forked from penumbra-zone/penumbra
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile.dev
152 lines (125 loc) · 5.11 KB
/
Dockerfile.dev
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
FROM rust:1-bullseye AS build-env
# Specify the cargo cache dir as a volume to improve build speed
VOLUME ["/root/.cargo"]
RUN rustup component add rustfmt
RUN apt update && apt install -y libclang-dev clang libssl1.1 libssl-dev openssl
WORKDIR /usr/src
# Use a dummy entrypoint to build each crate, that way dependencies can be cached
# without code changes causing a complete rebuild.
# TODO all these COPY commands add additional layers to the image. I'm not sure
# how big they are but for the distributed images we likely want to use
# a simpler Dockerfile.
COPY Cargo.toml .
RUN mkdir -p pcli/src pd/src &&\
echo "fn main() {}" > pcli/src/main.rs &&\
echo "fn main() {}" > pd/src/main.rs
COPY pcli/build.rs ./pcli
COPY pcli/Cargo.toml ./pcli
COPY pd/Cargo.toml ./pd
COPY pd/build.rs ./pd
# TODO If the protobuf definitions, crypto, or wallet implementations change,
# there will be a complete rebuild. This is maybe possible to avoid.
COPY proto ./proto
COPY chain ./chain
COPY crypto ./crypto
COPY custody ./custody
COPY component ./component
COPY storage ./storage
COPY tct ./tct
COPY decaf377-fmd ./decaf377-fmd
COPY decaf377-ka ./decaf377-ka
COPY measure ./measure
COPY eddy ./eddy
COPY tct-property-test ./tct-property-test
COPY tct-visualize ./tct-visualize
COPY transaction ./transaction
COPY wallet ./wallet
COPY view ./view
COPY testnets ./testnets
COPY .git ./.git
COPY testnets ./testnets
COPY .cargo ./.cargo
# Sorry about all that mess ^, but it's worth it during development.
# Fetch dependencies in a separate layer, so that they can be cached.
RUN cargo fetch --target $(uname -m)-unknown-linux-gnu
RUN cargo build --release --bin pd --target $(uname -m)-unknown-linux-gnu
# Remove the cached builds of internal packages.
RUN rm -rf pcli pd crypto wallet config stake ibc component storage
# Copy the repo source now that dependencies have been built and cached.
COPY . .
RUN cargo build --release --target $(uname -m)-unknown-linux-gnu
# Copy all binaries to /root/bin, for a single place to copy into final image.
RUN mkdir /root/bin
RUN cp /usr/src/target/$(uname -m)-unknown-linux-gnu/release/pcli \
/usr/src/target/$(uname -m)-unknown-linux-gnu/release/pd \
/root/bin
# Determine library dependencies of built binaries and copy to indexed path in /root/lib_abs for copying to final image.
# Absolute path of each library is appended to /root/lib_abs.list for restoring in final image.
RUN mkdir -p /root/lib_abs && touch /root/lib_abs.list
RUN bash -c \
'for BIN in /root/bin/*; do \
readarray -t LIBS < <(ldd "$BIN"); \
i=0; for LIB in "${LIBS[@]}"; do \
PATH1=$(echo $LIB | awk "{print \$1}") ; \
if [ "$PATH1" = "linux-vdso.so.1" ]; then continue; fi; \
PATH2=$(echo $LIB | awk "{print \$3}") ; \
if [ ! -z "$PATH2" ]; then \
cp $PATH2 /root/lib_abs/$i ; \
echo $PATH2 >> /root/lib_abs.list; \
else \
cp $PATH1 /root/lib_abs/$i ; \
echo $PATH1 >> /root/lib_abs.list; \
fi; \
((i = i + 1)) ;\
done; \
done'
# Use minimal busybox from Strangelove infra-toolkit image for final scratch image
FROM ghcr.io/strangelove-ventures/infra-toolkit:v0.0.6 AS busybox-min
RUN addgroup --gid 1000 -S penumbra && adduser --uid 1000 -S penumbra -G penumbra
# Use ln and rm from full featured busybox for assembling final image
FROM busybox:1.34.1-musl AS busybox-full
# Build final image from scratch
FROM scratch
WORKDIR /bin
# Install ln (for making hard links), rm (for cleanup), mv, mkdir, and dirname from full busybox image (will be deleted, only needed for image assembly)
COPY --from=busybox-full /bin/ln /bin/rm /bin/mv /bin/mkdir /bin/dirname ./
# Install minimal busybox image as shell binary (will create hardlinks for the rest of the binaries to this data)
COPY --from=busybox-min /busybox/busybox /bin/sh
# Add hard links for read-only utils, then remove ln and rm
# Will then only have one copy of the busybox minimal binary file with all utils pointing to the same underlying inode
RUN ln sh pwd && \
ln sh ls && \
ln sh cat && \
ln sh less && \
ln sh grep && \
ln sh sleep && \
ln sh env && \
ln sh tar && \
ln sh tee && \
ln sh du
# Install chain binaries
COPY --from=build-env /root/bin /bin
# Copy over libraries
COPY --from=build-env /root/lib_abs /root/lib_abs
COPY --from=build-env /root/lib_abs.list /root/lib_abs.list
# Move libraries to their absolute locations.
RUN sh -c 'i=0; while read FILE; do \
echo "$i: $FILE"; \
DIR="$(dirname "$FILE")"; \
mkdir -p "$DIR"; \
mv /root/lib_abs/$i $FILE; \
i=$((i+1)); \
done < /root/lib_abs.list'
# Remove write utils used to construct image and tmp dir/file for lib copy.
RUN rm -rf ln rm mv mkdir dirname /root/lib_abs /root/lib_abs.list
# Install trusted CA certificates
COPY --from=busybox-min /etc/ssl/cert.pem /etc/ssl/cert.pem
# Install penumbra user
COPY --from=busybox-min /etc/passwd /etc/passwd
COPY --from=busybox-min --chown=1000:1000 /home/penumbra /home/penumbra
WORKDIR /home/penumbra
USER penumbra
ARG DATABASE_URL
ENV DATABASE_URL=$DATABASE_URL
ENV RUST_LOG=warn,pd=info,penumbra=info
CMD [ "RUST_BACKTRACE=1 /usr/bin/pd" ]