mirror of
https://github.com/harivansh-afk/sandbox-agent.git
synced 2026-04-17 05:00:20 +00:00
fix: use Alpine with native musl for arm64 Docker builds
This commit is contained in:
Nathan Flurry
parent
e887b48e26
commit
d7f32f3ee5
1 changed files with 66 additions and 48 deletions
|
|
@ -1,13 +1,14 @@
|
||||||
# syntax=docker/dockerfile:1.10.0
|
# syntax=docker/dockerfile:1.10.0
|
||||||
|
|
||||||
# Build stage - compile the binary
|
|
||||||
FROM rust:1.88.0 AS builder
|
|
||||||
|
|
||||||
ARG TARGETARCH
|
ARG TARGETARCH
|
||||||
|
|
||||||
|
# ============================================================================
|
||||||
|
# AMD64 Builder - Uses cross-tools musl toolchain
|
||||||
|
# ============================================================================
|
||||||
|
FROM rust:1.88.0 AS builder-amd64
|
||||||
|
|
||||||
ENV DEBIAN_FRONTEND=noninteractive
|
ENV DEBIAN_FRONTEND=noninteractive
|
||||||
|
|
||||||
# Install dependencies (g++-multilib not available on arm64)
|
|
||||||
RUN apt-get update && apt-get install -y \
|
RUN apt-get update && apt-get install -y \
|
||||||
musl-tools \
|
musl-tools \
|
||||||
musl-dev \
|
musl-dev \
|
||||||
|
|
@ -18,72 +19,89 @@ RUN apt-get update && apt-get install -y \
|
||||||
pkg-config \
|
pkg-config \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
g++ \
|
g++ \
|
||||||
|
g++-multilib \
|
||||||
git \
|
git \
|
||||||
curl \
|
curl \
|
||||||
wget && \
|
wget && \
|
||||||
rm -rf /var/lib/apt/lists/*
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Install musl cross toolchain for amd64 only
|
# Download cross-tools musl toolchain
|
||||||
# On arm64, we build natively using musl-gcc from musl-tools (already installed)
|
RUN wget -q https://github.com/cross-tools/musl-cross/releases/latest/download/x86_64-unknown-linux-musl.tar.xz && \
|
||||||
RUN if [ "$TARGETARCH" = "amd64" ]; then \
|
tar -xf x86_64-unknown-linux-musl.tar.xz -C /opt/ && \
|
||||||
wget -q https://github.com/cross-tools/musl-cross/releases/latest/download/x86_64-unknown-linux-musl.tar.xz && \
|
rm x86_64-unknown-linux-musl.tar.xz && \
|
||||||
tar -xf x86_64-unknown-linux-musl.tar.xz -C /opt/ && \
|
rustup target add x86_64-unknown-linux-musl
|
||||||
rm x86_64-unknown-linux-musl.tar.xz && \
|
|
||||||
rustup target add x86_64-unknown-linux-musl; \
|
|
||||||
elif [ "$TARGETARCH" = "arm64" ]; then \
|
|
||||||
rustup target add aarch64-unknown-linux-musl; \
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Set environment variables based on architecture
|
ENV PATH="/opt/x86_64-unknown-linux-musl/bin:$PATH" \
|
||||||
ENV LIBCLANG_PATH=/usr/lib/llvm-14/lib \
|
LIBCLANG_PATH=/usr/lib/llvm-14/lib \
|
||||||
CLANG_PATH=/usr/bin/clang-14 \
|
CLANG_PATH=/usr/bin/clang-14 \
|
||||||
|
CC_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-gcc \
|
||||||
|
CXX_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-g++ \
|
||||||
|
AR_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-ar \
|
||||||
|
CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=x86_64-unknown-linux-musl-gcc \
|
||||||
CARGO_INCREMENTAL=0 \
|
CARGO_INCREMENTAL=0 \
|
||||||
CARGO_NET_GIT_FETCH_WITH_CLI=true
|
CARGO_NET_GIT_FETCH_WITH_CLI=true
|
||||||
|
|
||||||
# Build OpenSSL for musl target (amd64 only - arm64 uses rustls)
|
# Build OpenSSL for musl
|
||||||
ENV SSL_VER=1.1.1w
|
ENV SSL_VER=1.1.1w
|
||||||
RUN if [ "$TARGETARCH" = "amd64" ]; then \
|
RUN wget https://www.openssl.org/source/openssl-$SSL_VER.tar.gz && \
|
||||||
export PATH="/opt/x86_64-unknown-linux-musl/bin:$PATH" && \
|
tar -xzf openssl-$SSL_VER.tar.gz && \
|
||||||
wget https://www.openssl.org/source/openssl-$SSL_VER.tar.gz && \
|
cd openssl-$SSL_VER && \
|
||||||
tar -xzf openssl-$SSL_VER.tar.gz && \
|
./Configure no-shared no-async --prefix=/musl --openssldir=/musl/ssl linux-x86_64 && \
|
||||||
cd openssl-$SSL_VER && \
|
make -j$(nproc) && \
|
||||||
./Configure no-shared no-async --prefix=/musl --openssldir=/musl/ssl linux-x86_64 && \
|
make install_sw && \
|
||||||
make -j$(nproc) && \
|
cd .. && \
|
||||||
make install_sw && \
|
