From d589005d027b0a3c9e11ba17a2d5ea2c56c173df Mon Sep 17 00:00:00 2001
From: Jonathan Ringer
Date: Wed, 19 Jul 2023 16:18:01 -0700
Subject: [PATCH] [Identity] Avoid secret generation and slim down size of identity server docker image

Summary:
Secrets should not be generated as part of the docker image build. Instead, they need to be mounted in to the container.

Also reduces the image size from 1.81GB to 108MB.

https://linear.app/comm/issue/ENG-4419

Test Plan:
```
docker build -f services/identity/Dockerfile .
# or
cd services
docker compose build identity
```

Reviewers: varun, bartek

Reviewed By: varun, bartek

Subscribers: ashoat, tomek

Differential Revision: https://phab.comm.dev/D8580
---
 .dockerignore | 1 +
 services/identity/Dockerfile | 42 +++++++++++++++++-------------------
 2 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index bc061e7b0d..286b32a675 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -31,6 +31,7 @@ keyserver/*.env.*
 services/tunnelbroker/Dockerfile
 services/identity/target
 services/identity/Dockerfile
+services/identity/secrets
 services/backup/Dockerfile
 services/blob/target
 services/blob/Dockerfile
diff --git a/services/identity/Dockerfile b/services/identity/Dockerfile
index 431ccf2a97..36db30d9b3 100644
--- a/services/identity/Dockerfile
+++ b/services/identity/Dockerfile
@@ -1,39 +1,37 @@
-FROM rust:1.67
+FROM rust:1.67 as builder
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
   build-essential cmake git libgtest-dev libssl-dev zlib1g-dev \
-  && rm -rf /var/lib/apt/lists/*
+  && rm -rf /var/lib/apt/lists/* \
+  && mkdir -p /home/root/app/
+
+WORKDIR /home/root/app
 # Install more recent version of protobuf, must be ran as root
 COPY scripts/install_protobuf.sh ../../scripts/install_protobuf.sh
 RUN ../../scripts/install_protobuf.sh
-# Create a new user comm and use it to run subsequent commands
-RUN useradd -m comm
-USER comm
-
-# The build.rs script depends on rustfmt
-RUN rustup component add rustfmt
-
 RUN mkdir -p /home/comm/app/identity
 WORKDIR /home/comm/app/identity
-RUN cargo init --bin
-COPY services/identity/Cargo.toml services/identity/Cargo.lock ./
+COPY services/identity .
+COPY shared/protos/identity_client.proto ../../shared/protos/
 COPY shared/comm-opaque2 ../../shared/comm-opaque2
-# Cache build dependencies in a new layer
-RUN cargo build --release
-RUN rm src/*.rs
+RUN cargo install --locked --path .
-COPY services/identity .
-COPY shared/protos/identity_client.proto ../../shared/protos/
+FROM debian:bullseye-slim
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+  ca-certificates \
+  && rm -rf /var/lib/apt/lists/* \
+  && useradd -m comm
-# Remove the previously-built binary so that only the application itself is
-# rebuilt
-RUN rm ./target/release/deps/identity*
+WORKDIR /home/comm/app/identity
+
+COPY --from=builder /usr/local/cargo/bin/identity \
+  /usr/local/bin/identity
-RUN cargo build --release
-RUN target/release/identity keygen
+USER comm
-CMD ["./target/release/identity", "server"]
+CMD ["identity", "server"]
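Review bot: The runtime stage's `WORKDIR /home/comm/app/identity` is created by root before `USER comm`, so the server's working directory is not writable by the user it runs as, and the hunk says nowhere that the keys the old image produced with `identity keygen` now have to be mounted in (presumably under `./secrets`, matching the new .dockerignore entry). Suggest a comment above the runtime `WORKDIR` such as `# Secrets are not baked into the image (see .dockerignore); mount the identity secrets directory into this WORKDIR at runtime`, and if the server writes anything under its working directory, add `--chown=comm:comm` / a targeted `chown` before `USER comm` (cannot tell from the hunk). Two smaller points: the `RUN mkdir -p` before each `WORKDIR` in the builder stage is redundant since `WORKDIR` creates the directory, and both `FROM rust:1.67 as builder` and `FROM debian:bullseye-slim` are pinned by tag only, so a digest pin (`@sha256:<digest>`) would make the build reproducible. The binary copied from the builder is also assumed to load on bullseye-slim; if it links OpenSSL dynamically the runtime stage only gets libssl transitively through `ca-certificates`, which is worth stating explicitly — verify.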