90 lines
No EOL
3.1 KiB
Docker
90 lines
No EOL
3.1 KiB
Docker
# syntax=docker/dockerfile:1.7
|
|
# rust-engine/Dockerfile
|
|
|
|
# --- Stage 1: Builder ---
|
|
# Use a stable Rust version
|
|
FROM rust:slim AS builder
|
|
WORKDIR /usr/src/app
|
|
|
|
# Install build dependencies needed for sqlx
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
pkg-config \
|
|
libssl-dev \
|
|
curl \
|
|
build-essential \
|
|
ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
|
|
# Allow optional override of toolchain (e.g., nightly or a pinned version). Leave empty to use image default.
|
|
ARG RUSTUP_TOOLCHAIN=
|
|
|
|
# Use rustup and cargo from the official Rust image location
|
|
ENV PATH="/usr/local/cargo/bin:${PATH}"
|
|
|
|
# Copy manifest files first to leverage Docker layer caching for dependencies
|
|
COPY Cargo.toml Cargo.lock rust-toolchain.toml ./
|
|
|
|
# Ensure the pinned toolchain from rust-toolchain.toml (or provided ARG) is installed only if missing
|
|
RUN set -eux; \
|
|
if [ -n "${RUSTUP_TOOLCHAIN}" ]; then \
|
|
if ! rustup toolchain list | grep -q "^${RUSTUP_TOOLCHAIN}"; then \
|
|
rustup toolchain install "${RUSTUP_TOOLCHAIN}"; \
|
|
fi; \
|
|
rustup default "${RUSTUP_TOOLCHAIN}"; \
|
|
else \
|
|
if [ -f rust-toolchain.toml ]; then \
|
|
TOOLCHAIN=$(sed -n 's/^channel *= *"\(.*\)"/\1/p' rust-toolchain.toml | head -n1); \
|
|
if [ -n "$TOOLCHAIN" ]; then \
|
|
if ! rustup toolchain list | grep -q "^$TOOLCHAIN"; then \
|
|
rustup toolchain install "$TOOLCHAIN"; \
|
|
fi; \
|
|
rustup default "$TOOLCHAIN"; \
|
|
fi; \
|
|
fi; \
|
|
fi; \
|
|
rustup show active-toolchain || true
|
|
|
|
# Create a dummy src to allow cargo to download dependencies into the cache layer
|
|
RUN mkdir -p src && echo "fn main() { println!(\"cargo cache build\"); }" > src/main.rs
|
|
|
|
# Warm up dependency caches without compiling a dummy binary
|
|
RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
|
|
--mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
|
|
cargo fetch
|
|
|
|
|
|
# Remove dummy main.rs before copying the real source
|
|
RUN rm -f src/main.rs
|
|
COPY src ./src
|
|
# Build the real binary
|
|
RUN cargo build --release --locked
|
|
|
|
# --- Stage 2: Final, small image ---
|
|
|
|
FROM debian:bookworm-slim
|
|
# Install only necessary runtime dependencies (no upgrade, just ca-certificates)
|
|
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
|
|
|
|
# Add a non-root user for security
|
|
RUN useradd --system --uid 10001 --no-create-home --shell /usr/sbin/nologin appuser
|
|
|
|
# Copy the compiled binary from the builder stage
|
|
|
|
COPY --from=builder /usr/src/app/target/release/rust-engine /usr/local/bin/rust-engine
|
|
|
|
# Create writable storage and logs directories for appuser
|
|
RUN chown appuser:appuser /usr/local/bin/rust-engine \
|
|
&& mkdir -p /var/log /app/storage /app/demo-data \
|
|
&& touch /var/log/astra-errors.log \
|
|
&& chown -R appuser:appuser /var/log /app
|
|
|
|
# Set working directory to a writable location
|
|
WORKDIR /app
|
|
|
|
# Switch to non-root user
|
|
USER appuser
|
|
|
|
EXPOSE 8000
|
|
# Redirect all output to /var/log/astra-errors.log for easy monitoring
|
|
ENTRYPOINT ["/bin/sh", "-c", "/usr/local/bin/rust-engine >> /var/log/astra-errors.log 2>&1"] |