[#31] Release is now rootless (rip caching)

master^2
Jef Roosens 2021-04-17 14:09:31 +02:00
parent 0b2b986205
commit adbe6d1fb7
Signed by: Jef Roosens
GPG Key ID: B580B976584B5F30
2 changed files with 32 additions and 9 deletions

View File

@ -9,3 +9,6 @@
# Entrypoint for devop container # Entrypoint for devop container
!docker/entrypoint_dev.sh !docker/entrypoint_dev.sh
# Config file
!Rocket.toml

View File

@ -6,11 +6,15 @@ FROM chewingbever/fej-builder:latest AS builder
# https://users.rust-lang.org/t/sigsegv-with-program-linked-against-openssl-in-an-alpine-container/52172 # https://users.rust-lang.org/t/sigsegv-with-program-linked-against-openssl-in-an-alpine-container/52172
# TODO add what these flags do & why they work # TODO add what these flags do & why they work
# NOTE: cargo install auto-appends bin to the path # NOTE: cargo install auto-appends bin to the path
RUN --mount=type=cache,target=/usr/src/app/target \
--mount=type=cache,target=/root/.cargo/registry \ # RUN --mount=type=cache,mode=0777,target=/app/target \
cargo install \ # --mount=type=cache,mode=0777,target=/app/.cargo/registry \
# Buildkit cache mounts really don't like it when you're not root,
# so I guess we're building release without a cache for now
RUN cargo install \
--path . \ --path . \
--root /usr/local \ --root /app/output \
--target x86_64-unknown-linux-musl --target x86_64-unknown-linux-musl
@ -18,10 +22,26 @@ RUN --mount=type=cache,target=/usr/src/app/target \
FROM alpine:latest FROM alpine:latest
# Install some dynamic libraries needed for everything to work # Install some dynamic libraries needed for everything to work
RUN apk update && apk add --no-cache openssl libgcc curl # Create -non-root user
RUN apk update && \
apk add --no-cache \
curl \
libgcc \
libpq \
openssl && \
addgroup -S fej && \
adduser -S fej -G fej -h /app
# Switch to non-root user
USER fej:fej
# Copy binary over to final image # Copy binary over to final image
COPY --from=builder /usr/local/bin/server /usr/local/bin/server COPY --from=builder --chown=fej:fej /app/output/bin /app/bin
# Embed config file inside container
# The workdir is changed so that the config file is read properly
WORKDIR /app
COPY --chown=fej:fej Rocket.toml /app/Rocket.toml
HEALTHCHECK \ HEALTHCHECK \
--interval=10s \ --interval=10s \
@ -30,4 +50,4 @@ HEALTHCHECK \
--retries=3 \ --retries=3 \
CMD curl -q localhost:8000 CMD curl -q localhost:8000
CMD ["/usr/local/bin/server"] CMD ["/app/bin/server"]