Create Dockerfile #133
Create Dockerfile #133
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| echo "zallet_version=$(echo ${{ github.ref_name }} | sed 's/v//g')" >> $GITHUB_OUTPUT | ||
|
|
||
| build_push: | ||
| uses: zcash/.github/.github/workflows/build-and-push-docker-hub.yaml@main |
There was a problem hiding this comment.
What is this doing? It looks recursive to me which makes no sense. Is this actually pulling from the zcash/zcash repo?
There was a problem hiding this comment.
Yes, this is the template we're using in Zcash and across several of our other repositories. - Just realized I missed updating a path — just fixed it now.
Dockerfile
Outdated
|
|
||
| COPY . . | ||
|
|
||
| RUN cargo build --release && strip target/release/zallet |
There was a problem hiding this comment.
Using strip makes debugging harder. If the stripped zallet binary crashes inside the distroless container, the stack traces will be much less informative because the symbol information is not available. This is a good example: https://stackoverflow.com/a/73628573
Adding the --locked flag is recommended for reproducibility, as it forces Cargo to use only the versions of dependencies specified in the Cargo.lock file. This is also aligned with the use of cargo vet --locked in the /.github/workflows/audits.yml workflow
Optional: Adding --package zallet --bin zallet for visibility and explicitness. Also, if in the future another package is added to the [workspace.members] cargo build without --package might try to build all members or a different default. Similar with --bin
There was a problem hiding this comment.
Optional: This can be a reusable workflow. For example:
This commit introduces some optimizations to the Docker build process:
1. **Build Caching**:
* Leverages Docker BuildKit cache mounts for `cargo` dependencies (`/app/.cargo`) and compiled artifacts (`/app/target/`). This speeds up subsequent builds by reusing downloaded and compiled dependencies.
* Uses bind mounts for `zallet` source, `Cargo.toml`, and `Cargo.lock` to ensure the build step has access to the necessary files during the cached `RUN` instruction.
* The `--link` flag is now used with `COPY` for potentially faster copies when supported.
2. **Optimized Build Command**:
* The `cargo build` command is now more explicit, specifying `--locked --package zallet --bin zallet`.
* The `strip` command has been removed to allow runtime debugging information.
3. **Explicit Naming and Structure**:
* The runtime stage is now explicitly named `AS runtime`.
* The `ENTRYPOINT` now uses the simple binary name `zallet`, relying on it being in the `PATH`.
4. **`.dockerignore` File**:
* A `.dockerignore` file has been added to control the build context sent to the Docker daemon.
* It follows an "exclude all, then include specific" pattern (`*` followed by `!pattern`) to ensure only necessary files (`.cargo`, `*.toml`, `*.lock`, and the `zallet` source directory) are included in the build context. This reduces the context size and can prevent unnecessary cache invalidations.
|
I opened #150 targeting this PR, with minimal design changes, but adding some of the optimizations mentioned in the comments |
Explicit version of RUST
feat(docker): Optimize build with cache mounts and `.dockerignore`
This PR adds a multi-stage Docker build for the
zalletbinary, resulting in a minimal and secure container image.Build Stage (
builder)rust:1-slim(amd64).clang,libclang-dev,pkg-config,git).--releasemode.stripto reduce binary size.Runtime Stage (
distroless)gcr.io/distroless/ccfor a minimal and secure runtime environment.zalletbinary.Additional Changes
This setup ensures small image size, strong security practices, and a clear separation between build and runtime environments.