# hadolint global ignore=DL3006,DL3008,DL3003
# see [Multi-platform | Docker Docs](https://docs.docker.com/build/building/multi-platform/)
# see [Fast multi-arch Docker build for Rust projects - DEV Community](https://dev.to/vladkens/fast-multi-arch-docker-build-for-rust-projects-an1)
# see [How to create small Docker images for Rust](https://kerkour.com/rust-small-docker-image)
# alternative: https://edu.chainguard.dev/chainguard/chainguard-images/reference/rust/image_specs/
#---------------------------------------------------------------------------------------------------
# Building the 'build' stage on CI takes ~30min:
# Rust compilation in docker is slow (especially for arm64)
# and the setup/tuning of cache/sccache to speed it up is not trivial,
# vs using pre-built binaries for releases (built in ~6 min for each platform)
#
# We keep this target for reference
#
# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag
# trivy:ignore:AVD-DS-0001
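FROM --platform=$BUILDPLATFORM rust:1.84.0-alpine AS build
# Cargo profile to build; the artifact is read back from target/<triple>/${PROFILE}/.
# NOTE(review): cargo writes the `dev` profile to target/.../debug, so only `release`
# (or a custom profile whose name matches its output directory) works end to end.
ARG PROFILE=release
# Let pkg-config resolve against the host sysroot when cross-compiling C dependencies.
ENV PKG_CONFIG_SYSROOT_DIR=/
RUN <<EOT
set -eux
# musl-dev is required for the musl target
# zig + cargo-zigbuild are used to build cross platform C code
# make is used by jemalloc and some C code
# NOTE(review): packages are unpinned; pin `pkg=version-rN` for a reproducible toolchain.
apk add --no-cache musl-dev zig make # openssl-dev
update-ca-certificates
EOT
RUN <<EOT
set -eux
rustup target add x86_64-unknown-linux-musl aarch64-unknown-linux-musl
# NOTE(review): `--locked` pins cargo-zigbuild's dependency tree but not its own version;
# add `--version X.Y.Z` once a known-good release is chosen so the toolchain is reproducible.
cargo install --locked cargo-zigbuild
EOT
# Create appuser (uid 10001, no home, no login shell). Not consumed by the current final
# stage, which takes its account database from `download`; kept so the commented-out
# `build`-based final stage can be re-enabled without changes here.
ENV USER=nonroot
ENV UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
"${USER}"
WORKDIR /work
# Copies the whole build context: keep .dockerignore tight (.git, target/, .env and other
# secrets) so nothing sensitive lands in this stage's layers or busts the cache.
COPY ./ .
# TODO `upx /work/target/*/${PROFILE}/cdviz-collector`
RUN <<EOT
set -eux
# `--profile "$PROFILE"` is equivalent to `--release` for the default and also accepts
# custom profiles, whereas `--$PROFILE` only ever worked for `release`.
cargo zigbuild --target x86_64-unknown-linux-musl --target aarch64-unknown-linux-musl --profile "$PROFILE"
mkdir -p /app/linux
ls target
# Lay the binaries out as /app/<os>/<arch> so the final stage can COPY /app/${TARGETPLATFORM}.
cp "target/aarch64-unknown-linux-musl/${PROFILE}/cdviz-collector" /app/linux/arm64
cp "target/x86_64-unknown-linux-musl/${PROFILE}/cdviz-collector" /app/linux/amd64
EOT
HEALTHCHECK NONE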
#---------------------------------------------------------------------------------------------------
# Instead of building from source, download the binary from github release
# Building the 'download' stage on CI takes ~2min
#
# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag
# trivy:ignore:AVD-DS-0001
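FROM --platform=$BUILDPLATFORM alpine:3 AS download
# Release tag to fetch from GitHub releases (required, no default).
ARG VERSION
# Optional SHA-256 of each release tarball. When set, the download is verified before
# extraction; when left empty (the default) the build proceeds unverified with a warning,
# which keeps existing invocations working.
ARG SHA256_X86_64=""
ARG SHA256_AARCH64=""
RUN <<EOT
set -eux
# TLS verification stays ON for apk: the base image already ships a CA bundle, and
# `--no-check-certificate` would let an on-path attacker serve the package index.
apk add --no-cache ca-certificates curl tar xz
update-ca-certificates
EOT
# Create appuser (uid 10001, no home, no login shell); /etc/passwd and /etc/group from
# this stage are copied into the scratch image so `USER nonroot` resolves there.
ENV USER=nonroot
ENV UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
"${USER}"
WORKDIR /work
RUN <<EOT
set -eux
# Fail early with a clear message instead of requesting a URL with an empty tag.
: "${VERSION:?VERSION build-arg is required (e.g. --build-arg VERSION=<release-tag>)}"
base_url="https://github.com/cdviz-dev/cdviz-collector/releases/download/${VERSION}"
mkdir -p /app/linux

# fetch_release <target-triple> <destination> <expected-sha256-or-empty>
# --fail: HTTP errors exit non-zero instead of saving the error page as the tarball
# --proto/--proto-redir '=https': refuse plaintext on the initial request and on redirects
# --retry: absorb transient CDN failures
fetch_release() {
  triple="$1"; dest="$2"; sha="$3"
  mkdir -p "$triple"
  cd "$triple"
  curl --fail --location --proto '=https' --proto-redir '=https' --tlsv1.2 --retry 3 \
    -o cdviz-collector.tar.xz "${base_url}/cdviz-collector-${triple}.tar.xz"
  if [ -n "$sha" ]; then
    echo "${sha}  cdviz-collector.tar.xz" | sha256sum -c -
  else
    echo "WARNING: no SHA-256 provided for ${triple}; release tarball is NOT verified" >&2
  fi
  # Archive is expected to contain a single top-level directory holding the binary.
  tar -xvf cdviz-collector.tar.xz --strip-components=1
  mv cdviz-collector "$dest"
  cd ..
}

# Lay the binaries out as /app/<os>/<arch> so the final stage can COPY /app/${TARGETPLATFORM}.
fetch_release x86_64-unknown-linux-musl /app/linux/amd64 "$SHA256_X86_64"
fetch_release aarch64-unknown-linux-musl /app/linux/arm64 "$SHA256_AARCH64"
EOT
HEALTHCHECK NONE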
#---------------------------------------------------------------------------------------------------
# checkov:skip=CKV_DOCKER_7:Ensure the base image uses a non latest version tag
# trivy:ignore:AVD-DS-0001
# TARGETPLATFORM (e.g. linux/amd64, linux/arm64) selects the right binary from the earlier stage;
# the ARG is populated by docker/BuildKit itself
FROM scratch AS cdviz-collector
# OCI metadata for the published image. LABEL adds no filesystem layer; one instruction
# simply keeps the metadata together.
LABEL org.opencontainers.image.source="https://github.com/cdviz-dev/cdviz-collector" \
      org.opencontainers.image.licenses="Apache-2.0" \
      org.opencontainers.image.description="A service & cli to collect SDLC/CI/CD events and to dispatch as cdevents."
# Populated by BuildKit (e.g. linux/amd64, linux/arm64); selects the binary copied below.
ARG TARGETPLATFORM
# Default tracing configuration: the OTLP exporter targets a local sidecar over plaintext
# (loopback only), and sampling is off until explicitly enabled at runtime.
ENV OTEL_EXPORTER_OTLP_TRACES_ENDPOINT="http://127.0.0.1:4317" \
    OTEL_TRACES_SAMPLER="always_off"
# Alternative wiring against the `build` stage (compiled from source), kept for reference:
# COPY --from=build /etc/passwd /etc/passwd
# COPY --from=build /etc/group /etc/group
# USER nonroot
# COPY --from=build /app/${TARGETPLATFORM} /app
# The account database comes from the `download` stage so `USER nonroot` (uid 10001) resolves
# inside a scratch image; no shell, libc or package manager is copied in.
COPY --from=download /etc/passwd /etc/passwd
COPY --from=download /etc/group /etc/group
USER nonroot
# Statically linked musl binary; root-owned, which is fine since nonroot only needs to
# read and execute it.
COPY --from=download /app/${TARGETPLATFORM} /cdviz-collector
# NOTE(review): no CA bundle is present in the scratch image. If the collector makes
# outbound TLS connections without compiled-in roots, copy
# /etc/ssl/certs/ca-certificates.crt from the `download` stage - confirm against the
# binary's TLS backend before changing this.
HEALTHCHECK NONE
# Exec form keeps the binary as PID 1 (it receives SIGTERM directly); CMD holds the default,
# user-overridable arguments (none).
# see https://stackoverflow.com/questions/21553353/what-is-the-difference-between-cmd-and-entrypoint-in-a-dockerfile
ENTRYPOINT ["/cdviz-collector"]
CMD []