build: Multiple improvements

- Don't hardcode the target tuple (this allows arm builds) - Don't hardcode ld as the only hardcoded dynamic library - Add renovate management for versions in dockerfile - Use cargo binstall for cargo-audit, allowing installation on non-x86_64 arches
metabrainz · Dec 21, 2024 · 47ea0c1 · 47ea0c1
1 parent 0b2f013
commit 47ea0c1
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 12 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,13 +2,39 @@ FROM rust:latest AS builder
 
 # install lld
 RUN apt-get update && apt-get install -y lld
-# install cargo-auditable
-RUN curl --proto '=https' --tlsv1.2 -LsSf https://github.com/rust-secure-code/cargo-auditable/releases/download/v0.6.6/cargo-auditable-installer.sh | sh
 
+# Set up Rust toolchain
 WORKDIR /app
 COPY ./rust-toolchain.toml .
 RUN rustc --version
 
+# convert docker target to rust target
+ARG TARGETPLATFORM
+
+# for available rust targets, see `rustup target list` or https://doc.rust-lang.org/nightly/rustc/platform-support.html
+# for available docker platforms, see https://github.com/docker/cli/blob/fb2ba5d63ba4166ceeefa21c2fd866b06966874e/cli/command/manifest/util.go#L23
+RUN TARGETTUPLE=$(case $TARGETPLATFORM in \
+    "linux/386") echo i686-unknown-linux-gnu ;; \
+    "linux/amd64") echo x86_64-unknown-linux-gnu ;; \
+    "linux/arm64") echo aarch64-unknown-linux-gnu ;; \
+    "linux/arm") echo arm-unknown-linux-gnueabihf ;; \
+    "linux/arm/v7") echo armv7-unknown-linux-gnueabihf ;; \
+    "linux/riscv64") echo riscv64gc-unknown-linux-gnu ;; \
+    "linux/ppc64le") echo powerpc64le-unknown-linux-gnu ;; \
+    "linux/s390x") echo s390x-unknown-linux-gnu ;; \
+    *) exit 1 ;; \
+    esac) && \
+    echo "TARGETTUPLE=$TARGETTUPLE" >> /etc/environment
+
+# Developer tool versions
+# renovate: datasource=github-releases depName=cargo-binstall packageName=cargo-bins/cargo-binstall
+ENV BINSTALL_VERSION=1.10.17
+# renovate: datasource=crate packageName=cargo-auditable
+ENV CARGO_AUDITABLE_VERSION=0.6.6
+
+RUN curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
+RUN cargo binstall --no-confirm cargo-auditable --version $CARGO_AUDITABLE_VERSION
+
 # Get source
 COPY . .
 
@@ -19,28 +45,33 @@ ENV CARGO_INCREMENTAL=0
 RUN mkdir /out
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/app/target \
-    cargo auditable build --locked --release --target x86_64-unknown-linux-gnu && \
-    cp ./target/x86_64-unknown-linux-gnu/release/mb-mail-service /out/app
+    . /etc/environment && \
+    cargo auditable build --locked --release --target $TARGETTUPLE && \
+    cp ./target/$TARGETTUPLE/release/mb-mail-service /out/app
 
 # find dynamically linked dependencies
-RUN mkdir /libs \
-     && ldd /out/app | grep '=>' | awk '{print $3}' | xargs -I {} cp {} /libs/
+RUN mkdir /out/libs \
+     && ldd /out/app | grep '=>' | awk '{print $(NF-1)}' | xargs -I {} cp {} /out/libs/
+# libraries with a hardcoded path, like ld
+# (see for example https://github.com/vlang/v/issues/8682)
+# Excluding linux-vdso.so, as it is a part of the kernel
+RUN mkdir /out/libs-root \
+    && ldd /out/app | grep -v '=>' | grep -v 'linux-vdso.so' | awk '{print $(NF-1)}' | xargs -I {} install -D {} /out/libs-root{}
 # RUN ldd /out/app
-# RUN ldd /out/app | grep '=>' | awk '{print $3}'
+# ldd /out/app | grep -v 'linux-vdso.so' | awk '{print $(NF-1)}'
 # RUN ls /libs
 
 FROM scratch
 
 WORKDIR /
 
-# Copy ld (see for example https://github.com/vlang/v/issues/8682)
-COPY --from=rust:latest /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
-
 # Copy our build
 COPY --from=builder /out/app ./app 
 
+# Copy hardcoded dynamic libraries
+COPY --from=builder /out/libs-root /
 # Copy dynamic libraries
-COPY --from=builder /libs /libs
+COPY --from=builder /out/libs /libs
 # Tell Linux where to find our libraries
 ENV LD_LIBRARY_PATH=/libs
 

diff --git a/renovate.json b/renovate.json
@@ -16,5 +16,15 @@
       "addLabels": ["will-automerge"]
     }
   ],
-  "platformAutomerge": true
+  "platformAutomerge": true,
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Update _VERSION variables in Dockerfiles",
+      "fileMatch": ["(^|/|\\.)Dockerfile$", "(^|/)Dockerfile\\.[^/]*$"],
+      "matchStrings": [
+        "# renovate: datasource=(?<datasource>[a-z-]+?)(?: depName=(?<depName>.+?))? packageName=(?<packageName>.+?)(?: versioning=(?<versioning>[a-z-]+?))?\\s(?:ENV|ARG) .+?_VERSION=(?<currentValue>.+?)\\s"
+      ]
+    }
+  ]
 }