author | Mathijs van Veluw <[email protected]> | 2023-10-23 00:18:38 +0200 |
---|---|---|
committer | GitHub <[email protected]> | 2023-10-23 00:18:38 +0200 |
commit | d722328f05f65910e00d01c7b156d30ab9ac8986 (patch) | |
tree | 9c193bd2deea807592efb58c48dfa7f7165e6bc8 /docker | |
parent | cb4b683dcd51eff4508bcf50e34d657b8d2225d4 (diff) | |
Container building changes (#3958)
* WIP: Container building changes
* Small updates
- Updated to rust 1.73.0
- Updated crates
- Updated documentation
- Added a bake.sh script to make baking easier
* Update GitHub Actions Workflow
- Updated workflow to use qemu and buildx bake
In the future I would like to extract the alpine based binaries and add
them as artifacts to the release.
* Address review remarks and small updates
- Addressed review remarks
- Added `podman-bake.sh` script to build Vaultwarden with podman
- Updated README
- Updated crates
- Added `VW_VERSION` support
- Added annotations
- Updated web-vault to v2023.9.1
Diffstat (limited to 'docker')
29 files changed, 1116 insertions, 2236 deletions
diff --git a/docker/DockerSettings.yaml b/docker/DockerSettings.yaml
new file mode 100644
index 00000000..908f9721
--- /dev/null
+++ b/docker/DockerSettings.yaml
@@ -0,0 +1,28 @@
+---
+vault_version: "v2023.9.1"
+vault_image_digest: "sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd"
+# Cross Compile Docker Helper Scripts v1.3.0
+# We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
+xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc"
+rust_version: 1.73.0 # Rust version to be used
+debian_version: bookworm # Debian release name to be used
+alpine_version: 3.18 # Alpine version to be used
+# For which platforms/architectures will we try to build images
+platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
+# Determine the build images per OS/Arch
+build_stage_image:
+ debian:
+ image: "docker.io/library/rust:{{rust_version}}-slim-{{debian_version}}"
+ platform: "$BUILDPLATFORM"
+ alpine:
+ image: "build_${TARGETARCH}${TARGETVARIANT}"
+ platform: "linux/amd64" # The Alpine build images only have linux/amd64 images
+ arch_image:
+ amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}"
+ arm64: "ghcr.io/blackdex/rust-musl:aarch64-musl-stable-{{rust_version}}"
+ armv7: "ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-{{rust_version}}"
+ armv6: "ghcr.io/blackdex/rust-musl:arm-musleabi-stable-{{rust_version}}"
+# The final image which will be used to distribute the container images
+runtime_stage_image:
+ debian: "docker.io/library/debian:{{debian_version}}-slim"
+ alpine: "docker.io/library/alpine:{{alpine_version}}"
diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
new file mode 100644
index 00000000..8a8332f0
--- /dev/null
+++ b/docker/Dockerfile.alpine
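Review bot: In docker/DockerSettings.yaml the `build_stage_image` and `runtime_stage_image` entries are pinned by tag only, while `vault_image_digest` and `xx_image_digest` in the same file are pinned by digest. The generated Dockerfiles explain that a tag can later be repointed, and that applies equally to the `rust`, `ghcr.io/blackdex/rust-musl`, `debian` and `alpine` images that compile and ship the binary. Consider a digest key per image, e.g. `image_digest: "sha256:<digest-placeholder>"`, rendered as `image@digest` in Dockerfile.j2, using the manifest-list digest where `--platform` must still select the architecture. Separately, `alpine_version: 3.18` is unquoted and most YAML loaders read it as a float, so a later `3.20` would render as `3.2`; quoting it like `vault_version` avoids that.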
@@ -0,0 +1,160 @@ +# syntax=docker/dockerfile:1 + +# This file was generated using a Jinja2 template. +# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` +# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine` + +# Using multistage build: +# https://docs.docker.com/develop/develop-images/multistage-build/ +# https://whitfin.io/speeding-up-rust-docker-builds/ + +####################### VAULT BUILD IMAGE ####################### +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. +# +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. +# - From the command line: +# $ docker pull docker.io/vaultwarden/web-vault:v2023.9.1 +# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.9.1 +# [docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd +# [docker.io/vaultwarden/web-vault:v2023.9.1] +# +FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd as vault + +########################## ALPINE BUILD IMAGES ########################## +## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 +## And for Alpine we define all build images here, they will only be loaded when actually used +FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.73.0 as 
build_amd64 +FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.73.0 as build_arm64 +FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.73.0 as build_armv7 +FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.73.0 as build_armv6 + +########################## BUILD IMAGE ########################## +# hadolint ignore=DL3006 +FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} as build +ARG TARGETARCH +ARG TARGETVARIANT +ARG TARGETPLATFORM + +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + +# Build time options to avoid dpkg warnings and help with reproducible builds. +ENV DEBIAN_FRONTEND=noninteractive \ + LANG=C.UTF-8 \ + TZ=UTC \ + TERM=xterm-256color \ + CARGO_HOME="/root/.cargo" \ + USER="root" \ + # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 + # Debian Bookworm already contains libpq v15 + PQ_LIB_DIR="/usr/local/musl/pq15/lib" + + +# Create CARGO_HOME folder and don't download rust docs +RUN mkdir -pv "${CARGO_HOME}" \ + && rustup set profile minimal + +# Creates a dummy project used to grab dependencies +RUN USER=root cargo new --bin /app +WORKDIR /app + +# Shared variables across Debian and Alpine +RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \ + # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic + if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \ + # Output the current contents of the file + cat /env-cargo + +# Enable MiMalloc to improve performance on Alpine builds +ARG DB=sqlite,mysql,postgresql,enable_mimalloc + +RUN source /env-cargo && \ + rustup target add "${CARGO_TARGET}" + +ARG CARGO_PROFILE=release +ARG VW_VERSION + +# Copies over *only* your manifests and build files +COPY ./Cargo.* ./ +COPY ./rust-toolchain.toml ./rust-toolchain.toml +COPY ./build.rs ./build.rs + +# 
Builds your dependencies and removes the +# dummy project, except the target folder +# This folder contains the compiled dependencies +RUN source /env-cargo && \ + cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ + find . -not -path "./target*" -delete + +# Copies the complete project +# To avoid copying unneeded files, use .dockerignore +COPY . . + +# Builds again, this time it will be the actual source files being build +RUN source /env-cargo && \ + # Make sure that we actually build the project by updating the src/main.rs timestamp + touch src/main.rs && \ + # Create a symlink to the binary target folder to easy copy the binary in the final stage + cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ + if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ + ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \ + else \ + ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \ + fi + + +######################## RUNTIME IMAGE ######################## +# Create a new stage with a minimal image +# because we already have a binary built +# +# To build these images you need to have qemu binfmt support. +# See the following pages to help install these tools locally +# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation +# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64 +# +# Or use a Docker image which modifies your host system to support this. +# The GitHub Actions Workflow uses the same image as used below. 
+# See: https://github.com/tonistiigi/binfmt +# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm +# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' +# +# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 +FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.18 + +ENV ROCKET_PROFILE="release" \ + ROCKET_ADDRESS=0.0.0.0 \ + ROCKET_PORT=80 \ + SSL_CERT_DIR=/etc/ssl/certs + +# Create data folder and Install needed libraries +RUN mkdir /data && \ + apk --no-cache add \ + ca-certificates \ + curl \ + openssl \ + tzdata + +VOLUME /data +EXPOSE 80 +EXPOSE 3012 + +# Copies the files from the context (Rocket.toml file and web-vault) +# and the binary from the "build" stage to the current stage +WORKDIR / + +COPY docker/healthcheck.sh /healthcheck.sh +COPY docker/start.sh /start.sh + +COPY --from=vault /web-vault ./web-vault +COPY --from=build /app/target/final/vaultwarden . + +HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] + +CMD ["/start.sh"] diff --git a/docker/Dockerfile.buildx b/docker/Dockerfile.buildx deleted file mode 100644 index c250312c..00000000 --- a/docker/Dockerfile.buildx +++ /dev/null 
@@ -1,34 +0,0 @@ -# syntax=docker/dockerfile:1 -# The cross-built images have the build arch (`amd64`) embedded in the image -# manifest, rather than the target arch. For example: -# -# $ docker inspect vaultwarden/server:latest-armv7 | jq -r '.[]|.Architecture' -# amd64 -# -# Recent versions of Docker have started printing a warning when the image's -# claimed arch doesn't match the host arch. For example: -# -# WARNING: The requested image's platform (linux/amd64) does not match the -# detected host platform (linux/arm/v7) and no specific platform was requested -# -# The image still works fine, but the spurious warning creates confusion. -# -# Docker doesn't seem to provide a way to directly set the arch of an image -# at build time. To resolve the build vs. target arch discrepancy, we use -# Docker Buildx to build a new set of images with the correct target arch. -# -# Docker Buildx uses this Dockerfile to build an image for each requested -# platform. Since the Dockerfile basically consists of a single `FROM` -# instruction, we're effectively telling Buildx to build a platform-specific -# image by simply copying the existing cross-built image and setting the -# correct target arch as a side effect. -# -# References: -# -# - https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images -# - https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope -# - https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact -# -ARG LOCAL_REPO -ARG DOCKER_TAG -FROM ${LOCAL_REPO}:${DOCKER_TAG}-${TARGETARCH}${TARGETVARIANT} diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian new file mode 100644 index 00000000..6d4522a7 --- /dev/null +++ b/docker/Dockerfile.debian 
@@ -0,0 +1,194 @@ +# syntax=docker/dockerfile:1 + +# This file was generated using a Jinja2 template. +# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` +# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine` + +# Using multistage build: +# https://docs.docker.com/develop/develop-images/multistage-build/ +# https://whitfin.io/speeding-up-rust-docker-builds/ + +####################### VAULT BUILD IMAGE ####################### +# The web-vault digest specifies a particular web-vault build on Docker Hub. +# Using the digest instead of the tag name provides better security, +# as the digest of an image is immutable, whereas a tag name can later +# be changed to point to a malicious image. +# +# To verify the current digest for a given tag name: +# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, +# click the tag name to view the digest of the image it currently points to. +# - From the command line: +# $ docker pull docker.io/vaultwarden/web-vault:v2023.9.1 +# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.9.1 +# [docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd] +# +# - Conversely, to get the tag name from the digest: +# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd +# [docker.io/vaultwarden/web-vault:v2023.9.1] +# +FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:ccf76db7406378b36cb937c1a3ca884448e32e7f82effd4d97b335cd725c75fd as vault + +########################## Cross Compile Docker Helper Scripts ########################## +## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts +## And these bash scripts do not have any significant difference if at all +FROM --platform=linux/amd64 
docker.io/tonistiigi/xx@sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc AS xx + +########################## BUILD IMAGE ########################## +# hadolint ignore=DL3006 +FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.73.0-slim-bookworm as build +COPY --from=xx / / +ARG TARGETARCH +ARG TARGETVARIANT +ARG TARGETPLATFORM + +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + +# Build time options to avoid dpkg warnings and help with reproducible builds. +ENV DEBIAN_FRONTEND=noninteractive \ + LANG=C.UTF-8 \ + TZ=UTC \ + TERM=xterm-256color \ + CARGO_HOME="/root/.cargo" \ + USER="root" + +# Install clang to get `xx-cargo` working +# Install pkg-config to allow amd64 builds to find all libraries +# Install git so build.rs can determine the correct version +# Install the libc cross packages based upon the debian-arch +RUN apt-get update && \ + apt-get install -y \ + --no-install-recommends \ + clang \ + pkg-config \ + git \ + "libc6-$(xx-info debian-arch)-cross" \ + "libc6-dev-$(xx-info debian-arch)-cross" \ + "linux-libc-dev-$(xx-info debian-arch)-cross" && \ + # Run xx-cargo early, since it sometimes seems to break when run at a later stage + echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo + +RUN xx-apt-get install -y \ + --no-install-recommends \ + gcc \ + libmariadb3 \ + libpq-dev \ + libpq5 \ + libssl-dev && \ + # Force install arch dependend mariadb dev packages + # Installing them the normal way breaks several other packages (again) + apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \ + dpkg --force-all -i ./libmariadb-dev*.deb + +# Create CARGO_HOME folder and don't download rust docs +RUN mkdir -pv "${CARGO_HOME}" \ + && rustup set profile minimal + +# Creates a dummy project used to grab dependencies +RUN USER=root cargo new --bin /app +WORKDIR /app + +# Environment variables for cargo across Debian and Alpine +RUN source /env-cargo && \ + if 
xx-info is-cross ; then \ + # We can't use xx-cargo since that uses clang, which doesn't work for our libraries. + # Because of this we generate the needed environment variables here which we can load in the needed steps. + echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ + echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ + echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \ + echo "export CROSS_COMPILE=1" >> /env-cargo && \ + echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \ + echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \ + fi && \ + # Output the current contents of the file + cat /env-cargo + +# Configure the DB ARG as late as possible to not invalidate the cached layers above +ARG DB=sqlite,mysql,postgresql + +RUN source /env-cargo && \ + rustup target add "${CARGO_TARGET}" + +ARG CARGO_PROFILE=release +ARG VW_VERSION + +# Copies over *only* your manifests and build files +COPY ./Cargo.* ./ +COPY ./rust-toolchain.toml ./rust-toolchain.toml +COPY ./build.rs ./build.rs + +# Builds your dependencies and removes the +# dummy project, except the target folder +# This folder contains the compiled dependencies +RUN source /env-cargo && \ + cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ + find . -not -path "./target*" -delete + +# Copies the complete project +# To avoid copying unneeded files, use .dockerignore +COPY . . 
+ +# Builds again, this time it will be the actual source files being build +RUN source /env-cargo && \ + # Make sure that we actually build the project by updating the src/main.rs timestamp + touch src/main.rs && \ + # Create a symlink to the binary target folder to easy copy the binary in the final stage + cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ + if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ + ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \ + else \ + ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \ + fi + + +######################## RUNTIME IMAGE ######################## +# Create a new stage with a minimal image +# because we already have a binary built +# +# To build these images you need to have qemu binfmt support. +# See the following pages to help install these tools locally +# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation +# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64 +# +# Or use a Docker image which modifies your host system to support this. +# The GitHub Actions Workflow uses the same image as used below. 
+# See: https://github.com/tonistiigi/binfmt +# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm +# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' +# +# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 +FROM --platform=$TARGETPLATFORM docker.io/library/debian:bookworm-slim + +ENV ROCKET_PROFILE="release" \ + ROCKET_ADDRESS=0.0.0.0 \ + ROCKET_PORT=80 \ + DEBIAN_FRONTEND=noninteractive + +# Create data folder and Install needed libraries +RUN mkdir /data && \ + apt-get update && apt-get install -y \ + --no-install-recommends \ + ca-certificates \ + curl \ + libmariadb-dev-compat \ + libpq5 \ + openssl && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + +VOLUME /data +EXPOSE 80 +EXPOSE 3012 + +# Copies the files from the context (Rocket.toml file and web-vault) +# and the binary from the "build" stage to the current stage +WORKDIR / + +COPY docker/healthcheck.sh /healthcheck.sh +COPY docker/start.sh /start.sh + +COPY --from=vault /web-vault ./web-vault +COPY --from=build /app/target/final/vaultwarden . + +HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] + +CMD ["/start.sh"] diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 index ab4c4ff4..7fa39bfb 100644 --- a/docker/Dockerfile.j2 +++ b/docker/Dockerfile.j2 
@@ -1,68 +1,14 @@ # syntax=docker/dockerfile:1 # This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -{% set rust_version = "1.72.0" %} -{% set debian_version = "bookworm" %} -{% set alpine_version = "3.17" %} -{% set build_stage_base_image = "docker.io/library/rust:%s-%s" % (rust_version, debian_version) %} -{% if "alpine" in target_file %} -{% if "amd64" in target_file %} -{% set build_stage_base_image = "docker.io/blackdex/rust-musl:x86_64-musl-stable-%s-openssl3" % rust_version %} -{% set runtime_stage_base_image = "docker.io/library/alpine:%s" % alpine_version %} -{% set package_arch_target = "x86_64-unknown-linux-musl" %} -{% elif "armv7" in target_file %} -{% set build_stage_base_image = "docker.io/blackdex/rust-musl:armv7-musleabihf-stable-%s-openssl3" % rust_version %} -{% set runtime_stage_base_image = "docker.io/balenalib/armv7hf-alpine:%s" % alpine_version %} -{% set package_arch_target = "armv7-unknown-linux-musleabihf" %} -{% elif "armv6" in target_file %} -{% set build_stage_base_image = "docker.io/blackdex/rust-musl:arm-musleabi-stable-%s-openssl3" % rust_version %} -{% set runtime_stage_base_image = "docker.io/balenalib/rpi-alpine:%s" % alpine_version %} -{% set package_arch_target = "arm-unknown-linux-musleabi" %} -{% elif "arm64" in target_file %} -{% set build_stage_base_image = "docker.io/blackdex/rust-musl:aarch64-musl-stable-%s-openssl3" % rust_version %} -{% set runtime_stage_base_image = "docker.io/balenalib/aarch64-alpine:%s" % alpine_version %} -{% set package_arch_target = "aarch64-unknown-linux-musl" %} -{% endif %} -{% elif "amd64" in target_file %} -{% set runtime_stage_base_image = "docker.io/library/debian:%s-slim" % debian_version %} -{% elif "arm64" in target_file %} -{% set runtime_stage_base_image = "docker.io/balenalib/aarch64-debian:%s" % debian_version %} -{% set package_arch_name = "arm64" %} -{% set package_arch_target = 
"aarch64-unknown-linux-gnu" %} -{% set package_cross_compiler = "aarch64-linux-gnu" %} -{% elif "armv6" in target_file %} -{% set runtime_stage_base_image = "docker.io/balenalib/rpi-debian:%s" % debian_version %} -{% set package_arch_name = "armel" %} -{% set package_arch_target = "arm-unknown-linux-gnueabi" %} -{% set package_cross_compiler = "arm-linux-gnueabi" %} -{% elif "armv7" in target_file %} -{% set runtime_stage_base_image = "docker.io/balenalib/armv7hf-debian:%s" % debian_version %} -{% set package_arch_name = "armhf" %} -{% set package_arch_target = "armv7-unknown-linux-gnueabihf" %} -{% set package_cross_compiler = "arm-linux-gnueabihf" %} -{% endif %} -{% if package_arch_name is defined %} -{% set package_arch_prefix = ":" + package_arch_name %} -{% else %} -{% set package_arch_prefix = "" %} -{% endif %} -{% if package_arch_target is defined %} -{% set package_arch_target_param = " --target=" + package_arch_target %} -{% else %} -{% set package_arch_target_param = "" %} -{% endif %} -{% if "buildkit" in target_file %} -{% set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %} -{% else %} -{% set mount_rust_cache = "" %} -{% endif %} +# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` +# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine` + # Using multistage build: # https://docs.docker.com/develop/develop-images/multistage-build/ # https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -{% set vault_version = "v2023.8.2" %} -{% set vault_image_digest = "sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252" %} + +####################### VAULT BUILD IMAGE ####################### # The web-vault digest specifies a particular web-vault build on Docker Hub. 
# Using the digest instead of the tag name provides better security, # as the digest of an image is immutable, whereas a tag name can later @@ -80,10 +26,33 @@ # $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }} # [docker.io/vaultwarden/web-vault:{{ vault_version }}] # -FROM docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault +FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault + +{% if base == "debian" %} +########################## Cross Compile Docker Helper Scripts ########################## +## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts +## And these bash scripts do not have any significant difference if at all +FROM --platform=linux/amd64 docker.io/tonistiigi/xx@{{ xx_image_digest }} AS xx +{% elif base == "alpine" %} +########################## ALPINE BUILD IMAGES ########################## +## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 +## And for Alpine we define all build images here, they will only be loaded when actually used +{% for arch in build_stage_image[base].arch_image %} +FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} as build_{{ arch }} +{% endfor %} +{% endif %} + +########################## BUILD IMAGE ########################## +# hadolint ignore=DL3006 +FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} as build +{% if base == "debian" %} +COPY --from=xx / / +{% endif %} +ARG TARGETARCH +ARG TARGETVARIANT +ARG TARGETPLATFORM -########################## BUILD IMAGE ########################## -FROM {{ build_stage_base_image }} as build +SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ 
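Review bot: The `# hadolint ignore=DL3006` added above the `build` stage `FROM` is rendered for both bases, but presumably only the Alpine stage alias `build_${TARGETARCH}${TARGETVARIANT}` looks untagged to the linter. On Debian the image is `rust:{{rust_version}}-slim-{{debian_version}}`, so the suppression is not needed there and would hide a later change that drops the tag from that base image. Emitting it conditionally, `{% if base == "alpine" %}# hadolint ignore=DL3006{% endif %}`, with a one-line reason comment keeps the check active where it applies.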
@@ -91,133 +60,162 @@ ENV DEBIAN_FRONTEND=noninteractive \ TZ=UTC \ TERM=xterm-256color \ CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ USER="root" +{%- if base == "alpine" %} \ + # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 + # Debian Bookworm already contains libpq v15 + PQ_LIB_DIR="/usr/local/musl/pq15/lib" +{% endif %} -# Create CARGO_HOME folder and don't download rust docs -RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal +{% if base == "debian" %} -{% if "alpine" in target_file %} -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" -{% if "armv6" in target_file %} -# To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic -ENV RUSTFLAGS='-Clink-arg=-latomic' -{% endif %} -{% elif "arm" in target_file %} -# Install build dependencies for the {{ package_arch_name }} architecture -RUN {{ mount_rust_cache -}} dpkg --add-architecture {{ package_arch_name }} \ - && apt-get update \ - && apt-get install -y \ +# Install clang to get `xx-cargo` working +# Install pkg-config to allow amd64 builds to find all libraries +# Install git so build.rs can determine the correct version +# Install the libc cross packages based upon the debian-arch +RUN apt-get update && \ + apt-get install -y \ --no-install-recommends \ - gcc-{{ package_cross_compiler }} \ - libc6-dev{{ package_arch_prefix }} \ - linux-libc-dev{{ package_arch_prefix }} \ - libmariadb-dev{{ package_arch_prefix }} \ - libmariadb-dev-compat{{ package_arch_prefix }} \ - libmariadb3{{ package_arch_prefix }} \ - libpq-dev{{ package_arch_prefix }} \ - libpq5{{ package_arch_prefix }} \ - libssl-dev{{ package_arch_prefix }} \ - # - # Make sure cargo has the right target config - && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \ - && echo 'linker = 
"{{ package_cross_compiler }}-gcc"' >> "${CARGO_HOME}/config" \ - && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> "${CARGO_HOME}/config" - -# Set arm specific environment values -ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc" \ - CROSS_COMPILE="1" \ - OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \ - OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}" -{% elif "amd64" in target_file %} -# Install build dependencies -RUN apt-get update \ - && apt-get install -y \ + clang \ + pkg-config \ + git \ + "libc6-$(xx-info debian-arch)-cross" \ + "libc6-dev-$(xx-info debian-arch)-cross" \ + "linux-libc-dev-$(xx-info debian-arch)-cross" && \ + # Run xx-cargo early, since it sometimes seems to break when run at a later stage + echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo + +RUN xx-apt-get install -y \ --no-install-recommends \ - libmariadb-dev \ - libpq-dev + gcc \ + libmariadb3 \ + libpq-dev \ + libpq5 \ + libssl-dev && \ + # Force install arch dependend mariadb dev packages + # Installing them the normal way breaks several other packages (again) + apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \ + dpkg --force-all -i ./libmariadb-dev*.deb {% endif %} +# Create CARGO_HOME folder and don't download rust docs +RUN mkdir -pv "${CARGO_HOME}" \ + && rustup set profile minimal + # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -{% if package_arch_target is defined %} -RUN {{ mount_rust_cache -}} rustup target add {{ package_arch_target }} -{% endif %} +{% if base == "debian" %} +# Environment variables for cargo across Debian and Alpine +RUN source /env-cargo && \ + if xx-info is-cross ; then \ + # We 
can't use xx-cargo since that uses clang, which doesn't work for our libraries. + # Because of this we generate the needed environment variables here which we can load in the needed steps. + echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ + echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ + echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \ + echo "export CROSS_COMPILE=1" >> /env-cargo && \ + echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \ + echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \ + fi && \ + # Output the current contents of the file + cat /env-cargo # Configure the DB ARG as late as possible to not invalidate the cached layers above -{% if "alpine" in target_file %} +ARG DB=sqlite,mysql,postgresql +{% elif base == "alpine" %} +# Shared variables across Debian and Alpine +RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \ + # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic + if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \ + # Output the current contents of the file + cat /env-cargo + # Enable MiMalloc to improve performance on Alpine builds ARG DB=sqlite,mysql,postgresql,enable_mimalloc -{% else %} -ARG DB=sqlite,mysql,postgresql {% endif %} +RUN source /env-cargo && \ + rustup target add "${CARGO_TARGET}" + +ARG CARGO_PROFILE=release +ARG VW_VERSION + +# Copies over *only* your manifests and build files +COPY ./Cargo.* ./ +COPY ./rust-toolchain.toml ./rust-toolchain.toml +COPY ./build.rs ./build.rs + # Builds your dependencies and removes the # dummy project, except the target folder # This folder contains the compiled dependencies -RUN {{ mount_rust_cache -}} 
cargo build --features ${DB} --release{{ package_arch_target_param }} \ - && find . -not -path "./target*" -delete +RUN source /env-cargo && \ + cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ + find . -not -path "./target*" -delete # Copies the complete project # To avoid copying unneeded files, use .dockerignore COPY . . -# Make sure that we actually build the project -RUN touch src/main.rs +# Builds again, this time it will be the actual source files being build +RUN source /env-cargo && \ + # Make sure that we actually build the project by updating the src/main.rs timestamp + touch src/main.rs && \ + # Create a symlink to the binary target folder to easy copy the binary in the final stage + cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ + if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ + ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \ + else \ + ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \ + fi -# Builds again, this time it'll just be -# your actual source files being built -RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built -FROM {{ runtime_stage_base_image }} +# +# To build these images you need to have qemu binfmt support. +# See the following pages to help install these tools locally +# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation +# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64 +# +# Or use a Docker image which modifies your host system to support this. +# The GitHub Actions Workflow uses the same image as used below. 
+# See: https://github.com/tonistiigi/binfmt +# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm +# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' +# +# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 +FROM --platform=$TARGETPLATFORM {{ runtime_stage_image[base] }} ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -{%- if "alpine" in runtime_stage_base_image %} \ +{%- if base == "debian" %} \ + DEBIAN_FRONTEND=noninteractive +{% elif base == "alpine" %} \ SSL_CERT_DIR=/etc/ssl/certs {% endif %} - -{% if "amd64" not in target_file %} -RUN [ "cross-build-start" ] -{% endif %} - # Create data folder and Install needed libraries -RUN mkdir /data \ -{% if "alpine" in runtime_stage_base_image %} - && apk add --no-cache \ +RUN mkdir /data && \ +{% if base == "debian" %} + apt-get update && apt-get install -y \ + --no-install-recommends \ + ca-certificates \ + curl \ + libmariadb-dev-compat \ + libpq5 \ + openssl && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* +{% elif base == "alpine" %} + apk --no-cache add \ ca-certificates \ curl \ openssl \ tzdata -{% else %} - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* -{% endif %} - -{% if "amd64" not in target_file %} -RUN [ "cross-build-end" ] {% endif %} VOLUME /data 
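Review bot: `dpkg --force-all -i ./libmariadb-dev*.deb` in the Debian build-stage `RUN xx-apt-get install` step enables every dpkg force option, not only the one needed for the package breakage the comment above it describes. Dependency, conflict and overwrite checks are all overridden, so an unexpected package state is installed silently instead of failing the build. If the problem is dependency resolution, a narrower flag such as `dpkg --force-depends -i ./libmariadb-dev*.deb` would keep the remaining checks; which option is actually required is not visible from this hunk. The glob also installs any `libmariadb-dev*.deb` already in the working directory, so downloading into a fresh directory and removing the files afterwards would make the installed set explicit.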
@@ -227,16 +225,13 @@ EXPOSE 3012 # Copies the files from the context (Rocket.toml file and web-vault) # and the binary from the "build" stage to the current stage WORKDIR / -COPY --from=vault /web-vault ./web-vault -{% if package_arch_target is defined %} -COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden . -{% else %} -COPY --from=build /app/target/release/vaultwarden . -{% endif %} COPY docker/healthcheck.sh /healthcheck.sh COPY docker/start.sh /start.sh +COPY --from=vault /web-vault ./web-vault +COPY --from=build /app/target/final/vaultwarden . + HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] CMD ["/start.sh"] diff --git a/docker/Makefile b/docker/Makefile index d7c0ab80..e8c0760a 100644 --- a/docker/Makefile +++ b/docker/Makefile @@ -1,15 +1,4 @@ -OBJECTS := $(shell find ./ -mindepth 2 -name 'Dockerfile*') - -all: $(OBJECTS) - -%/Dockerfile: Dockerfile.j2 render_template - ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" - -%/Dockerfile.alpine: Dockerfile.j2 render_template - ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" - -%/Dockerfile.buildkit: Dockerfile.j2 render_template - ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" - -%/Dockerfile.buildkit.alpine: Dockerfile.j2 render_template - ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" +all: + ./render_template Dockerfile.j2 '{"base": "debian"}' > Dockerfile.debian + ./render_template Dockerfile.j2 '{"base": "alpine"}' > Dockerfile.alpine +.PHONY: all diff --git a/docker/README.md b/docker/README.md index 1dbfe22c..3c74043c 100644 --- a/docker/README.md +++ b/docker/README.md 
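Review bot: No `USER` instruction appears in the visible part of the runtime stage, so `CMD ["/start.sh"]` at the end of the `@@ -227,16 +225,13 @@` hunk of the Dockerfile template starts the server as root by default. The files copied in this hunk land in `/` owned by root, which is fine, but the running process only needs write access to `/data`. Consider creating a dedicated account in the `RUN mkdir /data` step and adding a line such as `USER vaultwarden` (name is a placeholder) before `HEALTHCHECK`. If root is kept for compatibility with existing volumes and `ROCKET_PORT=80`, a comment above `CMD` would help, for example `# Runs as root by default; set a non-root user at run time where /data ownership allows`. The runtime stage begins before this hunk, so check this against the lines not shown here.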
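Review bot: In the docker/Makefile hunk, both recipe lines redirect straight into the output file (`> Dockerfile.debian`, `> Dockerfile.alpine`), so the shell truncates the file before `render_template` runs and a failed render leaves an empty or partial Dockerfile behind. Rendering to a temporary name and moving it into place avoids that: `./render_template Dockerfile.j2 '{"base": "debian"}' > Dockerfile.debian.tmp && mv Dockerfile.debian.tmp Dockerfile.debian`, and likewise for alpine. The rendered Dockerfiles appear to be committed next to the template (this commit adds `docker/Dockerfile.alpine`). If so, a CI step that runs `make` and then `git diff --exit-code` would catch a hand-edited or stale Dockerfile that no longer matches the reviewed `Dockerfile.j2`.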
@@ -1,3 +1,183 @@ -The arch-specific directory names follow the arch identifiers used by the Docker official images: +# Vaultwarden Container Building -https://github.com/docker-library/official-images/blob/master/README.md#architectures-other-than-amd64 +To build and release new testing and stable releases of Vaultwarden we use `docker buildx bake`.<br> +This can be used locally by running the command yourself, but it is also used by GitHub Actions. + +This makes it easier for us to test and maintain the different architectures we provide.<br> +We also just have two Dockerfile's one for Debian and one for Alpine based images.<br> +With just these two files we can build both Debian and Alpine images for the following platforms: + - amd64 (linux/amd64) + - arm64 (linux/arm64) + - armv7 (linux/arm/v7) + - armv6 (linux/arm/v6) + +To build these containers you need to enable QEMU binfmt support to be able to run/emulate architectures which are different then your host.<br> +This ensures the container build process can run binaries from other architectures.<br> + +**NOTE**: Run all the examples below from the root of the repo.<br> + + +## How to install QEMU binfmt support + +This is different per host OS, but most support this in some way.<br> + +### Ubuntu/Debian +```bash +apt install binfmt-support qemu-user-static +``` + +### Arch Linux (others based upon it) +```bash +pacman -S qemu-user-static qemu-user-static-binfmt +``` + +### Fedora +```bash +dnf install qemu-user-static +``` + +### Others +There also is an option to use an other docker container to provide support for this. 
+```bash +# To install and activate +docker run --privileged --rm tonistiigi/binfmt --install arm64,arm +# To unistall +docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' +``` + + +## Single architecture container building + +You can build a container per supported architecture as long as you have QEMU binfmt support installed on your system.<br> + +```bash +# Default bake triggers a Debian build using the hosts architecture +docker buildx bake --file docker/docker-bake.hcl + +# Bake Debian ARM64 using a debug build +CARGO_PROFILE=dev \ +SOURCE_COMMIT="$(git rev-parse HEAD)" \ +docker buildx bake --file docker/docker-bake.hcl debian-arm64 + +# Bake Alpine ARMv6 as a release build +SOURCE_COMMIT="$(git rev-parse HEAD)" \ +docker buildx bake --file docker/docker-bake.hcl alpine-armv6 +``` + + +## Local Multi Architecture container building + +Start the initialization, this only needs to be done once. + +```bash +# Create and use a new buildx builder instance which connects to the host network +docker buildx create --name vaultwarden --use --driver-opt network=host + +# Validate it runs +docker buildx inspect --bootstrap + +# Create a local container registry directly reachable on the localhost +docker run -d --name registry --network host registry:2 +``` + +After that is done, you should be able to build and push to the local registry.<br> +Use the following command with the modified variables to bake the Alpine images.<br> +Replace `alpine` with `debian` if you want to build the debian multi arch images. 
+ +```bash +# Start a buildx bake using a debug build +CARGO_PROFILE=dev \ +SOURCE_COMMIT="$(git rev-parse HEAD)" \ +CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \ +docker buildx bake --file docker/docker-bake.hcl alpine-multi +``` + + +## Using the `bake.sh` script + +To make it a bit more easier to trigger a build, there also is a `bake.sh` script.<br> +This script calls `docker buildx bake` with all the right parameters and also generates the `SOURCE_COMMIT` and `SOURCE_VERSION` variables.<br> +This script can be called from both the repo root or within the docker directory. + +So, if you want to build a Multi Arch Alpine container pushing to your localhost registry you can run this from within the docker directory. (Just make sure you executed the initialization steps above first) +```bash +CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \ +./bake.sh alpine-multi +``` + +Or if you want to just build a Debian container from the repo root, you can run this. +```bash +docker/bake.sh +``` + +You can append both `alpine` and `debian` with `-amd64`, `-arm64`, `-armv7` or `-armv6`, which will trigger a build for that specific platform.<br> +This will also append those values to the tag so you can see the builded container when running `docker images`. + +You can also append extra arguments after the target if you want. This can be useful for example to print what bake will use. 
+```bash +docker/bake.sh alpine-all --print +``` + +### Testing baked images + +To test these images you can run these images by using the correct tag and provide the platform.<br> +For example, after you have build an arm64 image via `./bake.sh debian-arm64` you can run: +```bash +docker run --rm -it \ + -e DISABLE_ADMIN_TOKEN=true \ + -e I_REALLY_WANT_VOLATILE_STORAGE=true \ + -p8080:80 --platform=linux/arm64 \ + vaultwarden/server:testing-arm64 +``` + + +## Using the `podman-bake.sh` script + +To also make building easier using podman, there is a `podman-bake.sh` script.<br> +This script calls `podman buildx build` with the needed parameters and the same as `bake.sh`, it will generate some variables automatically.<br> +This script can be called from both the repo root or within the docker directory. + +**NOTE:** Unlike the `bake.sh` script, this only supports a single `CONTAINER_REGISTRIES`, and a single `BASE_TAGS` value, no comma separated values. It also only supports building separate architectures, no Multi Arch containers. + +To build an Alpine arm64 image with only sqlite support and mimalloc, run this: +```bash +DB="sqlite,enable_mimalloc" \ +./podman-bake.sh alpine-arm64 +``` + +Or if you want to just build a Debian container from the repo root, you can run this. +```bash +docker/podman-bake.sh +``` + +You can append extra arguments after the target if you want. This can be useful for example to disable cache like this. +```bash +./podman-bake.sh alpine-arm64 --no-cache +``` + +For the podman builds you can, just like the `bake.sh` script, also append the architecture to build for that specific platform.<br> + +### Testing podman builded images + +The command to start a podman built container is almost the same as for the docker/bake built containers. The images start with `localhost/`, so you need to prepend that. 
+ +```bash +podman run --rm -it \ + -e DISABLE_ADMIN_TOKEN=true \ + -e I_REALLY_WANT_VOLATILE_STORAGE=true \ + -p8080:80 --platform=linux/arm64 \ + localhost/vaultwarden/server:testing-arm64 +``` + + +## Variables supported +| Variable | default | description | +| --------------------- | ------------------ | ----------- | +| CARGO_PROFILE | null | Which cargo profile to use. `null` means what is defined in the Dockerfile | +| DB | null | Which `features` to build. `null` means what is defined in the Dockerfile | +| SOURCE_REPOSITORY_URL | null | The source repository form where this build is triggered | +| SOURCE_COMMIT | null | The commit hash of the current commit for this build | +| SOURCE_VERSION | null | The current exact tag of this commit, else the last tag and the first 8 chars of the source commit | +| BASE_TAGS | testing | Tags to be used. Can be a comma separated value like "latest,1.29.2" | +| CONTAINER_REGISTRIES | vaultwarden/server | Comma separated value of container registries. Like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server` | +| VW_VERSION | null | To override the `SOURCE_VERSION` value. This is also used by the `build.rs` code for example | diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile deleted file mode 100644 index 2efaf77a..00000000 --- a/docker/amd64/Dockerfile +++ /dev/null 
@@ -1,119 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/library/rust:1.72.0-bookworm as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install build dependencies -RUN apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - libmariadb-dev \ - libpq-dev - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN cargo build --features ${DB} --release - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/library/debian:bookworm-slim - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine deleted file mode 100644 index 3e4f3efd..00000000 --- a/docker/amd64/Dockerfile.alpine +++ /dev/null 
@@ -1,116 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/blackdex/rust-musl:x86_64-musl-stable-1.72.0-openssl3 as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN rustup target add x86_64-unknown-linux-musl - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/library/alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - ca-certificates \ - curl \ - openssl \ - tzdata - - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/amd64/Dockerfile.buildkit b/docker/amd64/Dockerfile.buildkit deleted file mode 100644 index eac7a5ea..00000000 --- a/docker/amd64/Dockerfile.buildkit +++ /dev/null 
@@ -1,119 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/library/rust:1.72.0-bookworm as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install build dependencies -RUN apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - libmariadb-dev \ - libpq-dev - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/library/debian:bookworm-slim - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/amd64/Dockerfile.buildkit.alpine b/docker/amd64/Dockerfile.buildkit.alpine deleted file mode 100644 index c1f199f5..00000000 --- a/docker/amd64/Dockerfile.buildkit.alpine +++ /dev/null 
@@ -1,116 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/blackdex/rust-musl:x86_64-musl-stable-1.72.0-openssl3 as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add x86_64-unknown-linux-musl - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/library/alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - ca-certificates \ - curl \ - openssl \ - tzdata - - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/arm64/Dockerfile b/docker/arm64/Dockerfile deleted file mode 100644 index 910568d0..00000000 --- a/docker/arm64/Dockerfile +++ /dev/null 
@@ -1,141 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/library/rust:1.72.0-bookworm as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install build dependencies for the arm64 architecture -RUN dpkg --add-architecture arm64 \ - && apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - gcc-aarch64-linux-gnu \ - libc6-dev:arm64 \ - linux-libc-dev:arm64 \ - libmariadb-dev:arm64 \ - libmariadb-dev-compat:arm64 \ - libmariadb3:arm64 \ - libpq-dev:arm64 \ - libpq5:arm64 \ - libssl-dev:arm64 \ - # - # Make sure cargo has the right target config - && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ - && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \ - && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config" - -# Set arm specific environment values -ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ - CROSS_COMPILE="1" \ - OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ - OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN rustup target add aarch64-unknown-linux-gnu - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/aarch64-debian:bookworm - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/arm64/Dockerfile.alpine b/docker/arm64/Dockerfile.alpine deleted file mode 100644 index e23c306a..00000000 --- a/docker/arm64/Dockerfile.alpine +++ /dev/null 
@@ -1,118 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/blackdex/rust-musl:aarch64-musl-stable-1.72.0-openssl3 as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN rustup target add aarch64-unknown-linux-musl - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/aarch64-alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - ca-certificates \ - curl \ - openssl \ - tzdata - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/arm64/Dockerfile.buildkit b/docker/arm64/Dockerfile.buildkit deleted file mode 100644 index 7f370c4e..00000000 --- a/docker/arm64/Dockerfile.buildkit +++ /dev/null 
@@ -1,141 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/library/rust:1.72.0-bookworm as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install build dependencies for the arm64 architecture -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture arm64 \ - && apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - gcc-aarch64-linux-gnu \ - libc6-dev:arm64 \ - linux-libc-dev:arm64 \ - libmariadb-dev:arm64 \ - libmariadb-dev-compat:arm64 \ - libmariadb3:arm64 \ - libpq-dev:arm64 \ - libpq5:arm64 \ - libssl-dev:arm64 \ - # - # Make sure cargo has the right target config - && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ - && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \ - && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config" - -# Set arm specific environment values -ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ - CROSS_COMPILE="1" \ - OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ - OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-gnu - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This 
folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . - -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/aarch64-debian:bookworm - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/arm64/Dockerfile.buildkit.alpine b/docker/arm64/Dockerfile.buildkit.alpine deleted file mode 100644 index 8cad80d3..00000000 --- a/docker/arm64/Dockerfile.buildkit.alpine +++ /dev/null 
@@ -1,118 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/blackdex/rust-musl:aarch64-musl-stable-1.72.0-openssl3 as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-musl - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/aarch64-alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - ca-certificates \ - curl \ - openssl \ - tzdata - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv6/Dockerfile b/docker/armv6/Dockerfile deleted file mode 100644 index 6480c9a6..00000000 --- a/docker/armv6/Dockerfile +++ /dev/null 
@@ -1,141 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/library/rust:1.72.0-bookworm as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install build dependencies for the armel architecture -RUN dpkg --add-architecture armel \ - && apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - gcc-arm-linux-gnueabi \ - libc6-dev:armel \ - linux-libc-dev:armel \ - libmariadb-dev:armel \ - libmariadb-dev-compat:armel \ - libmariadb3:armel \ - libpq-dev:armel \ - libpq5:armel \ - libssl-dev:armel \ - # - # Make sure cargo has the right target config - && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ - && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \ - && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config" - -# Set arm specific environment values -ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ - CROSS_COMPILE="1" \ - OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ - OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN rustup target add arm-unknown-linux-gnueabi - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/rpi-debian:bookworm - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv6/Dockerfile.alpine b/docker/armv6/Dockerfile.alpine deleted file mode 100644 index acec859a..00000000 --- a/docker/armv6/Dockerfile.alpine +++ /dev/null 
@@ -1,120 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/blackdex/rust-musl:arm-musleabi-stable-1.72.0-openssl3 as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" -# To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic -ENV RUSTFLAGS='-Clink-arg=-latomic' - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN rustup target add arm-unknown-linux-musleabi - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/rpi-alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - ca-certificates \ - curl \ - openssl \ - tzdata - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv6/Dockerfile.buildkit b/docker/armv6/Dockerfile.buildkit deleted file mode 100644 index 6211d9a3..00000000 --- a/docker/armv6/Dockerfile.buildkit +++ /dev/null 
@@ -1,141 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/library/rust:1.72.0-bookworm as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install build dependencies for the armel architecture -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture armel \ - && apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - gcc-arm-linux-gnueabi \ - libc6-dev:armel \ - linux-libc-dev:armel \ - libmariadb-dev:armel \ - libmariadb-dev-compat:armel \ - libmariadb3:armel \ - libpq-dev:armel \ - libpq5:armel \ - libssl-dev:armel \ - # - # Make sure cargo has the right target config - && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ - && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \ - && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config" - -# Set arm specific environment values -ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ - CROSS_COMPILE="1" \ - OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ - OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This 
folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . - -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/rpi-debian:bookworm - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv6/Dockerfile.buildkit.alpine b/docker/armv6/Dockerfile.buildkit.alpine deleted file mode 100644 index 21315cb3..00000000 --- a/docker/armv6/Dockerfile.buildkit.alpine +++ /dev/null 
@@ -1,120 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/blackdex/rust-musl:arm-musleabi-stable-1.72.0-openssl3 as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" -# To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic -ENV RUSTFLAGS='-Clink-arg=-latomic' - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-musleabi - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/rpi-alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - ca-certificates \ - curl \ - openssl \ - tzdata - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv7/Dockerfile b/docker/armv7/Dockerfile deleted file mode 100644 index b5174133..00000000 --- a/docker/armv7/Dockerfile +++ /dev/null 
@@ -1,141 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/library/rust:1.72.0-bookworm as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install build dependencies for the armhf architecture -RUN dpkg --add-architecture armhf \ - && apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - gcc-arm-linux-gnueabihf \ - libc6-dev:armhf \ - linux-libc-dev:armhf \ - libmariadb-dev:armhf \ - libmariadb-dev-compat:armhf \ - libmariadb3:armhf \ - libpq-dev:armhf \ - libpq5:armhf \ - libssl-dev:armhf \ - # - # Make sure cargo has the right target config - && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ - && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \ - && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config" - -# Set arm specific environment values -ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ - CROSS_COMPILE="1" \ - OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ - OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN rustup target add armv7-unknown-linux-gnueabihf - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \ - && find . 
-not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . - -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/armv7hf-debian:bookworm - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine deleted file mode 100644 index 450d1963..00000000 --- a/docker/armv7/Dockerfile.alpine +++ /dev/null 
@@ -1,118 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/blackdex/rust-musl:armv7-musleabihf-stable-1.72.0-openssl3 as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN rustup target add armv7-unknown-linux-musleabihf - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/armv7hf-alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - ca-certificates \ - curl \ - openssl \ - tzdata - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv7/Dockerfile.buildkit b/docker/armv7/Dockerfile.buildkit deleted file mode 100644 index aa291135..00000000 --- a/docker/armv7/Dockerfile.buildkit +++ /dev/null 
@@ -1,141 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/library/rust:1.72.0-bookworm as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install build dependencies for the armhf architecture -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry dpkg --add-architecture armhf \ - && apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - gcc-arm-linux-gnueabihf \ - libc6-dev:armhf \ - linux-libc-dev:armhf \ - libmariadb-dev:armhf \ - libmariadb-dev-compat:armhf \ - libmariadb3:armhf \ - libpq-dev:armhf \ - libpq5:armhf \ - libssl-dev:armhf \ - # - # Make sure cargo has the right target config - && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ - && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \ - && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config" - -# Set arm specific environment values -ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ - CROSS_COMPILE="1" \ - OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ - OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-gnueabihf - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the 
target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . - -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/armv7hf-debian:bookworm - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - openssl \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv7/Dockerfile.buildkit.alpine b/docker/armv7/Dockerfile.buildkit.alpine deleted file mode 100644 index 58a32af9..00000000 
--- a/docker/armv7/Dockerfile.buildkit.alpine +++ /dev/null 
@@ -1,118 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull docker.io/vaultwarden/web-vault:v2023.8.2 -# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.8.2 -# [docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 -# [docker.io/vaultwarden/web-vault:v2023.8.2] -# -FROM docker.io/vaultwarden/web-vault@sha256:b361e79309ef2c4368f880f350166daade41eb0927a9adf376c76e3713027252 as vault - -########################## BUILD IMAGE ########################## -FROM docker.io/blackdex/rust-musl:armv7-musleabihf-stable-1.72.0-openssl3 as build - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - REGISTRIES_CRATES_IO_PROTOCOL=sparse \ - USER="root" - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 -# Debian Bookworm already contains libpq v15 -ENV PQ_LIB_DIR="/usr/local/musl/pq15/lib" - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain.toml ./rust-toolchain.toml -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-musleabihf - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM docker.io/balenalib/armv7hf-alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - ca-certificates \ - curl \ - openssl \ - tzdata - -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/bake.sh b/docker/bake.sh new file mode 100755 index 00000000..8aeac2fb --- /dev/null +++ b/docker/bake.sh 
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# Determine the basedir of this script.
+# It should be located in the same directory as the docker-bake.hcl
+# This ensures you can run this script from both inside and outside of the docker directory
+BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")" || exit; pwd)/$(basename "${SP}")")
+
+# Load build env's
+source "${BASEDIR}/bake_env.sh"
+
+# Be verbose on what is being executed
+set -x
+
+# Make sure we set the context to `..` so it will go up one directory
+docker buildx bake --progress plain --set "*.context=${BASEDIR}/.." -f "${BASEDIR}/docker-bake.hcl" "$@"
diff --git a/docker/bake_env.sh b/docker/bake_env.sh
new file mode 100644
index 00000000..343f8952
--- /dev/null
+++ b/docker/bake_env.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# If SOURCE_COMMIT is provided via env skip this
+if [ -z "${SOURCE_COMMIT+x}" ]; then
+ SOURCE_COMMIT="$(git rev-parse HEAD)"
+fi
+
+# If VW_VERSION is provided via env use it as SOURCE_VERSION
+# Else define it using git
+if [[ -n "${VW_VERSION}" ]]; then
+ SOURCE_VERSION="${VW_VERSION}"
+else
+ GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null)"
+ if [[ -n "${GIT_EXACT_TAG}" ]]; then
+ SOURCE_VERSION="${GIT_EXACT_TAG}"
+ else
+ GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
+ SOURCE_VERSION="${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}"
+ GIT_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+ case "${GIT_BRANCH}" in
+ main|master|HEAD)
+ # Do not add the branch name for these branches
+ ;;
+ *)
+ SOURCE_VERSION="${SOURCE_VERSION} (${GIT_BRANCH})"
+ ;;
+ esac
+ fi
+fi
+
+# Export the rendered variables above so bake will use them
+export SOURCE_COMMIT
+export SOURCE_VERSION
diff --git a/docker/docker-bake.hcl b/docker/docker-bake.hcl
new file mode 100644
index 00000000..332b46c9
--- /dev/null
+++ b/docker/docker-bake.hcl
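Review bot: The `BASEDIR=` line in docker/bake.sh can end up as `/` instead of the script directory: `readlink -n "$0"` returns a link target that may be relative to the link's own directory, the `cd` then runs relative to the current directory, and `|| exit` only leaves the inner command substitution, so `dirname` receives a path with an empty directory part. The following `source "${BASEDIR}/bake_env.sh"` would then execute a file outside the repository. Add a guard right after the assignment, `[[ -f "${BASEDIR}/docker-bake.hcl" ]] || { echo "cannot locate docker-bake.hcl from '${BASEDIR}'" >&2; exit 1; }`; the identical `BASEDIR=` line in docker/podman-bake.sh needs the same check.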
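Review bot: In docker/bake_env.sh the output of `git rev-parse HEAD` and `git describe --tags --abbrev=0` is used without checking that git succeeded, so a build from a source tarball or a tagless shallow clone exports an empty `SOURCE_COMMIT` and a `SOURCE_VERSION` that contains no tag or hash. docker-bake.hcl in this commit writes both into the `org.opencontainers.image.revision` and `org.opencontainers.image.version` labels, so the image would carry misleading provenance metadata. Because the file is sourced, fail with `return`, for example `SOURCE_COMMIT="$(git rev-parse HEAD)" || { echo "bake_env.sh: set SOURCE_COMMIT when building outside a git checkout" >&2; return 1; }`, and have the callers use `source "${BASEDIR}/bake_env.sh" || exit 1`.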
@@ -0,0 +1,229 @@ +// ==== Baking Variables ==== + +// Set which cargo profile to use, dev or release for example +// Use the value provided in the Dockerfile as default +variable "CARGO_PROFILE" { + default = null +} + +// Set which DB's (features) to enable +// Use the value provided in the Dockerfile as default +variable "DB" { + default = null +} + +// The repository this build was triggered from +variable "SOURCE_REPOSITORY_URL" { + default = null +} + +// The commit hash of of the current commit this build was triggered on +variable "SOURCE_COMMIT" { + default = null +} + +// The version of this build +// Typically the current exact tag of this commit, +// else the last tag and the first 8 characters of the source commit +variable "SOURCE_VERSION" { + default = null +} + +// This can be used to overwrite SOURCE_VERSION +// It will be used during the build.rs building stage +variable "VW_VERSION" { + default = null +} + +// The base tag(s) to use +// This can be a comma separated value like "testing,1.29.2" +variable "BASE_TAGS" { + default = "testing" +} + +// Which container registries should be used for the tagging +// This can be a comma separated value +// Use a full URI like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server` +variable "CONTAINER_REGISTRIES" { + default = "vaultwarden/server" +} + + +// ==== Baking Groups ==== + +group "default" { + targets = ["debian"] +} + + +// ==== Shared Baking ==== +function "labels" { + params = [] + result = { + "org.opencontainers.image.description" = "Unofficial Bitwarden compatible server written in Rust - ${SOURCE_VERSION}" + "org.opencontainers.image.licenses" = "AGPL-3.0-only" + "org.opencontainers.image.documentation" = "https://github.com/dani-garcia/vaultwarden/wiki" + "org.opencontainers.image.url" = "https://github.com/dani-garcia/vaultwarden" + "org.opencontainers.image.created" = "${formatdate("YYYY-MM-DD'T'hh:mm:ssZZZZZ", timestamp())}" + "org.opencontainers.image.source" = 
"${SOURCE_REPOSITORY_URL}" + "org.opencontainers.image.revision" = "${SOURCE_COMMIT}" + "org.opencontainers.image.version" = "${SOURCE_VERSION}" + } +} + +target "_default_attributes" { + labels = labels() + args = { + DB = "${DB}" + CARGO_PROFILE = "${CARGO_PROFILE}" + VW_VERSION = "${VW_VERSION}" + } +} + + +// ==== Debian Baking ==== + +// Default Debian target, will build a container using the hosts platform architecture +target "debian" { + inherits = ["_default_attributes"] + dockerfile = "docker/Dockerfile.debian" + tags = generate_tags("", platform_tag()) + output = [join(",", flatten([["type=docker"], image_index_annotations()]))] +} + +// Multi Platform target, will build one tagged manifest with all supported architectures +// This is mainly used by GitHub Actions to build and push new containers +target "debian-multi" { + inherits = ["debian"] + platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"] + tags = generate_tags("", "") + output = [join(",", flatten([["type=registry"], image_index_annotations()]))] +} + +// Per platform targets, to individually test building per platform locally +target "debian-amd64" { + inherits = ["debian"] + platforms = ["linux/amd64"] + tags = generate_tags("", "-amd64") +} + +target "debian-arm64" { + inherits = ["debian"] + platforms = ["linux/arm64"] + tags = generate_tags("", "-arm64") +} + +target "debian-armv7" { + inherits = ["debian"] + platforms = ["linux/arm/v7"] + tags = generate_tags("", "-armv7") +} + +target "debian-armv6" { + inherits = ["debian"] + platforms = ["linux/arm/v6"] + tags = generate_tags("", "-armv6") +} + +// A Group to build all platforms individually for local testing +group "debian-all" { + targets = ["debian-amd64", "debian-arm64", "debian-armv7", "debian-armv6"] +} + + +// ==== Alpine Baking ==== + +// Default Alpine target, will build a container using the hosts platform architecture +target "alpine" { + inherits = ["_default_attributes"] + dockerfile = 
"docker/Dockerfile.alpine" + tags = generate_tags("-alpine", platform_tag()) + output = [join(",", flatten([["type=docker"], image_index_annotations()]))] +} + +// Multi Platform target, will build one tagged manifest with all supported architectures +// This is mainly used by GitHub Actions to build and push new containers +target "alpine-multi" { + inherits = ["alpine"] + platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"] + tags = generate_tags("-alpine", "") + output = [join(",", flatten([["type=registry"], image_index_annotations()]))] +} + +// Per platform targets, to individually test building per platform locally +target "alpine-amd64" { + inherits = ["alpine"] + platforms = ["linux/amd64"] + tags = generate_tags("-alpine", "-amd64") +} + +target "alpine-arm64" { + inherits = ["alpine"] + platforms = ["linux/arm64"] + tags = generate_tags("-alpine", "-arm64") +} + +target "alpine-armv7" { + inherits = ["alpine"] + platforms = ["linux/arm/v7"] + tags = generate_tags("-alpine", "-armv7") +} + +target "alpine-armv6" { + inherits = ["alpine"] + platforms = ["linux/arm/v6"] + tags = generate_tags("-alpine", "-armv6") +} + +// A Group to build all platforms individually for local testing +group "alpine-all" { + targets = ["alpine-amd64", "alpine-arm64", "alpine-armv7", "alpine-armv6"] +} + + +// ==== Bake everything locally ==== + +group "all" { + targets = ["debian-all", "alpine-all"] +} + + +// ==== Baking functions ==== + +// This will return the local platform as amd64, arm64 or armv7 for example +// It can be used for creating a local image tag +function "platform_tag" { + params = [] + result = "-${replace(replace(BAKE_LOCAL_PLATFORM, "linux/", ""), "/", "")}" +} + + +function "get_container_registries" { + params = [] + result = flatten(split(",", CONTAINER_REGISTRIES)) +} + +function "get_base_tags" { + params = [] + result = flatten(split(",", BASE_TAGS)) +} + +function "generate_tags" { + params = [ + suffix, // What to append to 
the BASE_TAG when needed, like `-alpine` for example + platform // the platform we are building for if needed + ] + result = flatten([ + for registry in get_container_registries() : + [for base_tag in get_base_tags() : + concat(["${registry}:${base_tag}${suffix}${platform}"])] + ]) +} + +function "image_index_annotations" { + params = [] + result = flatten([ + for key, value in labels() : + value != null ? formatlist("annotation-index.%s=%s", "${key}", "${value}") : [] + ]) +} diff --git a/docker/healthcheck.sh b/docker/healthcheck.sh index ee95d57d..5021b187 100755 --- a/docker/healthcheck.sh +++ b/docker/healthcheck.sh @@ -10,7 +10,7 @@ CONFIG_FILE="${DATA_FOLDER}"/config.json # Given a config key, return the corresponding config value from the # config file. If the key doesn't exist, return an empty string. get_config_val() { - local key="$1" + key="$1" # Extract a line of the form: # "domain": "https://bw.example.com/path", grep "\"${key}\":" "${CONFIG_FILE}" | diff --git a/docker/podman-bake.sh b/docker/podman-bake.sh new file mode 100755 index 00000000..9c97825e --- /dev/null +++ b/docker/podman-bake.sh 
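Review bot: `image_index_annotations()` pastes label values unquoted into the comma-joined `output` string of the `debian`, `debian-multi`, `alpine` and `alpine-multi` targets, and buildx reads that attribute as comma-separated `key=value` fields (CSV-style parsing, as far as I know; confirm against the buildx version in use). `SOURCE_VERSION` is built in bake_env.sh and can include a git branch name, and `SOURCE_REPOSITORY_URL` comes straight from the environment, so a value containing a comma or a double quote would be read as extra output options or fail to parse. Reject such values before baking, or emit each annotation as a quoted field, e.g. `formatlist("\"annotation-index.%s=%s\"", key, value)`, after checking the value holds no `"`.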
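Review bot: Without `local`, `key` in `get_config_val` becomes a script-wide variable that every call overwrites, so any other use of the name `key` in healthcheck.sh would be clobbered. If `local` was dropped so the script runs under a shell that lacks it (the shebang is outside this hunk, so that is a guess), say so in a comment above the assignment and pick a name unlikely to collide, e.g. `_cfg_key="$1"`, with the `grep` pattern updated to match. The function body continues past the end of the hunk.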
@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+
+# Determine the basedir of this script.
+# It should be located in the same directory as the docker-bake.hcl
+# This ensures you can run this script from both inside and outside of the docker directory
+BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")" || exit; pwd)/$(basename "${SP}")")
+
+# Load build env's
+source "${BASEDIR}/bake_env.sh"
+
+# Check if a target is given as first argument
+# If not we assume the defaults and pass the given arguments to the podman command
+case "${1}" in
+ alpine*|debian*)
+ TARGET="${1}"
+ # Now shift the $@ array so we only have the rest of the arguments
+ # This allows us too append these as extra arguments too the podman buildx build command
+ shift
+ ;;
+esac
+
+LABEL_ARGS=(
+ --label org.opencontainers.image.description="Unofficial Bitwarden compatible server written in Rust"
+ --label org.opencontainers.image.licenses="AGPL-3.0-only"
+ --label org.opencontainers.image.documentation="https://github.com/dani-garcia/vaultwarden/wiki"
+ --label org.opencontainers.image.url="https://github.com/dani-garcia/vaultwarden"
+ --label org.opencontainers.image.created="$(date --utc --iso-8601=seconds)"
+)
+if [[ -n "${SOURCE_REPOSITORY_URL}" ]]; then
+ LABEL_ARGS+=(--label org.opencontainers.image.source="${SOURCE_REPOSITORY_URL}")
+fi
+if [[ -n "${SOURCE_COMMIT}" ]]; then
+ LABEL_ARGS+=(--label org.opencontainers.image.revision="${SOURCE_COMMIT}")
+fi
+if [[ -n "${SOURCE_VERSION}" ]]; then
+ LABEL_ARGS+=(--label org.opencontainers.image.version="${SOURCE_VERSION}")
+fi
+
+# Check if and which --build-arg arguments we need to configure
+BUILD_ARGS=()
+if [[ -n "${DB}" ]]; then
+ BUILD_ARGS+=(--build-arg DB="${DB}")
+fi
+if [[ -n "${CARGO_PROFILE}" ]]; then
+ BUILD_ARGS+=(--build-arg CARGO_PROFILE="${CARGO_PROFILE}")
+fi
+if [[ -n "${VW_VERSION}" ]]; then
+ BUILD_ARGS+=(--build-arg VW_VERSION="${VW_VERSION}")
+fi
+
+# Set the default BASE_TAGS if non are
provided
+if [[ -z "${BASE_TAGS}" ]]; then
+ BASE_TAGS="testing"
+fi
+
+# Set the default CONTAINER_REGISTRIES if non are provided
+if [[ -z "${CONTAINER_REGISTRIES}" ]]; then
+ CONTAINER_REGISTRIES="vaultwarden/server"
+fi
+
+# Check which Dockerfile we need to use, default is debian
+case "${TARGET}" in
+ alpine*)
+ BASE_TAGS="${BASE_TAGS}-alpine"
+ DOCKERFILE="Dockerfile.alpine"
+ ;;
+ *)
+ DOCKERFILE="Dockerfile.debian"
+ ;;
+esac
+
+# Check which platform we need to build and append the BASE_TAGS with the architecture
+case "${TARGET}" in
+ *-arm64)
+ BASE_TAGS="${BASE_TAGS}-arm64"
+ PLATFORM="linux/arm64"
+ ;;
+ *-armv7)
+ BASE_TAGS="${BASE_TAGS}-armv7"
+ PLATFORM="linux/arm/v7"
+ ;;
+ *-armv6)
+ BASE_TAGS="${BASE_TAGS}-armv6"
+ PLATFORM="linux/arm/v6"
+ ;;
+ *)
+ BASE_TAGS="${BASE_TAGS}-amd64"
+ PLATFORM="linux/amd64"
+ ;;
+esac
+
+# Be verbose on what is being executed
+set -x
+
+# Build the image with podman
+# We use the docker format here since we are using `SHELL`, which is not supported by OCI
+# shellcheck disable=SC2086
+podman buildx build \
+ --platform="${PLATFORM}" \
+ --tag="${CONTAINER_REGISTRIES}:${BASE_TAGS}" \
+ --format=docker \
+ "${LABEL_ARGS[@]}" \
+ "${BUILD_ARGS[@]}" \
+ --file="${BASEDIR}/${DOCKERFILE}" "$@" \
+ "${BASEDIR}/.."
diff --git a/docker/render_template b/docker/render_template
index c9978d5a..401e0ad0 100755
--- a/docker/render_template
+++ b/docker/render_template
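Review bot: `--tag="${CONTAINER_REGISTRIES}:${BASE_TAGS}"` in podman-bake.sh treats both variables as single values, while docker-bake.hcl in this same commit splits them on commas (`split(",", CONTAINER_REGISTRIES)`, `split(",", BASE_TAGS)`), so a comma-separated value that works with bake yields one malformed tag here and the `-alpine` and architecture suffixes are appended only to the last entry. Since this script builds a single local image, rejecting lists up front is the smallest fix: `if [[ "${CONTAINER_REGISTRIES}${BASE_TAGS}" == *,* ]]; then echo "podman-bake.sh takes one registry and one base tag" >&2; exit 1; fi`, placed after the two defaults are set. Separately, `source "${BASEDIR}/bake_env.sh"` is unchecked, so if that file is missing the build carries on and, assuming it is what sets `SOURCE_COMMIT` and `SOURCE_VERSION`, the image is produced without its revision and version labels; `source "${BASEDIR}/bake_env.sh" || exit 1` makes that failure visible.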
@@ -1,17 +1,31 @@ #!/usr/bin/env python3 -import os, argparse, json - +import os +import argparse +import json +import yaml import jinja2 +# Load settings file +with open("DockerSettings.yaml", 'r') as yaml_file: + yaml_data = yaml.safe_load(yaml_file) + +settings_env = jinja2.Environment( + loader=jinja2.FileSystemLoader(os.getcwd()), +) +settings_yaml = yaml.safe_load(settings_env.get_template("DockerSettings.yaml").render(yaml_data)) + args_parser = argparse.ArgumentParser() args_parser.add_argument('template_file', help='Jinja2 template file to render.') args_parser.add_argument('render_vars', help='JSON-encoded data to pass to the templating engine.') cli_args = args_parser.parse_args() +# Merge the default config yaml with the json arguments given. render_vars = json.loads(cli_args.render_vars) +settings_yaml.update(render_vars) + environment = jinja2.Environment( loader=jinja2.FileSystemLoader(os.getcwd()), trim_blocks=True, ) -print(environment.get_template(cli_args.template_file).render(render_vars)) +print(environment.get_template(cli_args.template_file).render(settings_yaml)) |
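Review bot: `settings_env` is created with Jinja2's default undefined handling, so a misspelled or missing placeholder in DockerSettings.yaml renders as an empty string and the second `yaml.safe_load` still succeeds, leaving a setting with an empty component that is only noticed, if at all, when the generated Dockerfile is built. Passing `undefined=jinja2.StrictUndefined` to that `jinja2.Environment(...)` call turns the typo into an error at render time. `settings_yaml.update(render_vars)` is also a shallow merge in which the command-line JSON wins, so a nested mapping passed on the command line replaces the whole settings entry rather than extending it; if that precedence is intended, a comment next to the call would record it, e.g. `# CLI values override DockerSettings.yaml; nested keys are replaced, not merged`.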