diff --git a/Dockerfile b/Dockerfile index e9f28a2..6e70adc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,13 +2,39 @@ FROM rust:latest AS builder # install lld RUN apt-get update && apt-get install -y lld -# install cargo-auditable -RUN curl --proto '=https' --tlsv1.2 -LsSf https://github.com/rust-secure-code/cargo-auditable/releases/download/v0.6.6/cargo-auditable-installer.sh | sh +# Set up Rust toolchain WORKDIR /app COPY ./rust-toolchain.toml . RUN rustc --version +# convert docker target to rust target +ARG TARGETPLATFORM + +# for available rust targets, see `rustup target list` or https://doc.rust-lang.org/nightly/rustc/platform-support.html +# for available docker platforms, see https://github.com/docker/cli/blob/fb2ba5d63ba4166ceeefa21c2fd866b06966874e/cli/command/manifest/util.go#L23 +RUN TARGETTUPLE=$(case $TARGETPLATFORM in \ + "linux/386") echo i686-unknown-linux-gnu ;; \ + "linux/amd64") echo x86_64-unknown-linux-gnu ;; \ + "linux/arm64") echo aarch64-unknown-linux-gnu ;; \ + "linux/arm") echo arm-unknown-linux-gnueabihf ;; \ + "linux/arm/v7") echo armv7-unknown-linux-gnueabihf ;; \ + "linux/riscv64") echo riscv64gc-unknown-linux-gnu ;; \ + "linux/ppc64le") echo powerpc64le-unknown-linux-gnu ;; \ + "linux/s390x") echo s390x-unknown-linux-gnu ;; \ + *) exit 1 ;; \ + esac) && \ + echo "TARGETTUPLE=$TARGETTUPLE" >> /etc/environment + +# Developer tool versions +# renovate: datasource=github-releases depName=cargo-binstall packageName=cargo-bins/cargo-binstall +ENV BINSTALL_VERSION=1.10.17 +# renovate: datasource=crate packageName=cargo-auditable +ENV CARGO_AUDITABLE_VERSION=0.6.6 + +RUN curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash +RUN cargo binstall --no-confirm cargo-auditable --version $CARGO_AUDITABLE_VERSION + # Get source COPY . . 
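Review bot: The new `RUN curl … | bash` line fetches `install-from-binstall-release.sh` from the mutable `main` branch, so the script executed in the builder can change between builds even though `BINSTALL_VERSION` is pinned. The removed line at least took its installer from a fixed `v0.6.6` release URL. Pointing the URL at the matching tag keeps the script and the binary version in step, e.g. `https://raw.githubusercontent.com/cargo-bins/cargo-binstall/v${BINSTALL_VERSION}/install-from-binstall-release.sh` (confirm the tag carries the script). Checking a recorded SHA-256 of the downloaded file before running it would remove the remaining trust in whatever upstream serves at build time. It is also worth a comment on `ENV BINSTALL_VERSION` saying that the install script is what consumes it, since nothing else in the hunk references the variable.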
@@ -19,28 +45,33 @@ ENV CARGO_INCREMENTAL=0 RUN mkdir /out RUN --mount=type=cache,target=/usr/local/cargo/registry \ --mount=type=cache,target=/app/target \ - cargo auditable build --locked --release --target x86_64-unknown-linux-gnu && \ - cp ./target/x86_64-unknown-linux-gnu/release/mb-mail-service /out/app + . /etc/environment && \ + cargo auditable build --locked --release --target $TARGETTUPLE && \ + cp ./target/$TARGETTUPLE/release/mb-mail-service /out/app # find dynamically linked dependencies -RUN mkdir /libs \ - && ldd /out/app | grep '=>' | awk '{print $3}' | xargs -I {} cp {} /libs/ +RUN mkdir /out/libs \ + && ldd /out/app | grep '=>' | awk '{print $(NF-1)}' | xargs -I {} cp {} /out/libs/ +# libraries with a hardcoded path, like ld +# (see for example https://github.com/vlang/v/issues/8682) +# Excluding linux-vdso.so, as it is a part of the kernel +RUN mkdir /out/libs-root \ + && ldd /out/app | grep -v '=>' | grep -v 'linux-vdso.so' | awk '{print $(NF-1)}' | xargs -I {} install -D {} /out/libs-root{} # RUN ldd /out/app -# RUN ldd /out/app | grep '=>' | awk '{print $3}' +# ldd /out/app | grep -v 'linux-vdso.so' | awk '{print $(NF-1)}' # RUN ls /libs FROM scratch WORKDIR / -# Copy ld (see for example https://github.com/vlang/v/issues/8682) -COPY --from=rust:latest /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 - # Copy our build COPY --from=builder /out/app ./app +# Copy hardcoded dynamic libraries +COPY --from=builder /out/libs-root / # Copy dynamic libraries -COPY --from=builder /libs /libs +COPY --from=builder /out/libs /libs # Tell Linux where to find our libraries ENV LD_LIBRARY_PATH=/libs diff --git a/renovate.json b/renovate.json index 54d0fda..9218ca0 100644 --- a/renovate.json +++ b/renovate.json 
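Review bot: Both `ldd /out/app | grep … | awk … | xargs …` steps run under the default `/bin/sh -c` without pipefail, so a failing `ldd` or an empty match still lets the `RUN` succeed. For the new `/out/libs-root` step that means the `scratch` image can be built without its dynamic loader and will only fail when the container starts. Adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` in the builder stage (the stage begins outside this hunk) makes either pipeline abort the build. A trailing `&& test -n "$(ls -A /out/libs-root)"` would make the expectation explicit. The leftover `# RUN ls /libs` debug comment also refers to a path that no longer exists in the builder now that the libraries live under `/out/libs`.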
@@ -16,5 +16,15 @@ "addLabels": ["will-automerge"] } ], - "platformAutomerge": true + "platformAutomerge": true, + "customManagers": [ + { + "customType": "regex", + "description": "Update _VERSION variables in Dockerfiles", + "fileMatch": ["(^|/|\\.)Dockerfile$", "(^|/)Dockerfile\\.[^/]*$"], + "matchStrings": [ + "# renovate: datasource=(?[a-z-]+?)(?: depName=(?.+?))? packageName=(?.+?)(?: versioning=(?[a-z-]+?))?\\s(?:ENV|ARG) .+?_VERSION=(?.+?)\\s" + ] + } + ] }
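Review bot: As shown here, the `matchStrings` pattern has capture groups of the form `(?[a-z-]+?)` and `(?.+?)`, which is not valid regex syntax. Renovate's regex manager needs named groups, i.e. `(?<datasource>[a-z-]+?)`, `(?<depName>.+?)`, `(?<packageName>.+?)`, `(?<versioning>[a-z-]+?)` and `(?<currentValue>.+?)`. The angle-bracketed names may simply have been lost when this page was rendered, so check the committed file. Because this file also enables `platformAutomerge`, it is worth confirming which of the existing package rules apply to the new `BINSTALL_VERSION` and `CARGO_AUDITABLE_VERSION` updates, so that build-tool bumps are not merged without review unintentionally.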