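# Build stage: Rust toolchain plus LLVM/clang and musl, used to compile burrow
# for a musl target that matches the requested platform.
FROM docker.io/library/rust:1.79-slim-bookworm AS builder

# Set automatically by BuildKit (for example linux/amd64).
ARG TARGETPLATFORM
# Major version of the apt.llvm.org toolchain packages to install.
ARG LLVM_VERSION=16

# Directory for the dearmored key that the LLVM apt source is bound to via signed-by.
ENV KEYRINGS=/etc/apt/keyrings

# Toolchain install.
# - The signing key is written to a file before gpg reads it: with the default
#   /bin/sh a `curl | gpg` pipeline reports only gpg's exit status, so a failed
#   or truncated download would not stop the build at the curl step.
# - The apt source uses https like the key download; package integrity still
#   rests on the signed-by key.
# - NOTE(review): the key is trusted as downloaded. Comparing its fingerprint
#   with a value pinned in this file would detect a swapped key.
RUN set -eux && \
    mkdir -p "$KEYRINGS" && \
    apt-get update && \
    apt-get install --no-install-recommends -y \
        busybox \
        curl \
        gpg \
        make \
        musl-dev && \
    curl --proto '=https' --tlsv1.2 -sSf -o /tmp/llvm-snapshot.gpg.key https://apt.llvm.org/llvm-snapshot.gpg.key && \
    gpg --dearmor --output "$KEYRINGS/llvm.gpg" /tmp/llvm-snapshot.gpg.key && \
    rm -f /tmp/llvm-snapshot.gpg.key && \
    echo "deb [signed-by=$KEYRINGS/llvm.gpg] https://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list && \
    apt-get update && \
    apt-get install --no-install-recommends -y \
        build-essential \
        clang-$LLVM_VERSION \
        libprotobuf-dev \
        libsqlite3-dev \
        lld-$LLVM_VERSION \
        llvm-$LLVM_VERSION \
        musl \
        musl-dev \
        musl-tools \
        protobuf-compiler \
        sqlite3 && \
    ln -s clang-$LLVM_VERSION /usr/bin/clang && \
    ln -s clang /usr/bin/clang++ && \
    ln -s lld-$LLVM_VERSION /usr/bin/ld.lld && \
    ln -s clang-$LLVM_VERSION /usr/bin/clang-cl && \
    ln -s llvm-ar-$LLVM_VERSION /usr/bin/llvm-lib && \
    ln -s lld-link-$LLVM_VERSION /usr/bin/lld-link && \
    update-alternatives --install /usr/bin/cc cc /usr/bin/clang 100 && \
    update-alternatives --install /usr/bin/c++ c++ /usr/bin/clang++ 100 && \
    apt-get remove -y --auto-remove && \
    rm -rf /var/lib/apt/lists/*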
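# Add the Rust standard library for the musl target that matches TARGETPLATFORM.
# An unsupported or empty value (TARGETPLATFORM is only populated by BuildKit)
# fails with a message instead of a bare exit status.
RUN case "$TARGETPLATFORM" in \
        "linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
        "linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
        *) echo "unsupported TARGETPLATFORM: '$TARGETPLATFORM'" >&2; exit 1 ;; \
    esac && \
    rustup target add "$LLVM_TARGET"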
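# SQLite amalgamation release to build statically against musl.
ARG SQLITE_VERSION=3460000
# Year segment of the sqlite.org download path; it has to match SQLITE_VERSION.
ARG SQLITE_YEAR=2024
# Expected SHA-256 of the tarball. Empty (the default) skips verification, which
# leaves the download protected by TLS only; set it with --build-arg, or pin it
# here, so that a replaced or corrupted archive fails the build.
ARG SQLITE_SHA256=""

# Download, optionally verify, then configure and install SQLite into
# /usr/local using clang for the selected musl target. The source tree and the
# tarball are removed in the same layer.
RUN case "$TARGETPLATFORM" in \
        "linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl MUSL_TARGET=aarch64-linux-musl ;; \
        "linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl MUSL_TARGET=x86_64-linux-musl ;; \
        *) echo "unsupported TARGETPLATFORM: '$TARGETPLATFORM'" >&2; exit 1 ;; \
    esac && \
    curl --proto '=https' --tlsv1.2 -sSfO "https://www.sqlite.org/$SQLITE_YEAR/sqlite-autoconf-$SQLITE_VERSION.tar.gz" && \
    if [ -n "$SQLITE_SHA256" ]; then \
        echo "$SQLITE_SHA256  sqlite-autoconf-$SQLITE_VERSION.tar.gz" | sha256sum -c - ; \
    fi && \
    tar xf "sqlite-autoconf-$SQLITE_VERSION.tar.gz" && \
    cd "sqlite-autoconf-$SQLITE_VERSION" && \
    ./configure --disable-shared --disable-dependency-tracking \
        CC="clang-$LLVM_VERSION -target $LLVM_TARGET" \
        CFLAGS="-I/usr/local/include -I/usr/include/$MUSL_TARGET" \
        LDFLAGS="-L/usr/local/lib -L/usr/lib/$MUSL_TARGET -L/lib/$MUSL_TARGET" && \
    make && \
    make install && \
    cd .. && \
    rm -rf "sqlite-autoconf-$SQLITE_VERSION" "sqlite-autoconf-$SQLITE_VERSION.tar.gz"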
# C compiler and archiver per Rust musl target; both targets use the
# apt.llvm.org clang and llvm-ar selected by LLVM_VERSION.
ENV CC_x86_64_unknown_linux_musl=clang-$LLVM_VERSION \
    AR_x86_64_unknown_linux_musl=llvm-ar-$LLVM_VERSION \
    CC_aarch64_unknown_linux_musl=clang-$LLVM_VERSION \
    AR_aarch64_unknown_linux_musl=llvm-ar-$LLVM_VERSION

# Per-target rustc flags: musl library search paths and rust-lld as the linker.
ENV CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="-L/usr/lib/x86_64-linux-musl -L/lib/x86_64-linux-musl -C linker=rust-lld" \
    CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="-L/usr/lib/aarch64-linux-musl -L/lib/aarch64-linux-musl -C linker=rust-lld"

# Location of the SQLite headers and static library installed under /usr/local.
ENV SQLITE3_STATIC=1 \
    SQLITE3_INCLUDE_DIR=/usr/local/include \
    SQLITE3_LIB_DIR=/usr/local/lib
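# Give the build context its own directory. No WORKDIR is set earlier in this
# stage, so a bare `COPY . .` merges the repository into the builder's current
# directory, where a top-level directory in the repository could shadow system
# paths of the same name.
# NOTE(review): `COPY . .` takes everything the build context offers; confirm a
# .dockerignore keeps .git, local env files and build output out of it.
WORKDIR /src
COPY . .

# Build and install the burrow binary for the musl target of this platform.
# NOTE(review): consider `--locked` so the build resolves exactly the dependency
# versions recorded in Cargo.lock, if the repository commits one.
RUN case "$TARGETPLATFORM" in \
        "linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
        "linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
        *) echo "unsupported TARGETPLATFORM: '$TARGETPLATFORM'" >&2; exit 1 ;; \
    esac && \
    cargo install --path burrow --target "$LLVM_TARGET"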
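# Assemble the root filesystem that the runtime stage copies onto scratch:
# the burrow binary, busybox, a single unprivileged account (10001:10001) and
# the two directories that account may write to.
# - ./tmp gets mode 1777 rather than 0777: the sticky bit is the usual setting
#   for a world-writable temp directory and stops one user from removing
#   another user's files.
# - NOTE(review): confirm the busybox binary copied here actually runs on a
#   scratch image (no libc is present there), and whether the runtime image
#   needs it at all; each extra executable is something a compromised process
#   could use.
WORKDIR /tmp/rootfs
RUN set -eux && \
    mkdir -p ./bin ./etc ./tmp ./data && \
    mv /usr/local/cargo/bin/burrow ./bin/burrow && \
    cp /bin/busybox ./bin/busybox && \
    echo 'burrow:x:10001:10001::/tmp:/bin/busybox' > ./etc/passwd && \
    echo 'burrow:x:10001:' > ./etc/group && \
    chown -R 10001:10001 ./tmp ./data && \
    chmod 1777 ./tmp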
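# Runtime stage: an empty base image that receives only the prepared rootfs.
FROM scratch AS runtime

# Label keys follow the OCI annotations spec:
# https://github.com/opencontainers/image-spec/blob/master/annotations.md
LABEL \
    org.opencontainers.image.title="burrow" \
    org.opencontainers.image.description="Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club." \
    org.opencontainers.image.url="https://github.com/hackclub/burrow" \
    org.opencontainers.image.source="https://github.com/hackclub/burrow" \
    org.opencontainers.image.vendor="hackclub" \
    org.opencontainers.image.licenses="GPL-3.0"

# Run as the unprivileged numeric UID:GID that the builder wrote to /etc/passwd
# and /etc/group; a numeric value lets orchestrators verify the non-root user.
USER 10001:10001

# NOTE(review): no --chown is given, so /tmp and /data are writable by 10001
# only if the ownership set in the builder carries over through this copy;
# confirm with the builder in use.
COPY --from=builder /tmp/rootfs /

WORKDIR /data

# Documentation only; the port still has to be published at run time.
EXPOSE 8080

CMD ["/bin/burrow", "auth-server"]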