# =============================================================================
# UNIFIED COPROCESSOR DOCKERFILE (LOCAL BUILDS)
# =============================================================================
# This Dockerfile builds ALL coprocessor workspace binaries in a single builder
# stage, ensuring dependencies (especially tfhe-rs) are compiled exactly ONCE.
# Individual runtime images are produced via multi-stage targets.
#
# LOCAL vs CI BUILDS:
# - LOCAL: Uses this Dockerfile.workspace via docker-compose for faster builds
# (shared builder stage, single tfhe-rs compilation)
# - CI: Uses individual Dockerfiles (coprocessor/*/Dockerfile) for granular
# caching and independent service builds
#
# Usage (standalone):
# docker build --target tfhe-worker -t tfhe-worker:latest .
# docker build --target host-listener -t host-listener:latest .
# docker build --target gw-listener -t gw-listener:latest .
# docker build --target sns-worker -t sns-worker:latest .
# docker build --target transaction-sender -t transaction-sender:latest .
# docker build --target zkproof-worker -t zkproof-worker:latest .
# docker build --target db-migration -t db-migration:latest .
#
# Usage (via docker-compose, recommended for local dev):
# cd test-suite/fhevm
# ./fhevm-cli deploy --build --local
#
# =============================================================================
# =============================================================================
# Stage 0: Build Solidity contracts (required for host-listener, gw-listener)
# =============================================================================
FROM ghcr.io/zama-ai/fhevm/gci/nodejs:22.14.0-alpine3.21 AS contract_builder
# NOTE(review): the base image is pinned by tag only; pinning it by digest as
# well would keep a re-pushed tag from silently changing the build toolchain.

# Build-only stage: it runs as root, and later stages copy nothing out of it
# except the compiled artifacts/contracts directories.
USER root
WORKDIR /app

# Root manifest and lockfile are needed so npm can resolve the workspace.
COPY package.json package-lock.json ./

# --- host-contracts (consumed by host-listener) ------------------------------
COPY host-contracts ./host-contracts

# Seed .env from the checked-in example, then install from the lockfile for
# the host-contracts workspace only. The generated .env stays in this stage.
RUN cp host-contracts/.env.example host-contracts/.env && \
    npm ci --workspace=host-contracts --include-workspace-root=false

# Deploy the empty proxies against the in-process hardhat network, then compile.
# HARDHAT_NETWORK is set for the deploy script only, not for the compile step.
WORKDIR /app/host-contracts
RUN HARDHAT_NETWORK=hardhat npm run deploy:emptyProxies && \
    npx hardhat compile

# --- gateway-contracts (consumed by gw-listener) -----------------------------
WORKDIR /app
COPY gateway-contracts ./gateway-contracts

# gateway-contracts installs its own dependencies and reads its settings
# straight from .env.example through DOTENV_CONFIG_PATH.
WORKDIR /app/gateway-contracts
RUN npm ci && \
    DOTENV_CONFIG_PATH=.env.example npx hardhat task:deployAllGatewayContracts
# =============================================================================
# Stage 1: Build ALL Rust workspace binaries
# =============================================================================
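FROM ghcr.io/zama-ai/fhevm/gci/rust-glibc:1.91.0 AS builder
# NOTE(review): the base image is pinned by tag only; pinning it by digest as
# well would keep a re-pushed tag from silently changing the Rust toolchain.

# CARGO_PROFILE selects the cargo profile; BUILD_ID is passed to the build.
ARG CARGO_PROFILE=release
ARG BUILD_ID=unknown

# Build-only stage; the runtime stages copy single binaries out of /out.
USER root
WORKDIR /app

# Contract artifacts produced by the contract_builder stage
COPY --from=contract_builder /app/host-contracts/artifacts/contracts /app/host-contracts/artifacts/contracts
COPY --from=contract_builder /app/gateway-contracts/artifacts/contracts /app/gateway-contracts/artifacts/contracts

# Rust sources and the contract sources / bindings they are built against
COPY coprocessor/fhevm-engine ./coprocessor/fhevm-engine
COPY coprocessor/proto ./coprocessor/proto
COPY gateway-contracts/rust_bindings ./gateway-contracts/rust_bindings
COPY gateway-contracts/contracts ./gateway-contracts/contracts
COPY host-contracts/contracts ./host-contracts/contracts

WORKDIR /app/coprocessor/fhevm-engine

# Build the entire workspace - tfhe compiles ONCE here.
#
# Cache mounts give incremental compilation, but they are NOT committed to the
# image layer, so the binaries must be copied to /out inside this same RUN for
# COPY --from to find them in later stages.
#
# cargo writes the built-in dev/test profiles to target/debug and bench to
# target/release; only custom profiles (and release itself) use a directory
# named after the profile. Mapping this first keeps CARGO_PROFILE=dev from
# failing at the copy step.
#
# NOTE(review): neither cargo fetch nor cargo build passes --locked, unlike the
# sqlx-cli install in the sqlx_builder stage. If a Cargo.lock is committed
# under coprocessor/fhevm-engine (not visible here), adding --locked would make
# the build fail instead of resolving dependency versions that were not reviewed.
RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
    --mount=type=cache,target=/app/coprocessor/fhevm-engine/target,sharing=locked \
    case "${CARGO_PROFILE}" in \
      dev|test) profile_dir=debug ;; \
      bench) profile_dir=release ;; \
      *) profile_dir="${CARGO_PROFILE}" ;; \
    esac && \
    cargo fetch && \
    SQLX_OFFLINE=true BUILD_ID="${BUILD_ID}" cargo build --profile="${CARGO_PROFILE}" --workspace && \
    mkdir -p /out && \
    cp \
      "target/${profile_dir}/tfhe_worker" \
      "target/${profile_dir}/host_listener" \
      "target/${profile_dir}/host_listener_poller" \
      "target/${profile_dir}/gw_listener" \
      "target/${profile_dir}/sns_worker" \
      "target/${profile_dir}/transaction_sender" \
      "target/${profile_dir}/zkproof_worker" \
      /out/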
# =============================================================================
# Stage 1b: Build sqlx-cli for db-migration
# =============================================================================
FROM ghcr.io/zama-ai/fhevm/gci/rust-glibc:1.91.0 AS sqlx_builder
# Build-only stage; db-migration copies just the sqlx binary out of it.
USER root
WORKDIR /app

# Install sqlx-cli at a fixed version with only the postgres feature enabled.
# --locked makes cargo use the Cargo.lock published with the crate. The binary
# is copied later from /usr/local/cargo/bin, which is outside the registry
# cache mount, so it is part of this stage's layer.
RUN --mount=type=cache,sharing=locked,target=/usr/local/cargo/registry \
    cargo install sqlx-cli \
      --version 0.7.2 \
      --no-default-features \
      --features postgres \
      --locked
# =============================================================================
# Stage 2a: tfhe-worker runtime
# =============================================================================
FROM cgr.dev/zama.ai/glibc-dynamic:15.2.0 AS tfhe-worker

# The account files come first: COPY --chown with names is resolved against
# this image's own /etc/passwd and /etc/group. They replace whatever the base
# image shipped; presumably the builder base image defines the fhevm user
# (not visible here).
COPY --from=builder /etc/group /etc/passwd /etc/

COPY --from=builder --chown=fhevm:fhevm /out/tfhe_worker /usr/local/bin/tfhe_worker

# Run the service as the unprivileged fhevm user, in exec form.
USER fhevm:fhevm
CMD ["/usr/local/bin/tfhe_worker"]
# =============================================================================
# Stage 2b: host-listener runtime (includes both host_listener and host_listener_poller)
# =============================================================================
FROM cgr.dev/zama.ai/glibc-dynamic:15.2.0 AS host-listener

# The account files come first: COPY --chown with names is resolved against
# this image's own /etc/passwd and /etc/group. They replace whatever the base
# image shipped; presumably the builder base image defines the fhevm user
# (not visible here).
COPY --from=builder /etc/group /etc/passwd /etc/

# This image carries both listener binaries.
COPY --from=builder --chown=fhevm:fhevm /out/host_listener /usr/local/bin/host_listener
COPY --from=builder --chown=fhevm:fhevm /out/host_listener_poller /usr/local/bin/host_listener_poller

USER fhevm:fhevm

# Deliberately no CMD: compose picks the command (host_listener or
# host_listener_poller).
# =============================================================================
# Stage 2c: gw-listener runtime
# =============================================================================
FROM cgr.dev/zama.ai/glibc-dynamic:15.2.0 AS gw-listener

# The account files come first: COPY --chown with names is resolved against
# this image's own /etc/passwd and /etc/group. They replace whatever the base
# image shipped; presumably the builder base image defines the fhevm user
# (not visible here).
COPY --from=builder /etc/group /etc/passwd /etc/

COPY --from=builder --chown=fhevm:fhevm /out/gw_listener /usr/local/bin/gw_listener

# Run the service as the unprivileged fhevm user, in exec form.
USER fhevm:fhevm
CMD ["/usr/local/bin/gw_listener"]
# =============================================================================
# Stage 2d: sns-worker runtime
# =============================================================================
FROM cgr.dev/zama.ai/glibc-dynamic:15.2.0 AS sns-worker

# The account files come first: COPY --chown with names is resolved against
# this image's own /etc/passwd and /etc/group. They replace whatever the base
# image shipped; presumably the builder base image defines the fhevm user
# (not visible here).
COPY --from=builder /etc/group /etc/passwd /etc/

COPY --from=builder --chown=fhevm:fhevm /out/sns_worker /usr/local/bin/sns_worker

# Run the service as the unprivileged fhevm user, in exec form.
USER fhevm:fhevm
CMD ["/usr/local/bin/sns_worker"]
# =============================================================================
# Stage 2e: transaction-sender runtime
# =============================================================================
FROM cgr.dev/zama.ai/glibc-dynamic:15.2.0 AS transaction-sender

# The account files come first: COPY --chown with names is resolved against
# this image's own /etc/passwd and /etc/group. They replace whatever the base
# image shipped; presumably the builder base image defines the fhevm user
# (not visible here).
COPY --from=builder /etc/group /etc/passwd /etc/

COPY --from=builder --chown=fhevm:fhevm /out/transaction_sender /usr/local/bin/transaction_sender

# Run the service as the unprivileged fhevm user, in exec form.
USER fhevm:fhevm
CMD ["/usr/local/bin/transaction_sender"]
# =============================================================================
# Stage 2f: zkproof-worker runtime
# =============================================================================
FROM cgr.dev/zama.ai/glibc-dynamic:15.2.0 AS zkproof-worker

# The account files come first: COPY --chown with names is resolved against
# this image's own /etc/passwd and /etc/group. They replace whatever the base
# image shipped; presumably the builder base image defines the fhevm user
# (not visible here).
COPY --from=builder /etc/group /etc/passwd /etc/

COPY --from=builder --chown=fhevm:fhevm /out/zkproof_worker /usr/local/bin/zkproof_worker

# Run the service as the unprivileged fhevm user, in exec form.
USER fhevm:fhevm
CMD ["/usr/local/bin/zkproof_worker"]
# =============================================================================
# Stage 2g: db-migration runtime (special: Postgres-based image)
# =============================================================================
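FROM cgr.dev/zama.ai/postgres:17 AS db-migration
# NOTE(review): this tag names only the major version, so the image can change
# between builds; a more specific tag or a digest would make it reproducible.

# Copy user/group from builder for consistency with the other runtime images.
# They come first because COPY --chown with names is resolved against this
# image's own /etc/passwd and /etc/group. They replace whatever the base image
# shipped; presumably the builder base image defines the fhevm user (not
# visible here).
COPY --from=builder /etc/group /etc/group
COPY --from=builder /etc/passwd /etc/passwd

# Copy sqlx-cli from sqlx_builder
COPY --from=sqlx_builder /usr/local/cargo/bin/sqlx /usr/local/bin/sqlx

# Copy migrations and initialization script from source, owned by fhevm from
# the start. Setting ownership at copy time replaces a separate
# `RUN chown -R`, which stored the same files in a second layer and needed a
# build step that runs as a user allowed to chown.
COPY --chown=fhevm:fhevm coprocessor/fhevm-engine/db-migration/initialize_db.sh /initialize_db.sh
COPY --chown=fhevm:fhevm coprocessor/fhevm-engine/db-migration/migrations /migrations

# Run as the unprivileged fhevm user.
USER fhevm:fhevm

# This check only confirms that the psql client starts; it does not open a
# database connection.
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
    CMD psql --version || exit 1

# bash -c takes the command as one string. This stage sets no CMD, so the
# caller has to supply that string.
ENTRYPOINT ["/bin/bash", "-c"]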