-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathDockerfile
42 lines (30 loc) · 1.25 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
FROM rust:alpine3.20 AS builder
# Install pre-requisites
RUN apk add build-base gcompat jemalloc-dev
# Create a new directory for our application
WORKDIR /tmp/quincy-build
# Copy the source code into the container
COPY src ./src
COPY Cargo.toml Cargo.lock ./
# Build the application
ARG FEATURES="crypto-standard,jemalloc"
RUN cargo build --release --no-default-features --features "${FEATURES}"
FROM alpine:3.20
# Create needed directories
RUN mkdir -p /etc/quincy
# Install glibc
RUN apk add gcompat jemalloc libcap-setcap
# Copy the binary from the builder stage
COPY --from=builder /tmp/quincy-build/target/release/quincy-client /tmp/quincy-build/target/release/quincy-server /tmp/quincy-build/target/release/quincy-users /usr/local/bin/
# Add a non-root user
RUN addgroup -S quincy && adduser -S quincy -G quincy
RUN chown -R quincy:quincy /usr/local/bin/quincy-client /usr/local/bin/quincy-server /usr/local/bin/quincy-users
# Add required capabilities to executables
RUN setcap \
'cap_net_admin,cap_net_bind_service=+ep' /usr/local/bin/quincy-client \
'cap_net_admin,cap_net_bind_service=+ep' /usr/local/bin/quincy-server \
'cap_net_admin=+ep' /bin/busybox
# Run under a non-root account
USER quincy
# Set the working directory
WORKDIR /usr/srv/quincy