/docker/armv6/Dockerfile.buildkit +++ b/docker/armv6/Dockerfile.buildkit @@ -46,7 +46,6 @@ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/. # # Install required build libs for armel architecture. -# hadolint ignore=DL3059 RUN dpkg --add-architecture armel \ && apt-get update \ && apt-get install -y \ @@ -101,7 +100,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi ######################## RUNTIME IMAGE ######################## 
@@ -113,7 +111,6 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -130,10 +127,8 @@ RUN mkdir /data \ # In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. # This symlink was there in the buster images, and for some reason this is needed. -# hadolint ignore=DL3059 RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv6/Dockerfile.buildkit.alpine b/docker/armv6/Dockerfile.buildkit.alpine index 4bced53d..d0f5cfbe 100644 --- a/docker/armv6/Dockerfile.buildkit.alpine +++ b/docker/armv6/Dockerfile.buildkit.alpine @@ -77,7 +77,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi ######################## RUNTIME IMAGE ######################## @@ -91,7 +90,6 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -102,7 +100,6 @@ RUN mkdir /data \ curl \ ca-certificates -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv7/Dockerfile b/docker/armv7/Dockerfile index bcbf946c..8df12612 100644 --- a/docker/armv7/Dockerfile +++ b/docker/armv7/Dockerfile @@ -46,7 +46,6 @@ RUN mkdir -pv "${CARGO_HOME}" \ # # Install required build libs for armhf architecture. -# hadolint ignore=DL3059 RUN dpkg --add-architecture armhf \ && apt-get update \ && apt-get install -y \ 
@@ -101,7 +100,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf ######################## RUNTIME IMAGE ######################## @@ -113,7 +111,6 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -128,7 +125,6 @@ RUN mkdir /data \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine index 6d14ae34..1872e54e 100644 --- a/docker/armv7/Dockerfile.alpine +++ b/docker/armv7/Dockerfile.alpine @@ -75,7 +75,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf ######################## RUNTIME IMAGE ######################## @@ -89,7 +88,6 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -100,7 +98,6 @@ RUN mkdir /data \ curl \ ca-certificates -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv7/Dockerfile.buildkit b/docker/armv7/Dockerfile.buildkit index 0084526b..4ff8364a 100644 --- a/docker/armv7/Dockerfile.buildkit +++ b/docker/armv7/Dockerfile.buildkit @@ -46,7 +46,6 @@ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/. # # Install required build libs for armhf architecture. -# hadolint ignore=DL3059 RUN dpkg --add-architecture armhf \ && apt-get update \ && apt-get install -y \ 
@@ -101,7 +100,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf ######################## RUNTIME IMAGE ######################## @@ -113,7 +111,6 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -128,7 +125,6 @@ RUN mkdir /data \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv7/Dockerfile.buildkit.alpine b/docker/armv7/Dockerfile.buildkit.alpine index d29465bb..2fc23849 100644 --- a/docker/armv7/Dockerfile.buildkit.alpine +++ b/docker/armv7/Dockerfile.buildkit.alpine @@ -75,7 +75,6 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf ######################## RUNTIME IMAGE ######################## @@ -89,7 +88,6 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries @@ -100,7 +98,6 @@ RUN mkdir /data \ curl \ ca-certificates -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data From a2162f4d69eda9f836497ef137cbc3c2d00cd86b Mon Sep 17 00:00:00 2001 
From: Jeremy Lin Date: Wed, 18 Jan 2023 21:50:29 -0800 Subject: [PATCH 3/3] Allow listening on privileged ports (below 1024) as non-root This is done by running `setcap cap_net_bind_service=+ep` on the executable in the build stage (doing it in the runtime stage creates an extra copy of the executable that bloats the image). This only works when using the BuildKit-based builder, since the `COPY` instruction doesn't copy capabilities on the legacy builder. --- docker/Dockerfile.j2 | 47 ++++++++++++++----------- docker/amd64/Dockerfile | 13 +++---- docker/amd64/Dockerfile.alpine | 10 +++--- docker/amd64/Dockerfile.buildkit | 18 +++++----- docker/amd64/Dockerfile.buildkit.alpine | 15 ++++---- docker/arm64/Dockerfile | 21 +++++------ docker/arm64/Dockerfile.alpine | 10 +++--- docker/arm64/Dockerfile.buildkit | 26 +++++++------- docker/arm64/Dockerfile.buildkit.alpine | 15 ++++---- docker/armv6/Dockerfile | 21 +++++------ docker/armv6/Dockerfile.alpine | 10 +++--- docker/armv6/Dockerfile.buildkit | 26 +++++++------- docker/armv6/Dockerfile.buildkit.alpine | 15 ++++---- docker/armv7/Dockerfile | 21 +++++------ docker/armv7/Dockerfile.alpine | 10 +++--- docker/armv7/Dockerfile.buildkit | 26 +++++++------- docker/armv7/Dockerfile.buildkit.alpine | 15 ++++---- 17 files changed, 163 insertions(+), 156 deletions(-) diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 index 8c5157f4..22acfdf4 100644 --- a/docker/Dockerfile.j2 +++ b/docker/Dockerfile.j2 @@ -83,8 +83,6 @@ FROM vaultwarden/web-vault@{{ vault_image_digest }} as vault ########################## BUILD IMAGE ########################## FROM {{ build_stage_base_image }} as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ 
@@ -93,7 +91,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -104,20 +101,20 @@ RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/{{ package_arch_target }}/lib/libatomic.a' {% endif %} {% elif "arm" in target_file %} -# -# Install required build libs for {{ package_arch_name }} architecture. +# Install build dependencies for the {{ package_arch_name }} architecture RUN dpkg --add-architecture {{ package_arch_name }} \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev{{ package_arch_prefix }} \ + gcc-{{ package_cross_compiler }} \ libc6-dev{{ package_arch_prefix }} \ - libpq5{{ package_arch_prefix }} \ - libpq-dev{{ package_arch_prefix }} \ - libmariadb3{{ package_arch_prefix }} \ + libcap2-bin \ libmariadb-dev{{ package_arch_prefix }} \ libmariadb-dev-compat{{ package_arch_prefix }} \ - gcc-{{ package_cross_compiler }} \ + libmariadb3{{ package_arch_prefix }} \ + libpq-dev{{ package_arch_prefix }} \ + libpq5{{ package_arch_prefix }} \ + libssl-dev{{ package_arch_prefix }} \ # # Make sure cargo has the right target config && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \ 
@@ -129,16 +126,14 @@ ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_ CROSS_COMPILE="1" \ OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \ OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}" - {% elif "amd64" in target_file %} -# Install DB packages +# Install build dependencies RUN apt-get update \ && apt-get install -y \ --no-install-recommends \ - libmariadb-dev{{ package_arch_prefix }} \ - libpq-dev{{ package_arch_prefix }} \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* + libcap2-bin \ + libmariadb-dev \ + libpq-dev {% endif %} # Creates a dummy project used to grab dependencies @@ -179,6 +174,18 @@ RUN touch src/main.rs # your actual source files being built RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} +{% if "buildkit" in target_file %} +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +{% if package_arch_target is defined %} +RUN setcap cap_net_bind_service=+ep target/{{ package_arch_target }}/release/vaultwarden +{% else %} +RUN setcap cap_net_bind_service=+ep target/release/vaultwarden +{% endif %} +{% endif %} + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -200,18 +207,18 @@ RUN [ "cross-build-start" ] RUN mkdir /data \ {% if "alpine" in runtime_stage_base_image %} && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata {% else %} && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* {% endif %} 
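Review bot: The `RUN setcap cap_net_bind_service=+ep` added under `{% if "buildkit" in target_file %}` only works if the capability is honoured at run time, which is a runtime-configuration question the comment does not mention: the kernel ignores file capabilities on execve when the process has `no_new_privs` set (Docker's `--security-opt no-new-privileges`) or when the capability is absent from the container's bounding set (`--cap-drop ALL`). In those deployments a non-root user will still fail to bind the `ROCKET_PORT=80` default seen in the runtime-stage context of this series, and nothing in the build will flag it, since `setcap` itself succeeds. I would extend the comment next to the `RUN setcap` line with something like `# NOTE: file capabilities are ignored if the container runs with no-new-privileges or with CAP_NET_BIND_SERVICE dropped from its bounding set; run as root or use a port >= 1024 in that case.` The `setcap` exit status already fails the build if the build filesystem cannot store the xattr, so no extra check is needed there.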
diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile index 281146f7..00983f50 100644 --- a/docker/amd64/Dockerfile +++ b/docker/amd64/Dockerfile @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,19 +37,17 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# Install DB packages +# Install build dependencies RUN apt-get update \ && apt-get install -y \ --no-install-recommends \ + libcap2-bin \ libmariadb-dev \ - libpq-dev \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* + libpq-dev # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app @@ -83,6 +79,7 @@ RUN touch src/main.rs # your actual source files being built RUN cargo build --features ${DB} --release + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -97,11 +94,11 @@ ENV ROCKET_PROFILE="release" \ RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine index 6dd624b6..cb38bf8b 100644 --- a/docker/amd64/Dockerfile.alpine +++ b/docker/amd64/Dockerfile.alpine 
@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -77,6 +74,7 @@ RUN touch src/main.rs # your actual source files being built RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -92,10 +90,10 @@ ENV ROCKET_PROFILE="release" \ # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata VOLUME /data diff --git a/docker/amd64/Dockerfile.buildkit b/docker/amd64/Dockerfile.buildkit index 12e85211..8330958e 100644 --- a/docker/amd64/Dockerfile.buildkit +++ b/docker/amd64/Dockerfile.buildkit @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ 
@@ -39,19 +37,17 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# Install DB packages +# Install build dependencies RUN apt-get update \ && apt-get install -y \ --no-install-recommends \ + libcap2-bin \ libmariadb-dev \ - libpq-dev \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* + libpq-dev # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app @@ -83,6 +79,12 @@ RUN touch src/main.rs # your actual source files being built RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/release/vaultwarden + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -97,11 +99,11 @@ ENV ROCKET_PROFILE="release" \ RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/amd64/Dockerfile.buildkit.alpine b/docker/amd64/Dockerfile.buildkit.alpine index ba45c39b..eb551e03 100644 --- a/docker/amd64/Dockerfile.buildkit.alpine +++ b/docker/amd64/Dockerfile.buildkit.alpine 
@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -77,6 +74,12 @@ RUN touch src/main.rs # your actual source files being built RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/x86_64-unknown-linux-musl/release/vaultwarden + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -92,10 +95,10 @@ ENV ROCKET_PROFILE="release" \ # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata VOLUME /data diff --git a/docker/arm64/Dockerfile b/docker/arm64/Dockerfile index 093afadd..0087b8ea 100644 --- a/docker/arm64/Dockerfile +++ b/docker/arm64/Dockerfile 
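Review bot: The added `RUN setcap cap_net_bind_service=+ep target/x86_64-unknown-linux-musl/release/vaultwarden` in this musl build stage has no matching package install, whereas the Debian `Dockerfile.buildkit` variants add `libcap2-bin` in the same commit; if the `blackdex/rust-musl` build image does not already ship `setcap`, this step fails at build time. Either confirm the base image provides it or install it in this stage (the surrounding "avoid dpkg warnings" remark suggests the image is Debian-based, in which case `libcap2-bin` would be the candidate). The same applies to the arm64, armv6 and armv7 `Dockerfile.buildkit.alpine` hunks.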
@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for arm64 architecture. +# Install build dependencies for the arm64 architecture RUN dpkg --add-architecture arm64 \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:arm64 \ + gcc-aarch64-linux-gnu \ libc6-dev:arm64 \ - libpq5:arm64 \ - libpq-dev:arm64 \ - libmariadb3:arm64 \ + libcap2-bin \ libmariadb-dev:arm64 \ libmariadb-dev-compat:arm64 \ - gcc-aarch64-linux-gnu \ + libmariadb3:arm64 \ + libpq-dev:arm64 \ + libpq5:arm64 \ + libssl-dev:arm64 \ # # Make sure cargo has the right target config && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ @@ -70,7 +67,6 @@ ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app @@ -102,6 +98,7 @@ RUN touch src/main.rs # your actual source files being built RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built 
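Review bot: `libcap2-bin` is added to the build dependencies of this legacy-builder `Dockerfile`, but no `setcap` call follows in the hunks shown — the later hunk at the `cargo build` step only inserts a blank line where the BuildKit variant inserts the `setcap` step — so the package is installed without being used, presumably because the dependency list comes from a shared template. If that is intentional, a short comment such as `# libcap2-bin is only needed by the BuildKit variant` next to it would stop the next reader from treating it as a missing step; otherwise drop it from this variant. The same applies to the armv6 and armv7 `Dockerfile` hunks.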
@@ -117,11 +114,11 @@ RUN [ "cross-build-start" ] RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/arm64/Dockerfile.alpine b/docker/arm64/Dockerfile.alpine index 83bf0745..139d1a31 100644 --- a/docker/arm64/Dockerfile.alpine +++ b/docker/arm64/Dockerfile.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -77,6 +74,7 @@ RUN touch src/main.rs # your actual source files being built RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -93,10 +91,10 @@ RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata RUN [ "cross-build-end" ] diff --git a/docker/arm64/Dockerfile.buildkit b/docker/arm64/Dockerfile.buildkit index cdabd35c..e1f1e0d2 100644 --- a/docker/arm64/Dockerfile.buildkit +++ b/docker/arm64/Dockerfile.buildkit 
@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for arm64 architecture. +# Install build dependencies for the arm64 architecture RUN dpkg --add-architecture arm64 \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:arm64 \ + gcc-aarch64-linux-gnu \ libc6-dev:arm64 \ - libpq5:arm64 \ - libpq-dev:arm64 \ - libmariadb3:arm64 \ + libcap2-bin \ libmariadb-dev:arm64 \ libmariadb-dev-compat:arm64 \ - gcc-aarch64-linux-gnu \ + libmariadb3:arm64 \ + libpq-dev:arm64 \ + libpq5:arm64 \ + libssl-dev:arm64 \ # # Make sure cargo has the right target config && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ @@ -70,7 +67,6 @@ ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app 
@@ -102,6 +98,12 @@ RUN touch src/main.rs # your actual source files being built RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/aarch64-unknown-linux-gnu/release/vaultwarden + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -117,11 +119,11 @@ RUN [ "cross-build-start" ] RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/arm64/Dockerfile.buildkit.alpine b/docker/arm64/Dockerfile.buildkit.alpine index 837a7a39..26d75edc 100644 --- a/docker/arm64/Dockerfile.buildkit.alpine +++ b/docker/arm64/Dockerfile.buildkit.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal 
@@ -77,6 +74,12 @@ RUN touch src/main.rs # your actual source files being built RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/aarch64-unknown-linux-musl/release/vaultwarden + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -93,10 +96,10 @@ RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata RUN [ "cross-build-end" ] diff --git a/docker/armv6/Dockerfile b/docker/armv6/Dockerfile index 84baa7b6..f90e5c07 100644 --- a/docker/armv6/Dockerfile +++ b/docker/armv6/Dockerfile @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ 
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for armel architecture. +# Install build dependencies for the armel architecture RUN dpkg --add-architecture armel \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:armel \ + gcc-arm-linux-gnueabi \ libc6-dev:armel \ - libpq5:armel \ - libpq-dev:armel \ - libmariadb3:armel \ + libcap2-bin \ libmariadb-dev:armel \ libmariadb-dev-compat:armel \ - gcc-arm-linux-gnueabi \ + libmariadb3:armel \ + libpq-dev:armel \ + libpq5:armel \ + libssl-dev:armel \ # # Make sure cargo has the right target config && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ @@ -70,7 +67,6 @@ ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app @@ -102,6 +98,7 @@ RUN touch src/main.rs # your actual source files being built RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -117,11 +114,11 @@ RUN [ "cross-build-start" ] RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/armv6/Dockerfile.alpine b/docker/armv6/Dockerfile.alpine index 1f969d7c..129f0216 100644 --- a/docker/armv6/Dockerfile.alpine +++ b/docker/armv6/Dockerfile.alpine 
@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -79,6 +76,7 @@ RUN touch src/main.rs # your actual source files being built RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -95,10 +93,10 @@ RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata RUN [ "cross-build-end" ] diff --git a/docker/armv6/Dockerfile.buildkit b/docker/armv6/Dockerfile.buildkit index 1e33a25f..4fa86cfa 100644 --- a/docker/armv6/Dockerfile.buildkit +++ b/docker/armv6/Dockerfile.buildkit @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ 
@@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for armel architecture. +# Install build dependencies for the armel architecture RUN dpkg --add-architecture armel \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:armel \ + gcc-arm-linux-gnueabi \ libc6-dev:armel \ - libpq5:armel \ - libpq-dev:armel \ - libmariadb3:armel \ + libcap2-bin \ libmariadb-dev:armel \ libmariadb-dev-compat:armel \ - gcc-arm-linux-gnueabi \ + libmariadb3:armel \ + libpq-dev:armel \ + libpq5:armel \ + libssl-dev:armel \ # # Make sure cargo has the right target config && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ @@ -70,7 +67,6 @@ ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app @@ -102,6 +98,12 @@ RUN touch src/main.rs # your actual source files being built RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-gnueabi/release/vaultwarden + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built 
@@ -117,11 +119,11 @@ RUN [ "cross-build-start" ] RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/armv6/Dockerfile.buildkit.alpine b/docker/armv6/Dockerfile.buildkit.alpine index d0f5cfbe..10559387 100644 --- a/docker/armv6/Dockerfile.buildkit.alpine +++ b/docker/armv6/Dockerfile.buildkit.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -79,6 +76,12 @@ RUN touch src/main.rs # your actual source files being built RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-musleabi/release/vaultwarden + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built 
@@ -95,10 +98,10 @@ RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata RUN [ "cross-build-end" ] diff --git a/docker/armv7/Dockerfile b/docker/armv7/Dockerfile index 8df12612..bf0e4f01 100644 --- a/docker/armv7/Dockerfile +++ b/docker/armv7/Dockerfile @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for armhf architecture. +# Install build dependencies for the armhf architecture RUN dpkg --add-architecture armhf \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:armhf \ + gcc-arm-linux-gnueabihf \ libc6-dev:armhf \ - libpq5:armhf \ - libpq-dev:armhf \ - libmariadb3:armhf \ + libcap2-bin \ libmariadb-dev:armhf \ libmariadb-dev-compat:armhf \ - gcc-arm-linux-gnueabihf \ + libmariadb3:armhf \ + libpq-dev:armhf \ + libpq5:armhf \ + libssl-dev:armhf \ # # Make sure cargo has the right target config && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ @@ -70,7 +67,6 @@ ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app 
@@ -102,6 +98,7 @@ RUN touch src/main.rs # your actual source files being built RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -117,11 +114,11 @@ RUN [ "cross-build-start" ] RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine index 1872e54e..43d2509c 100644 --- a/docker/armv7/Dockerfile.alpine +++ b/docker/armv7/Dockerfile.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -77,6 +74,7 @@ RUN touch src/main.rs # your actual source files being built RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -93,10 +91,10 @@ RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata RUN [ "cross-build-end" ] 
diff --git a/docker/armv7/Dockerfile.buildkit b/docker/armv7/Dockerfile.buildkit index 4ff8364a..07b51478 100644 --- a/docker/armv7/Dockerfile.buildkit +++ b/docker/armv7/Dockerfile.buildkit @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,25 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for armhf architecture. +# Install build dependencies for the armhf architecture RUN dpkg --add-architecture armhf \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:armhf \ + gcc-arm-linux-gnueabihf \ libc6-dev:armhf \ - libpq5:armhf \ - libpq-dev:armhf \ - libmariadb3:armhf \ + libcap2-bin \ libmariadb-dev:armhf \ libmariadb-dev-compat:armhf \ - gcc-arm-linux-gnueabihf \ + libmariadb3:armhf \ + libpq-dev:armhf \ + libpq5:armhf \ + libssl-dev:armhf \ # # Make sure cargo has the right target config && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ @@ -70,7 +67,6 @@ ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app 
@@ -102,6 +98,12 @@ RUN touch src/main.rs # your actual source files being built RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-gnueabihf/release/vaultwarden + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -117,11 +119,11 @@ RUN [ "cross-build-start" ] RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/armv7/Dockerfile.buildkit.alpine b/docker/armv7/Dockerfile.buildkit.alpine index 2fc23849..9a9e1a9b 100644 --- a/docker/armv7/Dockerfile.buildkit.alpine +++ b/docker/armv7/Dockerfile.buildkit.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal 
@@ -77,6 +74,12 @@ RUN touch src/main.rs # your actual source files being built RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-musleabihf/release/vaultwarden + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -93,10 +96,10 @@ RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata RUN [ "cross-build-end" ]