mirror of
https://github.com/dani-garcia/vaultwarden
synced 2024-12-14 17:43:46 +01:00
5b430f22bc
- Using my own rust-musl build containers we now support all database types for both Debian and Alpine. - Added new Alpine containers for armv6 and arm64/aarch64 - The Debian builds can also be done wihout dpkg magic stuff, probably some fixes in Rust regarding linking (Or maybe OpenSSL or Diesel), in any case, it works now without hacking dpkg and apt. - Updated toolchain and crates
259 lines
9.6 KiB
Django/Jinja
259 lines
9.6 KiB
Django/Jinja
# syntax=docker/dockerfile:1
|
|
|
|
# This file was generated using a Jinja2 template.
|
|
# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
|
|
|
|
{% set build_stage_base_image = "rust:1.57-buster" %}
|
|
{% if "alpine" in target_file %}
|
|
{% if "amd64" in target_file %}
|
|
{% set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-nightly-2021-12-25" %}
|
|
{% set runtime_stage_base_image = "alpine:3.15" %}
|
|
{% set package_arch_target = "x86_64-unknown-linux-musl" %}
|
|
{% elif "armv7" in target_file %}
|
|
{% set build_stage_base_image = "blackdex/rust-musl:armv7-musleabihf-nightly-2021-12-25" %}
|
|
{% set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.15" %}
|
|
{% set package_arch_target = "armv7-unknown-linux-musleabihf" %}
|
|
{% elif "armv6" in target_file %}
|
|
{% set build_stage_base_image = "blackdex/rust-musl:arm-musleabi-nightly-2021-12-25" %}
|
|
{% set runtime_stage_base_image = "balenalib/rpi-alpine:3.15" %}
|
|
{% set package_arch_target = "arm-unknown-linux-musleabi" %}
|
|
{% elif "arm64" in target_file %}
|
|
{% set build_stage_base_image = "blackdex/rust-musl:aarch64-musl-nightly-2021-12-25" %}
|
|
{% set runtime_stage_base_image = "balenalib/aarch64-alpine:3.15" %}
|
|
{% set package_arch_target = "aarch64-unknown-linux-musl" %}
|
|
{% endif %}
|
|
{% elif "amd64" in target_file %}
|
|
{% set runtime_stage_base_image = "debian:buster-slim" %}
|
|
{% elif "arm64" in target_file %}
|
|
{% set runtime_stage_base_image = "balenalib/aarch64-debian:buster" %}
|
|
{% set package_arch_name = "arm64" %}
|
|
{% set package_arch_target = "aarch64-unknown-linux-gnu" %}
|
|
{% set package_cross_compiler = "aarch64-linux-gnu" %}
|
|
{% elif "armv6" in target_file %}
|
|
{% set runtime_stage_base_image = "balenalib/rpi-debian:buster" %}
|
|
{% set package_arch_name = "armel" %}
|
|
{% set package_arch_target = "arm-unknown-linux-gnueabi" %}
|
|
{% set package_cross_compiler = "arm-linux-gnueabi" %}
|
|
{% elif "armv7" in target_file %}
|
|
{% set runtime_stage_base_image = "balenalib/armv7hf-debian:buster" %}
|
|
{% set package_arch_name = "armhf" %}
|
|
{% set package_arch_target = "armv7-unknown-linux-gnueabihf" %}
|
|
{% set package_cross_compiler = "arm-linux-gnueabihf" %}
|
|
{% endif %}
|
|
{% if package_arch_name is defined %}
|
|
{% set package_arch_prefix = ":" + package_arch_name %}
|
|
{% else %}
|
|
{% set package_arch_prefix = "" %}
|
|
{% endif %}
|
|
{% if package_arch_target is defined %}
|
|
{% set package_arch_target_param = " --target=" + package_arch_target %}
|
|
{% else %}
|
|
{% set package_arch_target_param = "" %}
|
|
{% endif %}
|
|
{% if "buildx" in target_file %}
|
|
{% set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %}
|
|
{% else %}
|
|
{% set mount_rust_cache = "" %}
|
|
{% endif %}
|
|
# Using multistage build:
|
|
# https://docs.docker.com/develop/develop-images/multistage-build/
|
|
# https://whitfin.io/speeding-up-rust-docker-builds/
|
|
####################### VAULT BUILD IMAGE #######################
|
|
{% set vault_version = "2.25.0" %}
|
|
{% set vault_image_digest = "sha256:0df389deac9e83c739a1f4ff595f12f493b6c27cb4a22bb8fcaba9dc49b9b527" %}
