.

.github/workflows/docker.yml

@@ -7,7 +7,7 @@ on:
     branches:
       - main
       - docker
-      - 'releases/**'
+      - 'release/**'
     tags:
       - '**'
 
@@ -20,10 +20,16 @@ jobs:
     strategy:
       matrix:
         platform:
-          - arch: linux/amd64
+          # - arch: linux/amd64
+            # profile: production
+            # suffix: ubuntu-x86_64-${{ github.ref_name }}
+            # image-suffix: ''
+            # dockerfile-suffix: ''
+          - arch: linux/arm64
             profile: production
-            suffix: ubuntu-x86_64-${{ github.ref_name }}
-            image-suffix: ''
+            suffix: ubuntu-aarch64-${{ github.ref_name }}
+            image-suffix: '-aarch64'
+            dockerfile-suffix: '.aarch64'
 
     steps:
       - name: Set up QEMU
@@ -44,7 +50,7 @@ jobs:
         uses: docker/metadata-action@v3
         with:
           images: |
-            ghcr.io/subcoin-project/subcoin-node
+            ghcr.io/subcoin-project/subcoin
           tags: |
             type=ref,event=tag
             type=ref,event=branch
@@ -53,15 +59,18 @@ jobs:
             latest=false
             suffix=${{ matrix.platform.image-suffix }}
 
-      - name: Build and push ${{ matrix.image }} image
+      - name: Build and push image
         id: build
         uses: docker/build-push-action@v6
         with:
-          file: Dockerfile
+          file: Dockerfile${{ matrix.platform.dockerfile-suffix }}
           platforms: ${{ matrix.platform.arch }}
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             SUBSTRATE_CLI_GIT_COMMIT_HASH=${{ github.sha }}
             PROFILE=${{ matrix.platform.profile }}
+
+      - name: Image digest
+        run: echo ${{ steps.build.outputs.digest }}

Dockerfile

@@ -7,53 +7,48 @@ ARG SUBSTRATE_CLI_GIT_COMMIT_HASH
 # Incremental compilation here isn't helpful
 ENV CARGO_INCREMENTAL=0
 
-WORKDIR /subcoin
+WORKDIR /src
 
 RUN \
     apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         ca-certificates \
-        protobuf-compiler \
+        clang \
+        cmake \
         curl \
         git \
         llvm \
-        clang \
-        cmake \
+        protobuf-compiler \
         make && \
     curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 
 # Copy the source code
 COPY . .
 
-RUN /root/.cargo/bin/cargo build --locked --profile=$PROFILE
+# Compile the binary and move it to /subcoin.
+RUN /root/.cargo/bin/cargo build \
+    --locked \
+    --bin subcoin \
+    --profile=$PROFILE \
+    --target $(uname -p)-unknown-linux-gnu && \
+    mv target/*/*/subcoin /subcoin && \
+    rm -rf target
 
 # This is the 2nd stage: a very small image where we copy the binary.
-FROM docker.io/library/ubuntu:22.04
-LABEL description="Multistage Docker image for Subcoin Node" \
-  image.type="builder" \
-  image.authors="[email protected]" \
-  image.vendor="Subcoin Contributors" \
-  image.description="Multistage Docker image for Subnode Node" \
-  image.source="https://github.com/subcoin-project/subcoin" \
-  image.documentation="https://subcoin-project.github.io/subcoin"
+FROM ubuntu:22.04
 
-ARG PROFILE=production
+LABEL org.opencontainers.image.source="https://github.com/subcoin-project/subcoin"
+LABEL org.opencontainers.image.description="Multistage Docker image for Subcoin Node" \
 
 # Copy the node binary.
-COPY --from=builder /subcoin/target/$PROFILE/subcoin /usr/local/bin
+COPY --from=builder /subcoin /subcoin
+
+RUN mkdir /node-data && chown nobody:nogroup /node-data
 
-RUN useradd -m -u 1000 -U -s /bin/sh -d /node-dev node-dev && \
-  mkdir -p /chain-data /node-dev/.local/share && \
-  chown -R node-dev:node-dev /chain-data && \
-  ln -s /chain-data /node-dev/.local/share/subcoin && \
-  # unclutter and minimize the attack surface
-  rm -rf /usr/bin /usr/sbin && \
-  # check if executable works in this container
-  /usr/local/bin/subcoin --help
+VOLUME ["/node-data"]
 
-USER node-dev
+USER nobody:nogroup
 
 EXPOSE 30333 9933 9944 9615
-VOLUME ["/chain-data"]
 
-ENTRYPOINT ["/usr/local/bin/subcoin"]
+ENTRYPOINT ["/subcoin"]

Dockerfile.aarch64

@@ -0,0 +1,80 @@
+# This is a base image to build Subcoin node
+FROM ubuntu:22.04 AS builder
+
+ARG PROFILE=production
+ARG SUBSTRATE_CLI_GIT_COMMIT_HASH
+
+# Incremental compilation here isn't helpful
+ENV CARGO_INCREMENTAL=0
+
+WORKDIR /src
+
+RUN \
+    apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        ca-certificates \
+        clang \
+        cmake \
+        curl \
+        git \
+        llvm \
+        protobuf-compiler \
+        make && \
+    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+
+# Create a cache stage for dependencies
+FROM builder AS cache
+
+COPY Cargo.toml Cargo.lock ./
+RUN mkdir src && echo "fn main() {}" > src/main.rs
+RUN /root/.cargo/bin/cargo build --release
+
+# Use the cache stage to build the actual binary
+FROM builder AS build
+
+# Copy the source code
+COPY . .
+
+# Copy the cached dependencies
+COPY --from=cache /src/target /src/target
+COPY --from=cache /root/.cargo /root/.cargo
+
+ENV RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc"
+ENV PKG_CONFIG_ALLOW_CROSS=true
+
+# Dependencies necessary for successful cross-compilation
+RUN \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        g++-aarch64-linux-gnu \
+        gcc-aarch64-linux-gnu \
+        libc6-dev-arm64-cross
+
+RUN /root/.cargo/bin/rustup target add aarch64-unknown-linux-gnu
+
+# Compile the binary and move it to /subcoin.
+RUN /root/.cargo/bin/cargo build \
+    --locked \
+    --bin subcoin \
+    --profile=$PROFILE \
+    --target aarch64-unknown-linux-gnu && \
+    mv target/*/*/subcoin /subcoin && \
+    rm -rf target
+
+# This is the 2nd stage: a very small image where we copy the binary.
+FROM arm64v8/ubuntu:22.04
+
+LABEL org.opencontainers.image.source="https://github.com/subcoin-project/subcoin"
+LABEL org.opencontainers.image.description="Multistage Docker image for Subcoin Node"
+
+# Copy the node binary.
+COPY --from=builder /subcoin /subcoin
+
+RUN mkdir /node-data && chown nobody:nogroup /node-data
+
+VOLUME ["/node-data"]
+
+USER nobody:nogroup
+
+EXPOSE 30333 9933 9944 9615
+
+ENTRYPOINT ["/subcoin"]