Base Docker image on debian:buster-slim #234

Closed
wants to merge 1 commit into from
16 changes: 15 additions & 1 deletion Dockerfile
@@ -1,11 +1,25 @@
FROM rust:1.34.0-slim
FROM debian:buster-slim

RUN apt-get update
RUN apt-get install -y clang cmake
RUN apt-get install -y libsnappy-dev
RUN apt-get install -y curl

RUN adduser --disabled-login --system --shell /bin/false --uid 1000 user

ARG RUST_VERSION=1.34.0
ENV RUSTUP_HOME /usr/local/rustup
ENV CARGO_HOME /usr/local/cargo
ENV PATH $CARGO_HOME/bin:$PATH

RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- \
-y \
--verbose \
--profile minimal \
--default-toolchain $RUST_VERSION
Contributor

I meant to install it using apt-get to get signature validation for free. If you prefer rustup, then I'd suggest doing what the official Docker image does and checking the hashes.

Contributor Author

Good point regarding apt over rustup.

However, regarding rustup, it doesn't seem possible to get a secure Rust environment via rustup, which is why I intentionally didn't bother with hashes.

For example the official Docker image only checks the hash of rustup-init.sh. This is pointless because:

  1. rustup-init.sh then downloads rustup but doesn't check hashes/sigs.
  2. rustup doesn't check signatures when installing Rust versions.

So verifying rustup-init.sh doesn't guarantee anything about rustup, and even if you get an honest rustup, that doesn't even guarantee you get an honest rustc/cargo!

But you're right about preferring apt, that would definitely be better.


RUN chmod -R a+w $RUSTUP_HOME $CARGO_HOME
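Review bot: `RUN chmod -R a+w $RUSTUP_HOME $CARGO_HOME` makes every toolchain binary under /usr/local/rustup and /usr/local/cargo world-writable, so once the later `USER user` switch takes effect any process running as `user` can overwrite `cargo` or `rustc` and the next build will run the replaced binary. If the unprivileged user only needs to write its own registry and cache, a `chown` of those directories or a per-user `CARGO_HOME` is a narrower fix; building as root in a builder stage and copying only the resulting binary into the image avoids the question entirely. Separately, in the first region of the hunk `RUN apt-get update` and the three `RUN apt-get install -y ...` lines are each their own layer, so a rebuild can reuse a cached but stale package index with a fresh install line; combining them into one `RUN apt-get update && apt-get install -y --no-install-recommends clang cmake libsnappy-dev curl && rm -rf /var/lib/apt/lists/*` keeps index and install in the same layer and drops the package lists from the final image.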
Contributor

This looks strange; is it a standard thing to do in Docker?

Contributor Author

No, it's not a particularly standard thing to do in Docker; normally you would compile a binary and then copy it to /usr/local/bin or similar.

I'm not very familiar with Cargo, but it seems to want its own build dir with other data that you then add to your path.

Without changing the permissions the user account doesn't have permission to write to $CARGO_HOME during installation.

The official Rust images do it like this too: https://github.com/rust-lang/docker-rust/blob/8bab191937fcf23569d3a3c31103c1c6f7f2947e/1.42.0/buster/slim/Dockerfile#L30

I guess we could just build as root in /root/.cargo/bin and then copy the electrs binary to /usr/local/bin which should allow user to execute it.
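As an added illustration of the two suggestions in this thread, installing the toolchain from Debian's signed apt repository instead of piping rustup-init through `sh`, and building as root and then copying only the binary into /usr/local/bin so nothing under `$CARGO_HOME` has to be writable by the runtime user, here is a two-stage Dockerfile. It is example code, not the PR's Dockerfile or anything from the electrs project; the stage names, the `cargo build --release` invocation, the `/build/target/release/electrs` output path, the `libsnappy1v5` runtime package and the `ENTRYPOINT` are my assumptions, as is the assumption that electrs builds with the rustc/cargo versions Debian buster ships.

```dockerfile
# Added example (not the project's Dockerfile): build with Debian's apt-signed
# rustc/cargo, as root, in a throwaway builder stage.
FROM debian:buster-slim AS builder
# One layer for index refresh, install and list cleanup so the index can't go stale.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        rustc cargo clang cmake libsnappy-dev \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY ./ /build
# Built as root: no chmod -R a+w on the toolchain is needed because the
# runtime user never touches $CARGO_HOME at all.
RUN cargo build --release

# Runtime stage: no compiler, no cargo registry, no writable toolchain.
FROM debian:buster-slim
# Assumption: electrs links libsnappy dynamically, so only the runtime library
# (libsnappy1v5) is needed here, not libsnappy-dev.
RUN apt-get update \
    && apt-get install -y --no-install-recommends libsnappy1v5 \
    && rm -rf /var/lib/apt/lists/* \
    && adduser --disabled-login --system --shell /bin/false --uid 1000 user
# Only the finished binary crosses into the image; it is owned by root,
# executable by everyone and writable by nobody but root.
COPY --from=builder /build/target/release/electrs /usr/local/bin/electrs
USER user
WORKDIR /home/user
# Assumed entrypoint; the project's own startup command may differ.
ENTRYPOINT ["electrs"]
```

The point of the split is that the part of the image that runs as `user` contains no toolchain to tamper with, and the part that does contain one is discarded after the build, so the `chmod -R a+w` line and the `curl | sh` download both disappear.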


USER user
WORKDIR /home/user
COPY ./ /home/user