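# syntax=docker/dockerfile:1
# Production Multi-Stage Dockerfile for OpenCrates
# Optimized for security, performance, and minimal attack surface

# ---------------------------------------------------------------------------
# Build stage: compiles the `opencrates` and `opencrates-server` binaries.
# Nothing from this stage ships except what later stages COPY --from it.
# ---------------------------------------------------------------------------
FROM rust:1.75-slim AS builder

# Native build dependencies for the crates' system bindings.
# `--no-install-recommends` keeps the stage small; the apt lists are deleted in
# the same layer so they never persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        cmake \
        git \
        libpq-dev \
        libsqlite3-dev \
        libssl-dev \
        pkg-config \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /usr/src/opencrates

# Compiler flags must be identical for BOTH cargo invocations below: cargo
# fingerprints RUSTFLAGS, so setting them only before the final build (a late
# ENV) invalidates the cached dependency build and recompiles everything.
# `-C target-cpu=native` is intentionally not used — it ties the binary to the
# build host's CPU features and can crash (illegal instruction) on other
# machines, which defeats a portable production image.
# `-C link-arg=-s` strips symbols at link time.
ENV RUSTFLAGS="-C link-arg=-s"

# Dependency manifests first so the dependency layer is reused until
# Cargo.toml / Cargo.lock / .cargo change.
COPY Cargo.toml Cargo.lock ./
COPY .cargo/ ./.cargo/

# Placeholder crate so `cargo build` compiles only the dependency graph.
# NOTE(review): if Cargo.toml declares explicit [[bin]] targets beyond
# src/main.rs (opencrates-server is a second binary), those need placeholders
# too or this step fails — confirm against Cargo.toml.
RUN mkdir src && echo "fn main() {}" > src/main.rs

# Build dependencies only; remove the placeholder crate's own artifacts so the
# real source is rebuilt instead of being served from the stale fingerprint.
RUN cargo build --release --features "full" \
    && rm -f target/release/deps/opencrates*

# Real sources. examples/, benches/ and tests/ are copied because Cargo.toml
# presumably declares targets there; drop them if it does not — confirm.
COPY src/ ./src/
COPY templates/ ./templates/
COPY migrations/ ./migrations/
COPY examples/ ./examples/
COPY benches/ ./benches/
COPY tests/ ./tests/

# Final optimized build of both binaries.
RUN cargo build --release --features "full" \
    && strip target/release/opencrates \
    && strip target/release/opencrates-server

# Smoke test: the binary must at least load and report its version.
RUN ./target/release/opencrates --version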
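# ---------------------------------------------------------------------------
# Runtime stage: Debian slim plus only the shared libraries the binaries need.
# ---------------------------------------------------------------------------
FROM debian:bookworm-slim AS runtime

# Runtime-only dependencies. curl is kept solely for the HEALTHCHECK below.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        libpq5 \
        libsqlite3-0 \
        libssl3 \
    && rm -rf /var/lib/apt/lists/*

# Unprivileged service account; /app holds everything the process writes.
RUN groupadd -r opencrates \
    && useradd -r -g opencrates -d /home/opencrates opencrates \
    && mkdir -p /home/opencrates /app/data /app/logs /app/config \
    && chown -R opencrates:opencrates /home/opencrates /app

# Binaries stay root-owned and 0755: the service user can execute but not
# modify them.
COPY --from=builder --chmod=755 /usr/src/opencrates/target/release/opencrates /usr/local/bin/opencrates
COPY --from=builder --chmod=755 /usr/src/opencrates/target/release/opencrates-server /usr/local/bin/opencrates-server

# Ownership and mode are set at copy time. A trailing `RUN chown -R /app`
# would re-write every file into a new layer and double the image size.
COPY --from=builder --chown=opencrates:opencrates --chmod=755 /usr/src/opencrates/templates/ /app/templates/
COPY --from=builder --chown=opencrates:opencrates --chmod=755 /usr/src/opencrates/migrations/ /app/migrations/
# NOTE(review): config.toml is baked into the image layer; if it carries
# credentials (database URL, API keys) it should be mounted at run time
# instead of copied — confirm its contents.
COPY --chown=opencrates:opencrates --chmod=644 config.toml /app/config/

# Drop privileges before anything that runs in the container.
USER opencrates
WORKDIR /app

# Runtime configuration; ENV values persist into the running container.
ENV RUST_LOG=info \
    OPENCRATES_ENV=production \
    OPENCRATES_CONFIG_PATH=/app/config/config.toml \
    OPENCRATES_DATA_PATH=/app/data \
    OPENCRATES_LOG_PATH=/app/logs

# Liveness probe against the server's own health endpoint.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -fsS http://localhost:8080/system/health || exit 1

# 8080 is an unprivileged port, so the non-root user can bind it.
EXPOSE 8080

# Exec form: the server is PID 1 and receives SIGTERM from `docker stop`.
CMD ["opencrates-server", "--config", "/app/config/config.toml"]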
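# ---------------------------------------------------------------------------
# Minimal stage: the bare `opencrates` binary on top of scratch.
# NOTE(review): the `builder` stage produces a glibc-dynamic binary that also
# links libssl/libpq/libsqlite3 (see its libssl-dev/libpq-dev/libsqlite3-dev
# install). `scratch` has no dynamic loader and no shared libraries, so this
# stage only runs if the binary is built fully static (e.g. a musl target with
# vendored native libraries) — confirm before relying on it.
# ---------------------------------------------------------------------------
FROM scratch AS minimal

# CA bundle so outbound TLS connections can be verified.
COPY --from=runtime /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# Only the binary; no shell, package manager or other tooling.
COPY --from=builder /usr/src/opencrates/target/release/opencrates /opencrates

# scratch has no /etc/passwd, so the non-root identity is given numerically
# (65534 is the conventional "nobody" id; any non-zero UID/GID works).
USER 65534:65534

EXPOSE 8080

ENTRYPOINT ["/opencrates"]
CMD ["server"]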
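# ---------------------------------------------------------------------------
# Security scanning stage: never deployed. `docker build --target security-scan`
# fails when Trivy reports HIGH/CRITICAL findings in the runtime filesystem.
# ---------------------------------------------------------------------------
FROM runtime AS security-scan
USER root

# bash with pipefail so a failed download in the `wget | gpg` pipeline below
# fails the step instead of being masked by the last command's exit status.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# lsb-release provides the `lsb_release` used to pick the apt suite; it is not
# part of debian:bookworm-slim, so without it the suite name would be empty
# and the sources line malformed.
RUN apt-get update && apt-get install -y --no-install-recommends \
        gnupg \
        lsb-release \
        wget \
    && rm -rf /var/lib/apt/lists/*

# Trivy apt repository. The signing key goes into a dedicated keyring
# referenced via `signed-by` rather than the deprecated `apt-key add`, so it
# can only vouch for this repository and not every other apt source.
# NOTE(review): confirm the Trivy repo publishes a suite for the codename
# `lsb_release -sc` reports on this base image.
RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
        | gpg --dearmor -o /usr/share/keyrings/trivy.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
        > /etc/apt/sources.list.d/trivy.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends trivy \
    && rm -rf /var/lib/apt/lists/*

# Scan this stage's filesystem. It is the `runtime` stage plus the scanner and
# its helpers (wget, gnupg, lsb-release, trivy), so findings are a superset of
# the deployable image's.
RUN trivy fs --exit-code 1 --no-progress --severity HIGH,CRITICAL /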
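# ---------------------------------------------------------------------------
# Development stage: runtime image plus debuggers and a Rust toolchain for
# `cargo watch` hot reloading.
# ---------------------------------------------------------------------------
FROM runtime AS development
USER root

# pipefail so a failed rustup download below is not masked by `sh` exiting 0.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Debug tools plus the native build dependencies from the `builder` stage:
# `cargo run` compiles the crate inside this container, so it needs the same
# headers/libs (pkg-config, libssl-dev, libpq-dev, libsqlite3-dev, a C
# toolchain) that the builder has.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        cmake \
        gdb \
        git \
        htop \
        libpq-dev \
        libsqlite3-dev \
        libssl-dev \
        pkg-config \
        strace \
        valgrind \
        vim \
    && rm -rf /var/lib/apt/lists/*

# Install the toolchain AS the service user: rustup installs into $HOME, and
# installing as root under /root leaves /root/.cargo unreachable once USER
# switches to opencrates. /home/opencrates exists and is owned by that user
# (created in the runtime stage). The version matches the builder's
# rust:1.75 image — keep the two in sync.
USER opencrates
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
        | sh -s -- -y --default-toolchain 1.75.0 --profile minimal
ENV PATH="/home/opencrates/.cargo/bin:${PATH}"

# `--locked` installs from cargo-watch's own lockfile for a reproducible build.
RUN cargo install --locked cargo-watch

# Development overrides of the runtime stage's values.
ENV RUST_LOG=debug \
    OPENCRATES_ENV=development

# NOTE(review): no source is copied into this stage, so /app (the inherited
# WORKDIR) is presumably bind-mounted from the host checkout at run time —
# confirm the compose/run invocation.
CMD ["cargo", "watch", "-x", "run -- server"]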
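# ---------------------------------------------------------------------------
# Cross-compilation stage: runs on the build platform, emits a binary for
# TARGETPLATFORM under target/<triple>/release.
# ---------------------------------------------------------------------------
FROM --platform=$BUILDPLATFORM rust:1.75-slim AS cross-builder
ARG TARGETPLATFORM
ARG BUILDPLATFORM

# Cross linkers for both supported targets.
# NOTE(review): Debian generally only ships gcc-<triplet> cross packages for
# foreign architectures (the native toolchain is plain `gcc`); confirm this
# apt step succeeds on every build platform you use.
RUN apt-get update && apt-get install -y --no-install-recommends \
        gcc-aarch64-linux-gnu \
        gcc-x86-64-linux-gnu \
        libssl-dev \
        pkg-config \
    && rm -rf /var/lib/apt/lists/*

# Tell cargo which linker to use per target. These env vars take precedence
# over (and are harmless alongside) any linker set in .cargo/config.toml.
ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc \
    CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER=x86_64-linux-gnu-gcc

# Map the Docker platform to a Rust target triple; unsupported platforms fail
# the build rather than silently producing a build-host binary.
RUN case "$TARGETPLATFORM" in \
        "linux/amd64") echo "x86_64-unknown-linux-gnu" > /target.txt ;; \
        "linux/arm64") echo "aarch64-unknown-linux-gnu" > /target.txt ;; \
        *) echo "Unsupported platform: $TARGETPLATFORM" >&2 && exit 1 ;; \
    esac \
    && rustup target add "$(cat /target.txt)"

WORKDIR /usr/src/opencrates

# NOTE(review): COPY . . pulls in the whole build context (target/, .git, …)
# unless a .dockerignore excludes them — confirm one exists.
COPY . .

# NOTE(review): libssl-dev above is the build-host architecture; a cross build
# of openssl-sys for the other target needs target-arch headers/libraries or
# the crate's `vendored` feature — confirm for the non-native target.
RUN cargo build --release --target "$(cat /target.txt)" --features "full"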
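# ---------------------------------------------------------------------------
# Multi-arch runtime: same layout as `runtime`, fed from the cross-builder.
# ---------------------------------------------------------------------------
FROM debian:bookworm-slim AS multi-arch
ARG TARGETPLATFORM

# Same runtime libraries as the `runtime` stage: the binary is built with the
# same "full" feature set, so libpq5 and libsqlite3-0 are required here as
# well, not only libssl3.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        libpq5 \
        libsqlite3-0 \
        libssl3 \
    && rm -rf /var/lib/apt/lists/*

# Unprivileged service account.
RUN groupadd -r opencrates && useradd -r -g opencrates opencrates

# The cross-builder writes to target/<triple>/release; the glob picks whichever
# triple was built. Copying the two binaries by name (instead of `opencrates*`)
# keeps cargo's *.d dependency files out of /usr/local/bin.
COPY --from=cross-builder --chmod=755 /usr/src/opencrates/target/*/release/opencrates /usr/local/bin/
COPY --from=cross-builder --chmod=755 /usr/src/opencrates/target/*/release/opencrates-server /usr/local/bin/

# Writable app directory for the service user.
RUN mkdir -p /app && chown opencrates:opencrates /app

USER opencrates
WORKDIR /app

HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -fsS http://localhost:8080/system/health || exit 1

EXPOSE 8080

# NOTE(review): unlike the `runtime` stage no --config is passed and no
# config.toml or OPENCRATES_* env is set here; presumably the server falls back
# to built-in defaults — confirm.
CMD ["opencrates-server"]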