34 changes: 24 additions & 10 deletions Dockerfile.reproducible
@@ -1,20 +1,34 @@
# Use the Rust 1.88 image based on Debian Bookworm
# STEP 1: Build stage using Rust 1.88 on Debian Bookworm
FROM rust:1.88-bookworm AS builder

# Install specific version of libclang-dev
RUN apt-get update && apt-get install -y libclang-dev=1:14.0-55.7~deb12u1
# Install libclang-dev without pinning to a volatile sub-version to prevent build failures.
# Using --no-install-recommends and cleaning apt lists to keep the builder layer lean.
RUN apt-get update && apt-get install -y --no-install-recommends \
libclang-dev \
&& rm -rf /var/lib/apt/lists/*

# Copy the project to the container
COPY ./ /app
# Set the working directory for the build process
WORKDIR /app

# Build the project with the reproducible settings
# Copy all project files. Ensure a .dockerignore file exists to exclude sensitive data like .env or large target folders.
COPY . .

# Execute the reproducible build script
RUN make build-reproducible

RUN mv /app/target/x86_64-unknown-linux-gnu/release/reth /reth
# Move the compiled binary to a predictable path for the final stage
RUN mv /app/target/x86_64-unknown-linux-gnu/release/reth /usr/local/bin/reth

# STEP 2: Final execution stage using Google's Distroless image
# Distroless is used to minimize the attack surface by removing shells, package managers, and other utilities.
FROM gcr.io/distroless/cc-debian12:nonroot

# Create a minimal final image with just the binary
FROM gcr.io/distroless/cc-debian12:nonroot-6755e21ccd99ddead6edc8106ba03888cbeed41a
COPY --from=builder /reth /reth
# Copy only the necessary binary from the builder stage to the root
COPY --from=builder /usr/local/bin/reth /reth

# Expose required ports for P2P (30303), Engine API (9001), and JSON-RPC (8545/8546)
EXPOSE 30303 30303/udp 9001 8545 8546

# Set the binary as the entrypoint.
# Note: Ensure that persistent storage volumes are correctly mapped to allow the 'nonroot' user to write chain data.
ENTRYPOINT [ "/reth" ]
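Review bot: The final stage now appears to use the floating tag `gcr.io/distroless/cc-debian12:nonroot` where the previous line carried the commit-suffixed tag `nonroot-6755e21ccd99ddead6edc8106ba03888cbeed41a`, and the builder's `libclang-dev` loses its version pin as well; the page has lost its +/- markers, so this reading is inferred from the comments around each line. In a file named Dockerfile.reproducible, both changes mean two builds of the same commit can pull different base layers and a different libclang, so a third party can no longer verify the output hash, and a retagged upstream image would flow into the release unnoticed. I would keep the runtime base immutable, either the old tag or a digest such as `FROM gcr.io/distroless/cc-debian12:nonroot@sha256:<digest-placeholder>`, and pin `rust:1.88-bookworm` the same way. If the exact apt version keeps disappearing from the mirror, installing from a dated snapshot mirror is a steadier fix than removing the pin. Separately, the new comment labels 9001 as the Engine API port; check that against the node's defaults before merging, since operators will read the comment when writing firewall rules.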