diff --git a/Dockerfile.reproducible b/Dockerfile.reproducible
index a0d4a17b5bb..89345d86a12 100644
--- a/Dockerfile.reproducible
+++ b/Dockerfile.reproducible
@@ -1,20 +1,34 @@
-# Use the Rust 1.88 image based on Debian Bookworm
+# STEP 1: Build stage using Rust 1.88 on Debian Bookworm
 FROM rust:1.88-bookworm AS builder
-# Install specific version of libclang-dev
-RUN apt-get update && apt-get install -y libclang-dev=1:14.0-55.7~deb12u1
+# Install libclang-dev without pinning to a volatile sub-version to prevent build failures.
+# Using --no-install-recommends and cleaning apt lists to keep the builder layer lean.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ libclang-dev \
+ && rm -rf /var/lib/apt/lists/*
-# Copy the project to the container
-COPY ./ /app
+# Set the working directory for the build process
 WORKDIR /app
-# Build the project with the reproducible settings
+# Copy all project files. Ensure a .dockerignore file exists to exclude sensitive data like .env or large target folders.
+COPY . .
+
+# Execute the reproducible build script
 RUN make build-reproducible
-RUN mv /app/target/x86_64-unknown-linux-gnu/release/reth /reth
+# Move the compiled binary to a predictable path for the final stage
+RUN mv /app/target/x86_64-unknown-linux-gnu/release/reth /usr/local/bin/reth
+
+# STEP 2: Final execution stage using Google's Distroless image
+# Distroless is used to minimize the attack surface by removing shells, package managers, and other utilities.
+FROM gcr.io/distroless/cc-debian12:nonroot
-# Create a minimal final image with just the binary
-FROM gcr.io/distroless/cc-debian12:nonroot-6755e21ccd99ddead6edc8106ba03888cbeed41a
-COPY --from=builder /reth /reth
+# Copy only the necessary binary from the builder stage to the root
+COPY --from=builder /usr/local/bin/reth /reth
+
+# Expose required ports for P2P (30303), Engine API (9001), and JSON-RPC (8545/8546)
 EXPOSE 30303 30303/udp 9001 8545 8546
+
+# Set the binary as the entrypoint.
+# Note: Ensure that persistent storage volumes are correctly mapped to allow the 'nonroot' user to write chain data.
 ENTRYPOINT [ "/reth" ]
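Review bot: The new `FROM gcr.io/distroless/cc-debian12:nonroot` replaces a digest-pinned runtime base with a floating tag, so two builds of this `Dockerfile.reproducible` can yield different final images whenever the tag is republished, and the unpinned `libclang-dev` install above it has the same effect on the builder stage; both pins are what made the file's name honest. If the old digest was stale, bump it rather than drop it — `FROM gcr.io/distroless/cc-debian12:nonroot@sha256:<current digest>` — and consider the same `@sha256:` form on the `rust:1.88-bookworm` builder line so the toolchain is fixed too. For `libclang-dev`, a version pin can be kept from breaking by pointing apt at a `snapshot.debian.org` timestamp in the same `RUN` instead of tracking whatever the mirror serves when `apt-get update` runs; if the project accepts an unpinned builder, the comment should say the build is only reproducible given a fixed builder image, not imply it still is. The `.dockerignore` remark on `COPY . .` states a requirement the Dockerfile cannot enforce; copying only the inputs `make build-reproducible` needs (`Cargo.toml`, `Cargo.lock`, `Makefile` and the source tree — exact list to be confirmed against the repo, which I can't see here) would make the claim hold by construction and stop `.env`-style files from ever entering the builder layer.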