diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 541e4081..1b62d142 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,7 +7,7 @@ on: branches: - main - docker - - 'releases/**' + - 'release/**' tags: - '**' @@ -20,10 +20,16 @@ jobs: strategy: matrix: platform: - - arch: linux/amd64 + # - arch: linux/amd64 + # profile: production + # suffix: ubuntu-x86_64-${{ github.ref_name }} + # image-suffix: '' + # dockerfile-suffix: '' + - arch: linux/arm64 profile: production - suffix: ubuntu-x86_64-${{ github.ref_name }} - image-suffix: '' + suffix: ubuntu-aarch64-${{ github.ref_name }} + image-suffix: '-aarch64' + dockerfile-suffix: '.aarch64' steps: - name: Set up QEMU @@ -44,7 +50,7 @@ jobs: uses: docker/metadata-action@v3 with: images: | - ghcr.io/subcoin-project/subcoin-node + ghcr.io/subcoin-project/subcoin tags: | type=ref,event=tag type=ref,event=branch @@ -53,11 +59,11 @@ jobs: latest=false suffix=${{ matrix.platform.image-suffix }} - - name: Build and push ${{ matrix.image }} image + - name: Build and push image id: build uses: docker/build-push-action@v6 with: - file: Dockerfile + file: Dockerfile${{ matrix.platform.dockerfile-suffix }} platforms: ${{ matrix.platform.arch }} push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} @@ -65,3 +71,6 @@ jobs: build-args: | SUBSTRATE_CLI_GIT_COMMIT_HASH=${{ github.sha }} PROFILE=${{ matrix.platform.profile }} + + - name: Image digest + run: echo ${{ steps.build.outputs.digest }} diff --git a/Dockerfile b/Dockerfile index 192634fd..a92ba4a7 100644 --- a/Dockerfile +++ b/Dockerfile 
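Review bot: The `linux/amd64` matrix entry is commented out rather than kept next to the new `linux/arm64` one, so after this change the workflow builds only `Dockerfile.aarch64` and every pushed tag carries the `-aarch64` suffix taken from `image-suffix`. If x86_64 images are still meant to be published, restore the entry as a second matrix item with `dockerfile-suffix: ''` added. If not, delete the commented lines so the workflow does not carry dead configuration. The `strategy` block starts above the hunk, so other matrix settings are not visible here.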
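Review bot: The new `Image digest` step expands `${{ steps.build.outputs.digest }}` directly inside the `run:` script, so the value is pasted into the shell source before the shell parses it. The digest comes from the build action, so the exposure is small, but the usual hardening pattern is to pass step outputs through the environment. Add `env:` with `DIGEST: ${{ steps.build.outputs.digest }}` to the step and change the command to `run: echo "$DIGEST"`.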
@@ -7,53 +7,48 @@ ARG SUBSTRATE_CLI_GIT_COMMIT_HASH # Incremental compilation here isn't helpful ENV CARGO_INCREMENTAL=0 -WORKDIR /subcoin +WORKDIR /src RUN \ apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ ca-certificates \ - protobuf-compiler \ + clang \ + cmake \ curl \ git \ llvm \ - clang \ - cmake \ + protobuf-compiler \ make && \ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y # Copy the source code COPY . . -RUN /root/.cargo/bin/cargo build --locked --profile=$PROFILE +# Compile the binary and move it to /subcoin. +RUN /root/.cargo/bin/cargo build \ + --locked \ + --bin subcoin \ + --profile=$PROFILE \ + --target $(uname -p)-unknown-linux-gnu && \ + mv target/*/*/subcoin /subcoin && \ + rm -rf target # This is the 2nd stage: a very small image where we copy the binary. -FROM docker.io/library/ubuntu:22.04 -LABEL description="Multistage Docker image for Subcoin Node" \ - image.type="builder" \ - image.authors="xuliuchengxlc@email.com" \ - image.vendor="Subcoin Contributors" \ - image.description="Multistage Docker image for Subnode Node" \ - image.source="https://github.com/subcoin-project/subcoin" \ - image.documentation="https://subcoin-project.github.io/subcoin" +FROM ubuntu:22.04 -ARG PROFILE=production +LABEL org.opencontainers.image.source="https://github.com/subcoin-project/subcoin" +LABEL org.opencontainers.image.description="Multistage Docker image for Subcoin Node" \ # Copy the node binary. 
-COPY --from=builder /subcoin/target/$PROFILE/subcoin /usr/local/bin +COPY --from=builder /subcoin /subcoin + +RUN mkdir /node-data && chown nobody:nogroup /node-data -RUN useradd -m -u 1000 -U -s /bin/sh -d /node-dev node-dev && \ - mkdir -p /chain-data /node-dev/.local/share && \ - chown -R node-dev:node-dev /chain-data && \ - ln -s /chain-data /node-dev/.local/share/subcoin && \ - # unclutter and minimize the attack surface - rm -rf /usr/bin /usr/sbin && \ - # check if executable works in this container - /usr/local/bin/subcoin --help +VOLUME ["/node-data"] -USER node-dev +USER nobody:nogroup EXPOSE 30333 9933 9944 9615 -VOLUME ["/chain-data"] -ENTRYPOINT ["/usr/local/bin/subcoin"] +ENTRYPOINT ["/subcoin"] diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 new file mode 100644 index 00000000..ec7489ad --- /dev/null +++ b/Dockerfile.aarch64 
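Review bot: The added `LABEL org.opencontainers.image.description=... \` line ends with a line-continuation backslash, and the next instruction after the comment is `COPY --from=builder /subcoin /subcoin`. The COPY is therefore likely folded into the LABEL, so either the build fails on the LABEL syntax or the binary never reaches the final image. Drop the trailing `\`, as the same line in `Dockerfile.aarch64` does. Separately, the final stage no longer removes `/usr/bin` and `/usr/sbin` and no longer runs the `--help` smoke test, so the runtime image keeps the full Ubuntu userland and a broken binary is not caught at build time; a line such as `RUN ["/subcoin", "--help"]` before `USER nobody:nogroup` would restore the check. The builder stage begins above the hunk.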
@@ -0,0 +1,80 @@
+# This is a base image to build Subcoin node
+FROM ubuntu:22.04 AS builder
+
+ARG PROFILE=production
+ARG SUBSTRATE_CLI_GIT_COMMIT_HASH
+
+# Incremental compilation here isn't helpful
+ENV CARGO_INCREMENTAL=0
+
+WORKDIR /src
+
+RUN \
+ apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ ca-certificates \
+ clang \
+ cmake \
+ curl \
+ git \
+ llvm \
+ protobuf-compiler \
+ make && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+
+# Create a cache stage for dependencies
+FROM builder AS cache
+
+COPY Cargo.toml Cargo.lock ./
+RUN mkdir src && echo "fn main() {}" > src/main.rs
+RUN /root/.cargo/bin/cargo build --release
+
+# Use the cache stage to build the actual binary
+FROM builder AS build
+
+# Copy the source code
+COPY . .
+
+# Copy the cached dependencies
+COPY --from=cache /src/target /src/target
+COPY --from=cache /root/.cargo /root/.cargo
+
+ENV RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc"
+ENV PKG_CONFIG_ALLOW_CROSS=true
+
+# Dependencies necessary for successful cross-compilation
+RUN \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ g++-aarch64-linux-gnu \
+ gcc-aarch64-linux-gnu \
+ libc6-dev-arm64-cross
+
+RUN /root/.cargo/bin/rustup target add aarch64-unknown-linux-gnu
+
+# Compile the binary and move it to /subcoin.
+RUN /root/.cargo/bin/cargo build \
+ --locked \
+ --bin subcoin \
+ --profile=$PROFILE \
+ --target aarch64-unknown-linux-gnu && \
+ mv target/*/*/subcoin /subcoin && \
+ rm -rf target
+
+# This is the 2nd stage: a very small image where we copy the binary.
+FROM arm64v8/ubuntu:22.04
+
+LABEL org.opencontainers.image.source="https://github.com/subcoin-project/subcoin"
+LABEL org.opencontainers.image.description="Multistage Docker image for Subcoin Node"
+
+# Copy the node binary.
+COPY --from=builder /subcoin /subcoin
+
+RUN mkdir /node-data && chown nobody:nogroup /node-data
+
+VOLUME ["/node-data"]
+
+USER nobody:nogroup
+
+EXPOSE 30333 9933 9944 9615
+
+ENTRYPOINT ["/subcoin"]
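Review bot: The final stage copies with `COPY --from=builder /subcoin /subcoin`, but in this file `/subcoin` is produced in the stage named `build`; `builder` only installs the toolchain, so the copy should fail because the path does not exist there. It should read `COPY --from=build /subcoin /subcoin`. The `cache` stage also runs `cargo build --release` without `--locked` and without the `--target`/`--profile` used by the real build, so dependencies there may be re-resolved rather than held to `Cargo.lock`, and its artifacts are probably not reused before `rm -rf target` discards them. A comment above the `cache` stage stating what it is expected to save would help, or the stage could be removed.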