dynamically link glibc to avoid numerous issues, provide statically linked muslc dockerfile

Signed-off-by: Lance-Drane <[email protected]>

Author: Lance-Drane

.dockerignore

@@ -1,6 +1,8 @@
 *
 !proxy-http-client
+proxy-http-client/**/*.ya?ml
 !proxy-http-server
+proxy-http-server/**/*.ya?ml
 !shared-deps
 !Cargo.lock
 !Cargo.toml

Cargo.lock

@@ -15,32 +15,18 @@ RUN cargo chef prepare --bin ${BIN_NAME} --recipe-path recipe.json
 
 FROM chef AS builder
 ARG BIN_NAME
-RUN apt-get update -qq && apt install -y --no-install-recommends \
-  pkg-config \
-  libssl-dev \
-  && apt-get clean && rm -rf /var/lib/apt/lists /var/cache/apt/archives
-# Create the user and group files to run the binary as an unprivileged user.
-RUN mkdir /user && \
-    echo 'nobody:x:65534:65534:nobody:/:' > /user/passwd && \
-    echo 'nobody:x:65534:' > /user/group
 COPY --from=planner /app/recipe.json recipe.json
-# strictly use static linking, but use glibc
-# NOTE: when using these flags, you must explicitly specify a build target
-# TODO - realistically we should use MUSL instead of GLIBC to create a static binary, however the MUSL allocator is slow and should be replaced (i.e. https://www.tweag.io/blog/2023-08-10-rust-static-link-with-mimalloc/)
-ENV RUSTFLAGS='-C target-feature=+crt-static'
 # Build dependencies - this is the caching Docker layer!
 RUN cargo chef cook --release --bin ${BIN_NAME} --recipe-path recipe.json --target x86_64-unknown-linux-gnu
 # Build application
 COPY . .
 RUN cargo build --release --bin ${BIN_NAME} --target x86_64-unknown-linux-gnu
 
 # final image, as small as possible
-FROM scratch AS runtime
+# Rust runtime depends on libgcc
+FROM gcr.io/distroless/cc:nonroot AS runtime
 ARG BIN_NAME
 WORKDIR /app
-# Import user and group files from the build stage.
-COPY --from=builder /user/group /user/passwd /etc/
 COPY --from=builder /app/target/x86_64-unknown-linux-gnu/release/${BIN_NAME} /app/bin
 ENV PROXYAPP_PRODUCTION="true"
-USER nobody:nobody
 ENTRYPOINT ["/app/bin"]

Dockerfile

@@ -0,0 +1,44 @@
+# special image which will generate an image with a statically-linked binary and a non-root user
+
+# https://github.com/LukeMathWalker/cargo-chef
+# https://www.lpalmieri.com/posts/fast-rust-docker-builds/#cargo-chef for an in-depth explanation
+FROM lukemathwalker/cargo-chef:latest-rust-1-alpine AS chef
+WORKDIR /app
+# Force rustup to sync the toolchain in the base layer, so it doesn't happen more than once.
+COPY rust-toolchain.toml .
+RUN cargo --version
+
+# the checksum of recipe.json will only change if the dependency tree changes
+FROM chef AS planner
+ARG BIN_NAME
+# does not invalidate cache in builder stage, only planner stage
+COPY . .
+RUN cargo chef prepare --bin ${BIN_NAME} --recipe-path recipe.json
+
+FROM chef AS builder
+ARG BIN_NAME
+# make is needed for bundling the jemalloc allocator
+RUN apk update && \
+    apk add --no-cache \
+    make
+# Create the user and group files to run the binary as an unprivileged user.
+RUN mkdir /user && \
+    echo 'nobody:x:65534:65534:nobody:/:' > /user/passwd && \
+    echo 'nobody:x:65534:' > /user/group
+COPY --from=planner /app/recipe.json recipe.json
+# Build dependencies - this is the caching Docker layer!
+RUN cargo chef cook --release --bin ${BIN_NAME} --recipe-path recipe.json --target x86_64-unknown-linux-musl
+# Build application
+COPY . .
+RUN cargo build --release --bin ${BIN_NAME} --target x86_64-unknown-linux-musl
+
+# final image, as small as possible
+FROM scratch AS runtime
+ARG BIN_NAME
+WORKDIR /app
+# Import user and group files from the build stage.
+COPY --from=builder /user/group /user/passwd /etc/
+COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/${BIN_NAME} /app/bin
+ENV PROXYAPP_PRODUCTION="true"
+USER nobody:nobody
+ENTRYPOINT ["/app/bin"]

Dockerfile.muslc

@@ -26,6 +26,17 @@ tokio-stream = { workspace = true }
 tracing = { workspace = true }
 uuid = { workspace = true }
 intersect-ingress-proxy-common = { path = "../shared-deps", version = "0.1.0" }
-# rustls is only necessary if you don't want to dynamically link to openssl, this specific feature also provides certificates so you don't need ca-certificates
-reqwest = { version = "0.12", features = ["rustls-tls"] }
 reqwest-eventsource = "0.6"
+
+# when not targeting muslc, we can just dynamically link to the system openssl
+[target.'cfg(not(target_env = "musl"))'.dependencies.reqwest]
+version = "0.12"
+
+# on musl, use rustls in place of the system openssl and ca-certificates, as we compile a static binary.
+[target.'cfg(all(target_env = "musl"))'.dependencies.reqwest]
+version = "0.12"
+default-features = false
+features = ["rustls-tls", "charset", "http2", "system-proxy"]
+
+[target.'cfg(all(target_env = "musl", target_pointer_width = "64"))'.dependencies.jemallocator]
+version = "0.5"

proxy-http-client/Cargo.toml

@@ -14,6 +14,11 @@ use proxy_http_client::{configuration::Settings, event_source::event_source_loop
 
 const APPLICATION_NAME: &str = "proxy-http-client";
 
+// Muslc has a slow allocator, but we can only use jemalloc on 64-bit systems since jemalloc doesn't support i686.
+#[cfg(all(target_env = "musl", target_pointer_width = "64"))]
+#[global_allocator]
+static ALLOC: jemallocator::Jemalloc = jemallocator::Jemalloc;
+
 #[tokio::main]
 pub async fn main() -> anyhow::Result<()> {
     let configuration = get_configuration::<Settings>().expect("Failed to read configuration");

proxy-http-client/src/main.rs

@@ -31,3 +31,6 @@ axum = { version = "0.8", features = ["macros"] }
 axum-extra = { version = "0.10", features = ["typed-header"] }
 tower = "0.5"
 tower-http = { version = "0.6", features = ["request-id", "tracing", "trace", "util"] }
+
+[target.'cfg(all(target_env = "musl", target_pointer_width = "64"))'.dependencies.jemallocator]
+version = "0.5"

proxy-http-server/Cargo.toml

@@ -15,6 +15,11 @@ use proxy_http_server::{
 
 const APPLICATION_NAME: &str = "proxy-http-server";
 
+// Muslc has a slow allocator, but we can only use jemalloc on 64-bit systems since jemalloc doesn't support i686.
+#[cfg(all(target_env = "musl", target_pointer_width = "64"))]
+#[global_allocator]
+static ALLOC: jemallocator::Jemalloc = jemallocator::Jemalloc;
+
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
     let configuration = get_configuration::<Settings>().expect("Failed to read configuration");