Merge pull request #3170 from jjlin/cap_net_bind_service

Allow listening on privileged ports (below 1024) as non-root
Daniel García 2023-02-12 18:42:00 +01:00 committed by GitHub
commit 8c1117fcbf
21 changed files with 175 additions and 216 deletions


@ -48,7 +48,10 @@ jobs:
ports: ports:
- 5000:5000 - 5000:5000
env: env:
DOCKER_BUILDKIT: 1 # Disabled for now, but we should look at this because it will speedup building! # Use BuildKit (https://docs.docker.com/build/buildkit/) for better
# build performance and the ability to copy extended file attributes
# (e.g., for executable capabilities) across build phases.
DOCKER_BUILDKIT: 1
# DOCKER_REPO/secrets.DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>' # DOCKER_REPO/secrets.DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
DOCKER_REPO: ${{ secrets.DOCKERHUB_REPO }} DOCKER_REPO: ${{ secrets.DOCKERHUB_REPO }}
SOURCE_COMMIT: ${{ github.sha }} SOURCE_COMMIT: ${{ github.sha }}
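Review bot: Enabling BuildKit in this job is what keeps the `security.capability` xattr on the binary across `COPY --from`, but nothing in the workflow checks that the capability actually survived the build and the registry push, so a silent fallback to the legacy builder or an xattr-dropping storage driver would ship an image whose non-root bind to port 80 simply fails at runtime. A cheap smoke step after the build would catch that, e.g. start the freshly built image with `--user 65534:65534 -e ROCKET_PORT=80` and fail the job if it does not come up listening; `getcap` cannot be used inside the runtime image because `libcap2-bin` is only installed in the build stage. The comment on the `DOCKER_BUILDKIT` line could also say that this is now a correctness requirement rather than a speed-up, so nobody removes it later as an optimization. The job definition continues outside this hunk, so a verification step may already exist elsewhere in the file.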


@ -3,5 +3,7 @@ ignored:
- DL3008 - DL3008
# disable explicit version for apk install # disable explicit version for apk install
- DL3018 - DL3018
# disable check for consecutive `RUN` instructions
- DL3059
trustedRegistries: trustedRegistries:
- docker.io - docker.io


@ -50,7 +50,7 @@
{% else %} {% else %}
{% set package_arch_target_param = "" %} {% set package_arch_target_param = "" %}
{% endif %} {% endif %}
{% if "buildx" in target_file %} {% if "buildkit" in target_file %}
{% set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %} {% set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %}
{% else %} {% else %}
{% set mount_rust_cache = "" %} {% set mount_rust_cache = "" %}
@ -83,8 +83,6 @@ FROM vaultwarden/web-vault@{{ vault_image_digest }} as vault
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM {{ build_stage_base_image }} as build FROM {{ build_stage_base_image }} as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -93,7 +91,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -104,21 +101,20 @@ RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \
ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/{{ package_arch_target }}/lib/libatomic.a' ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/{{ package_arch_target }}/lib/libatomic.a'
{% endif %} {% endif %}
{% elif "arm" in target_file %} {% elif "arm" in target_file %}
# # Install build dependencies for the {{ package_arch_name }} architecture
# Install required build libs for {{ package_arch_name }} architecture.
# hadolint ignore=DL3059
RUN dpkg --add-architecture {{ package_arch_name }} \ RUN dpkg --add-architecture {{ package_arch_name }} \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libssl-dev{{ package_arch_prefix }} \ gcc-{{ package_cross_compiler }} \
libc6-dev{{ package_arch_prefix }} \ libc6-dev{{ package_arch_prefix }} \
libpq5{{ package_arch_prefix }} \ libcap2-bin \
libpq-dev{{ package_arch_prefix }} \
libmariadb3{{ package_arch_prefix }} \
libmariadb-dev{{ package_arch_prefix }} \ libmariadb-dev{{ package_arch_prefix }} \
libmariadb-dev-compat{{ package_arch_prefix }} \ libmariadb-dev-compat{{ package_arch_prefix }} \
gcc-{{ package_cross_compiler }} \ libmariadb3{{ package_arch_prefix }} \
libpq-dev{{ package_arch_prefix }} \
libpq5{{ package_arch_prefix }} \
libssl-dev{{ package_arch_prefix }} \
# #
# Make sure cargo has the right target config # Make sure cargo has the right target config
&& echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \ && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \
@ -130,16 +126,14 @@ ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_
CROSS_COMPILE="1" \ CROSS_COMPILE="1" \
OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \ OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \
OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}" OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}"
{% elif "amd64" in target_file %} {% elif "amd64" in target_file %}
# Install DB packages # Install build dependencies
RUN apt-get update \ RUN apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libmariadb-dev{{ package_arch_prefix }} \ libcap2-bin \
libpq-dev{{ package_arch_prefix }} \ libmariadb-dev \
&& apt-get clean \ libpq-dev
&& rm -rf /var/lib/apt/lists/*
{% endif %} {% endif %}
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
@ -178,9 +172,20 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }}
{% if "buildkit" in target_file %}
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
{% if package_arch_target is defined %}
RUN setcap cap_net_bind_service=+ep target/{{ package_arch_target }}/release/vaultwarden
{% else %}
RUN setcap cap_net_bind_service=+ep target/release/vaultwarden
{% endif %}
{% endif %}
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -195,7 +200,6 @@ ENV ROCKET_PROFILE="release" \
{% if "amd64" not in target_file %} {% if "amd64" not in target_file %}
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
{% endif %} {% endif %}
@ -203,18 +207,18 @@ RUN [ "cross-build-start" ]
RUN mkdir /data \ RUN mkdir /data \
{% if "alpine" in runtime_stage_base_image %} {% if "alpine" in runtime_stage_base_image %}
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
{% else %} {% else %}
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
{% endif %} {% endif %}
@ -222,13 +226,11 @@ RUN mkdir /data \
{% if "armv6" in target_file and "alpine" not in target_file %} {% if "armv6" in target_file and "alpine" not in target_file %}
# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. # In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
# This symlink was there in the buster images, and for some reason this is needed. # This symlink was there in the buster images, and for some reason this is needed.
# hadolint ignore=DL3059
RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
{% endif -%} {% endif -%}
{% if "amd64" not in target_file %} {% if "amd64" not in target_file %}
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
{% endif %} {% endif %}
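Review bot: The comment above the new `RUN setcap cap_net_bind_service=+ep ...` lines should spell out the runtime conditions under which the file capability actually takes effect, because two common container-hardening settings silently neutralize it: the container must keep `CAP_NET_BIND_SERVICE` in its bounding set (gone with `--cap-drop=ALL`), and `--security-opt=no-new-privileges` or Kubernetes `allowPrivilegeEscalation: false` stops file capabilities from being added to the permitted set on execve, so a non-root process would still get EACCES binding to the `ROCKET_PORT=80` default. I would extend the comment with `# NOTE: only effective if the container retains CAP_NET_BIND_SERVICE and is not run with no-new-privileges; otherwise set ROCKET_PORT to an unprivileged port.` The runtime stage visible here adds no `USER` instruction, so the default process presumably still runs as root and the capability only matters when an operator overrides the user with `--user`; stating that in the same comment would avoid the impression that the image itself now drops privileges. The runtime stage continues past the end of this section, so an existing `USER` line would not be visible here.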


@ -8,8 +8,8 @@ all: $(OBJECTS)
%/Dockerfile.alpine: Dockerfile.j2 render_template %/Dockerfile.alpine: Dockerfile.j2 render_template
./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
%/Dockerfile.buildx: Dockerfile.j2 render_template %/Dockerfile.buildkit: Dockerfile.j2 render_template
./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
%/Dockerfile.buildx.alpine: Dockerfile.j2 render_template %/Dockerfile.buildkit.alpine: Dockerfile.j2 render_template
./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM rust:1.66-bullseye as build FROM rust:1.66-bullseye as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,19 +37,17 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN mkdir -pv "${CARGO_HOME}" \ RUN mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
# Install DB packages # Install build dependencies
RUN apt-get update \ RUN apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libcap2-bin \
libmariadb-dev \ libmariadb-dev \
libpq-dev \ libpq-dev
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app RUN USER=root cargo new --bin /app
@ -81,9 +77,9 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN cargo build --features ${DB} --release RUN cargo build --features ${DB} --release
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -98,11 +94,11 @@ ENV ROCKET_PROFILE="release" \
RUN mkdir /data \ RUN mkdir /data \
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN mkdir -pv "${CARGO_HOME}" \ RUN mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -75,9 +72,9 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -93,10 +90,10 @@ ENV ROCKET_PROFILE="release" \
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM rust:1.66-bullseye as build FROM rust:1.66-bullseye as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,19 +37,17 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
# Install DB packages # Install build dependencies
RUN apt-get update \ RUN apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libcap2-bin \
libmariadb-dev \ libmariadb-dev \
libpq-dev \ libpq-dev
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app RUN USER=root cargo new --bin /app
@ -81,9 +77,14 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
RUN setcap cap_net_bind_service=+ep target/release/vaultwarden
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -98,11 +99,11 @@ ENV ROCKET_PROFILE="release" \
RUN mkdir /data \ RUN mkdir /data \
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -75,9 +72,14 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
RUN setcap cap_net_bind_service=+ep target/x86_64-unknown-linux-musl/release/vaultwarden
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -93,10 +95,10 @@ ENV ROCKET_PROFILE="release" \
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM rust:1.66-bullseye as build FROM rust:1.66-bullseye as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN mkdir -pv "${CARGO_HOME}" \ RUN mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
# # Install build dependencies for the arm64 architecture
# Install required build libs for arm64 architecture.
# hadolint ignore=DL3059
RUN dpkg --add-architecture arm64 \ RUN dpkg --add-architecture arm64 \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libssl-dev:arm64 \ gcc-aarch64-linux-gnu \
libc6-dev:arm64 \ libc6-dev:arm64 \
libpq5:arm64 \ libcap2-bin \
libpq-dev:arm64 \
libmariadb3:arm64 \
libmariadb-dev:arm64 \ libmariadb-dev:arm64 \
libmariadb-dev-compat:arm64 \ libmariadb-dev-compat:arm64 \
gcc-aarch64-linux-gnu \ libmariadb3:arm64 \
libpq-dev:arm64 \
libpq5:arm64 \
libssl-dev:arm64 \
# #
# Make sure cargo has the right target config # Make sure cargo has the right target config
&& echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
@ -71,7 +67,6 @@ ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app RUN USER=root cargo new --bin /app
WORKDIR /app WORKDIR /app
@ -101,9 +96,9 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -113,22 +108,20 @@ ENV ROCKET_PROFILE="release" \
ROCKET_ADDRESS=0.0.0.0 \ ROCKET_ADDRESS=0.0.0.0 \
ROCKET_PORT=80 ROCKET_PORT=80
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN mkdir -pv "${CARGO_HOME}" \ RUN mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -75,9 +72,9 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -89,18 +86,16 @@ ENV ROCKET_PROFILE="release" \
SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_DIR=/etc/ssl/certs
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM rust:1.66-bullseye as build FROM rust:1.66-bullseye as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
# # Install build dependencies for the arm64 architecture
# Install required build libs for arm64 architecture.
# hadolint ignore=DL3059
RUN dpkg --add-architecture arm64 \ RUN dpkg --add-architecture arm64 \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libssl-dev:arm64 \ gcc-aarch64-linux-gnu \
libc6-dev:arm64 \ libc6-dev:arm64 \
libpq5:arm64 \ libcap2-bin \
libpq-dev:arm64 \
libmariadb3:arm64 \
libmariadb-dev:arm64 \ libmariadb-dev:arm64 \
libmariadb-dev-compat:arm64 \ libmariadb-dev-compat:arm64 \
gcc-aarch64-linux-gnu \ libmariadb3:arm64 \
libpq-dev:arm64 \
libpq5:arm64 \
libssl-dev:arm64 \
# #
# Make sure cargo has the right target config # Make sure cargo has the right target config
&& echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
@ -71,7 +67,6 @@ ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app RUN USER=root cargo new --bin /app
WORKDIR /app WORKDIR /app
@ -101,9 +96,14 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
RUN setcap cap_net_bind_service=+ep target/aarch64-unknown-linux-gnu/release/vaultwarden
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -113,22 +113,20 @@ ENV ROCKET_PROFILE="release" \
ROCKET_ADDRESS=0.0.0.0 \ ROCKET_ADDRESS=0.0.0.0 \
ROCKET_PORT=80 ROCKET_PORT=80
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -75,9 +72,14 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
RUN setcap cap_net_bind_service=+ep target/aarch64-unknown-linux-musl/release/vaultwarden
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -89,18 +91,16 @@ ENV ROCKET_PROFILE="release" \
SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_DIR=/etc/ssl/certs
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
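Review bot: The `setcap` at L539 runs inside the `blackdex/rust-musl` build stage, and nothing in this hunk installs it, whereas the Debian variants add `libcap2-bin` to their build dependencies for exactly this step; the musl variants therefore rely on the base image already shipping `setcap`, which this page does not show. If that is the case, the comment above L539 should record it, e.g. `# setcap is expected to be present in the blackdex/rust-musl base image`; otherwise the equivalent package needs installing in the build stage, or the build fails at this step. The arm musl BuildKit variants at L773 and L999 have the same dependency. The `COPY --from=build` that must carry the `security.capability` xattr into the runtime stage lies outside this hunk.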


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM rust:1.66-bullseye as build FROM rust:1.66-bullseye as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN mkdir -pv "${CARGO_HOME}" \ RUN mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
# # Install build dependencies for the armel architecture
# Install required build libs for armel architecture.
# hadolint ignore=DL3059
RUN dpkg --add-architecture armel \ RUN dpkg --add-architecture armel \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libssl-dev:armel \ gcc-arm-linux-gnueabi \
libc6-dev:armel \ libc6-dev:armel \
libpq5:armel \ libcap2-bin \
libpq-dev:armel \
libmariadb3:armel \
libmariadb-dev:armel \ libmariadb-dev:armel \
libmariadb-dev-compat:armel \ libmariadb-dev-compat:armel \
gcc-arm-linux-gnueabi \ libmariadb3:armel \
libpq-dev:armel \
libpq5:armel \
libssl-dev:armel \
# #
# Make sure cargo has the right target config # Make sure cargo has the right target config
&& echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
@ -71,7 +67,6 @@ ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app RUN USER=root cargo new --bin /app
WORKDIR /app WORKDIR /app
@ -101,9 +96,9 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -113,27 +108,24 @@ ENV ROCKET_PROFILE="release" \
ROCKET_ADDRESS=0.0.0.0 \ ROCKET_ADDRESS=0.0.0.0 \
ROCKET_PORT=80 ROCKET_PORT=80
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. # In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
# This symlink was there in the buster images, and for some reason this is needed. # This symlink was there in the buster images, and for some reason this is needed.
# hadolint ignore=DL3059
RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
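Review bot: `libcap2-bin` is added to the build dependencies at L582, but this legacy-builder variant never runs `setcap` — the capability step exists only in the BuildKit Dockerfiles, whose own comment explains that the legacy `COPY` does not carry capabilities — so here it is an unused package in the build stage. Presumably it comes from the shared template; gating the `libcap2-bin \` line on the same BuildKit condition as the `setcap` step would keep the legacy variants minimal and make the intent visible. The armv7 legacy Debian variant at L816 has the same unused dependency. The `RUN dpkg --add-architecture` chain continues past the hunk end at L593.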


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN mkdir -pv "${CARGO_HOME}" \ RUN mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -77,9 +74,9 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -91,18 +88,16 @@ ENV ROCKET_PROFILE="release" \
SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_DIR=/etc/ssl/certs
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM rust:1.66-bullseye as build FROM rust:1.66-bullseye as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
# # Install build dependencies for the armel architecture
# Install required build libs for armel architecture.
# hadolint ignore=DL3059
RUN dpkg --add-architecture armel \ RUN dpkg --add-architecture armel \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libssl-dev:armel \ gcc-arm-linux-gnueabi \
libc6-dev:armel \ libc6-dev:armel \
libpq5:armel \ libcap2-bin \
libpq-dev:armel \
libmariadb3:armel \
libmariadb-dev:armel \ libmariadb-dev:armel \
libmariadb-dev-compat:armel \ libmariadb-dev-compat:armel \
gcc-arm-linux-gnueabi \ libmariadb3:armel \
libpq-dev:armel \
libpq5:armel \
libssl-dev:armel \
# #
# Make sure cargo has the right target config # Make sure cargo has the right target config
&& echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
@ -71,7 +67,6 @@ ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app RUN USER=root cargo new --bin /app
WORKDIR /app WORKDIR /app
@ -101,9 +96,14 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-gnueabi/release/vaultwarden
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -113,27 +113,24 @@ ENV ROCKET_PROFILE="release" \
ROCKET_ADDRESS=0.0.0.0 \ ROCKET_ADDRESS=0.0.0.0 \
ROCKET_PORT=80 ROCKET_PORT=80
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. # In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
# This symlink was there in the buster images, and for some reason this is needed. # This symlink was there in the buster images, and for some reason this is needed.
# hadolint ignore=DL3059
RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data
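Review bot: The file capability set at L721 only enters the process's permitted set by intersection with the container's capability bounding set, so a container started with all capabilities dropped (a common hardening policy) still cannot bind the `ROCKET_PORT=80` default at L727 and the non-root process will fail at startup. Docker's default capability set includes `NET_BIND_SERVICE`, so the default case works, but operators who tighten capabilities need to know to either keep that one capability or set `ROCKET_PORT` to an unprivileged port; a comment at L721 such as `# Only effective if CAP_NET_BIND_SERVICE stays in the container's bounding set (Docker default).` would document the dependency. The armv7 BuildKit Debian variant at L951 has the same step. The runtime `COPY` and `USER` lines that complete this picture are outside the hunk.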


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -77,9 +74,14 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-musleabi/release/vaultwarden
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -91,18 +93,16 @@ ENV ROCKET_PROFILE="release" \
SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_DIR=/etc/ssl/certs
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM rust:1.66-bullseye as build FROM rust:1.66-bullseye as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN mkdir -pv "${CARGO_HOME}" \ RUN mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
# # Install build dependencies for the armhf architecture
# Install required build libs for armhf architecture.
# hadolint ignore=DL3059
RUN dpkg --add-architecture armhf \ RUN dpkg --add-architecture armhf \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libssl-dev:armhf \ gcc-arm-linux-gnueabihf \
libc6-dev:armhf \ libc6-dev:armhf \
libpq5:armhf \ libcap2-bin \
libpq-dev:armhf \
libmariadb3:armhf \
libmariadb-dev:armhf \ libmariadb-dev:armhf \
libmariadb-dev-compat:armhf \ libmariadb-dev-compat:armhf \
gcc-arm-linux-gnueabihf \ libmariadb3:armhf \
libpq-dev:armhf \
libpq5:armhf \
libssl-dev:armhf \
# #
# Make sure cargo has the right target config # Make sure cargo has the right target config
&& echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
@ -71,7 +67,6 @@ ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app RUN USER=root cargo new --bin /app
WORKDIR /app WORKDIR /app
@ -101,9 +96,9 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -113,22 +108,20 @@ ENV ROCKET_PROFILE="release" \
ROCKET_ADDRESS=0.0.0.0 \ ROCKET_ADDRESS=0.0.0.0 \
ROCKET_PORT=80 ROCKET_PORT=80
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN mkdir -pv "${CARGO_HOME}" \ RUN mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -75,9 +72,9 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -89,18 +86,16 @@ ENV ROCKET_PROFILE="release" \
SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_DIR=/etc/ssl/certs
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM rust:1.66-bullseye as build FROM rust:1.66-bullseye as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
# # Install build dependencies for the armhf architecture
# Install required build libs for armhf architecture.
# hadolint ignore=DL3059
RUN dpkg --add-architecture armhf \ RUN dpkg --add-architecture armhf \
&& apt-get update \ && apt-get update \
&& apt-get install -y \ && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
libssl-dev:armhf \ gcc-arm-linux-gnueabihf \
libc6-dev:armhf \ libc6-dev:armhf \
libpq5:armhf \ libcap2-bin \
libpq-dev:armhf \
libmariadb3:armhf \
libmariadb-dev:armhf \ libmariadb-dev:armhf \
libmariadb-dev-compat:armhf \ libmariadb-dev-compat:armhf \
gcc-arm-linux-gnueabihf \ libmariadb3:armhf \
libpq-dev:armhf \
libpq5:armhf \
libssl-dev:armhf \
# #
# Make sure cargo has the right target config # Make sure cargo has the right target config
&& echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
@ -71,7 +67,6 @@ ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
# Creates a dummy project used to grab dependencies # Creates a dummy project used to grab dependencies
RUN USER=root cargo new --bin /app RUN USER=root cargo new --bin /app
WORKDIR /app WORKDIR /app
@ -101,9 +96,14 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-gnueabihf/release/vaultwarden
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -113,22 +113,20 @@ ENV ROCKET_PROFILE="release" \
ROCKET_ADDRESS=0.0.0.0 \ ROCKET_ADDRESS=0.0.0.0 \
ROCKET_PORT=80 ROCKET_PORT=80
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apt-get update && apt-get install -y \ && apt-get update && apt-get install -y \
--no-install-recommends \ --no-install-recommends \
openssl \
ca-certificates \ ca-certificates \
curl \ curl \
libmariadb-dev-compat \ libmariadb-dev-compat \
libpq5 \ libpq5 \
openssl \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb
########################## BUILD IMAGE ########################## ########################## BUILD IMAGE ##########################
FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build
# Build time options to avoid dpkg warnings and help with reproducible builds. # Build time options to avoid dpkg warnings and help with reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive \ ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \ LANG=C.UTF-8 \
@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
CARGO_HOME="/root/.cargo" \ CARGO_HOME="/root/.cargo" \
USER="root" USER="root"
# Create CARGO_HOME folder and don't download rust docs # Create CARGO_HOME folder and don't download rust docs
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
&& rustup set profile minimal && rustup set profile minimal
@ -75,9 +72,14 @@ RUN touch src/main.rs
# Builds again, this time it'll just be # Builds again, this time it'll just be
# your actual source files being built # your actual source files being built
# hadolint ignore=DL3059
RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
# Add the `cap_net_bind_service` capability to allow listening on
# privileged (< 1024) ports even when running as a non-root user.
# This is only done if building with BuildKit; with the legacy
# builder, the `COPY` instruction doesn't carry over capabilities.
RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-musleabihf/release/vaultwarden
######################## RUNTIME IMAGE ######################## ######################## RUNTIME IMAGE ########################
# Create a new stage with a minimal image # Create a new stage with a minimal image
# because we already have a binary built # because we already have a binary built
@ -89,18 +91,16 @@ ENV ROCKET_PROFILE="release" \
SSL_CERT_DIR=/etc/ssl/certs SSL_CERT_DIR=/etc/ssl/certs
# hadolint ignore=DL3059
RUN [ "cross-build-start" ] RUN [ "cross-build-start" ]
# Create data folder and Install needed libraries # Create data folder and Install needed libraries
RUN mkdir /data \ RUN mkdir /data \
&& apk add --no-cache \ && apk add --no-cache \
openssl \ ca-certificates \
tzdata \
curl \ curl \
ca-certificates openssl \
tzdata
# hadolint ignore=DL3059
RUN [ "cross-build-end" ] RUN [ "cross-build-end" ]
VOLUME /data VOLUME /data


@ -34,9 +34,9 @@ for label in "${LABELS[@]}"; do
LABEL_ARGS+=(--label "${label}") LABEL_ARGS+=(--label "${label}")
done done
# Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildx as template # Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildkit as template
if [[ -n "${DOCKER_BUILDKIT}" ]]; then if [[ -n "${DOCKER_BUILDKIT}" ]]; then
buildx_suffix=.buildx buildkit_suffix=.buildkit
fi fi
set -ex set -ex
@ -45,6 +45,6 @@ for arch in "${arches[@]}"; do
docker build \ docker build \
"${LABEL_ARGS[@]}" \ "${LABEL_ARGS[@]}" \
-t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \ -t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \
-f docker/${arch}/Dockerfile${buildx_suffix}${distro_suffix} \ -f docker/${arch}/Dockerfile${buildkit_suffix}${distro_suffix} \
. .
done done
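Review bot: The selection at L1025 tests `-n "${DOCKER_BUILDKIT}"`, so an explicit `DOCKER_BUILDKIT=0` (the documented way to force the legacy builder) still selects the `.buildkit` Dockerfile, whose `--mount=type=cache` and `setcap` steps are only meaningful under BuildKit; that line is context here, but with this rename the suffix now decides which of two genuinely different Dockerfile families gets built. Checking the value instead, `if [[ "${DOCKER_BUILDKIT:-0}" != "0" ]]; then`, keeps the chosen Dockerfile aligned with the builder `docker build` will actually use. The `for arch` loop that contains L1030 starts before the hunk at L1029.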