Create Dockerfile
Also adds a GitHub workflow to publish a Docker image
parent
631bbc8fb3
commit
a2e93278c1
3 changed files with 125 additions and 0 deletions
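--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,5 @@
+# Xcode
+Apple/
+
+# Rust
+target/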
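Review bot: The ignore list covers only `Apple/` and `target/`, while the Dockerfile added in this commit copies the whole context with `COPY . .`, so `.git/` and any untracked local files such as `.env` or editor state land in the builder layer on a local build. That layer is not part of the `scratch` runtime image, but the workflow's `cache-to: type=gha,mode=max` exports intermediate layers as well, so it is worth keeping the context tight. I would add entries such as `.git/`, `.github/` and `.env*` to this file.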
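--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -0,0 +1,45 @@
+name: Build Docker
+on:
+push:
+branches:
+- main
+pull_request:
+branches:
+- "*"
+jobs:
+build:
+name: Build Docker Image
+runs-on: ubuntu-latest
+permissions:
+packages: write
+contents: read
+steps:
+- name: Setup QEMU
+uses: docker/setup-qemu-action@v2
+with:
+platforms: arm64
+- name: Setup BuildKit
+uses: docker/setup-buildx-action@v2
+- name: Authenticate
+uses: docker/login-action@v2
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.GITHUB_TOKEN }}
+- name: Extract Metadata
+id: meta
+uses: docker/metadata-action@v4
+with:
+images: ghcr.io/${{ github.repository }}
+tags: |
+type=sha
+type=raw,value=latest,enable={{is_default_branch}}
+- name: Build and Push
+uses: docker/build-push-action@v4
+with:
+platforms: ${{ github.event_name != 'pull_request' && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+push: ${{ github.event_name != 'pull_request' }}
+tags: ${{ steps.meta.outputs.tags }}
+labels: ${{ steps.meta.outputs.labels }}
+cache-from: type=gha
+cache-to: type=gha,mode=max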
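Review bot: Every `uses:` line in this job references its action by a mutable major tag (`docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v2`, `docker/login-action@v2`, `docker/metadata-action@v4`, `docker/build-push-action@v4`) while the job holds `packages: write`, so whatever those tags resolve to at run time executes with the ability to publish to `ghcr.io/${{ github.repository }}`. Pinning each action to a full commit SHA and keeping the tag as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v2`, fixes which code runs. The `Authenticate` step also runs on `pull_request` events although nothing is pushed there; adding `if: github.event_name != 'pull_request'` to that step keeps the registry login out of PR builds.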
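--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,75 @@
+FROM docker.io/library/rust:1.70.0-slim-bookworm AS builder
+
+ARG TARGETPLATFORM
+ARG LLVM_VERSION=16
+
+ENV KEYRINGS /etc/apt/keyrings
+
+RUN set -eux && \
+mkdir -p $KEYRINGS && \
+apt-get update && \
+apt-get install --no-install-recommends -y gpg curl musl-dev && \
+curl --proto '=https' --tlsv1.2 -sSf https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dearmor --output $KEYRINGS/llvm.gpg && \
+echo "deb [signed-by=$KEYRINGS/llvm.gpg] http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list && \
+apt-get update && \
+apt-get install --no-install-recommends -y clang-$LLVM_VERSION llvm-$LLVM_VERSION lld-$LLVM_VERSION && \
+ln -s clang-$LLVM_VERSION /usr/bin/clang && \
+ln -s clang /usr/bin/clang++ && \
+ln -s lld-$LLVM_VERSION /usr/bin/ld.lld && \
+ln -s clang-$LLVM_VERSION /usr/bin/clang-cl && \
+ln -s llvm-ar-$LLVM_VERSION /usr/bin/llvm-lib && \
+ln -s lld-link-$LLVM_VERSION /usr/bin/lld-link && \
+update-alternatives --install /usr/bin/cc cc /usr/bin/clang 100 && \
+update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++ 100 && \
+apt-get remove -y --auto-remove && \
+rm -rf /var/lib/apt/lists/*
+
+RUN case $TARGETPLATFORM in \
+"linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
+"linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
+*) exit 1 ;; \
+esac && \
+rustup target add $LLVM_TARGET
+
+ENV CC_x86_64_unknown_linux_musl=clang-$LLVM_VERSION \
+AR_x86_64_unknown_linux_musl=llvm-ar-$LLVM_VERSION \
+CC_aarch64_unknown_linux_musl=clang-$LLVM_VERSION \
+AR_aarch64_unknown_linux_musl=llvm-ar-$LLVM_VERSION \
+CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="-L/usr/lib/x86_64-linux-musl -L/lib/x86_64-linux-musl -C linker=rust-lld" \
+CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="-L/usr/lib/aarch64-linux-musl -L/lib/aarch64-linux-musl -C linker=rust-lld" \
+CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
+
+COPY . .
+
+RUN case $TARGETPLATFORM in \
+"linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
+"linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
+*) exit 1 ;; \
+esac && \
+cargo install --path burrow --target $LLVM_TARGET
+
+WORKDIR /tmp/rootfs
+
+RUN set -eux && \
+mkdir -p ./bin ./etc ./tmp ./data && \
+mv /usr/local/cargo/bin/burrow ./bin/burrow && \
+echo 'burrow:x:10001:10001::/tmp:/sbin/nologin' > ./etc/passwd && \
+echo 'burrow:x:10001:' > ./etc/group && \
+chown -R 10001:10001 ./tmp ./data && \
+chmod 0777 ./tmp
+
+FROM scratch as runtime
+LABEL \
+# https://github.com/opencontainers/image-spec/blob/master/annotations.md
+org.opencontainers.image.title="burrow" \
+org.opencontainers.image.description="Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club." \
+org.opencontainers.image.url="https://github.com/hackclub/burrow" \
+org.opencontainers.image.source="https://github.com/hackclub/burrow" \
+org.opencontainers.image.vendor="hackclub" \
+org.opencontainers.image.licenses="GPL-3.0"
+
+USER 10001:10001
+COPY --from=builder /tmp/rootfs /
+WORKDIR /data
+
+ENTRYPOINT ["/bin/burrow"]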
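Review bot: The `cargo install --path burrow --target $LLVM_TARGET` step in the builder stage does not pass `--locked`, so Cargo may re-resolve dependency versions instead of building exactly what a committed `Cargo.lock` records (assuming the repository commits one), and the published image can then carry crate versions nobody reviewed; `cargo install --locked --path burrow --target $LLVM_TARGET` closes that. In the toolchain `RUN`, the signing key is fetched over HTTPS but the repository line uses `http://apt.llvm.org/bookworm/`, and the `curl … | gpg --dearmor` pipe runs under `set -eux` without pipefail, so a failed download is not caught at that step. Switching the repository URL to `https://` and comparing the key's fingerprint with a pinned value before writing `llvm.gpg` would tighten that chain. Separately, `chmod 0777 ./tmp` omits the sticky bit a shared temp directory normally carries; `chmod 1777 ./tmp` is the conventional mode.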