FROM rust:1.57.0-alpine3.13 AS builder
# Create an unprivileged user
RUN adduser --disabled-password --no-create-home --uid 1000 notroot notroot
# Perform apk actions as root
RUN apk add --no-cache musl-dev=1.2.2-r1 openssl-dev=1.1.1l-r0 libsodium-dev=1.0.18-r0 make=4.3-r0
# Create build directory as root
WORKDIR /usr/src
RUN USER=root cargo new redact-client
# Perform an initial compilation to cache dependencies
WORKDIR /usr/src/redact-client
COPY Cargo.lock Cargo.toml ./
RUN echo "fn main() {println!(\"if you see this, the image build failed and kept the depency-caching entrypoint. check your dockerfile and image build logs.\")}" > src/main.rs
RUN cargo build --release --locked
# Load source code to create final binary
RUN rm -rf src
RUN rm -rf target/release/deps/redact_client*
RUN rm -rf target/release/redact-client*
COPY src src
RUN cargo build --release --locked
# Create tiny final image containing binary
FROM scratch
# Load unprivileged user from build container
COPY --from=builder /etc/group /etc/passwd /etc/
# Switch to unprivileged user
USER notroot:notroot
# Copy binary files
WORKDIR /usr/local/bin
COPY --from=builder /usr/src/redact-client/target/release/redact-client service
ENTRYPOINT ["service"]