FROM rust:1.57.0-alpine3.13 AS builder # Create an unprivileged user RUN adduser --disabled-password --no-create-home --uid 1000 notroot notroot # Perform apk actions as root RUN apk add --no-cache musl-dev=1.2.2-r1 openssl-dev=1.1.1q-r0 libsodium-dev=1.0.18-r0 make=4.3-r0 # Create build directory as root WORKDIR /usr/src RUN USER=root cargo new redact-store # Perform an initial compilation to cache dependencies WORKDIR /usr/src/redact-store COPY Cargo.lock Cargo.toml ./ RUN echo "fn main() {println!(\"if you see this, the image build failed and kept the depency-caching entrypoint. check your dockerfile and image build logs.\")}" > src/main.rs RUN cargo build --release --locked # Load source code to create final binary RUN rm -rf src RUN rm -rf target/release/deps/redact_store* RUN rm -rf target/release/redact-store* COPY src src RUN cargo build --release --locked # Create alpine debug image # This should be scratch in prod FROM alpine:3.13 # IMPORTANT: The following COPY and USER instructions are commented out in # development images to allow the binary's runtime user to be # root. This greatly simplifies in-container debugging. # Load unprivileged user from build container # COPY --from=builder /etc/group /etc/passwd /etc/ # Switch to unprivileged user # USER notroot:notroot # Copy binary files WORKDIR /usr/local/bin COPY --from=builder /usr/src/redact-store/target/release/redact-store service ENTRYPOINT ["service"]