
Commit 042aa21

build-sys: Run most parts with --network=none (#1725)
build-sys: Run most parts with `--network=none`

Why? It just shows that we have put some thought into our build system and care about reproducibility, hermetic builds etc.

And yes of course, `--network=bridge` should probably have been required as an opt-in in Dockerfile, but oh well. It's not too bad to sprinkle `--network=none` in some places. The biggest one is wrapping `make`.

Signed-off-by: Colin Walters <[email protected]>
1 parent d4df364 commit 042aa21

1 file changed

+7
-4
lines changed

Dockerfile

Lines changed: 7 additions & 4 deletions
@@ -69,7 +69,10 @@ COPY --from=src /src /src
6969
WORKDIR /src
7070
# See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
7171
# We aren't using the full recommendations there, just the simple bits.
72-
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome <<EORUN
72+
# First we download all of our Rust dependencies
73+
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
74+
# Then on general principle all the stuff from the Makefile runs with no network
75+
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none <<EORUN
7376
set -xeuo pipefail
7477
make
7578
make install-all DESTDIR=/out
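Review bot: The new `cargo fetch` step (line 73) will still update Cargo.lock if it has drifted from Cargo.toml, so the dependency set the offline `make` consumes is not pinned by this change alone; consider `cargo fetch --locked` so the fetch fails instead of silently re-resolving versions. Otherwise the split is the right shape: the only networked step is the fetch into the `/var/roothome` cache mount, and the `make` heredoc that follows runs with `--network=none`, so any crate the fetch missed (for example one only pulled in by a feature or target the Makefile enables) fails the build loudly rather than being downloaded unnoticed. The `RUN --network` flag needs the BuildKit Dockerfile frontend, which the existing `<<EORUN` heredoc already depends on, so no new syntax requirement is introduced.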
@@ -83,11 +86,11 @@ FROM build as units
8386
# A place that we're more likely to be able to set xattrs
8487
VOLUME /var/tmp
8588
ENV TMPDIR=/var/tmp
86-
RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome make install-unit-tests
89+
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none make install-unit-tests
8790

8891
# This just does syntax checking
8992
FROM build as validate
90-
RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome make validate
93+
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none make validate
9194

9295
# The final image that derives from the original base and adds the release binaries
9396
FROM base
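Review bot: Both changed lines in this hunk also move the cache mount target from `/build/target` to `/src/target`, matching `WORKDIR /src` and the build stage's cache mount in the previous hunk; that is a separate fix from adding `--network=none` (with the old path, cargo in the `units` and `validate` stages was writing to `/src/target` while the cache was mounted at `/build/target`, so the cache was never populated) and deserves a sentence in the commit message. With `--network=none` now applied, `make install-unit-tests` and `make validate` will fail if any test or check reaches the network, which is the intended fail-closed behaviour, but worth noting for anyone adding a test that does.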
@@ -110,7 +113,7 @@ EORUN
110113
# Create a layer that is our new binaries
111114
COPY --from=build /out/ /
112115
# We have code in the initramfs so we always need to regenerate it
113-
RUN <<EORUN
116+
RUN --network=none <<EORUN
114117
set -xeuo pipefail
115118
if test -x /usr/lib/bootc/initramfs-setup; then
116119
kver=$(cd /usr/lib/modules && echo *);
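Review bot: Applying `--network=none` to the initramfs regeneration (new line 116) is appropriate, since the step only reads kernel modules and bootc's own `/usr/lib/bootc/initramfs-setup` from the image; if the setup script or the initramfs tooling ever tried to download something at build time, this step would now fail visibly instead of quietly fetching. One pre-existing context line worth tidying while here: `kver=$(cd /usr/lib/modules && echo *)` yields a space-separated list when more than one kernel is installed and the literal string `*` when none are, and `set -euo pipefail` catches neither case; an explicit check that exactly one directory exists before using `$kver` would turn both into a clear build failure.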
