From 884f258ac36c4adf11366af614c4bd59a15996aa Mon Sep 17 00:00:00 2001
From: Friedrich Altheide <11352905+FriedrichAltheide@users.noreply.github.com>
Date: Wed, 14 Aug 2024 16:27:20 +0200
Subject: [PATCH] use nix based container

---
 .dockerignore | 2 ++
 docker/Dockerfile | 42 +++++++++++++++--------
 docker/README.md | 2 +-
 flake.lock | 85 ++++++++++++-----------------------------------
 flake.nix | 42 ++++++++++-------------
 5 files changed, 72 insertions(+), 101 deletions(-)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..9499b1e
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+./result
+./target
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 9902d1e..50ce119 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,21 +1,37 @@ -### alternative tag is e.g. '1.72.0' -ARG RUST_VSN='stable' +# based on https://mitchellh.com/writing/nix-with-dockerfiles -##### Build -FROM docker.io/clux/muslrust:${RUST_VSN} as builder +# Nix builder +FROM nixos/nix:latest AS builder -COPY / ./ -RUN cargo build --release +# Copy our source and setup our working dir. +COPY . /tmp/build +WORKDIR /tmp/build -RUN mkdir -p /rootfs/etc/fpush \ - && mv $(find target/ -name fpush -type f -executable) /rootfs/fpush \ - && touch /rootfs/etc/fpush/settings.json +RUN nix-channel --update -##### Runtime -FROM gcr.io/distroless/static-debian12:nonroot AS prod +# Build our Nix environment +RUN nix \ + --extra-experimental-features "nix-command flakes" \ + --option filter-syscalls false \ + build -COPY --from=builder /rootfs / +# Copy the Nix store closure into a directory. The Nix store closure is the +# entire set of Nix store values that we need for our build. +RUN mkdir /tmp/nix-store-closure +RUN mkdir /tmp/app +RUN cp -R $(nix-store -qR result/) /tmp/nix-store-closure \ + && ln -s $(readlink -f result)/ /tmp/app/fpush + +# Final image is based on scratch. We copy a bunch of Nix dependencies +# but they're fully self-contained so we don't need Nix anymore. +FROM scratch + +WORKDIR /app + +# Copy /nix/store +COPY --from=builder /tmp/nix-store-closure /nix/store +COPY --from=builder /tmp/app /app ENV RUST_LOG=info -ENTRYPOINT ["/fpush","/etc/fpush/settings.json"] +ENTRYPOINT ["/app/fpush/bin/fpush", "/etc/fpush/settings.json"] \ No newline at end of file diff --git a/docker/README.md b/docker/README.md index c567f53..94573c1 100644 --- a/docker/README.md +++ b/docker/README.md @@ -5,7 +5,7 @@ This folder holds an example Dockerfile. To build the image, run the following command from the root of this repository: ```bash -docker build -t localhost/fpush:latest -f docker/Dockerfile . +docker buildx build -t localhost/fpush:latest -f docker/Dockerfile . ``` Run the image with: 
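Review bot: The final stage regresses from an unprivileged runtime to root: `FROM scratch` carries no `USER` instruction, so `/app/fpush/bin/fpush` now runs as uid 0, whereas the replaced base `gcr.io/distroless/static-debian12:nonroot` ran the binary as a non-root user. Adding a numeric user before the entrypoint, e.g. `USER 65532:65532` (numeric because scratch has no `/etc/passwd`; any fixed non-root uid works), restores that property. The builder stage also pulls `nixos/nix:latest`, a mutable tag, and `nix-channel --update` fetches the current channel at build time even though flake.lock already pins every input; pinning the builder, `FROM nixos/nix:<VERSION>@sha256:<DIGEST> AS builder`, and dropping the channel update if the flake build turns out not to need it would make the image reproducible. `--option filter-syscalls false` turns off the seccomp filter of the Nix build sandbox, so a comment stating why this build environment needs it, along the lines of `# filter-syscalls=false: <reason this Docker build needs it> — TODO confirm still required`, would keep a later maintainer from inheriting the weaker sandbox silently.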
diff --git a/flake.lock b/flake.lock index f2e840a..ddc64c5 100644 --- a/flake.lock +++ b/flake.lock @@ -2,19 +2,16 @@ "nodes": { "crane": { "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" - ], - "rust-overlay": "rust-overlay" + ] }, "locked": { - "lastModified": 1666567222, - "narHash": "sha256-AVySilLW+eNM409GSIJYsF6wg5NsxK12Ht2DMSYAgO0=", + "lastModified": 1722960479, + "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", "owner": "ipetkov", "repo": "crane", - "rev": "2ce1a3313e299b0db63b11f94c863af74b0b08ad", + "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", "type": "github" }, "original": { @@ -23,44 +20,16 @@ "type": "github" } }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { - "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", - "type": "github" + "inputs": { + "systems": "systems" }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { 
@@ -71,16 +40,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1685533922, - "narHash": "sha256-y4FCQpYafMQ42l1V+NUrMel9RtFtZo59PzdzflKR/lo=", + "lastModified": 1723541349, + "narHash": "sha256-LrmeqqHdPgAJsVKIJja8jGgRG/CA2y6SGT2TjX5Do68=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3a70dd92993182f8e514700ccf5b1ae9fc8a3b8d", + "rev": "4877ea239f4d02410c3516101faf35a81af0c30e", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } @@ -88,32 +57,22 @@ "root": { "inputs": { "crane": "crane", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "nixpkgs": "nixpkgs" } }, - "rust-overlay": { - "inputs": { - "flake-utils": [ - "crane", - "flake-utils" - ], - "nixpkgs": [ - "crane", - "nixpkgs" - ] - }, + "systems": { "locked": { - "lastModified": 1666494036, - "narHash": "sha256-4mmm+1MBPMD56LMLN9QcEwnfnu41NkA6lDeZGjSrxIw=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "af2e939ba2c7cbb188d06d6650c6353b10b3f2be", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "type": "github" }, "original": { - "owner": "oxalica", - "repo": "rust-overlay", + "owner": "nix-systems", + "repo": "default", "type": "github" } } diff --git a/flake.nix b/flake.nix index 0e6b180..0375822 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,21 +2,17 @@ description = "Scalable push server for XMPP"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + crane.url = "github:ipetkov/crane"; + crane.inputs.nixpkgs.follows = "nixpkgs"; flake-utils.url = "github:numtide/flake-utils"; - crane = { - url = "github:ipetkov/crane"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = { self, nixpkgs, flake-utils, crane }: flake-utils.lib.eachDefaultSystem (system: let - pkgs = import nixpkgs { - inherit system; - }; - craneLib = crane.lib.${system}; + pkgs = nixpkgs.legacyPackages.${system}; + craneLib = crane.mkLib pkgs; commonArgs = { src = craneLib.cleanCargoSource ./.; @@ -36,21 +32,19 @@ cargoExtraArgs = "--all-features"; } // commonArgs); - devShells = { - default = pkgs.mkShell { - - buildInputs = [ ] ++ commonArgs.buildInputs; - nativeBuildInputs = builtins.attrValues - { - inherit (pkgs) cargo rustc nixpkgs-fmt shellcheck rnix-lsp; - } ++ [ - # This is required to prevent a mangled bash shell in nix develop - # see: https://discourse.nixos.org/t/interactive-bash-with-nix-develop-flake/15486 - (pkgs.hiPrio pkgs.bashInteractive) - - ] ++ commonArgs.nativeBuildInputs; - }; - }; + devShells = { + default = pkgs.mkShell { + buildInputs = [ ] ++ commonArgs.buildInputs; + nativeBuildInputs = builtins.attrValues + { + inherit (pkgs) cargo rustc fmt cargo-udeps cargo-outdated cargo-audit; + } ++ [ + # This is required to prevent a mangled bash shell in nix develop + # see: https://discourse.nixos.org/t/interactive-bash-with-nix-develop-flake/15486 + (pkgs.hiPrio pkgs.bashInteractive) + ] ++ commonArgs.nativeBuildInputs; + }; + }; } ); }
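Review bot: `nixpkgs.url` moves from the `nixos-24.05` release branch to `nixpkgs-unstable`, so each future `nix flake update` pulls rolling changes into the server build; flake.lock still pins the exact revision between updates, but a release branch gives a deployable service fewer surprises and a clearer security-update story. If unstable is required for something specific (a newer crane or cargo tool, presumably), a one-line comment above the input, `# nixpkgs-unstable needed for <PACKAGE>`, would record the reason and make it easy to move back to a release branch later.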
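Review bot: In the devShell's `nativeBuildInputs`, `inherit (pkgs) cargo rustc fmt cargo-udeps cargo-outdated cargo-audit;` pulls in `fmt`, which in nixpkgs is the {fmt} C++ formatting library rather than a Rust or Nix formatter; the previous list had `nixpkgs-fmt`, so `rustfmt` or `nixpkgs-fmt` is most likely what was intended. Changing the line to `inherit (pkgs) cargo rustc rustfmt nixpkgs-fmt cargo-udeps cargo-outdated cargo-audit;` restores a formatter without touching the rest of the shell. The remaining lines of the hunk only re-indent the `devShells` block, which adds blame noise; keeping the original indentation would make the functional change (the tool list) stand out. The `outputs` function enclosing this block starts in the previous hunk and closes with the `);` and `}` visible at the end of this one.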