rm -rf openssl-$SSL_VER*
|
||||||
cd .. && \
|
|
||||||
rm -rf openssl-$SSL_VER*; \
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Set OpenSSL environment variables (only used on amd64)
|
|
||||||
ENV OPENSSL_DIR=/musl \
|
ENV OPENSSL_DIR=/musl \
|
||||||
OPENSSL_INCLUDE_DIR=/musl/include \
|
OPENSSL_INCLUDE_DIR=/musl/include \
|
||||||
OPENSSL_LIB_DIR=/musl/lib \
|
OPENSSL_LIB_DIR=/musl/lib \
|
||||||
PKG_CONFIG_ALLOW_CROSS=1
|
PKG_CONFIG_ALLOW_CROSS=1 \
|
||||||
|
RUSTFLAGS="-C target-feature=+crt-static -C link-arg=-static-libgcc"
|
||||||
|
|
||||||
WORKDIR /build
|
WORKDIR /build
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
# Build static binary based on architecture
|
|
||||||
RUN --mount=type=cache,target=/usr/local/cargo/registry \
|
RUN --mount=type=cache,target=/usr/local/cargo/registry \
|
||||||
--mount=type=cache,target=/usr/local/cargo/git \
|
--mount=type=cache,target=/usr/local/cargo/git \
|
||||||
--mount=type=cache,target=/build/target \
|
--mount=type=cache,target=/build/target \
|
||||||
if [ "$TARGETARCH" = "amd64" ]; then \
|
SANDBOX_AGENT_SKIP_INSPECTOR=1 cargo build -p sandbox-agent --release --target x86_64-unknown-linux-musl && \
|
||||||
export PATH="/opt/x86_64-unknown-linux-musl/bin:$PATH" && \
|
cp target/x86_64-unknown-linux-musl/release/sandbox-agent /sandbox-agent
|
||||||
export CC_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-gcc && \
|
|
||||||
export CXX_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-g++ && \
|
# ============================================================================
|
||||||
export AR_x86_64_unknown_linux_musl=x86_64-unknown-linux-musl-ar && \
|
# ARM64 Builder - Uses Alpine with native musl
|
||||||
export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=x86_64-unknown-linux-musl-gcc && \
|
# ============================================================================
|
||||||
export RUSTFLAGS="-C target-feature=+crt-static -C link-arg=-static-libgcc" && \
|
FROM rust:1.88-alpine AS builder-arm64
|
||||||
SANDBOX_AGENT_SKIP_INSPECTOR=1 cargo build -p sandbox-agent --release --target x86_64-unknown-linux-musl && \
|
|
||||||
cp target/x86_64-unknown-linux-musl/release/sandbox-agent /sandbox-agent; \
|
RUN apk add --no-cache \
|
||||||
elif [ "$TARGETARCH" = "arm64" ]; then \
|
musl-dev \
|
||||||
export CC_aarch64_unknown_linux_musl=musl-gcc && \
|
clang \
|
||||||
export AR_aarch64_unknown_linux_musl=ar && \
|
llvm-dev \
|
||||||
export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=musl-gcc && \
|
openssl-dev \
|
||||||
export RUSTFLAGS="-C target-feature=+crt-static" && \
|
openssl-libs-static \
|
||||||
SANDBOX_AGENT_SKIP_INSPECTOR=1 cargo build -p sandbox-agent --release --target aarch64-unknown-linux-musl && \
|
pkgconfig \
|
||||||
cp target/aarch64-unknown-linux-musl/release/sandbox-agent /sandbox-agent; \
|
git \
|
||||||
fi
|
curl \
|
||||||
|
build-base
|
||||||
|
|
||||||
|
RUN rustup target add aarch64-unknown-linux-musl
|
||||||
|
|
||||||
|
ENV CARGO_INCREMENTAL=0 \
|
||||||
|
CARGO_NET_GIT_FETCH_WITH_CLI=true \
|
||||||
|
RUSTFLAGS="-C target-feature=+crt-static"
|
||||||
|
|
||||||
|
WORKDIR /build
|
||||||
|
COPY . .
|
||||||
|
|
||||||
|
RUN --mount=type=cache,target=/usr/local/cargo/registry \
|
||||||
|
--mount=type=cache,target=/usr/local/cargo/git \
|
||||||
|
--mount=type=cache,target=/build/target \
|
||||||
|
SANDBOX_AGENT_SKIP_INSPECTOR=1 cargo build -p sandbox-agent --release --target aarch64-unknown-linux-musl && \
|
||||||
|
cp target/aarch64-unknown-linux-musl/release/sandbox-agent /sandbox-agent
|
||||||
|
|
||||||
|
# ============================================================================
|
||||||
|
# Select the appropriate builder based on target architecture
|
||||||
|
# ============================================================================
|
||||||
|
FROM builder-${TARGETARCH} AS builder
|
||||||
|
|
||||||
# Runtime stage - minimal image
|
# Runtime stage - minimal image
|
||||||
FROM debian:bookworm-slim
|
FROM debian:bookworm-slim
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue