From b2ad142cf0209c24d6362161e0883af7d86d8f5b Mon Sep 17 00:00:00 2001
From: KevFan
Date: Fri, 3 Nov 2023 12:17:25 +0000
Subject: [PATCH] refactor: use ubi9 for Dockerfile & run stage in Dockerfile.aarch64
---
 Dockerfile | 12 ++++++------
 Dockerfile.aarch64 | 22 +++++++++++++++++++---
 2 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 30a5ab82..7bbb489d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,19 +2,19 @@
 # Build Stage
 # ------------------------------------------------------------------------------
-FROM registry.access.redhat.com/ubi8/ubi:8.7 as limitador-build
+FROM registry.access.redhat.com/ubi9/ubi:9.2 as limitador-build
 ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
 ARG RUSTC_VERSION=1.72.0
 # the powertools repo is required for protobuf-c and protobuf-devel
 RUN dnf -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs install \
- http://mirror.centos.org/centos/8-stream/BaseOS/`arch`/os/Packages/centos-gpg-keys-8-6.el8.noarch.rpm \
- http://mirror.centos.org/centos/8-stream/BaseOS/`arch`/os/Packages/centos-stream-repos-8-6.el8.noarch.rpm \
+ https://mirror.stream.centos.org/9-stream/BaseOS/`arch`/os/Packages/centos-gpg-keys-9.0-23.el9.noarch.rpm \
+ https://mirror.stream.centos.org/9-stream/BaseOS/`arch`/os/Packages/centos-stream-repos-9.0-23.el9.noarch.rpm \
 && dnf -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs install epel-release \
- && dnf config-manager --set-enabled powertools
+ && dnf config-manager --set-enabled crb
-RUN PKGS="gcc-c++ gcc-toolset-12-binutils-gold openssl-devel protobuf-c protobuf-devel git clang kernel-headers perl-IPC-Cmd" \
+RUN PKGS="protobuf-devel git clang perl" \
 && dnf install --nodocs --assumeyes $PKGS \
 && rpm --verify --nogroup --nouser $PKGS \
 && yum -y clean all
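Review bot: The two CentOS Stream RPMs in the first `RUN` are installed straight from a mirror URL with no integrity check, yet they are the trust root for everything installed after them: `centos-gpg-keys` carries the signing keys and `centos-stream-repos` the repo definitions that the following `epel-release` and `crb` steps rely on. Moving to `https://` protects the transport, but dnf by default does not signature-check packages named on the command line (`localpkg_gpgcheck` is off), and turning it on cannot help here because the key is inside the package being installed. Downloading both files first and comparing them with digests recorded in the Dockerfile before `dnf install` would close that gap, e.g. `echo "<sha256-placeholder>  centos-gpg-keys-9.0-23.el9.noarch.rpm" | sha256sum -c -`. The context comment `# the powertools repo is required for protobuf-c and protobuf-devel` is also stale now that the repo is `crb` and `protobuf-c` is no longer in `PKGS`.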
@@ -36,7 +36,7 @@ RUN source $HOME/.cargo/env \
 # Run Stage
 # ------------------------------------------------------------------------------
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.7
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2
 # shadow-utils is required for `useradd`
 RUN PKGS="libgcc libstdc++ shadow-utils" \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 3ae7fe6b..56d1b023 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -2,7 +2,9 @@
 # Build Stage cross compiling
 # ------------------------------------------------------------------------------
-FROM --platform=${BUILDPLATFORM} rust:1.72 as limitador-build
+# Use bullseye as build image instead of Bookworm as ubi9 does not not have GLIBCXX_3.4.30
+# https://access.redhat.com/solutions/6969351
+FROM --platform=${BUILDPLATFORM} rust:1.72-bullseye as limitador-build
 RUN apt update && apt upgrade -y \
 && apt install -y protobuf-compiler clang g++-aarch64-linux-gnu libc6-dev-arm64-cross
@@ -17,7 +19,9 @@ ENV GITHUB_SHA=${GITHUB_SHA:-unknown}
 ENV RUSTFLAGS="-C target-feature=-crt-static" \
 CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc \
 CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc \
- CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
+ CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++ \
+ # https://github.com/rust-lang/rust-bindgen/issues/1229
+ BINDGEN_EXTRA_CLANG_ARGS="--sysroot=/usr/aarch64-linux-gnu"
 COPY . .
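Review bot: The comment added above the `FROM` in `Dockerfile.aarch64` has a doubled word ("does not not have") and does not say which image constrains which, so the reason for pinning `rust:1.72-bullseye` is easy to lose on the next base bump. Something like `# Build on bullseye, not bookworm: the ubi9 run image's libstdc++ lacks GLIBCXX_3.4.30, which bookworm-built binaries require` states the coupling, with the Red Hat link kept as the reference. Since the run stage appears to link against the `libstdc++` installed from ubi9, the build image needs revisiting whenever the run image changes, and the comment is the only place that records this.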
@@ -27,7 +31,14 @@ RUN cargo build --release --target aarch64-unknown-linux-gnu
 # Run Stage
 # ------------------------------------------------------------------------------
-FROM --platform=$TARGETPLATFORM gcr.io/distroless/cc-debian12
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2
+
+# shadow-utils is required for `useradd`
+RUN PKGS="libgcc libstdc++ shadow-utils" \
+ && microdnf --assumeyes install --nodocs $PKGS \
+ && rpm --verify --nogroup --nouser $PKGS \
+ && microdnf -y clean all
+RUN useradd -u 1000 -s /bin/sh -m -d /home/limitador limitador
 WORKDIR /home/limitador/bin/
 ENV PATH="/home/limitador/bin:${PATH}"
@@ -35,4 +46,9 @@ ENV PATH="/home/limitador/bin:${PATH}"
 COPY --from=limitador-build /usr/src/limitador/limitador-server/examples/limits.yaml ../
 COPY --from=limitador-build /usr/src/limitador/target/aarch64-unknown-linux-gnu/release/limitador-server ./limitador-server
+RUN chown -R limitador:root /home/limitador \
+ && chmod -R 750 /home/limitador
+
+USER limitador
+
 CMD ["limitador-server"]
\ No newline at end of file
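Review bot: Replacing the distroless base with `ubi9/ubi-minimal` brings a shell and a package manager into the aarch64 runtime image, and `shadow-utils` stays installed even though the comment says it is only needed for the single `useradd` call. Because the package install and the `useradd` are separate `RUN` layers, removing the package later would not take it out of the image. Folding `useradd` into the first `RUN` and removing `shadow-utils` before `microdnf -y clean all` would keep it out of the image, provided nothing else in the image depends on it. `-s /bin/sh` also gives the service account a usable login shell; if nobody is expected to log in as `limitador`, a non-login shell is the tighter choice.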
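Review bot: `chown -R limitador:root` with `chmod -R 750` makes the server binary and `limits.yaml` owned and writable by the account the process runs as, so anything that compromises the service can overwrite its own executable and limits file. Unless limitador has to write under `/home/limitador`, root ownership with a non-writable mode gives the runtime user the same read and execute access, e.g. `RUN chown -R root:root /home/limitador && chmod -R u=rwX,go=rX /home/limitador`; the capital `X` also stops `limits.yaml` from being marked executable. `USER limitador` is a name, which Kubernetes `runAsNonRoot` cannot verify as non-zero; `USER 1000` matches the uid passed to `useradd` in the previous hunk. The `useradd` and `WORKDIR` lines that create these directories are outside this hunk, so the resulting directory modes should be confirmed there.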