# Build stage. The toolchain tag tracks the workspace `rust-version`
# declared in /Cargo.toml, so a compiler upgrade is always a deliberate
# edit here rather than silent `:latest` drift.
# NOTE(review): a tag can still be re-pointed on the registry; appending
# `@sha256:<digest>` to the image reference would make the base immutable.
FROM rust:1.88-bookworm AS builder

# Native build prerequisites; the apt lists are dropped in the same layer.
RUN apt-get update \
    && apt-get install -y \
        libclang-dev \
        protobuf-compiler \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /workspace
# NOTE(review): this copies the entire build context into the stage.
# Confirm `.dockerignore` keeps `.git`, `target/` and any local credential
# files out of it, since build layers can end up in a shared cache.
COPY . .

# Keep `-p wingfoil`. Without it cargo unifies features across the whole
# workspace, and `wingfoil-python` enables `etcd, kafka, zmq, fluvio, kdb`,
# which drags in system deps (protoc, cmake, libsasl2, libzmq) and
# ~hundreds of crates that this image does not ship.
# NOTE(review): `--locked` is not passed, so cargo may re-resolve
# dependencies if Cargo.lock is missing or stale in the build context.
# Consider adding it once the lockfile is confirmed to be copied in.
RUN cargo build \
    --release \
    -p wingfoil \
    --example latency_e2e_ws_server \
    --features "web-tls,iceoryx2,prometheus,otlp"

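# Runtime stage. bookworm-slim carries the same glibc (2.36) as the builder;
# pairing the binary with ubuntu:22.04 (glibc 2.35) risks a runtime ABI break.
# NOTE(review): the tag is mutable; appending `@sha256:<digest>` to the image
# reference would pin the exact base that was reviewed.
FROM debian:bookworm-slim

# Runtime packages (TLS library, CA bundle, and libcap2-bin for the `setcap`
# call below) plus a service account with a fixed numeric UID/GID of 10001.
RUN apt-get -o Acquire::Retries=3 update \
    && apt-get -o Acquire::Retries=3 install -y --no-install-recommends \
        ca-certificates \
        libcap2-bin \
        libssl3 \
    && rm -rf /var/lib/apt/lists/* \
    && groupadd --system --gid 10001 wingfoil \
    && useradd --system --uid 10001 --gid wingfoil --no-create-home --home /app wingfoil

WORKDIR /app

# The executable is left root-owned: the service account only needs to read
# and execute it, and a process running as `wingfoil` should not be able to
# rewrite or chmod a binary that carries a file capability.
COPY --from=builder /workspace/target/release/examples/latency_e2e_ws_server /app/ws_server
# NOTE(review): the static assets remain owned by the service account, so
# the server process can modify the files it serves. Root ownership would be
# tighter, but needs the context files to be world-readable. Confirm the
# modes and that the server never writes here before changing it.
COPY --chown=wingfoil:wingfoil wingfoil/examples/latency_e2e/static /app/static

# File capability so the non-root user (UID 10001) can bind privileged ports
# like :443 in deployments that pass `--addr 0.0.0.0:443` (ec2-spot).
# The capability must also be in the container's bounding set. Docker's
# default set includes NET_BIND_SERVICE, but a deployment that uses
# `cap_drop: ALL` has to add it back with `cap_add: NET_BIND_SERVICE`.
# This `setcap` is what grants it to the non-root process at exec time.
# Caveats for operators:
#   - The effective bit (`+ep`) makes exec of the binary fail with EPERM if
#     the capability is missing from the bounding set, even when only :8080
#     is bound.
#   - `no-new-privileges` stops file capabilities from being gained at exec,
#     so binding :443 will not work under that option.
RUN setcap cap_net_bind_service=+ep /app/ws_server

ENV WINGFOIL_STATIC_DIR=/app/static

# Drop to the unprivileged account for everything that runs in the container.
USER wingfoil:wingfoil

# Documentation only; ports are published by the deployment.
EXPOSE 8080 9091

# Exec form keeps the server as PID 1 so it receives stop signals directly.
# CMD holds the default listen address and can be overridden at run time.
ENTRYPOINT ["/app/ws_server"]
CMD ["--addr", "0.0.0.0:8080"]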