|
|
# The web-vault digest specifies a particular web-vault build on Docker Hub.
|
|
# Using the digest instead of the tag name provides better security,
|
|
# as the digest of an image is immutable, whereas a tag name can later
|
|
# be changed to point to a malicious image.
|
|
#
|
|
# To verify the current digest for a given tag name:
|
|
# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
|
|
# click the tag name to view the digest of the image it currently points to.
|
|
# - From the command line:
|
|
# $ docker pull vaultwarden/web-vault:v{{ vault_version }}
|
|
# $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" vaultwarden/web-vault:v{{ vault_version }}
|
|
# [vaultwarden/web-vault@{{ vault_image_digest }}]
|
|
#
|
|
# - Conversely, to get the tag name from the digest:
|
|
# $ docker image inspect --format "{{ '{{' }}.RepoTags}}" vaultwarden/web-vault@{{ vault_image_digest }}
|
|
# [vaultwarden/web-vault:v{{ vault_version }}]
|
|
#
|
|
FROM vaultwarden/web-vault@{{ vault_image_digest }} as vault
|
|
|
|
########################## BUILD IMAGE ##########################
|
|
FROM {{ build_stage_base_image }} as build
|
|
|
|
|
|
|
|
# Build time options to avoid dpkg warnings and help with reproducible builds.
|
|
ENV DEBIAN_FRONTEND=noninteractive \
|
|
LANG=C.UTF-8 \
|
|
TZ=UTC \
|
|
TERM=xterm-256color \
|
|
CARGO_HOME="/root/.cargo" \
|
|
USER="root"
|
|
|
|
{# {% if "alpine" not in target_file and "buildx" in target_file %}
|
|
# Debian based Buildx builds can use some special apt caching to speedup building.
|
|
# By default Debian based images have some rules to keep docker builds clean, we need to remove this.
|
|
# See: https://hub.docker.com/r/docker/dockerfile
|
|
RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
|
|
{% endif %} #}
|
|
|
|
# Create CARGO_HOME folder and don't download rust docs
|
|
RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \
|
|
&& rustup set profile minimal
|
|
|
|
{% if "alpine" in target_file %}
|
|
ENV RUSTFLAGS='-C link-arg=-s'
|
|
{% if "armv7" in target_file %}
|
|
{#- https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html -#}
|
|
ENV CFLAGS_armv7_unknown_linux_musleabihf="-mfpu=vfpv3-d16"
|
|
{% endif %}
|
|
{% elif "arm" in target_file %}
|
|
#
|
|
# Install required build libs for {{ package_arch_name }} architecture.
|
|
# hadolint ignore=DL3059
|
|
RUN dpkg --add-architecture {{ package_arch_name }} \
|
|
&& apt-get update \
|
|
&& apt-get install -y \
|
|
--no-install-recommends \
|
|
libssl-dev{{ package_arch_prefix }} \
|
|
libc6-dev{{ package_arch_prefix }} \
|
|
libpq5{{ package_arch_prefix }} \
|
|
libpq-dev{{ package_arch_prefix }} \
|
|
libmariadb3{{ package_arch_prefix }} \
|
|
libmariadb-dev{{ package_arch_prefix }} \
|
|
libmariadb-dev-compat{{ package_arch_prefix }} \
|
|
gcc-{{ package_cross_compiler }} \
|
|
#
|
|
# Make sure cargo has the right target config
|
|
&& echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \
|
|
&& echo 'linker = "{{ package_cross_compiler }}-gcc"' >> "${CARGO_HOME}/config" \
|
|
&& echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> "${CARGO_HOME}/config"
|
|
|
|
# Set arm specific environment values
|
|
ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc" \
|
|
CROSS_COMPILE="1" \
|
|
OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \
|
|
OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}"
|
|
|
|
{% elif "amd64" in target_file %}
|
|
# Install DB packages
|
|
RUN apt-get update \
