# Build-time versions shared by the stages below. They are declared before the
# first FROM, so they are only usable in FROM lines.
#
# DISTROLESS_TAG selects the distroless variant used for the final image; the
# default `debug-nonroot` variant ships a busybox shell in the runtime image.
# disable SHELL cmd down below if switching to non-debug
# (presumably the `SHELL ["/busybox/sh", "-c"]` line of the `prd` stage, since
# /busybox/sh only exists in the debug variants; the `check` stage also needs
# that shell for its RUN step)
# NOTE(review): all base images are referenced by tag only; pinning each FROM
# by digest would make the build reproducible and tamper-evident.
ARG RUST_VERSION=1.80.1
ARG DENO_VERSION=1.46.3
ARG DISTROLESS_TAG=debug-nonroot
#
# Shared Rust toolchain stage; the `plan` and `builder` stages start from it.
# must match distroless debian version
# (bullseye is Debian 11, matching the cc-debian11 image used by `prd`)
FROM rust:${RUST_VERSION}-slim-bullseye AS base
WORKDIR /app
# cargo-chef is used by later stages to build dependencies in their own layer.
# `--locked` builds it with the lockfile published in the crate and `--debug`
# uses the dev profile; the crate version itself is not pinned.
# NOTE(review): consider `--version <CARGO_CHEF_VERSION>` (placeholder) so the
# build tool cannot change silently between builds.
RUN cargo install cargo-chef --locked --debug
# Planning stage: derives the cargo-chef recipe from the full source tree.
# Only recipe.json is copied out of this stage by `builder`.
FROM base AS plan
# NOTE(review): copies the entire build context; presumably a .dockerignore
# keeps .git, target/ and local credential files out of it - confirm.
COPY . .
RUN cargo chef prepare --recipe-path recipe.json
#
# Source of the deno executable only: the `builder` and `check` stages copy
# /usr/bin/deno out of this image.
FROM denoland/deno:${DENO_VERSION} AS deno-bin
#
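# Build stage: installs the native build dependencies and the ghjk toolchain,
# compiles the typegate binary and populates the Deno cache directory.
# /deno-dir, /app/typegate-bin and /app/.metatype are copied into `prd`.
FROM base AS builder

ENV DENO_DIR=/deno-dir/
ENV DENO_INSTALL=/root/.deno
ENV PATH="${DENO_INSTALL}/bin:${PATH}"

COPY --from=deno-bin /usr/bin/deno /bin/deno

# apt-get is used instead of apt, whose command-line interface is not meant
# for scripts. The cleanup removes the apt package lists explicitly: the
# earlier `/var/lib/{apt,dpkg,cache,log}/` pattern depends on brace expansion,
# which dash (the /bin/sh of Debian-based images) does not perform, so it
# removed nothing (and would have deleted the dpkg database if it had expanded).
RUN set -eux; \
    export DEBIAN_FRONTEND=noninteractive; \
    apt-get update; \
    apt-get install --yes --no-install-recommends \
        # typegate build
        make \
        ## libffi-sys
        automake \
        # wasm-opt deps
        clang \
        ## openssl deps
        pkg-config \
        libssl-dev \
        # base ghjk deps
        git \
        curl \
        # asdf deps
        zstd \
        xz-utils \
        unzip \
    ; \
    apt-get clean; \
    apt-get autoremove --yes; \
    rm -rf /var/lib/apt/lists/*

ARG GHJK_VERSION=v0.2.1
# NOTE(review): this downloads a script and runs it with every Deno permission
# (-A). $GHJK_VERSION is a git tag, which the remote can move; pinning the URL
# to a commit hash, or checking the script against a known digest before
# running it, would make this step reproducible and tamper-evident.
RUN GHJK_INSTALL_EXE_DIR=/usr/bin \
    deno run -A https://raw.github.com/metatypedev/ghjk/$GHJK_VERSION/install.ts

# Only the files ghjk needs are copied here, so the cooked environment layer
# stays cached when the rest of the source tree changes.
COPY tools/ tools/
COPY ghjk.ts .
ENV GHJK_ENV=oci
ENV GHJK_ACTIVATE=.ghjk/envs/$GHJK_ENV/activate.sh
RUN ghjk envs cook

# From here on, every shell-form RUN in this stage (and in stages built FROM
# it) first sources the ghjk `oci` environment and then runs the command.
SHELL ["/bin/sh", "-c", ". .ghjk/envs/oci/activate.sh && sh -c \"$*\"", "sh"]

# Build the dependencies from the recipe alone, before the sources are copied,
# so this layer is reused until the dependency set changes.
COPY --from=plan /app/recipe.json recipe.json
ARG CARGO_PROFILE=release
RUN cargo chef cook --recipe-path recipe.json --profile "$CARGO_PROFILE" --package typegate \
    && rm recipe.json

COPY . .
# The profile is quoted so an empty value cannot break the test expression,
# and an explicit if/else keeps a failed release copy from falling through to
# the debug copy. As before, any profile other than `release` is assumed to
# write to target/debug.
RUN cargo build --profile "$CARGO_PROFILE" --package typegate --locked \
    && if [ "$CARGO_PROFILE" = 'release' ]; then \
        cp target/release/typegate typegate-bin; \
    else \
        cp target/debug/typegate typegate-bin; \
    fi

# .metatype is created here so that `prd` can copy it with nonroot ownership.
RUN deno run -A tools/update.ts --cache-only --src-only \
    && mkdir -p .metatype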
#
# Development target: keeps the compiled `target` directory and removes the
# other non-hidden entries of the builder's working directory.
FROM builder AS dev
# `*` does not match dot-entries, so hidden files and directories stay in
# place, including .ghjk, which the SHELL inherited from `builder` sources
# before every RUN.
RUN mv target /tmp/target \
&& rm -rf * \
&& mv /tmp/target .
#
# Helper stage: fetches the tini init binary and prepares the
# per-architecture library symlinks that the `prd` stage copies.
FROM builder AS runtime-bin
ARG TINI_VERSION=v0.19.0
# TARGETARCH is the automatic platform build argument (amd64, arm64, ...).
ARG TARGETARCH
# NOTE(review): the binary is downloaded without integrity verification and
# later becomes the ENTRYPOINT of the final image. Consider
# `ADD --checksum=sha256:<TINI_SHA256_FOR_TARGETARCH>` (placeholder, one digest
# per architecture) or verifying the download in a RUN step before use.
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-${TARGETARCH} /tini
# /lib/sym/<arch> points at the multiarch library directory of each supported
# architecture, so `prd` can address that directory through ${TARGETARCH}.
RUN chmod +x /tini \
&& mkdir -p /lib/sym \
&& ln -s /lib/aarch64-linux-gnu /lib/sym/arm64 \
&& ln -s /lib/x86_64-linux-gnu /lib/sym/amd64
#
# Production image contents: the typegate binary, tini, and the TypeScript and
# JavaScript sources and configuration files that are copied in below.
# The `check` and `epoint` stages both build on this one.
FROM gcr.io/distroless/cc-debian11:${DISTROLESS_TAG} AS prd
# /busybox/sh is only present in the debug distroless variants; this line has
# to go when DISTROLESS_TAG is switched to a non-debug tag.
SHELL ["/busybox/sh", "-c"]
ARG TARGETARCH
ENV NO_COLOR=true
ENV DENO_DIR=/deno-dir/
WORKDIR /app
COPY --from=runtime-bin /tini /tini
COPY --from=runtime-bin /lib/sym /lib/sym
# libz is placed in the architecture's library directory through the
# /lib/sym/${TARGETARCH} symlink - presumably because the typegate binary links
# it dynamically and the base image does not provide it; confirm.
COPY --from=builder /lib/*-linux-gnu/libz.so* /lib/sym/${TARGETARCH}
COPY --from=builder /app/typegate-bin /bin/typegate
# the typegate ecma sources
COPY --from=builder /app/deno.jsonc /app/import_map.json ./
COPY --from=builder /app/src/typegate/engine/*.js /app/src/typegate/engine/*.ts ./src/typegate/engine/
COPY --from=builder /app/src/typegate/src ./src/typegate/src/
COPY --from=builder /app/src/typegate/deno.jsonc ./src/typegate/
COPY --from=builder /app/src/typegraph/deno/deno.json ./src/typegraph/deno/
COPY --from=builder /app/src/typegraph/specs/codegen/deno.jsonc ./src/typegraph/specs/codegen/
COPY --from=builder /app/tests/deno.jsonc ./tests/
COPY --from=builder /app/examples/deno.jsonc ./examples/
# taken from the build context, not from a build stage
COPY tools/LICENSE-MPL-2.0.md LICENSE.md
# writeable
# (owned by nonroot so the runtime user can modify these paths; everything
# copied above keeps the default ownership)
COPY --from=builder --chown=nonroot:nonroot /deno-dir /deno-dir
# NOTE(review): this lands in /app/typegate/, while the sources above live
# under /app/src/typegate/ - confirm the destination is intended.
COPY --from=builder --chown=nonroot:nonroot /app/deno.lock ./typegate/
COPY --from=builder --chown=nonroot:nonroot /app/.metatype ./.metatype
#
# run the checks in a separate target to avoid bloating
# the final image with the deno bin
# https://forums.docker.com/t/why-run-command-which-deletes-files-inflates-image-size/33670
# This target only validates the contents of `prd`; `epoint` is built FROM
# `prd` directly, so nothing done here (including USER root) reaches it.
FROM prd AS check
# distroless-nonroot is by default the nonroot user
# which prevents us from removing the /deno bin down below
USER root
# we temporarily copy the deno bin and run the type checker
# to make sure all required ts files are found in the image
COPY --from=deno-bin --chown=nonroot:nonroot /usr/bin/deno /bin/deno
# NOTE(review): this RUN goes through the /busybox/sh SHELL inherited from
# `prd`; that shell presumably has no globstar, so `**` would match a single
# directory level only - confirm the pattern reaches every entry file intended.
RUN /bin/deno check \
--config /app/src/typegate/deno.jsonc \
/app/src/typegate/src/**/*.ts \
&& rm /bin/deno
#
# Final runnable target: `prd` plus the runtime user, port and entrypoint.
FROM prd AS epoint
# run as the unprivileged user of the distroless nonroot image
USER nonroot
# documents the listening port; it does not publish it
EXPOSE 7890
# tini runs as PID 1 and starts the command given by CMD after `--`
ENTRYPOINT ["/tini", "--"]
CMD ["/bin/typegate"]