[Identity] Avoid secret generation and slim down size of identity ser…

…ver docker image Summary: Secrets should not be generated as part of the docker image build. Instead, they need to be mounted in to the container. Also reduces the image size from 1.81GB to 108MB. https://linear.app/comm/issue/ENG-4419 Test Plan: ``` docker build -f services/identity/Dockerfile . # or cd services docker compose build identity ``` Reviewers: varun, bartek Reviewed By: varun, bartek Subscribers: ashoat, tomek Differential Revision: https://phab.comm.dev/D8580
CommE2E · Jul 27, 2023 · d589005 · d589005
1 parent 7db2bf4
commit d589005
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 22 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -31,6 +31,7 @@ keyserver/*.env.*
 services/tunnelbroker/Dockerfile
 services/identity/target
 services/identity/Dockerfile
+services/identity/secrets
 services/backup/Dockerfile
 services/blob/target
 services/blob/Dockerfile

diff --git a/services/identity/Dockerfile b/services/identity/Dockerfile
@@ -1,39 +1,37 @@
-FROM rust:1.67
+FROM rust:1.67 as builder
 
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
   build-essential cmake git libgtest-dev libssl-dev zlib1g-dev \
-  && rm -rf /var/lib/apt/lists/*
+  && rm -rf /var/lib/apt/lists/* \
+  && mkdir -p /home/root/app/
+
+WORKDIR /home/root/app
 
 # Install more recent version of protobuf, must be ran as root
 COPY scripts/install_protobuf.sh ../../scripts/install_protobuf.sh
 RUN ../../scripts/install_protobuf.sh
 
-# Create a new user comm and use it to run subsequent commands
-RUN useradd -m comm
-USER comm
-
-# The build.rs script depends on rustfmt
-RUN rustup component add rustfmt
-
 RUN mkdir -p /home/comm/app/identity
 WORKDIR /home/comm/app/identity
-RUN cargo init --bin
 
-COPY services/identity/Cargo.toml services/identity/Cargo.lock ./
+COPY services/identity .
+COPY shared/protos/identity_client.proto ../../shared/protos/
 COPY shared/comm-opaque2 ../../shared/comm-opaque2
 
-# Cache build dependencies in a new layer
-RUN cargo build --release
-RUN rm src/*.rs
+RUN cargo install --locked --path .
 
-COPY services/identity .
-COPY shared/protos/identity_client.proto ../../shared/protos/
+FROM debian:bullseye-slim
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+  ca-certificates \
+  && rm -rf /var/lib/apt/lists/* \
+  && useradd -m comm
 
-# Remove the previously-built binary so that only the application itself is
-# rebuilt
-RUN rm ./target/release/deps/identity*
+WORKDIR /home/comm/app/identity
+
+COPY --from=builder /usr/local/cargo/bin/identity \
+  /usr/local/bin/identity
 
-RUN cargo build --release
-RUN target/release/identity keygen
+USER comm
 
-CMD ["./target/release/identity", "server"]
+CMD ["identity", "server"]