|
|
&& apt-get install -y \
|
|
--no-install-recommends \
|
|
libmariadb-dev{{ package_arch_prefix }} \
|
|
libpq-dev{{ package_arch_prefix }} \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
{% endif %}
|
|
|
|
# Creates a dummy project used to grab dependencies
|
|
RUN USER=root cargo new --bin /app
|
|
WORKDIR /app
|
|
|
|
# Copies over *only* your manifests and build files
|
|
COPY ./Cargo.* ./
|
|
COPY ./rust-toolchain ./rust-toolchain
|
|
COPY ./build.rs ./build.rs
|
|
|
|
{% if package_arch_target is defined %}
|
|
RUN {{ mount_rust_cache -}} rustup target add {{ package_arch_target }}
|
|
{% endif %}
|
|
|
|
# Configure the DB ARG as late as possible to not invalidate the cached layers above
|
|
ARG DB=sqlite,mysql,postgresql
|
|
|
|
# Builds your dependencies and removes the
|
|
# dummy project, except the target folder
|
|
# This folder contains the compiled dependencies
|
|
RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} \
|
|
&& find . -not -path "./target*" -delete
|
|
|
|
# Copies the complete project
|
|
# To avoid copying unneeded files, use .dockerignore
|
|
COPY . .
|
|
|
|
# Make sure that we actually build the project
|
|
RUN touch src/main.rs
|
|
|
|
# Builds again, this time it'll just be
|
|
# your actual source files being built
|
|
# hadolint ignore=DL3059
|
|
RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }}
|
|
{% if "alpine" in target_file %}
|
|
{% if "armv7" in target_file %}
|
|
# hadolint ignore=DL3059
|
|
RUN musl-strip target/{{ package_arch_target }}/release/vaultwarden
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
######################## RUNTIME IMAGE ########################
|
|
# Create a new stage with a minimal image
|
|
# because we already have a binary built
|
|
FROM {{ runtime_stage_base_image }}
|
|
|
|
ENV ROCKET_ENV="staging" \
|
|
ROCKET_PORT=80 \
|
|
ROCKET_WORKERS=10
|
|
{%- if "alpine" in runtime_stage_base_image %} \
|
|
SSL_CERT_DIR=/etc/ssl/certs
|
|
{% endif %}
|
|
|
|
|
|
{% if "amd64" not in target_file %}
|
|
# hadolint ignore=DL3059
|
|
RUN [ "cross-build-start" ]
|
|
{% endif %}
|
|
|
|
# Create data folder and Install needed libraries
|
|
RUN mkdir /data \
|
|
{% if "alpine" in runtime_stage_base_image %}
|
|
&& apk add --no-cache \
|
|
openssl \
|
|
tzdata \
|
|
curl \
|
|
dumb-init \
|
|
ca-certificates
|
|
{% else %}
|
|
&& apt-get update && apt-get install -y \
|
|
--no-install-recommends \
|
|
openssl \
|
|
ca-certificates \
|
|
curl \
|
|
dumb-init \
|
|
libmariadb-dev-compat \
|
|
libpq5 \
|
|
&& apt-get clean \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
{% endif %}
|
|
|
|
{% if "amd64" not in target_file %}
|
|
# hadolint ignore=DL3059
|
|
RUN [ "cross-build-end" ]
|
|
{% endif %}
|
|
|
|
VOLUME /data
|
|
EXPOSE 80
|
|
EXPOSE 3012
|
|
|
|
# Copies the files from the context (Rocket.toml file and web-vault)
|
|
# and the binary from the "build" stage to the current stage
|
|
WORKDIR /
|
|
COPY Rocket.toml .
|
|
COPY --from=vault /web-vault ./web-vault
|
|
{% if package_arch_target is defined %}
|
|
COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden .
|
|
{% else %}
|
|
COPY --from=build /app/target/release/vaultwarden .
|
|
{% endif %}
|
|
|
|
COPY docker/healthcheck.sh /healthcheck.sh
|
|
COPY docker/start.sh /start.sh
|
|
|
|
HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
|
|
|
|
# Configures the startup!
|
|
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
|
|
CMD ["/start.sh"]
|