Create Dockerfile #133

Open
wants to merge 9 commits into
base: main

@y4ssi y4ssi commented May 6, 2025

This PR adds a multi-stage Docker build for the zallet binary, resulting in a minimal and secure container image.

Build Stage (builder)

  • Based on rust:1-slim (amd64).
  • Installs only the necessary packages for building (clang, libclang-dev, pkg-config, git).
  • Compiles the project in --release mode.
  • Uses strip to reduce binary size.

Runtime Stage (distroless)

  • Uses gcr.io/distroless/cc for a minimal and secure runtime environment.
  • Copies only the final zallet binary.
  • Runs as a non-root user by default.
  • No shell and no package manager, which minimizes the attack surface.

Additional Changes

  • Adds a GitHub Action to build the image and verify that the binary runs with at least one argument (more tests can be added in the future).
  • Adds a GitHub Action to release the Docker image to Docker Hub.

This setup ensures small image size, strong security practices, and a clear separation between build and runtime environments.

Collaborator

@str4d str4d left a comment

Reviewed b44296a. In addition to my comments, the zizmor failures need to be fixed.

echo "zallet_version=$(echo ${{ github.ref_name }} | sed 's/v//g')" >> $GITHUB_OUTPUT

build_push:
uses: zcash/.github/.github/workflows/build-and-push-docker-hub.yaml@main
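
Review bot: `${{ github.ref_name }}` in the `echo` line is substituted into the script text before the shell parses it, so a ref name containing shell metacharacters becomes part of the command. Pass the value through an `env:` entry on the step and reference it as a quoted shell variable instead. In the same line, `sed 's/v//g'` removes every `v` in the ref name, not only a leading one; `s/^v//` matches just the prefix. On the `uses:` line, `@main` follows a mutable branch of the reusable workflow; pinning it to a full commit SHA keeps the release job from picking up later changes to that template unreviewed.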

Collaborator

What is this doing? It looks recursive to me which makes no sense. Is this actually pulling from the zcash/zcash repo?

Author

Yes, this is the template we're using in Zcash and across several of our other repositories. Just realized I missed updating a path — just fixed it now.


- name: Run command inside Docker container
run: |
docker run --rm zallet -h

Collaborator

FYI the problem your last commit was fixing is that you tried to use -help as the flag, which is incorrect for Zallet. --help is what you should use (or -h), as the help text itself should show.

In general, zcashd's support for single-hyphen word flags to CLI is not something we are going to support in Zallet.

@y4ssi y4ssi requested a review from str4d May 13, 2025 18:41
@str4d str4d added the A-packaging Area: Packaging label May 14, 2025