	Container building changes (#3958)
* WIP: Container building changes * Small updates - Updated to rust 1.73.0 - Updated crates - Updated documentation - Added a bake.sh script to make baking easier * Update GitHub Actions Workflow - Updated workflow to use qemu and buildx bake In the future I would like to extract the alpine based binaries and add them as artifacts to the release. * Address review remarks and small updates - Addressed review remarks - Added `podman-bake.sh` script to build Vaultwarden with podman - Updated README - Updated crates - Added `VW_VERSION` support - Added annotations - Updated web-vault to v2023.9.1
					committed by
					
						 GitHub
						GitHub
					
				
			
			
				
	
			
			
			
						parent
						
							cb4b683dcd
						
					
				
				
					commit
					d722328f05
				
			
							
								
								
									
										37
									
								
								.github/workflows/build.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										37
									
								
								.github/workflows/build.yml
									
									
									
									
										vendored
									
									
								
							| @@ -12,6 +12,7 @@ on: | ||||
|       - "rustfmt.toml" | ||||
|       - "diesel.toml" | ||||
|       - "docker/Dockerfile.j2" | ||||
|       - "docker/DockerSettings.yaml" | ||||
|   pull_request: | ||||
|     paths: | ||||
|       - ".github/workflows/build.yml" | ||||
| @@ -23,6 +24,7 @@ on: | ||||
|       - "rustfmt.toml" | ||||
|       - "diesel.toml" | ||||
|       - "docker/Dockerfile.j2" | ||||
|       - "docker/DockerSettings.yaml" | ||||
|  | ||||
| jobs: | ||||
|   build: | ||||
| @@ -32,7 +34,6 @@ jobs: | ||||
|     # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes. | ||||
|     env: | ||||
|       RUSTFLAGS: "-D warnings" | ||||
|       CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse | ||||
|     strategy: | ||||
|       fail-fast: false | ||||
|       matrix: | ||||
| @@ -113,46 +114,46 @@ jobs: | ||||
|           prefix-key: "v2023.07-rust" | ||||
|       # End Enable Rust Caching | ||||
|  | ||||
|       # Run cargo tests (In release mode to speed up future builds) | ||||
|       # Run cargo tests | ||||
|       # First test all features together, afterwards test them separately. | ||||
|       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc" | ||||
|         id: test_sqlite_mysql_postgresql_mimalloc | ||||
|         if: $${{ always() }} | ||||
|         run: | | ||||
|           cargo test --release --features sqlite,mysql,postgresql,enable_mimalloc | ||||
|           cargo test --features sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
|       - name: "test features: sqlite,mysql,postgresql" | ||||
|         id: test_sqlite_mysql_postgresql | ||||
|         if: $${{ always() }} | ||||
|         run: | | ||||
|           cargo test --release --features sqlite,mysql,postgresql | ||||
|           cargo test --features sqlite,mysql,postgresql | ||||
|  | ||||
|       - name: "test features: sqlite" | ||||
|         id: test_sqlite | ||||
|         if: $${{ always() }} | ||||
|         run: | | ||||
|           cargo test --release --features sqlite | ||||
|           cargo test --features sqlite | ||||
|  | ||||
|       - name: "test features: mysql" | ||||
|         id: test_mysql | ||||
|         if: $${{ always() }} | ||||
|         run: | | ||||
|           cargo test --release --features mysql | ||||
|           cargo test --features mysql | ||||
|  | ||||
|       - name: "test features: postgresql" | ||||
|         id: test_postgresql | ||||
|         if: $${{ always() }} | ||||
|         run: | | ||||
|           cargo test --release --features postgresql | ||||
|           cargo test --features postgresql | ||||
|       # End Run cargo tests | ||||
|  | ||||
|  | ||||
|       # Run cargo clippy, and fail on warnings (In release mode to speed up future builds) | ||||
|       # Run cargo clippy, and fail on warnings | ||||
|       - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc" | ||||
|         id: clippy | ||||
|         if: ${{ always() && matrix.channel == 'rust-toolchain' }} | ||||
|         run: | | ||||
|           cargo clippy --release --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings | ||||
|           cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings | ||||
|       # End Run cargo clippy | ||||
|  | ||||
|  | ||||
| @@ -194,21 +195,3 @@ jobs: | ||||
|         run: | | ||||
|           echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "" >> $GITHUB_STEP_SUMMARY | ||||
|  | ||||
|  | ||||
|       # Build the binary to upload to the artifacts | ||||
|       - name: "build features: sqlite,mysql,postgresql" | ||||
|         if: ${{ matrix.channel == 'rust-toolchain' }} | ||||
|         run: | | ||||
|           cargo build --release --features sqlite,mysql,postgresql | ||||
|       # End Build the binary | ||||
|  | ||||
|  | ||||
|       # Upload artifact to Github Actions | ||||
|       - name: "Upload artifact" | ||||
|         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | ||||
|         if: ${{ matrix.channel == 'rust-toolchain' }} | ||||
|         with: | ||||
|           name: vaultwarden | ||||
|           path: target/release/vaultwarden | ||||
|       # End Upload artifact to Github Actions | ||||
|   | ||||
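Review bot: The test steps kept in the large hunk (the `if: $${{ always() }}` line before each `cargo test`) still run after a cancellation, because `always()` is true even when the job has been cancelled; `if: ${{ !cancelled() }}` keeps the intent of running every feature set even when an earlier one fails, without ignoring a cancel. The doubled `$` in `$${{ always() }}` also looks like a stray character rather than a deliberate escape — it may be an artifact of this page's rendering, but if it is in the file it is worth checking what the condition actually evaluates to, since the clippy step below uses the plain `${{ ... }}` form. The job body continues outside the hunk.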
							
								
								
									
										3
									
								
								.github/workflows/hadolint.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										3
									
								
								.github/workflows/hadolint.yml
									
									
									
									
										vendored
									
									
								
							| @@ -16,7 +16,6 @@ jobs: | ||||
|         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | ||||
|       # End Checkout the repo | ||||
|  | ||||
|  | ||||
|       # Download hadolint - https://github.com/hadolint/hadolint/releases | ||||
|       - name: Download hadolint | ||||
|         shell: bash | ||||
| @@ -30,5 +29,5 @@ jobs: | ||||
|       # Test Dockerfiles | ||||
|       - name: Run hadolint | ||||
|         shell: bash | ||||
|         run:  git ls-files --exclude='docker/*/Dockerfile*' --ignored --cached | xargs hadolint | ||||
|         run: hadolint docker/Dockerfile.{debian,alpine} | ||||
|       # End Test Dockerfiles | ||||
|   | ||||
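Review bot: The hadolint binary invoked by the new `run: hadolint docker/Dockerfile.{debian,alpine}` line is fetched by the `Download hadolint` step whose body lies outside this hunk; unless that step verifies the download against a pinned SHA-256 (or pins a release digest), a swapped release asset would run with the workflow's permissions, so it is worth confirming and, if absent, adding a `sha256sum -c` check before the `Run hadolint` step. The brace expansion in the new `run:` line relies on bash, which is fine here because `shell: bash` is set on the step, but a reader may wonder why the two files are named explicitly instead of globbed — a comment such as `# Dockerfile.j2 is the Jinja2 template and cannot be linted directly; lint the generated files` would make that clear.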
							
								
								
									
										205
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										205
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -6,7 +6,6 @@ on: | ||||
|       - ".github/workflows/release.yml" | ||||
|       - "src/**" | ||||
|       - "migrations/**" | ||||
|       - "hooks/**" | ||||
|       - "docker/**" | ||||
|       - "Cargo.*" | ||||
|       - "build.rs" | ||||
| @@ -15,6 +14,7 @@ on: | ||||
|  | ||||
|     branches: # Only on paths above | ||||
|       - main | ||||
|       - release-build-revision | ||||
|  | ||||
|     tags: # Always, regardless of paths above | ||||
|       - '*' | ||||
| @@ -35,23 +35,20 @@ jobs: | ||||
|         with: | ||||
|           cancel_others: 'true' | ||||
|         # Only run this when not creating a tag | ||||
|         if: ${{ startsWith(github.ref, 'refs/heads/') }} | ||||
|         if: ${{ github.ref_type == 'branch' }} | ||||
|  | ||||
|   docker-build: | ||||
|     runs-on: ubuntu-22.04 | ||||
|     timeout-minutes: 120 | ||||
|     needs: skip_check | ||||
|     # Start a local docker registry to be used to generate multi-arch images. | ||||
|     services: | ||||
|       registry: | ||||
|         image: registry:2 | ||||
|         ports: | ||||
|           - 5000:5000 | ||||
|     if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} | ||||
|     # TODO: Start a local docker registry to be used to extract the final Alpine static build images | ||||
|     # services: | ||||
|     #   registry: | ||||
|     #     image: registry:2 | ||||
|     #     ports: | ||||
|     #       - 5000:5000 | ||||
|     env: | ||||
|       # Use BuildKit (https://docs.docker.com/build/buildkit/) for better | ||||
|       # build performance and the ability to copy extended file attributes | ||||
|       # (e.g., for executable capabilities) across build phases. | ||||
|       DOCKER_BUILDKIT: 1 | ||||
|       SOURCE_COMMIT: ${{ github.sha }} | ||||
|       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}" | ||||
|       # The *_REPO variables need to be configured as repository variables | ||||
| @@ -65,7 +62,6 @@ jobs: | ||||
|       # QUAY_REPO needs to be 'quay.io/<user>/<repo>' | ||||
|       # Check for Quay.io credentials in secrets | ||||
|       HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }} | ||||
|     if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} | ||||
|     strategy: | ||||
|       matrix: | ||||
|         base_image: ["debian","alpine"] | ||||
| @@ -77,18 +73,43 @@ jobs: | ||||
|         with: | ||||
|           fetch-depth: 0 | ||||
|  | ||||
|       # Determine Docker Tag | ||||
|       - name: Init Variables | ||||
|         id: vars | ||||
|       - name: Initialize QEMU binfmt support | ||||
|         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | ||||
|         with: | ||||
|           platforms: "arm64,arm" | ||||
|  | ||||
|       # Start Docker Buildx | ||||
|       - name: Setup Docker Buildx | ||||
|         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | ||||
|         # https://github.com/moby/buildkit/issues/3969 | ||||
|         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions | ||||
|         with: | ||||
|           config-inline: | | ||||
|             [worker.oci] | ||||
|               max-parallelism = 2 | ||||
|           driver-opts: | | ||||
|             network=host | ||||
|  | ||||
|       # Determine Base Tags and Source Version | ||||
|       - name: Determine Base Tags and Source Version | ||||
|         shell: bash | ||||
|         run: | | ||||
|           # Check which main tag we are going to build determined by github.ref | ||||
|           if [[ "${{ github.ref }}" == refs/tags/* ]]; then | ||||
|             echo "DOCKER_TAG=${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_OUTPUT}" | ||||
|           elif [[ "${{ github.ref }}" == refs/heads/* ]]; then | ||||
|             echo "DOCKER_TAG=testing" | tee -a "${GITHUB_OUTPUT}" | ||||
|           # Check which main tag we are going to build determined by github.ref_type | ||||
|           if [[ "${{ github.ref_type }}" == "tag" ]]; then | ||||
|             echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}" | ||||
|           elif [[ "${{ github.ref_type }}" == "branch" ]]; then | ||||
|             echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}" | ||||
|           fi | ||||
|       # End Determine Docker Tag | ||||
|  | ||||
|           # Get the Source Version for this release | ||||
|           GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)" | ||||
|           if [[ -n "${GIT_EXACT_TAG}" ]]; then | ||||
|               echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}" | ||||
|           else | ||||
|               GIT_LAST_TAG="$(git describe --tags --abbrev=0)" | ||||
|               echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}" | ||||
|           fi | ||||
|       # End Determine Base Tags | ||||
|  | ||||
|       # Login to Docker Hub | ||||
|       - name: Login to Docker Hub | ||||
| @@ -98,6 +119,12 @@ jobs: | ||||
|           password: ${{ secrets.DOCKERHUB_TOKEN }} | ||||
|         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||
|  | ||||
|       - name: Add registry for DockerHub | ||||
|         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||
|         shell: bash | ||||
|         run: | | ||||
|           echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}" | ||||
|  | ||||
|       # Login to GitHub Container Registry | ||||
|       - name: Login to GitHub Container Registry | ||||
|         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||||
| @@ -107,6 +134,12 @@ jobs: | ||||
|           password: ${{ secrets.GITHUB_TOKEN }} | ||||
|         if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} | ||||
|  | ||||
|       - name: Add registry for ghcr.io | ||||
|         if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} | ||||
|         shell: bash | ||||
|         run: | | ||||
|           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}" | ||||
|  | ||||
|       # Login to Quay.io | ||||
|       - name: Login to Quay.io | ||||
|         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||||
| @@ -116,120 +149,22 @@ jobs: | ||||
|           password: ${{ secrets.QUAY_TOKEN }} | ||||
|         if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} | ||||
|  | ||||
|       # Debian | ||||
|  | ||||
|       # Docker Hub | ||||
|       - name: Build Debian based images (docker.io) | ||||
|       - name: Add registry for Quay.io | ||||
|         if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}" | ||||
|         run: | | ||||
|           ./hooks/build | ||||
|         if: ${{ matrix.base_image == 'debian' && env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||
|           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}" | ||||
|  | ||||
|       - name: Push Debian based images (docker.io) | ||||
|         shell: bash | ||||
|       - name: Bake ${{ matrix.base_image }} containers | ||||
|         uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 # v4.0.0 | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}" | ||||
|         run: | | ||||
|           ./hooks/push | ||||
|         if: ${{ matrix.base_image == 'debian' && env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||
|  | ||||
|       # GitHub Container Registry | ||||
|       - name: Build Debian based images (ghcr.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.GHCR_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}" | ||||
|         run: | | ||||
|           ./hooks/build | ||||
|         if: ${{ matrix.base_image == 'debian' && env.HAVE_GHCR_LOGIN == 'true' }} | ||||
|  | ||||
|       - name: Push Debian based images (ghcr.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.GHCR_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}" | ||||
|         run: | | ||||
|           ./hooks/push | ||||
|         if: ${{ matrix.base_image == 'debian' && env.HAVE_GHCR_LOGIN == 'true' }} | ||||
|  | ||||
|       # Quay.io | ||||
|       - name: Build Debian based images (quay.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.QUAY_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}" | ||||
|         run: | | ||||
|           ./hooks/build | ||||
|         if: ${{ matrix.base_image == 'debian' && env.HAVE_QUAY_LOGIN == 'true' }} | ||||
|  | ||||
|       - name: Push Debian based images (quay.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.QUAY_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}" | ||||
|         run: | | ||||
|           ./hooks/push | ||||
|         if: ${{ matrix.base_image == 'debian' && env.HAVE_QUAY_LOGIN == 'true' }} | ||||
|  | ||||
|       # Alpine | ||||
|  | ||||
|       # Docker Hub | ||||
|       - name: Build Alpine based images (docker.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine" | ||||
|         run: | | ||||
|           ./hooks/build | ||||
|         if: ${{ matrix.base_image == 'alpine' && env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||
|  | ||||
|       - name: Push Alpine based images (docker.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine" | ||||
|         run: | | ||||
|           ./hooks/push | ||||
|         if: ${{ matrix.base_image == 'alpine' && env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||
|  | ||||
|       # GitHub Container Registry | ||||
|       - name: Build Alpine based images (ghcr.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.GHCR_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine" | ||||
|         run: | | ||||
|           ./hooks/build | ||||
|         if: ${{ matrix.base_image == 'alpine' && env.HAVE_GHCR_LOGIN == 'true' }} | ||||
|  | ||||
|       - name: Push Alpine based images (ghcr.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.GHCR_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine" | ||||
|         run: | | ||||
|           ./hooks/push | ||||
|         if: ${{ matrix.base_image == 'alpine' && env.HAVE_GHCR_LOGIN == 'true' }} | ||||
|  | ||||
|       # Quay.io | ||||
|       - name: Build Alpine based images (quay.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.QUAY_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine" | ||||
|         run: | | ||||
|           ./hooks/build | ||||
|         if: ${{ matrix.base_image == 'alpine' && env.HAVE_QUAY_LOGIN == 'true' }} | ||||
|  | ||||
|       - name: Push Alpine based images (quay.io) | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKER_REPO: "${{ vars.QUAY_REPO }}" | ||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine" | ||||
|         run: | | ||||
|           ./hooks/push | ||||
|         if: ${{ matrix.base_image == 'alpine' && env.HAVE_QUAY_LOGIN == 'true' }} | ||||
|           BASE_TAGS: "${{ env.BASE_TAGS }}" | ||||
|           SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}" | ||||
|           SOURCE_VERSION: "${{ env.SOURCE_VERSION }}" | ||||
|           SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}" | ||||
|           CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}" | ||||
|         with: | ||||
|           pull: true | ||||
|           push: true | ||||
|           files: docker/docker-bake.hcl | ||||
|           targets: "${{ matrix.base_image }}-multi" | ||||
|   | ||||
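Review bot: The added `- release-build-revision` entry under `branches:` looks like a leftover from testing this change; with the new `BASE_TAGS` logic (`BASE_TAGS=testing` for any branch ref) and `push: true` on the bake step, every push to that branch would publish images tagged `testing` to each configured registry. Unless that branch is intended to remain a permanent publishing branch, drop the entry before merging. Separately, the bake step has no `if:` of its own, so when none of the `HAVE_*_LOGIN` conditions holds `CONTAINER_REGISTRIES` stays empty and the step still runs with `push: true`; depending on how `docker/docker-bake.hcl` treats an empty registry list (not visible here), an `if: ${{ env.CONTAINER_REGISTRIES != '' }}` on the bake step may be the safer guard.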
| @@ -1,10 +1,12 @@ | ||||
| ignored: | ||||
|   # To prevent issues and make clear some images only work on linux/amd64, we ignore this | ||||
|   - DL3029 | ||||
|   # disable explicit version for apt install | ||||
|   - DL3008 | ||||
|   # disable explicit version for apk install | ||||
|   - DL3018 | ||||
|   # disable check for consecutive `RUN` instructions | ||||
|   - DL3059 | ||||
|   # Ignore shellcheck info message | ||||
|   - SC1091 | ||||
| trustedRegistries: | ||||
|   - docker.io | ||||
|   - ghcr.io | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| --- | ||||
| repos: | ||||
| -   repo: https://github.com/pre-commit/pre-commit-hooks | ||||
|     rev: v4.4.0 | ||||
|     rev: v4.5.0 | ||||
|     hooks: | ||||
|     - id: check-yaml | ||||
|     - id: check-json | ||||
|   | ||||
							
								
								
									
										805
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										805
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							
							
								
								
									
										60
									
								
								Cargo.toml
									
									
									
									
									
								
							
							
						
						
									
										60
									
								
								Cargo.toml
									
									
									
									
									
								
							| @@ -3,7 +3,7 @@ name = "vaultwarden" | ||||
| version = "1.0.0" | ||||
| authors = ["Daniel García <dani-garcia@users.noreply.github.com>"] | ||||
| edition = "2021" | ||||
| rust-version = "1.70.0" | ||||
| rust-version = "1.71.1" | ||||
| resolver = "2" | ||||
|  | ||||
| repository = "https://github.com/dani-garcia/vaultwarden" | ||||
| @@ -42,7 +42,7 @@ syslog = "6.1.0" | ||||
| # Logging | ||||
| log = "0.4.20" | ||||
| fern = { version = "0.6.2", features = ["syslog-6", "reopen-1"] } | ||||
| tracing = { version = "0.1.37", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work | ||||
| tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work | ||||
|  | ||||
| # A `dotenv` implementation for Rust | ||||
| dotenvy = { version = "0.15.7", default-features = false } | ||||
| @@ -51,8 +51,8 @@ dotenvy = { version = "0.15.7", default-features = false } | ||||
| once_cell = "1.18.0" | ||||
|  | ||||
| # Numerical libraries | ||||
| num-traits = "0.2.16" | ||||
| num-derive = "0.4.0" | ||||
| num-traits = "0.2.17" | ||||
| num-derive = "0.4.1" | ||||
|  | ||||
| # Web framework | ||||
| rocket = { version = "0.5.0-rc.3", features = ["tls", "json"], default-features = false } | ||||
| @@ -68,14 +68,14 @@ dashmap = "5.5.3" | ||||
|  | ||||
| # Async futures | ||||
| futures = "0.3.28" | ||||
| tokio = { version = "1.32.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] } | ||||
| tokio = { version = "1.33.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] } | ||||
|  | ||||
| # A generic serialization/deserialization framework | ||||
| serde = { version = "1.0.188", features = ["derive"] } | ||||
| serde_json = "1.0.105" | ||||
| serde = { version = "1.0.189", features = ["derive"] } | ||||
| serde_json = "1.0.107" | ||||
|  | ||||
| # A safe, extensible ORM and Query builder | ||||
| diesel = { version = "2.1.1", features = ["chrono", "r2d2"] } | ||||
| diesel = { version = "2.1.3", features = ["chrono", "r2d2"] } | ||||
| diesel_migrations = "2.1.0" | ||||
| diesel_logger = { version = "0.3.0", optional = true } | ||||
|  | ||||
| @@ -84,15 +84,15 @@ libsqlite3-sys = { version = "0.26.0", features = ["bundled"], optional = true } | ||||
|  | ||||
| # Crypto-related libraries | ||||
| rand = { version = "0.8.5", features = ["small_rng"] } | ||||
| ring = "0.16.20" | ||||
| ring = "0.17.5" | ||||
|  | ||||
| # UUID generation | ||||
| uuid = { version = "1.4.1", features = ["v4"] } | ||||
| uuid = { version = "1.5.0", features = ["v4"] } | ||||
|  | ||||
| # Date and time libraries | ||||
| chrono = { version = "0.4.28", features = ["clock", "serde"], default-features = false } | ||||
| chrono = { version = "0.4.31", features = ["clock", "serde"], default-features = false } | ||||
| chrono-tz = "0.8.3" | ||||
| time = "0.3.28" | ||||
| time = "0.3.30" | ||||
|  | ||||
| # Job scheduler | ||||
| job_scheduler_ng = "2.0.4" | ||||
| @@ -101,7 +101,7 @@ job_scheduler_ng = "2.0.4" | ||||
| data-encoding = "2.4.0" | ||||
|  | ||||
| # JWT library | ||||
| jsonwebtoken = "8.3.0" | ||||
| jsonwebtoken = "9.0.0" | ||||
|  | ||||
| # TOTP library | ||||
| totp-lite = "2.0.0" | ||||
| @@ -116,24 +116,24 @@ webauthn-rs = "0.3.2" | ||||
| url = "2.4.1" | ||||
|  | ||||
| # Email libraries | ||||
| lettre = { version = "0.10.4", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false } | ||||
| lettre = { version = "0.11.0", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false } | ||||
| percent-encoding = "2.3.0" # URL encoding library used for URL's in the emails | ||||
| email_address = "0.2.4" | ||||
|  | ||||
| # HTML Template library | ||||
| handlebars = { version = "4.3.7", features = ["dir_source"] } | ||||
| handlebars = { version = "4.4.0", features = ["dir_source"] } | ||||
|  | ||||
| # HTTP client (Used for favicons, version check, DUO and HIBP API) | ||||
| reqwest = { version = "0.11.20", features = ["stream", "json", "deflate", "gzip", "brotli", "socks", "cookies", "trust-dns", "native-tls-alpn"] } | ||||
| reqwest = { version = "0.11.22", features = ["stream", "json", "deflate", "gzip", "brotli", "socks", "cookies", "trust-dns", "native-tls-alpn"] } | ||||
|  | ||||
| # Favicon extraction libraries | ||||
| html5gum = "0.5.7" | ||||
| regex = { version = "1.9.4", features = ["std", "perf", "unicode-perl"], default-features = false } | ||||
| regex = { version = "1.10.2", features = ["std", "perf", "unicode-perl"], default-features = false } | ||||
| data-url = "0.3.0" | ||||
| bytes = "1.4.0" | ||||
| bytes = "1.5.0" | ||||
|  | ||||
| # Cache function results (Used for version check and favicon fetching) | ||||
| cached = "0.44.0" | ||||
| cached = { version = "0.46.0", features = ["async"] } | ||||
|  | ||||
| # Used for custom short lived cookie jar during favicon extraction | ||||
| cookie = "0.16.2" | ||||
| @@ -141,6 +141,9 @@ cookie_store = "0.19.1" | ||||
|  | ||||
| # Used by U2F, JWT and PostgreSQL | ||||
| openssl = "0.10.57" | ||||
| # Set openssl-sys fixed to v0.9.92 to prevent building issues with musl, arm and 32bit pointer width | ||||
| # It will force add a dynamically linked library which prevents the build from being static | ||||
| openssl-sys = "=0.9.92" | ||||
|  | ||||
| # CLI argument parsing | ||||
| pico-args = "0.5.0" | ||||
| @@ -150,34 +153,37 @@ paste = "1.0.14" | ||||
| governor = "0.6.0" | ||||
|  | ||||
| # Check client versions for specific features. | ||||
| semver = "1.0.18" | ||||
| semver = "1.0.20" | ||||
|  | ||||
| # Allow overriding the default memory allocator | ||||
| # Mainly used for the musl builds, since the default musl malloc is very slow | ||||
| mimalloc = { version = "0.1.38", features = ["secure"], default-features = false, optional = true } | ||||
| which = "4.4.0" | ||||
| mimalloc = { version = "0.1.39", features = ["secure"], default-features = false, optional = true } | ||||
| which = "5.0.0" | ||||
|  | ||||
| # Argon2 library with support for the PHC format | ||||
| argon2 = "0.5.1" | ||||
| argon2 = "0.5.2" | ||||
|  | ||||
| # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN | ||||
| rpassword = "7.2.0" | ||||
|  | ||||
|  | ||||
| [patch.crates-io] | ||||
| rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'ce441b5f46fdf5cd99cb32b8b8638835e4c2a5fa' } # v0.5 branch | ||||
| # rocket_ws = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'ce441b5f46fdf5cd99cb32b8b8638835e4c2a5fa' } # v0.5 branch | ||||
|  | ||||
|  | ||||
| # Strip debuginfo from the release builds | ||||
| # Also enable thin LTO for some optimizations | ||||
| [profile.release] | ||||
| strip = "debuginfo" | ||||
| lto = "thin" | ||||
|  | ||||
| # Always build argon2 using opt-level 3 | ||||
| # This is a huge speed improvement during testing | ||||
| [profile.dev.package.argon2] | ||||
| opt-level = 3 | ||||
|  | ||||
| # A little bit of a speedup | ||||
| [profile.dev] | ||||
| split-debuginfo = "unpacked" | ||||
|  | ||||
| # Always build argon2 using opt-level 3 | ||||
| # This is a huge speed improvement during testing | ||||
| [profile.dev.package.argon2] | ||||
| opt-level = 3 | ||||
|   | ||||
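Review bot: The comment above the new `openssl-sys = "=0.9.92"` pin is ambiguous about what "It" refers to: as written it reads as if the pinned version adds the dynamically linked library, whereas the pin is presumably there because later versions do. Suggest `# Pin openssl-sys to 0.9.92: newer releases pull in a dynamically linked library, which breaks the static musl, arm and 32-bit builds`. An exact `=` pin also freezes the bindings crate for anyone building from this Cargo.toml and will silently skip future openssl-sys fixes, so recording the upstream issue or a TODO next to the pin would help ensure it is revisited.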
| @@ -1 +1 @@ | ||||
| docker/amd64/Dockerfile | ||||
| docker/Dockerfile.debian | ||||
							
								
								
									
										28
									
								
								docker/DockerSettings.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										28
									
								
								docker/DockerSettings.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,28 @@ | ||||
| --- | ||||
| vault_version: "v2023.9.1" | ||||
| vault_image_digest: "sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd" | ||||
| # Cross Compile Docker Helper Scripts v1.3.0 | ||||
| # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts | ||||
| xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc" | ||||
| rust_version: 1.73.0 # Rust version to be used | ||||
| debian_version: bookworm # Debian release name to be used | ||||
| alpine_version: 3.18 # Alpine version to be used | ||||
| # For which platforms/architectures will we try to build images | ||||
| platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"] | ||||
| # Determine the build images per OS/Arch | ||||
| build_stage_image: | ||||
|   debian: | ||||
|     image: "docker.io/library/rust:{{rust_version}}-slim-{{debian_version}}" | ||||
|     platform: "$BUILDPLATFORM" | ||||
|   alpine: | ||||
|     image: "build_${TARGETARCH}${TARGETVARIANT}" | ||||
|     platform: "linux/amd64" # The Alpine build images only have linux/amd64 images | ||||
|     arch_image: | ||||
|       amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}" | ||||
|       arm64: "ghcr.io/blackdex/rust-musl:aarch64-musl-stable-{{rust_version}}" | ||||
|       armv7: "ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-{{rust_version}}" | ||||
|       armv6: "ghcr.io/blackdex/rust-musl:arm-musleabi-stable-{{rust_version}}" | ||||
| # The final image which will be used to distribute the container images | ||||
| runtime_stage_image: | ||||
|   debian: "docker.io/library/debian:{{debian_version}}-slim" | ||||
|   alpine: "docker.io/library/alpine:{{alpine_version}}" | ||||
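Review bot: `alpine_version: 3.18` is an unquoted scalar that a YAML loader reads as the float 3.18 rather than the string "3.18"; it happens to render back identically today, but a future value such as `3.20` would become `3.2` and the generated `docker.io/library/alpine:{{alpine_version}}` tag would silently point at the wrong release. Quote it as `alpine_version: "3.18"`, and for consistency `rust_version: "1.73.0"` (already a string because it has two dots, but quoting makes the intent explicit, matching the quoted `vault_version` above).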
							
								
								
									
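--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@@ -0,0 +1,160 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make`
+# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine`
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull docker.io/vaultwarden/web-vault:v2023.9.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.9.1
+#     [docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd
+#     [docker.io/vaultwarden/web-vault:v2023.9.1]
+#
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd as vault
+
+########################## ALPINE BUILD IMAGES ##########################
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
+## And for Alpine we define all build images here, they will only be loaded when actually used
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.73.0 as build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.73.0 as build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.73.0 as build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.73.0 as build_armv6
+
+########################## BUILD IMAGE ##########################
+# hadolint ignore=DL3006
+FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} as build
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG TARGETPLATFORM
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root" \
+    # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
+    # Debian Bookworm already contains libpq v15
+    PQ_LIB_DIR="/usr/local/musl/pq15/lib"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Shared variables across Debian and Alpine
+RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \
+    # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic
+    if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \
+    # Output the current contents of the file
+    cat /env-cargo
+
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+RUN source /env-cargo && \
+    rustup target add "${CARGO_TARGET}"
+
+ARG CARGO_PROFILE=release
+ARG VW_VERSION
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain.toml ./rust-toolchain.toml
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN source /env-cargo && \
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Builds again, this time it will be the actual source files being build
+RUN source /env-cargo && \
+    # Make sure that we actually build the project by updating the src/main.rs timestamp
+    touch src/main.rs && \
+    # Create a symlink to the binary target folder to easy copy the binary in the final stage
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
+        ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
+    else \
+        ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \
+    fi
+
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+#
+# To build these images you need to have qemu binfmt support.
+# See the following pages to help install these tools locally
+# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation
+# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64
+#
+# Or use a Docker image which modifies your host system to support this.
+# The GitHub Actions Workflow uses the same image as used below.
+# See: https://github.com/tonistiigi/binfmt
+# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+#
+# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.18
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    SSL_CERT_DIR=/etc/ssl/certs
+
+# Create data folder and Install needed libraries
+RUN mkdir /data && \
+    apk --no-cache add \
+        ca-certificates \
+        curl \
+        openssl \
+        tzdata
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/final/vaultwarden .
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]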
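Review bot: The runtime base `docker.io/library/alpine:3.18` in the final FROM, and the four `ghcr.io/blackdex/rust-musl:*-stable-1.73.0` build images in the ALPINE BUILD IMAGES block, are referenced by mutable tag only, while the web-vault stage in the same file is pinned by digest precisely because a tag can later be repointed to a different image. The same applies to `rust:1.73.0-slim-bookworm` and `debian:bookworm-slim` in docker/Dockerfile.debian, where only the `tonistiigi/xx` stage is digest-pinned. Because both files are generated, the change belongs in the `image`/`arch_image` templates of `DockerSettings.yaml`, e.g. `alpine: "docker.io/library/alpine:{{alpine_version}}@sha256:<DIGEST-PLACEHOLDER>"`, with the digest refreshed whenever the version variable is bumped; if tag-only references are a deliberate trade-off to pick up rebuilt base images automatically, a one-line comment next to the web-vault rationale would keep it from reading as an oversight. Separately, `other platforms then linux/amd64` in the ALPINE BUILD IMAGES note should read `other platforms than linux/amd64`.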
| @@ -1,34 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
| # The cross-built images have the build arch (`amd64`) embedded in the image | ||||
| # manifest, rather than the target arch. For example: | ||||
| # | ||||
| #   $ docker inspect vaultwarden/server:latest-armv7 | jq -r '.[]|.Architecture' | ||||
| #   amd64 | ||||
| # | ||||
| # Recent versions of Docker have started printing a warning when the image's | ||||
| # claimed arch doesn't match the host arch. For example: | ||||
| # | ||||
| #   WARNING: The requested image's platform (linux/amd64) does not match the | ||||
| #   detected host platform (linux/arm/v7) and no specific platform was requested | ||||
| # | ||||
| # The image still works fine, but the spurious warning creates confusion. | ||||
| # | ||||
| # Docker doesn't seem to provide a way to directly set the arch of an image | ||||
| # at build time. To resolve the build vs. target arch discrepancy, we use | ||||
| # Docker Buildx to build a new set of images with the correct target arch. | ||||
| # | ||||
| # Docker Buildx uses this Dockerfile to build an image for each requested | ||||
| # platform. Since the Dockerfile basically consists of a single `FROM` | ||||
| # instruction, we're effectively telling Buildx to build a platform-specific | ||||
| # image by simply copying the existing cross-built image and setting the | ||||
| # correct target arch as a side effect. | ||||
| # | ||||
| # References: | ||||
| # | ||||
| # - https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images | ||||
| # - https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope | ||||
| # - https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact | ||||
| # | ||||
| ARG LOCAL_REPO | ||||
| ARG DOCKER_TAG | ||||
| FROM ${LOCAL_REPO}:${DOCKER_TAG}-${TARGETARCH}${TARGETVARIANT} | ||||
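--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@@ -0,0 +1,194 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make`
+# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine`
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull docker.io/vaultwarden/web-vault:v2023.9.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.9.1
+#     [docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd
+#     [docker.io/vaultwarden/web-vault:v2023.9.1]
+#
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd as vault
+
+########################## Cross Compile Docker Helper Scripts ##########################
+## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
+## And these bash scripts do not have any significant difference if at all
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc AS xx
+
+########################## BUILD IMAGE ##########################
+# hadolint ignore=DL3006
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.73.0-slim-bookworm as build
+COPY --from=xx / /
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG TARGETPLATFORM
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+# Install clang to get `xx-cargo` working
+# Install pkg-config to allow amd64 builds to find all libraries
+# Install git so build.rs can determine the correct version
+# Install the libc cross packages based upon the debian-arch
+RUN apt-get update && \
+    apt-get install -y \
+        --no-install-recommends \
+        clang \
+        pkg-config \
+        git \
+        "libc6-$(xx-info debian-arch)-cross" \
+        "libc6-dev-$(xx-info debian-arch)-cross" \
+        "linux-libc-dev-$(xx-info debian-arch)-cross" && \
+    # Run xx-cargo early, since it sometimes seems to break when run at a later stage
+    echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
+
+RUN xx-apt-get install -y \
+        --no-install-recommends \
+        gcc \
+        libmariadb3 \
+        libpq-dev \
+        libpq5 \
+        libssl-dev && \
+    # Force install arch dependend mariadb dev packages
+    # Installing them the normal way breaks several other packages (again)
+    apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \
+    dpkg --force-all -i ./libmariadb-dev*.deb
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Environment variables for cargo across Debian and Alpine
+RUN source /env-cargo && \
+    if xx-info is-cross ; then \
+        # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
+        # Because of this we generate the needed environment variables here which we can load in the needed steps.
+        echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \
+        echo "export CROSS_COMPILE=1" >> /env-cargo && \
+        echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \
+        echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \
+    fi && \
+    # Output the current contents of the file
+    cat /env-cargo
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+RUN source /env-cargo && \
+    rustup target add "${CARGO_TARGET}"
+
+ARG CARGO_PROFILE=release
+ARG VW_VERSION
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain.toml ./rust-toolchain.toml
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN source /env-cargo && \
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Builds again, this time it will be the actual source files being build
+RUN source /env-cargo && \
+    # Make sure that we actually build the project by updating the src/main.rs timestamp
+    touch src/main.rs && \
+    # Create a symlink to the binary target folder to easy copy the binary in the final stage
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
+        ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
+    else \
+        ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \
+    fi
+
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+#
+# To build these images you need to have qemu binfmt support.
+# See the following pages to help install these tools locally
+# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation
+# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64
+#
+# Or use a Docker image which modifies your host system to support this.
+# The GitHub Actions Workflow uses the same image as used below.
+# See: https://github.com/tonistiigi/binfmt
+# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+#
+# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
+FROM --platform=$TARGETPLATFORM docker.io/library/debian:bookworm-slim
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    DEBIAN_FRONTEND=noninteractive
+
+# Create data folder and Install needed libraries
+RUN mkdir /data && \
+    apt-get update && apt-get install -y \
+        --no-install-recommends \
+        ca-certificates \
+        curl \
+        libmariadb-dev-compat \
+        libpq5 \
+        openssl && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/final/vaultwarden .
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]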
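Review bot: `dpkg --force-all -i ./libmariadb-dev*.deb` in the second build-stage RUN switches off every dpkg safety check (dependency, conflict and file-overwrite checks among others), which is broader than the stated reason — the foreign-arch mariadb dev packages breaking dependency resolution — requires. `--force-depends` (adding `--force-overwrite` only if the two packages actually collide on files) would keep the remaining checks in place; I cannot confirm from the hunk which forces are strictly needed, so this wants a test against the cross builds before changing. The comment `# Copies the files from the context (Rocket.toml file and web-vault)` above the final COPY lines is stale: no Rocket.toml is copied and web-vault comes from the `vault` stage, not the build context. The same comment appears in docker/Dockerfile.alpine, and since both files are generated it should be corrected in `Dockerfile.j2`, e.g. `# Copies the helper scripts from the context, the web-vault from the "vault" stage`.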
| @@ -1,68 +1,14 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| {% set rust_version = "1.72.0" %} | ||||
| {% set debian_version = "bookworm" %} | ||||
| {% set alpine_version = "3.17" %} | ||||
| {% set build_stage_base_image = "docker.io/library/rust:%s-%s" % (rust_version, debian_version) %} | ||||
| {% if "alpine" in target_file %} | ||||
| {%   if "amd64" in target_file %} | ||||
| {%     set build_stage_base_image = "docker.io/blackdex/rust-musl:x86_64-musl-stable-%s-openssl3" % rust_version %} | ||||
| {%     set runtime_stage_base_image = "docker.io/library/alpine:%s" % alpine_version %} | ||||
| {%     set package_arch_target = "x86_64-unknown-linux-musl" %} | ||||
| {%   elif "armv7" in target_file %} | ||||
| {%     set build_stage_base_image = "docker.io/blackdex/rust-musl:armv7-musleabihf-stable-%s-openssl3" % rust_version %} | ||||
| {%     set runtime_stage_base_image = "docker.io/balenalib/armv7hf-alpine:%s" % alpine_version %} | ||||
| {%     set package_arch_target = "armv7-unknown-linux-musleabihf" %} | ||||
| {%   elif "armv6" in target_file %} | ||||
| {%     set build_stage_base_image = "docker.io/blackdex/rust-musl:arm-musleabi-stable-%s-openssl3" % rust_version %} | ||||
| {%     set runtime_stage_base_image = "docker.io/balenalib/rpi-alpine:%s" % alpine_version %} | ||||
| {%     set package_arch_target = "arm-unknown-linux-musleabi" %} | ||||
| {%   elif "arm64" in target_file %} | ||||
| {%     set build_stage_base_image = "docker.io/blackdex/rust-musl:aarch64-musl-stable-%s-openssl3" % rust_version %} | ||||
| {%     set runtime_stage_base_image = "docker.io/balenalib/aarch64-alpine:%s" % alpine_version %} | ||||
| {%     set package_arch_target = "aarch64-unknown-linux-musl" %} | ||||
| {%   endif %} | ||||
| {% elif "amd64" in target_file %} | ||||
| {%   set runtime_stage_base_image = "docker.io/library/debian:%s-slim" % debian_version %} | ||||
| {% elif "arm64" in target_file %} | ||||
| {%   set runtime_stage_base_image = "docker.io/balenalib/aarch64-debian:%s" % debian_version %} | ||||
| {%   set package_arch_name = "arm64" %} | ||||
| {%   set package_arch_target = "aarch64-unknown-linux-gnu" %} | ||||
| {%   set package_cross_compiler = "aarch64-linux-gnu" %} | ||||
| {% elif "armv6" in target_file %} | ||||
| {%   set runtime_stage_base_image = "docker.io/balenalib/rpi-debian:%s" % debian_version %} | ||||
| {%   set package_arch_name = "armel" %} | ||||
| {%   set package_arch_target = "arm-unknown-linux-gnueabi" %} | ||||
| {%   set package_cross_compiler = "arm-linux-gnueabi" %} | ||||
| {% elif "armv7" in target_file %} | ||||
| {%   set runtime_stage_base_image = "docker.io/balenalib/armv7hf-debian:%s" % debian_version %} | ||||
| {%   set package_arch_name = "armhf" %} | ||||
| {%   set package_arch_target = "armv7-unknown-linux-gnueabihf" %} | ||||
| {%   set package_cross_compiler = "arm-linux-gnueabihf" %} | ||||
| {% endif %} | ||||
| {% if package_arch_name is defined %} | ||||
| {%   set package_arch_prefix = ":" + package_arch_name %} | ||||
| {% else %} | ||||
| {%   set package_arch_prefix = "" %} | ||||
| {% endif %} | ||||
| {% if package_arch_target is defined %} | ||||
| {%   set package_arch_target_param = " --target=" + package_arch_target %} | ||||
| {% else %} | ||||
| {%   set package_arch_target_param = "" %} | ||||
| {% endif %} | ||||
| {% if "buildkit" in target_file %} | ||||
| {%   set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %} | ||||
| {% else %} | ||||
| {%   set mount_rust_cache = "" %} | ||||
| {% endif %} | ||||
| # Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` | ||||
| # This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine` | ||||
|  | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| {% set vault_version = "v2023.8.2" %} | ||||
| {% set vault_image_digest = "sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252" %} | ||||
|  | ||||
| ####################### VAULT BUILD IMAGE ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| @@ -80,10 +26,33 @@ | ||||
| #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }} | ||||
| #     [docker.io/vaultwarden/web-vault:{{ vault_version }}] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault | ||||
| FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM {{ build_stage_base_image }} as build | ||||
| {% if base == "debian" %} | ||||
| ########################## Cross Compile Docker Helper Scripts ########################## | ||||
| ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts | ||||
| ## And these bash scripts do not have any significant difference if at all | ||||
| FROM --platform=linux/amd64 docker.io/tonistiigi/xx@{{ xx_image_digest }} AS xx | ||||
| {% elif base == "alpine" %} | ||||
| ########################## ALPINE BUILD IMAGES ########################## | ||||
| ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 | ||||
| ## And for Alpine we define all build images here, they will only be loaded when actually used | ||||
| {% for arch in build_stage_image[base].arch_image %} | ||||
| FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} as build_{{ arch }} | ||||
| {% endfor %} | ||||
| {% endif %} | ||||
|  | ||||
| ########################## BUILD IMAGE ########################## | ||||
| # hadolint ignore=DL3006 | ||||
| FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} as build | ||||
| {% if base == "debian" %} | ||||
| COPY --from=xx / / | ||||
| {% endif %} | ||||
| ARG TARGETARCH | ||||
| ARG TARGETVARIANT | ||||
| ARG TARGETPLATFORM | ||||
|  | ||||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
| @@ -91,133 +60,162 @@ ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
| {%- if base == "alpine" %} \ | ||||
|     # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
|     # Debian Bookworm already contains libpq v15 | ||||
|     PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
| {% endif %} | ||||
|  | ||||
| {% if base == "debian" %} | ||||
|  | ||||
| # Install clang to get `xx-cargo` working | ||||
| # Install pkg-config to allow amd64 builds to find all libraries | ||||
| # Install git so build.rs can determine the correct version | ||||
| # Install the libc cross packages based upon the debian-arch | ||||
| RUN apt-get update && \ | ||||
|     apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         clang \ | ||||
|         pkg-config \ | ||||
|         git \ | ||||
|         "libc6-$(xx-info debian-arch)-cross" \ | ||||
|         "libc6-dev-$(xx-info debian-arch)-cross" \ | ||||
|         "linux-libc-dev-$(xx-info debian-arch)-cross" && \ | ||||
|     # Run xx-cargo early, since it sometimes seems to break when run at a later stage | ||||
|     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo | ||||
|  | ||||
| RUN xx-apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc \ | ||||
|         libmariadb3 \ | ||||
|         libpq-dev \ | ||||
|         libpq5 \ | ||||
|         libssl-dev && \ | ||||
|     # Force install arch dependend mariadb dev packages | ||||
|     # Installing them the normal way breaks several other packages (again) | ||||
|     apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \ | ||||
|     dpkg --force-all -i ./libmariadb-dev*.deb | ||||
| {% endif %} | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| {% if "alpine" in target_file %} | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
| {%   if "armv6" in target_file %} | ||||
| # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic | ||||
| ENV RUSTFLAGS='-Clink-arg=-latomic' | ||||
| {%   endif %} | ||||
| {% elif "arm" in target_file %} | ||||
| # Install build dependencies for the {{ package_arch_name }} architecture | ||||
| RUN {{ mount_rust_cache -}} dpkg --add-architecture {{ package_arch_name }} \ | ||||
|     && apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc-{{ package_cross_compiler }} \ | ||||
|         libc6-dev{{ package_arch_prefix }} \ | ||||
|         linux-libc-dev{{ package_arch_prefix }} \ | ||||
|         libmariadb-dev{{ package_arch_prefix }} \ | ||||
|         libmariadb-dev-compat{{ package_arch_prefix }} \ | ||||
|         libmariadb3{{ package_arch_prefix }} \ | ||||
|         libpq-dev{{ package_arch_prefix }} \ | ||||
|         libpq5{{ package_arch_prefix }} \ | ||||
|         libssl-dev{{ package_arch_prefix }} \ | ||||
|     # | ||||
|     # Make sure cargo has the right target config | ||||
|     && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'linker = "{{ package_cross_compiler }}-gcc"' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> "${CARGO_HOME}/config" | ||||
|  | ||||
| # Set arm specific environment values | ||||
| ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc" \ | ||||
|     CROSS_COMPILE="1" \ | ||||
|     OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \ | ||||
|     OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}" | ||||
| {% elif "amd64" in target_file %} | ||||
| # Install build dependencies | ||||
| RUN apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         libmariadb-dev \ | ||||
|         libpq-dev | ||||
| {% endif %} | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| {% if base == "debian" %} | ||||
| # Environment variables for cargo across Debian and Alpine | ||||
| RUN source /env-cargo && \ | ||||
|     if xx-info is-cross ; then \ | ||||
|         # We can't use xx-cargo since that uses clang, which doesn't work for our libraries. | ||||
|         # Because of this we generate the needed environment variables here which we can load in the needed steps. | ||||
|         echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||
|         echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||
|         echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \ | ||||
|         echo "export CROSS_COMPILE=1" >> /env-cargo && \ | ||||
|         echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \ | ||||
|         echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \ | ||||
|     fi && \ | ||||
|     # Output the current contents of the file | ||||
|     cat /env-cargo | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
| {% elif base == "alpine" %} | ||||
| # Shared variables across Debian and Alpine | ||||
| RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \ | ||||
|     # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic | ||||
|     if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \ | ||||
|     # Output the current contents of the file | ||||
|     cat /env-cargo | ||||
|  | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
| {% endif %} | ||||
|  | ||||
| RUN source /env-cargo && \ | ||||
|     rustup target add "${CARGO_TARGET}" | ||||
|  | ||||
| ARG CARGO_PROFILE=release | ||||
| ARG VW_VERSION | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| {% if package_arch_target is defined %} | ||||
| RUN {{ mount_rust_cache -}} rustup target add {{ package_arch_target }} | ||||
| {% endif %} | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| {% if "alpine" in target_file %} | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
| {% else %} | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
| {% endif %} | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} \ | ||||
|     && find . -not -path "./target*" -delete | ||||
| RUN source /env-cargo && \ | ||||
|     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||
|     find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
| # Builds again, this time it will be the actual source files being build | ||||
| RUN source /env-cargo && \ | ||||
|     # Make sure that we actually build the project by updating the src/main.rs timestamp | ||||
|     touch src/main.rs && \ | ||||
|     # Create a symlink to the binary target folder to easy copy the binary in the final stage | ||||
|     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||
|     if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ | ||||
|         ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \ | ||||
|     else \ | ||||
|         ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \ | ||||
|     fi | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM {{ runtime_stage_base_image }} | ||||
| # | ||||
| # To build these images you need to have qemu binfmt support. | ||||
| # See the following pages to help install these tools locally | ||||
| # Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation | ||||
| # Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64 | ||||
| # | ||||
| # Or use a Docker image which modifies your host system to support this. | ||||
| # The GitHub Actions Workflow uses the same image as used below. | ||||
| # See: https://github.com/tonistiigi/binfmt | ||||
| # Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm | ||||
| # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' | ||||
| # | ||||
| # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 | ||||
| FROM --platform=$TARGETPLATFORM {{ runtime_stage_image[base] }} | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
| {%- if "alpine" in runtime_stage_base_image %} \ | ||||
| {%- if base == "debian" %} \ | ||||
|     DEBIAN_FRONTEND=noninteractive | ||||
| {% elif base == "alpine" %} \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
| {% endif %} | ||||
|  | ||||
|  | ||||
| {% if "amd64" not in target_file %} | ||||
| RUN [ "cross-build-start" ] | ||||
| {% endif %} | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
| {% if "alpine" in runtime_stage_base_image %} | ||||
|     && apk add --no-cache \ | ||||
| RUN mkdir /data && \ | ||||
| {% if base == "debian" %} | ||||
|     apt-get update && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         libmariadb-dev-compat \ | ||||
|         libpq5 \ | ||||
|         openssl && \ | ||||
|     apt-get clean && \ | ||||
|     rm -rf /var/lib/apt/lists/* | ||||
| {% elif base == "alpine" %} | ||||
|     apk --no-cache add \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
| {% else %} | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
| {% endif %} | ||||
|  | ||||
| {% if "amd64" not in target_file %} | ||||
| RUN [ "cross-build-end" ] | ||||
| {% endif %} | ||||
|  | ||||
| VOLUME /data | ||||
| @@ -227,16 +225,13 @@ EXPOSE 3012 | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| {% if package_arch_target is defined %} | ||||
| COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden . | ||||
| {% else %} | ||||
| COPY --from=build /app/target/release/vaultwarden . | ||||
| {% endif %} | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/final/vaultwarden . | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
|   | ||||
| @@ -1,15 +1,4 @@ | ||||
| OBJECTS := $(shell find ./ -mindepth 2 -name 'Dockerfile*') | ||||
|  | ||||
| all: $(OBJECTS) | ||||
|  | ||||
| %/Dockerfile: Dockerfile.j2 render_template | ||||
| 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" | ||||
|  | ||||
| %/Dockerfile.alpine: Dockerfile.j2 render_template | ||||
| 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" | ||||
|  | ||||
| %/Dockerfile.buildkit: Dockerfile.j2 render_template | ||||
| 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" | ||||
|  | ||||
| %/Dockerfile.buildkit.alpine: Dockerfile.j2 render_template | ||||
| 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" | ||||
| all: | ||||
| 	./render_template Dockerfile.j2 '{"base": "debian"}' > Dockerfile.debian | ||||
| 	./render_template Dockerfile.j2 '{"base": "alpine"}' > Dockerfile.alpine | ||||
| .PHONY: all | ||||
|   | ||||
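Review bot: A failed `./render_template` run still leaves a truncated `Dockerfile.debian` or `Dockerfile.alpine` behind, because the shell redirection opens the output file before the command runs and `all` is a prerequisite-less phony target, so make has no record that the file is bad and a later container build would consume an empty Dockerfile. The rendered files are also no longer real targets, so make cannot tell when `Dockerfile.j2` or `render_template` changed and re-renders unconditionally; harmless, but it drops the staleness tracking the old pattern rules had. Declaring the two outputs as targets of one `Dockerfile.%` pattern rule, with `$*` supplying the base name, and adding `.DELETE_ON_ERROR:` keeps the two-command behaviour while making a failed render remove its partial output.
```makefile
.DELETE_ON_ERROR:

all: Dockerfile.debian Dockerfile.alpine

Dockerfile.%: Dockerfile.j2 render_template
	./render_template Dockerfile.j2 '{"base": "$*"}' > "$@"

.PHONY: all
```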
										184
								docker/README.md
							| @@ -1,3 +1,183 @@ | ||||
| The arch-specific directory names follow the arch identifiers used by the Docker official images: | ||||
| # Vaultwarden Container Building | ||||
|  | ||||
| https://github.com/docker-library/official-images/blob/master/README.md#architectures-other-than-amd64 | ||||
| To build and release new testing and stable releases of Vaultwarden we use `docker buildx bake`.<br> | ||||
| This can be used locally by running the command yourself, but it is also used by GitHub Actions. | ||||
|  | ||||
| This makes it easier for us to test and maintain the different architectures we provide.<br> | ||||
| We also just have two Dockerfile's one for Debian and one for Alpine based images.<br> | ||||
| With just these two files we can build both Debian and Alpine images for the following platforms: | ||||
|  - amd64 (linux/amd64) | ||||
|  - arm64 (linux/arm64) | ||||
|  - armv7 (linux/arm/v7) | ||||
|  - armv6 (linux/arm/v6) | ||||
|  | ||||
| To build these containers you need to enable QEMU binfmt support to be able to run/emulate architectures which are different then your host.<br> | ||||
| This ensures the container build process can run binaries from other architectures.<br> | ||||
|  | ||||
| **NOTE**: Run all the examples below from the root of the repo.<br> | ||||
|  | ||||
|  | ||||
| ## How to install QEMU binfmt support | ||||
|  | ||||
| This is different per host OS, but most support this in some way.<br> | ||||
|  | ||||
| ### Ubuntu/Debian | ||||
| ```bash | ||||
| apt install binfmt-support qemu-user-static | ||||
| ``` | ||||
|  | ||||
| ### Arch Linux (others based upon it) | ||||
| ```bash | ||||
| pacman -S qemu-user-static qemu-user-static-binfmt | ||||
| ``` | ||||
|  | ||||
| ### Fedora | ||||
| ```bash | ||||
| dnf install qemu-user-static | ||||
| ``` | ||||
|  | ||||
| ### Others | ||||
| There also is an option to use an other docker container to provide support for this. | ||||
| ```bash | ||||
| # To install and activate | ||||
| docker run --privileged --rm tonistiigi/binfmt --install arm64,arm | ||||
| # To unistall | ||||
| docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' | ||||
| ``` | ||||
|  | ||||
|  | ||||
| ## Single architecture container building | ||||
|  | ||||
| You can build a container per supported architecture as long as you have QEMU binfmt support installed on your system.<br> | ||||
|  | ||||
| ```bash | ||||
| # Default bake triggers a Debian build using the hosts architecture | ||||
| docker buildx bake --file docker/docker-bake.hcl | ||||
|  | ||||
| # Bake Debian ARM64 using a debug build | ||||
| CARGO_PROFILE=dev \ | ||||
| SOURCE_COMMIT="$(git rev-parse HEAD)" \ | ||||
| docker buildx bake --file docker/docker-bake.hcl debian-arm64 | ||||
|  | ||||
| # Bake Alpine ARMv6 as a release build | ||||
| SOURCE_COMMIT="$(git rev-parse HEAD)" \ | ||||
| docker buildx bake --file docker/docker-bake.hcl alpine-armv6 | ||||
| ``` | ||||
|  | ||||
|  | ||||
| ## Local Multi Architecture container building | ||||
|  | ||||
| Start the initialization, this only needs to be done once. | ||||
|  | ||||
| ```bash | ||||
| # Create and use a new buildx builder instance which connects to the host network | ||||
| docker buildx create --name vaultwarden --use --driver-opt network=host | ||||
|  | ||||
| # Validate it runs | ||||
| docker buildx inspect --bootstrap | ||||
|  | ||||
| # Create a local container registry directly reachable on the localhost | ||||
| docker run -d --name registry --network host registry:2 | ||||
| ``` | ||||
|  | ||||
| After that is done, you should be able to build and push to the local registry.<br> | ||||
| Use the following command with the modified variables to bake the Alpine images.<br> | ||||
| Replace `alpine` with `debian` if you want to build the debian multi arch images. | ||||
|  | ||||
| ```bash | ||||
| # Start a buildx bake using a debug build | ||||
| CARGO_PROFILE=dev \ | ||||
| SOURCE_COMMIT="$(git rev-parse HEAD)" \ | ||||
| CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \ | ||||
| docker buildx bake --file docker/docker-bake.hcl alpine-multi | ||||
| ``` | ||||
|  | ||||
|  | ||||
| ## Using the `bake.sh` script | ||||
|  | ||||
| To make it a bit more easier to trigger a build, there also is a `bake.sh` script.<br> | ||||
| This script calls `docker buildx bake` with all the right parameters and also generates the `SOURCE_COMMIT` and `SOURCE_VERSION` variables.<br> | ||||
| This script can be called from both the repo root or within the docker directory. | ||||
|  | ||||
| So, if you want to build a Multi Arch Alpine container pushing to your localhost registry you can run this from within the docker directory. (Just make sure you executed the initialization steps above first) | ||||
| ```bash | ||||
| CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \ | ||||
| ./bake.sh alpine-multi | ||||
| ``` | ||||
|  | ||||
| Or if you want to just build a Debian container from the repo root, you can run this. | ||||
| ```bash | ||||
| docker/bake.sh | ||||
| ``` | ||||
|  | ||||
| You can append both `alpine` and `debian` with `-amd64`, `-arm64`, `-armv7` or `-armv6`, which will trigger a build for that specific platform.<br> | ||||
| This will also append those values to the tag so you can see the builded container when running `docker images`. | ||||
|  | ||||
| You can also append extra arguments after the target if you want. This can be useful for example to print what bake will use. | ||||
| ```bash | ||||
| docker/bake.sh alpine-all --print | ||||
| ``` | ||||
|  | ||||
| ### Testing baked images | ||||
|  | ||||
| To test these images you can run these images by using the correct tag and provide the platform.<br> | ||||
| For example, after you have build an arm64 image via `./bake.sh debian-arm64` you can run: | ||||
| ```bash | ||||
| docker run --rm -it \ | ||||
|   -e DISABLE_ADMIN_TOKEN=true \ | ||||
|   -e I_REALLY_WANT_VOLATILE_STORAGE=true \ | ||||
|   -p8080:80 --platform=linux/arm64 \ | ||||
|   vaultwarden/server:testing-arm64 | ||||
| ``` | ||||
|  | ||||
|  | ||||
| ## Using the `podman-bake.sh` script | ||||
|  | ||||
| To also make building easier using podman, there is a `podman-bake.sh` script.<br> | ||||
| This script calls `podman buildx build` with the needed parameters and the same as `bake.sh`, it will generate some variables automatically.<br> | ||||
| This script can be called from both the repo root or within the docker directory. | ||||
|  | ||||
| **NOTE:** Unlike the `bake.sh` script, this only supports a single `CONTAINER_REGISTRIES`, and a single `BASE_TAGS` value, no comma separated values. It also only supports building separate architectures, no Multi Arch containers. | ||||
|  | ||||
| To build an Alpine arm64 image with only sqlite support and mimalloc, run this: | ||||
| ```bash | ||||
| DB="sqlite,enable_mimalloc" \ | ||||
| ./podman-bake.sh alpine-arm64 | ||||
| ``` | ||||
|  | ||||
| Or if you want to just build a Debian container from the repo root, you can run this. | ||||
| ```bash | ||||
| docker/podman-bake.sh | ||||
| ``` | ||||
|  | ||||
| You can append extra arguments after the target if you want. This can be useful for example to disable cache like this. | ||||
| ```bash | ||||
| ./podman-bake.sh alpine-arm64 --no-cache | ||||
| ``` | ||||
|  | ||||
| For the podman builds you can, just like the `bake.sh` script, also append the architecture to build for that specific platform.<br> | ||||
|  | ||||
| ### Testing podman builded images | ||||
|  | ||||
| The command to start a podman built container is almost the same as for the docker/bake built containers. The images start with `localhost/`, so you need to prepend that. | ||||
|  | ||||
| ```bash | ||||
| podman run --rm -it \ | ||||
|   -e DISABLE_ADMIN_TOKEN=true \ | ||||
|   -e I_REALLY_WANT_VOLATILE_STORAGE=true \ | ||||
|   -p8080:80 --platform=linux/arm64 \ | ||||
|   localhost/vaultwarden/server:testing-arm64 | ||||
| ``` | ||||
|  | ||||
|  | ||||
| ## Variables supported | ||||
| | Variable              | default | description | | ||||
| | --------------------- | ------------------ | ----------- | | ||||
| | CARGO_PROFILE         | null               | Which cargo profile to use. `null` means what is defined in the Dockerfile                                         | | ||||
| | DB                    | null               | Which `features` to build. `null` means what is defined in the Dockerfile                                          | | ||||
| | SOURCE_REPOSITORY_URL | null               | The source repository form where this build is triggered                                                           | | ||||
| | SOURCE_COMMIT         | null               | The commit hash of the current commit for this build                                                               | | ||||
| | SOURCE_VERSION        | null               | The current exact tag of this commit, else the last tag and the first 8 chars of the source commit                 | | ||||
| | BASE_TAGS             | testing            | Tags to be used. Can be a comma separated value like "latest,1.29.2"                                               | | ||||
| | CONTAINER_REGISTRIES  | vaultwarden/server | Comma separated value of container registries. Like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server` | | ||||
| | VW_VERSION            | null               | To override the `SOURCE_VERSION` value. This is also used by the `build.rs` code for example                       | | ||||
|   | ||||
| @@ -1,119 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/library/rust:1.72.0-bookworm as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Install build dependencies | ||||
| RUN apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         libmariadb-dev \ | ||||
|         libpq-dev | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN cargo build --features ${DB} --release \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN cargo build --features ${DB} --release | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/library/debian:bookworm-slim | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
|  | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
|  | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,116 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/blackdex/rust-musl:x86_64-musl-stable-1.72.0-openssl3 as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN rustup target add x86_64-unknown-linux-musl | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/library/alpine:3.17 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
|  | ||||
|  | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apk add --no-cache \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
|  | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,119 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/library/rust:1.72.0-bookworm as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Install build dependencies | ||||
| RUN apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         libmariadb-dev \ | ||||
|         libpq-dev | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/library/debian:bookworm-slim | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
|  | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
|  | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,116 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/blackdex/rust-musl:x86_64-musl-stable-1.72.0-openssl3 as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add x86_64-unknown-linux-musl | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/library/alpine:3.17 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
|  | ||||
|  | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apk add --no-cache \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
|  | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,141 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/library/rust:1.72.0-bookworm as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Install build dependencies for the arm64 architecture | ||||
| RUN dpkg --add-architecture arm64 \ | ||||
|     && apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc-aarch64-linux-gnu \ | ||||
|         libc6-dev:arm64 \ | ||||
|         linux-libc-dev:arm64 \ | ||||
|         libmariadb-dev:arm64 \ | ||||
|         libmariadb-dev-compat:arm64 \ | ||||
|         libmariadb3:arm64 \ | ||||
|         libpq-dev:arm64 \ | ||||
|         libpq5:arm64 \ | ||||
|         libssl-dev:arm64 \ | ||||
|     # | ||||
|     # Make sure cargo has the right target config | ||||
|     && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config" | ||||
|  | ||||
| # Set arm specific environment values | ||||
| ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ | ||||
|     CROSS_COMPILE="1" \ | ||||
|     OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ | ||||
|     OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN rustup target add aarch64-unknown-linux-gnu | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/aarch64-debian:bookworm | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,118 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/blackdex/rust-musl:aarch64-musl-stable-1.72.0-openssl3 as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN rustup target add aarch64-unknown-linux-musl | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/aarch64-alpine:3.17 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
|  | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apk add --no-cache \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,141 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/library/rust:1.72.0-bookworm as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Install build dependencies for the arm64 architecture | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture arm64 \ | ||||
|     && apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc-aarch64-linux-gnu \ | ||||
|         libc6-dev:arm64 \ | ||||
|         linux-libc-dev:arm64 \ | ||||
|         libmariadb-dev:arm64 \ | ||||
|         libmariadb-dev-compat:arm64 \ | ||||
|         libmariadb3:arm64 \ | ||||
|         libpq-dev:arm64 \ | ||||
|         libpq5:arm64 \ | ||||
|         libssl-dev:arm64 \ | ||||
|     # | ||||
|     # Make sure cargo has the right target config | ||||
|     && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config" | ||||
|  | ||||
| # Set arm specific environment values | ||||
| ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ | ||||
|     CROSS_COMPILE="1" \ | ||||
|     OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ | ||||
|     OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-gnu | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/aarch64-debian:bookworm | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,118 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/blackdex/rust-musl:aarch64-musl-stable-1.72.0-openssl3 as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-musl | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/aarch64-alpine:3.17 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
|  | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apk add --no-cache \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,141 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/library/rust:1.72.0-bookworm as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Install build dependencies for the armel architecture | ||||
| RUN dpkg --add-architecture armel \ | ||||
|     && apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc-arm-linux-gnueabi \ | ||||
|         libc6-dev:armel \ | ||||
|         linux-libc-dev:armel \ | ||||
|         libmariadb-dev:armel \ | ||||
|         libmariadb-dev-compat:armel \ | ||||
|         libmariadb3:armel \ | ||||
|         libpq-dev:armel \ | ||||
|         libpq5:armel \ | ||||
|         libssl-dev:armel \ | ||||
|     # | ||||
|     # Make sure cargo has the right target config | ||||
|     && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config" | ||||
|  | ||||
| # Set arm specific environment values | ||||
| ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ | ||||
|     CROSS_COMPILE="1" \ | ||||
|     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ | ||||
|     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN rustup target add arm-unknown-linux-gnueabi | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/rpi-debian:bookworm | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,120 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/blackdex/rust-musl:arm-musleabi-stable-1.72.0-openssl3 as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
| # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic | ||||
| ENV RUSTFLAGS='-Clink-arg=-latomic' | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN rustup target add arm-unknown-linux-musleabi | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/rpi-alpine:3.17 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
|  | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apk add --no-cache \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,141 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/library/rust:1.72.0-bookworm as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Install build dependencies for the armel architecture | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture armel \ | ||||
|     && apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc-arm-linux-gnueabi \ | ||||
|         libc6-dev:armel \ | ||||
|         linux-libc-dev:armel \ | ||||
|         libmariadb-dev:armel \ | ||||
|         libmariadb-dev-compat:armel \ | ||||
|         libmariadb3:armel \ | ||||
|         libpq-dev:armel \ | ||||
|         libpq5:armel \ | ||||
|         libssl-dev:armel \ | ||||
|     # | ||||
|     # Make sure cargo has the right target config | ||||
|     && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config" | ||||
|  | ||||
| # Set arm specific environment values | ||||
| ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ | ||||
|     CROSS_COMPILE="1" \ | ||||
|     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ | ||||
|     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/rpi-debian:bookworm | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,120 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/blackdex/rust-musl:arm-musleabi-stable-1.72.0-openssl3 as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
| # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic | ||||
| ENV RUSTFLAGS='-Clink-arg=-latomic' | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-musleabi | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/rpi-alpine:3.17 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
|  | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apk add --no-cache \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,141 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/library/rust:1.72.0-bookworm as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Install build dependencies for the armhf architecture | ||||
| RUN dpkg --add-architecture armhf \ | ||||
|     && apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc-arm-linux-gnueabihf \ | ||||
|         libc6-dev:armhf \ | ||||
|         linux-libc-dev:armhf \ | ||||
|         libmariadb-dev:armhf \ | ||||
|         libmariadb-dev-compat:armhf \ | ||||
|         libmariadb3:armhf \ | ||||
|         libpq-dev:armhf \ | ||||
|         libpq5:armhf \ | ||||
|         libssl-dev:armhf \ | ||||
|     # | ||||
|     # Make sure cargo has the right target config | ||||
|     && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config" | ||||
|  | ||||
| # Set arm specific environment values | ||||
| ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ | ||||
|     CROSS_COMPILE="1" \ | ||||
|     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ | ||||
|     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN rustup target add armv7-unknown-linux-gnueabihf | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/armv7hf-debian:bookworm | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,118 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/blackdex/rust-musl:armv7-musleabihf-stable-1.72.0-openssl3 as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN rustup target add armv7-unknown-linux-musleabihf | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/armv7hf-alpine:3.17 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
|  | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apk add --no-cache \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,141 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/library/rust:1.72.0-bookworm as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Install build dependencies for the armhf architecture | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture armhf \ | ||||
|     && apt-get update \ | ||||
|     && apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc-arm-linux-gnueabihf \ | ||||
|         libc6-dev:armhf \ | ||||
|         linux-libc-dev:armhf \ | ||||
|         libmariadb-dev:armhf \ | ||||
|         libmariadb-dev-compat:armhf \ | ||||
|         libmariadb3:armhf \ | ||||
|         libpq-dev:armhf \ | ||||
|         libpq5:armhf \ | ||||
|         libssl-dev:armhf \ | ||||
|     # | ||||
|     # Make sure cargo has the right target config | ||||
|     && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \ | ||||
|     && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config" | ||||
|  | ||||
| # Set arm specific environment values | ||||
| ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ | ||||
|     CROSS_COMPILE="1" \ | ||||
|     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ | ||||
|     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-gnueabihf | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/armv7hf-debian:bookworm | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apt-get update && apt-get install -y \ | ||||
|     --no-install-recommends \ | ||||
|     ca-certificates \ | ||||
|     curl \ | ||||
|     libmariadb-dev-compat \ | ||||
|     libpq5 \ | ||||
|     openssl \ | ||||
|     && apt-get clean \ | ||||
|     && rm -rf /var/lib/apt/lists/* | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
| @@ -1,118 +0,0 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | ||||
| # Using multistage build: | ||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||
| ####################### VAULT BUILD IMAGE  ####################### | ||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||
| # Using the digest instead of the tag name provides better security, | ||||
| # as the digest of an image is immutable, whereas a tag name can later | ||||
| # be changed to point to a malicious image. | ||||
| # | ||||
| # To verify the current digest for a given tag name: | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.8.2] | ||||
| # | ||||
| FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault | ||||
|  | ||||
| ########################## BUILD IMAGE  ########################## | ||||
| FROM docker.io/blackdex/rust-musl:armv7-musleabihf-stable-1.72.0-openssl3 as build | ||||
|  | ||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|     LANG=C.UTF-8 \ | ||||
|     TZ=UTC \ | ||||
|     TERM=xterm-256color \ | ||||
|     CARGO_HOME="/root/.cargo" \ | ||||
|     REGISTRIES_CRATES_IO_PROTOCOL=sparse \ | ||||
|     USER="root" | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
|  | ||||
| # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||
| # Debian Bookworm already contains libpq v15 | ||||
| ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
|  | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-musleabihf | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| # This folder contains the compiled dependencies | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \ | ||||
|     && find . -not -path "./target*" -delete | ||||
|  | ||||
| # Copies the complete project | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| # Make sure that we actually build the project | ||||
| RUN touch src/main.rs | ||||
|  | ||||
| # Builds again, this time it'll just be | ||||
| # your actual source files being built | ||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf | ||||
|  | ||||
| ######################## RUNTIME IMAGE  ######################## | ||||
| # Create a new stage with a minimal image | ||||
| # because we already have a binary built | ||||
| FROM docker.io/balenalib/armv7hf-alpine:3.17 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
|     ROCKET_PORT=80 \ | ||||
|     SSL_CERT_DIR=/etc/ssl/certs | ||||
|  | ||||
|  | ||||
| RUN [ "cross-build-start" ] | ||||
|  | ||||
| # Create data folder and Install needed libraries | ||||
| RUN mkdir /data \ | ||||
|     && apk add --no-cache \ | ||||
|         ca-certificates \ | ||||
|         curl \ | ||||
|         openssl \ | ||||
|         tzdata | ||||
|  | ||||
| RUN [ "cross-build-end" ] | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden . | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
|  | ||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||
|  | ||||
| CMD ["/start.sh"] | ||||
							
								
								
									
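--- a/docker/bake.sh
+++ b/docker/bake.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# Determine the basedir of this script.
+# It should be located in the same directory as the docker-bake.hcl
+# This ensures you can run this script from both inside and outside of the docker directory
+BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")" || exit; pwd)/$(basename "${SP}")")
+
+# Load build env's
+source "${BASEDIR}/bake_env.sh"
+
+# Be verbose on what is being executed
+set -x
+
+# Make sure we set the context to `..` so it will go up one directory
+docker buildx bake --progress plain --set "*.context=${BASEDIR}/.." -f "${BASEDIR}/docker-bake.hcl" "$@"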
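Review bot: `source "${BASEDIR}/bake_env.sh"` has no failure handling and the script never sets `-e`, so a missing or unreadable bake_env.sh only prints an error and `docker buildx bake` still runs with SOURCE_COMMIT and SOURCE_VERSION unexported, producing an image whose revision and version labels are silently empty; `docker/podman-bake.sh` shares the same pattern. Suggest `source "${BASEDIR}/bake_env.sh" || { echo "Failed to load ${BASEDIR}/bake_env.sh" >&2; exit 1; }`. Note also that the `|| exit` inside the `BASEDIR=$(...)` substitution only leaves the inner subshell, so a failing `cd` collapses BASEDIR to `/` instead of aborting, which is another reason the `source` line should be the point that fails loudly.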
							
								
								
									
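--- a/docker/bake_env.sh
+++ b/docker/bake_env.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# If SOURCE_COMMIT is provided via env skip this
+if [ -z "${SOURCE_COMMIT+x}" ]; then
+    SOURCE_COMMIT="$(git rev-parse HEAD)"
+fi
+
+# If VW_VERSION is provided via env use it as SOURCE_VERSION
+# Else define it using git
+if [[ -n "${VW_VERSION}" ]]; then
+    SOURCE_VERSION="${VW_VERSION}"
+else
+    GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null)"
+    if [[ -n "${GIT_EXACT_TAG}" ]]; then
+        SOURCE_VERSION="${GIT_EXACT_TAG}"
+    else
+        GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
+        SOURCE_VERSION="${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}"
+        GIT_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+        case "${GIT_BRANCH}" in
+            main|master|HEAD)
+                # Do not add the branch name for these branches
+                ;;
+            *)
+                SOURCE_VERSION="${SOURCE_VERSION} (${GIT_BRANCH})"
+                ;;
+        esac
+    fi
+fi
+
+# Export the rendered variables above so bake will use them
+export SOURCE_COMMIT
+export SOURCE_VERSION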
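Review bot: The SOURCE_COMMIT guard `[ -z "${SOURCE_COMMIT+x}" ]` only tests whether the variable is set, while VW_VERSION and GIT_EXACT_TAG are tested with `-n`; an exported-but-empty SOURCE_COMMIT (a CI variable that is defined but blank, for instance) therefore skips `git rev-parse HEAD`, leaving an empty `org.opencontainers.image.revision` label and a SOURCE_VERSION that ends in `-`. For consistency with the other checks use `if [[ -z "${SOURCE_COMMIT}" ]]; then`. The fallback `GIT_LAST_TAG="$(git describe --tags --abbrev=0)"` is not error-checked either: in a shallow clone without tags it prints an error and SOURCE_VERSION degrades to `-<commit>`, so consider `GIT_LAST_TAG="$(git describe --tags --abbrev=0 2>/dev/null || echo unknown)"` so the label still says something meaningful.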
							
								
								
									
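--- a/docker/docker-bake.hcl
+++ b/docker/docker-bake.hcl
@@ -0,0 +1,229 @@
+// ==== Baking Variables ====
+
+// Set which cargo profile to use, dev or release for example
+// Use the value provided in the Dockerfile as default
+variable "CARGO_PROFILE" {
+  default = null
+}
+
+// Set which DB's (features) to enable
+// Use the value provided in the Dockerfile as default
+variable "DB" {
+  default = null
+}
+
+// The repository this build was triggered from
+variable "SOURCE_REPOSITORY_URL" {
+  default = null
+}
+
+// The commit hash of of the current commit this build was triggered on
+variable "SOURCE_COMMIT" {
+  default = null
+}
+
+// The version of this build
+// Typically the current exact tag of this commit,
+// else the last tag and the first 8 characters of the source commit
+variable "SOURCE_VERSION" {
+  default = null
+}
+
+// This can be used to overwrite SOURCE_VERSION
+// It will be used during the build.rs building stage
+variable "VW_VERSION" {
+  default = null
+}
+
+// The base tag(s) to use
+// This can be a comma separated value like "testing,1.29.2"
+variable "BASE_TAGS" {
+  default = "testing"
+}
+
+// Which container registries should be used for the tagging
+// This can be a comma separated value
+// Use a full URI like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server`
+variable "CONTAINER_REGISTRIES" {
+  default = "vaultwarden/server"
+}
+
+
+// ==== Baking Groups ====
+
+group "default" {
+  targets = ["debian"]
+}
+
+
+// ==== Shared Baking ====
+function "labels" {
+  params = []
+  result = {
+    "org.opencontainers.image.description" = "Unofficial Bitwarden compatible server written in Rust - ${SOURCE_VERSION}"
+    "org.opencontainers.image.licenses" = "AGPL-3.0-only"
+    "org.opencontainers.image.documentation" = "https://github.com/dani-garcia/vaultwarden/wiki"
+    "org.opencontainers.image.url" = "https://github.com/dani-garcia/vaultwarden"
+    "org.opencontainers.image.created" =  "${formatdate("YYYY-MM-DD'T'hh:mm:ssZZZZZ", timestamp())}"
+    "org.opencontainers.image.source" = "${SOURCE_REPOSITORY_URL}"
+    "org.opencontainers.image.revision" = "${SOURCE_COMMIT}"
+    "org.opencontainers.image.version" = "${SOURCE_VERSION}"
+  }
+}
+
+target "_default_attributes" {
+  labels = labels()
+  args = {
+    DB = "${DB}"
+    CARGO_PROFILE = "${CARGO_PROFILE}"
+    VW_VERSION = "${VW_VERSION}"
+  }
+}
+
+
+// ==== Debian Baking ====
+
+// Default Debian target, will build a container using the hosts platform architecture
+target "debian" {
+  inherits = ["_default_attributes"]
+  dockerfile = "docker/Dockerfile.debian"
+  tags = generate_tags("", platform_tag())
+  output = [join(",", flatten([["type=docker"], image_index_annotations()]))]
+}
+
+// Multi Platform target, will build one tagged manifest with all supported architectures
+// This is mainly used by GitHub Actions to build and push new containers
+target "debian-multi" {
+  inherits = ["debian"]
+  platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
+  tags = generate_tags("", "")
+  output = [join(",", flatten([["type=registry"], image_index_annotations()]))]
+}
+
+// Per platform targets, to individually test building per platform locally
+target "debian-amd64" {
+  inherits = ["debian"]
+  platforms = ["linux/amd64"]
+  tags = generate_tags("", "-amd64")
+}
+
+target "debian-arm64" {
+  inherits = ["debian"]
+  platforms = ["linux/arm64"]
+  tags = generate_tags("", "-arm64")
+}
+
+target "debian-armv7" {
+  inherits = ["debian"]
+  platforms = ["linux/arm/v7"]
+  tags = generate_tags("", "-armv7")
+}
+
+target "debian-armv6" {
+  inherits = ["debian"]
+  platforms = ["linux/arm/v6"]
+  tags = generate_tags("", "-armv6")
+}
+
+// A Group to build all platforms individually for local testing
+group "debian-all" {
+  targets = ["debian-amd64", "debian-arm64", "debian-armv7", "debian-armv6"]
+}
+
+
+// ==== Alpine Baking ====
+
+// Default Alpine target, will build a container using the hosts platform architecture
+target "alpine" {
+  inherits = ["_default_attributes"]
+  dockerfile = "docker/Dockerfile.alpine"
+  tags = generate_tags("-alpine", platform_tag())
+  output = [join(",", flatten([["type=docker"], image_index_annotations()]))]
+}
+
+// Multi Platform target, will build one tagged manifest with all supported architectures
+// This is mainly used by GitHub Actions to build and push new containers
+target "alpine-multi" {
+  inherits = ["alpine"]
+  platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
+  tags = generate_tags("-alpine", "")
+  output = [join(",", flatten([["type=registry"], image_index_annotations()]))]
+}
+
+// Per platform targets, to individually test building per platform locally
+target "alpine-amd64" {
+  inherits = ["alpine"]
+  platforms = ["linux/amd64"]
+  tags = generate_tags("-alpine", "-amd64")
+}
+
+target "alpine-arm64" {
+  inherits = ["alpine"]
+  platforms = ["linux/arm64"]
+  tags = generate_tags("-alpine", "-arm64")
+}
+
+target "alpine-armv7" {
+  inherits = ["alpine"]
+  platforms = ["linux/arm/v7"]
+  tags = generate_tags("-alpine", "-armv7")
+}
+
+target "alpine-armv6" {
+  inherits = ["alpine"]
+  platforms = ["linux/arm/v6"]
+  tags = generate_tags("-alpine", "-armv6")
+}
+
+// A Group to build all platforms individually for local testing
+group "alpine-all" {
+  targets = ["alpine-amd64", "alpine-arm64", "alpine-armv7", "alpine-armv6"]
+}
+
+
+// ==== Bake everything locally ====
+
+group "all" {
+  targets = ["debian-all", "alpine-all"]
+}
+
+
+// ==== Baking functions ====
+
+// This will return the local platform as amd64, arm64 or armv7 for example
+// It can be used for creating a local image tag
+function "platform_tag" {
+  params = []
+  result = "-${replace(replace(BAKE_LOCAL_PLATFORM, "linux/", ""), "/", "")}"
+}
+
+
+function "get_container_registries" {
+  params = []
+  result = flatten(split(",", CONTAINER_REGISTRIES))
+}
+
+function "get_base_tags" {
+  params = []
+  result = flatten(split(",", BASE_TAGS))
+}
+
+function "generate_tags" {
+  params = [
+    suffix,   // What to append to the BASE_TAG when needed, like `-alpine` for example
+    platform  // the platform we are building for if needed
+  ]
+  result = flatten([
+    for registry in get_container_registries() :
+      [for base_tag in get_base_tags() :
+        concat(["${registry}:${base_tag}${suffix}${platform}"])]
+  ])
+}
+
+function "image_index_annotations" {
+  params = []
+  result = flatten([
+    for key, value in labels() :
+      value != null ? formatlist("annotation-index.%s=%s", "${key}", "${value}") : []
+  ])
+}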
| @@ -10,7 +10,7 @@ CONFIG_FILE="${DATA_FOLDER}"/config.json | ||||
| # Given a config key, return the corresponding config value from the | ||||
| # config file. If the key doesn't exist, return an empty string. | ||||
| get_config_val() { | ||||
|     local key="$1" | ||||
|     key="$1" | ||||
|     # Extract a line of the form: | ||||
|     #   "domain": "https://bw.example.com/path", | ||||
|     grep "\"${key}\":" "${CONFIG_FILE}" | | ||||
|   | ||||
							
								
								
									
							| @@ -0,0 +1,105 @@ | ||||
| #!/usr/bin/env bash | ||||
|  | ||||
| # Determine the basedir of this script. | ||||
| # It should be located in the same directory as the docker-bake.hcl | ||||
| # This ensures you can run this script from both inside and outside of the docker directory | ||||
| BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")" || exit; pwd)/$(basename "${SP}")") | ||||
|  | ||||
| # Load build env's | ||||
| source "${BASEDIR}/bake_env.sh" | ||||
|  | ||||
| # Check if a target is given as first argument | ||||
| # If not we assume the defaults and pass the given arguments to the podman command | ||||
| case "${1}" in | ||||
|     alpine*|debian*) | ||||
|         TARGET="${1}" | ||||
|         # Now shift the $@ array so we only have the rest of the arguments | ||||
|         # This allows us too append these as extra arguments too the podman buildx build command | ||||
|         shift | ||||
|     ;; | ||||
| esac | ||||
|  | ||||
| LABEL_ARGS=( | ||||
|     --label org.opencontainers.image.description="Unofficial Bitwarden compatible server written in Rust" | ||||
|     --label org.opencontainers.image.licenses="AGPL-3.0-only" | ||||
|     --label org.opencontainers.image.documentation="https://github.com/dani-garcia/vaultwarden/wiki" | ||||
|     --label org.opencontainers.image.url="https://github.com/dani-garcia/vaultwarden" | ||||
|     --label org.opencontainers.image.created="$(date --utc --iso-8601=seconds)" | ||||
| ) | ||||
| if [[ -n "${SOURCE_REPOSITORY_URL}" ]]; then | ||||
|     LABEL_ARGS+=(--label org.opencontainers.image.source="${SOURCE_REPOSITORY_URL}") | ||||
| fi | ||||
| if [[ -n "${SOURCE_COMMIT}" ]]; then | ||||
|     LABEL_ARGS+=(--label org.opencontainers.image.revision="${SOURCE_COMMIT}") | ||||
| fi | ||||
| if [[ -n "${SOURCE_VERSION}" ]]; then | ||||
|     LABEL_ARGS+=(--label org.opencontainers.image.version="${SOURCE_VERSION}") | ||||
| fi | ||||
|  | ||||
| # Check if and which --build-arg arguments we need to configure | ||||
| BUILD_ARGS=() | ||||
| if [[ -n "${DB}" ]]; then | ||||
|     BUILD_ARGS+=(--build-arg DB="${DB}") | ||||
| fi | ||||
| if [[ -n "${CARGO_PROFILE}" ]]; then | ||||
|     BUILD_ARGS+=(--build-arg CARGO_PROFILE="${CARGO_PROFILE}") | ||||
| fi | ||||
| if [[ -n "${VW_VERSION}" ]]; then | ||||
|     BUILD_ARGS+=(--build-arg VW_VERSION="${VW_VERSION}") | ||||
| fi | ||||
|  | ||||
| # Set the default BASE_TAGS if non are provided | ||||
| if [[ -z "${BASE_TAGS}" ]]; then | ||||
|     BASE_TAGS="testing" | ||||
| fi | ||||
|  | ||||
| # Set the default CONTAINER_REGISTRIES if non are provided | ||||
| if [[ -z "${CONTAINER_REGISTRIES}" ]]; then | ||||
|     CONTAINER_REGISTRIES="vaultwarden/server" | ||||
| fi | ||||
|  | ||||
| # Check which Dockerfile we need to use, default is debian | ||||
| case "${TARGET}" in | ||||
|     alpine*) | ||||
|         BASE_TAGS="${BASE_TAGS}-alpine" | ||||
|         DOCKERFILE="Dockerfile.alpine" | ||||
|         ;; | ||||
|     *) | ||||
|         DOCKERFILE="Dockerfile.debian" | ||||
|         ;; | ||||
| esac | ||||
|  | ||||
| # Check which platform we need to build and append the BASE_TAGS with the architecture | ||||
| case "${TARGET}" in | ||||
|     *-arm64) | ||||
|         BASE_TAGS="${BASE_TAGS}-arm64" | ||||
|         PLATFORM="linux/arm64" | ||||
|         ;; | ||||
|     *-armv7) | ||||
|         BASE_TAGS="${BASE_TAGS}-armv7" | ||||
|         PLATFORM="linux/arm/v7" | ||||
|         ;; | ||||
|     *-armv6) | ||||
|         BASE_TAGS="${BASE_TAGS}-armv6" | ||||
|         PLATFORM="linux/arm/v6" | ||||
|         ;; | ||||
|     *) | ||||
|         BASE_TAGS="${BASE_TAGS}-amd64" | ||||
|         PLATFORM="linux/amd64" | ||||
|         ;; | ||||
| esac | ||||
|  | ||||
| # Be verbose on what is being executed | ||||
| set -x | ||||
|  | ||||
| # Build the image with podman | ||||
| # We use the docker format here since we are using `SHELL`, which is not supported by OCI | ||||
| # shellcheck disable=SC2086 | ||||
| podman buildx build \ | ||||
|   --platform="${PLATFORM}" \ | ||||
|   --tag="${CONTAINER_REGISTRIES}:${BASE_TAGS}" \ | ||||
|   --format=docker \ | ||||
|   "${LABEL_ARGS[@]}" \ | ||||
|   "${BUILD_ARGS[@]}" \ | ||||
|   --file="${BASEDIR}/${DOCKERFILE}" "$@" \ | ||||
|   "${BASEDIR}/.." | ||||
| @@ -1,17 +1,31 @@ | ||||
| #!/usr/bin/env python3 | ||||
|  | ||||
| import os, argparse, json | ||||
|  | ||||
| import os | ||||
| import argparse | ||||
| import json | ||||
| import yaml | ||||
| import jinja2 | ||||
|  | ||||
| # Load settings file | ||||
| with open("DockerSettings.yaml", 'r') as yaml_file: | ||||
| 	yaml_data = yaml.safe_load(yaml_file) | ||||
|  | ||||
| settings_env = jinja2.Environment( | ||||
| 	loader=jinja2.FileSystemLoader(os.getcwd()), | ||||
| ) | ||||
| settings_yaml = yaml.safe_load(settings_env.get_template("DockerSettings.yaml").render(yaml_data)) | ||||
|  | ||||
| args_parser = argparse.ArgumentParser() | ||||
| args_parser.add_argument('template_file', help='Jinja2 template file to render.') | ||||
| args_parser.add_argument('render_vars', help='JSON-encoded data to pass to the templating engine.') | ||||
| cli_args = args_parser.parse_args() | ||||
|  | ||||
| # Merge the default config yaml with the json arguments given. | ||||
| render_vars = json.loads(cli_args.render_vars) | ||||
| settings_yaml.update(render_vars) | ||||
|  | ||||
| environment = jinja2.Environment( | ||||
| 	loader=jinja2.FileSystemLoader(os.getcwd()), | ||||
| 	trim_blocks=True, | ||||
| ) | ||||
| print(environment.get_template(cli_args.template_file).render(render_vars)) | ||||
| print(environment.get_template(cli_args.template_file).render(settings_yaml)) | ||||
|   | ||||
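Review bot: `settings_yaml.update(render_vars)` near the end of the hunk is a shallow dict update, so a nested mapping passed on the command line replaces the whole corresponding mapping from DockerSettings.yaml instead of merging into it, and a JSON document that is not an object (a list, a string) fails with an AttributeError that says nothing about the `render_vars` argument. The comment above it overstates what happens; I would change it to `# Overlay the top-level keys from the JSON argument onto the settings (shallow update: nested mappings are replaced, not merged).` and guard with `if not isinstance(render_vars, dict): args_parser.error("render_vars must be a JSON object")`. Separately, `open("DockerSettings.yaml", 'r')` and both `FileSystemLoader(os.getcwd())` calls resolve relative to the current working directory, so the script silently depends on being run from the docker directory; either state that in a header comment or anchor the paths to `os.path.dirname(os.path.abspath(__file__))`, the way the podman-bake.sh script on this page anchors its paths with `BASEDIR`. Using `yaml.safe_load` for both the raw and the rendered settings is the right choice and should stay.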
| @@ -1,20 +0,0 @@ | ||||
| The hooks in this directory are used to create multi-arch images using Docker Hub automated builds. | ||||
|  | ||||
| Docker Hub hooks provide these predefined [environment variables](https://docs.docker.com/docker-hub/builds/advanced/#environment-variables-for-building-and-testing): | ||||
|  | ||||
| * `SOURCE_BRANCH`: the name of the branch or the tag that is currently being tested. | ||||
| * `SOURCE_COMMIT`: the SHA1 hash of the commit being tested. | ||||
| * `COMMIT_MSG`: the message from the commit being tested and built. | ||||
| * `DOCKER_REPO`: the name of the Docker repository being built. | ||||
| * `DOCKERFILE_PATH`: the dockerfile currently being built. | ||||
| * `DOCKER_TAG`: the Docker repository tag being built. | ||||
| * `IMAGE_NAME`: the name and tag of the Docker repository being built. (This variable is a combination of `DOCKER_REPO:DOCKER_TAG`.) | ||||
|  | ||||
| The current multi-arch image build relies on the original vaultwarden Dockerfiles, which use cross-compilation for architectures other than `amd64`, and don't yet support all arch/distro combinations. However, cross-compilation is much faster than QEMU-based builds (e.g., using `docker buildx`). This situation may need to be revisited at some point. | ||||
|  | ||||
| ## References | ||||
|  | ||||
| * https://docs.docker.com/docker-hub/builds/advanced/ | ||||
| * https://docs.docker.com/engine/reference/commandline/manifest/ | ||||
| * https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/ | ||||
| * https://success.docker.com/article/how-do-i-authenticate-with-the-v2-api | ||||
| @@ -1,15 +0,0 @@ | ||||
| #!/usr/bin/env bash | ||||
|  | ||||
| # The default Debian-based images support these arches for all database backends. | ||||
| arches=( | ||||
|     amd64 | ||||
|     armv6 | ||||
|     armv7 | ||||
|     arm64 | ||||
| ) | ||||
| export arches | ||||
|  | ||||
| if [[ "${DOCKER_TAG}" == *alpine ]]; then | ||||
|     distro_suffix=.alpine | ||||
| fi | ||||
| export distro_suffix | ||||
							
								
								
									
										51
									
								
								hooks/build
									
									
									
									
									
								
							
							
						
						
									
										51
									
								
								hooks/build
									
									
									
									
									
								
							| @@ -1,51 +0,0 @@ | ||||
| #!/usr/bin/env bash | ||||
|  | ||||
| echo ">>> Building images..." | ||||
|  | ||||
| # shellcheck source=arches.sh | ||||
| source ./hooks/arches.sh | ||||
|  | ||||
| if [[ -z "${SOURCE_COMMIT}" ]]; then | ||||
|     # This var is typically predefined by Docker Hub, but it won't be | ||||
|     # when testing locally. | ||||
|     SOURCE_COMMIT="$(git rev-parse HEAD)" | ||||
| fi | ||||
|  | ||||
| # Construct a version string in the style of `build.rs`. | ||||
| GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null)" | ||||
| if [[ -n "${GIT_EXACT_TAG}" ]]; then | ||||
|     SOURCE_VERSION="${GIT_EXACT_TAG}" | ||||
| else | ||||
|     GIT_LAST_TAG="$(git describe --tags --abbrev=0)" | ||||
|     SOURCE_VERSION="${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | ||||
| fi | ||||
|  | ||||
| LABELS=( | ||||
|     # https://github.com/opencontainers/image-spec/blob/master/annotations.md | ||||
|     org.opencontainers.image.created="$(date --utc --iso-8601=seconds)" | ||||
|     org.opencontainers.image.documentation="https://github.com/dani-garcia/vaultwarden/wiki" | ||||
|     org.opencontainers.image.licenses="AGPL-3.0-only" | ||||
|     org.opencontainers.image.revision="${SOURCE_COMMIT}" | ||||
|     org.opencontainers.image.source="${SOURCE_REPOSITORY_URL}" | ||||
|     org.opencontainers.image.url="https://github.com/dani-garcia/vaultwarden" | ||||
|     org.opencontainers.image.version="${SOURCE_VERSION}" | ||||
| ) | ||||
| LABEL_ARGS=() | ||||
| for label in "${LABELS[@]}"; do | ||||
|     LABEL_ARGS+=(--label "${label}") | ||||
| done | ||||
|  | ||||
| # Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildkit as template | ||||
| if [[ -n "${DOCKER_BUILDKIT}" ]]; then | ||||
|     buildkit_suffix=.buildkit | ||||
| fi | ||||
|  | ||||
| set -ex | ||||
|  | ||||
| for arch in "${arches[@]}"; do | ||||
|     docker build \ | ||||
|            "${LABEL_ARGS[@]}" \ | ||||
|            -t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \ | ||||
|            -f "docker/${arch}/Dockerfile${buildkit_suffix}${distro_suffix}" \ | ||||
|            . | ||||
| done | ||||
| @@ -1,28 +0,0 @@ | ||||
| #!/usr/bin/env bash | ||||
|  | ||||
| set -ex | ||||
|  | ||||
| # If requested, print some environment info for troubleshooting. | ||||
| if [[ -n "${DOCKER_HUB_DEBUG}" ]]; then | ||||
|     id | ||||
|     pwd | ||||
|     df -h | ||||
|     env | ||||
|     docker info | ||||
|     docker version | ||||
| fi | ||||
|  | ||||
| # Install build dependencies. | ||||
| deps=( | ||||
|     jq | ||||
| ) | ||||
| apt-get update | ||||
| apt-get install -y "${deps[@]}" | ||||
|  | ||||
| # Docker Hub uses a shallow clone and doesn't fetch tags, which breaks some | ||||
| # Git operations that we perform later, so fetch the complete history and | ||||
| # tags first. Note that if the build is cached, the clone may have been | ||||
| # unshallowed already; if so, unshallowing will fail, so skip it. | ||||
| if [[ -f .git/shallow ]]; then | ||||
|     git fetch --unshallow --tags | ||||
| fi | ||||
							
								
								
									
										111
									
								
								hooks/push
									
									
									
									
									
								
							
							
						
						
									
										111
									
								
								hooks/push
									
									
									
									
									
								
							| @@ -1,111 +0,0 @@ | ||||
| #!/usr/bin/env bash | ||||
|  | ||||
| # shellcheck source=arches.sh | ||||
| source ./hooks/arches.sh | ||||
|  | ||||
| export DOCKER_CLI_EXPERIMENTAL=enabled | ||||
|  | ||||
| # Join a list of args with a single char. | ||||
| # Ref: https://stackoverflow.com/a/17841619 | ||||
| join() { local IFS="$1"; shift; echo "$*"; } | ||||
|  | ||||
| set -ex | ||||
|  | ||||
| echo ">>> Starting local Docker registry when needed..." | ||||
|  | ||||
| # Docker Buildx's `docker-container` driver is needed for multi-platform | ||||
| # builds, but it can't access existing images on the Docker host (like the | ||||
| # cross-compiled ones we just built). Those images first need to be pushed to | ||||
| # a registry -- Docker Hub could be used, but since it's not trivial to clean | ||||
| # up those intermediate images on Docker Hub, it's easier to just run a local | ||||
| # Docker registry, which gets cleaned up automatically once the build job ends. | ||||
| # | ||||
| # https://docs.docker.com/registry/deploying/ | ||||
| # https://hub.docker.com/_/registry | ||||
| # | ||||
| # Use host networking so the buildx container can access the registry via | ||||
| # localhost. | ||||
| # | ||||
| # First check if there already is a registry container running, else skip it. | ||||
| # This will only happen either locally or running it via Github Actions | ||||
| # | ||||
| if ! timeout 5 bash -c 'cat < /dev/null > /dev/tcp/localhost/5000'; then | ||||
|     # defaults to port 5000 | ||||
|     docker run -d --name registry --network host registry:2 | ||||
| fi | ||||
|  | ||||
| # Docker Hub sets a `DOCKER_REPO` env var with the format `index.docker.io/user/repo`. | ||||
| # Strip the registry portion to construct a local repo path for use in `Dockerfile.buildx`. | ||||
| LOCAL_REGISTRY="localhost:5000" | ||||
| REPO="${DOCKER_REPO#*/}" | ||||
| LOCAL_REPO="${LOCAL_REGISTRY}/${REPO}" | ||||
|  | ||||
| echo ">>> Pushing images to local registry..." | ||||
|  | ||||
| for arch in "${arches[@]}"; do | ||||
|     docker_image="${DOCKER_REPO}:${DOCKER_TAG}-${arch}" | ||||
|     local_image="${LOCAL_REPO}:${DOCKER_TAG}-${arch}" | ||||
|     docker tag "${docker_image}" "${local_image}" | ||||
|     docker push "${local_image}" | ||||
| done | ||||
|  | ||||
| echo ">>> Setting up Docker Buildx..." | ||||
|  | ||||
| # Same as earlier, use host networking so the buildx container can access the | ||||
| # registry via localhost. | ||||
| # | ||||
| # Ref: https://github.com/docker/buildx/issues/94#issuecomment-534367714 | ||||
| # | ||||
| # Check if there already is a builder running, else skip this and use the existing. | ||||
| # This will only happen either locally or running it via Github Actions | ||||
| # | ||||
| if ! docker buildx inspect builder > /dev/null 2>&1 ; then | ||||
|     docker buildx create --name builder --use --driver-opt network=host | ||||
| fi | ||||
|  | ||||
| echo ">>> Running Docker Buildx..." | ||||
|  | ||||
| tags=("${DOCKER_REPO}:${DOCKER_TAG}") | ||||
|  | ||||
| # If the Docker tag starts with a version number, assume the latest release | ||||
| # is being pushed. Add an extra tag (`latest` or `alpine`, as appropriate) | ||||
| # to make it easier for users to track the latest release. | ||||
| if [[ "${DOCKER_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]; then | ||||
|     if [[ "${DOCKER_TAG}" == *alpine ]]; then | ||||
|         tags+=("${DOCKER_REPO}:alpine") | ||||
|     else | ||||
|         tags+=("${DOCKER_REPO}:latest") | ||||
|     fi | ||||
| fi | ||||
|  | ||||
| tag_args=() | ||||
| for tag in "${tags[@]}"; do | ||||
|     tag_args+=(--tag "${tag}") | ||||
| done | ||||
|  | ||||
| # Docker Buildx takes a list of target platforms (OS/arch/variant), so map | ||||
| # the arch list to a platform list (assuming the OS is always `linux`). | ||||
| declare -A arch_to_platform=( | ||||
|     [amd64]="linux/amd64" | ||||
|     [armv6]="linux/arm/v6" | ||||
|     [armv7]="linux/arm/v7" | ||||
|     [arm64]="linux/arm64" | ||||
| ) | ||||
| platforms=() | ||||
| for arch in "${arches[@]}"; do | ||||
|     platforms+=("${arch_to_platform[$arch]}") | ||||
| done | ||||
| platform="$(join "," "${platforms[@]}")" | ||||
|  | ||||
| # Run the build, pushing the resulting images and multi-arch manifest list to | ||||
| # Docker Hub. The Dockerfile is read from stdin to avoid sending any build | ||||
| # context, which isn't needed here since the actual cross-compiled images | ||||
| # have already been built. | ||||
| docker buildx build \ | ||||
|        --network host \ | ||||
|        --build-arg LOCAL_REPO="${LOCAL_REPO}" \ | ||||
|        --build-arg DOCKER_TAG="${DOCKER_TAG}" \ | ||||
|        --platform "${platform}" \ | ||||
|        "${tag_args[@]}" \ | ||||
|        --push \ | ||||
|        - < ./docker/Dockerfile.buildx | ||||
| @@ -1,4 +1,4 @@ | ||||
| [toolchain] | ||||
| channel = "1.72.0" | ||||
| channel = "1.73.0" | ||||
| components = [ "rustfmt", "clippy" ] | ||||
| profile = "minimal" | ||||
|   | ||||