.

subcoin-project · Jul 7, 2024 · fc0bb1f · fc0bb1f
1 parent 77450cb
commit fc0bb1f
Show file tree

Hide file tree

Showing 3 changed files with 108 additions and 35 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -7,7 +7,7 @@ on:
     branches:
       - main
       - docker
-      - 'releases/**'
+      - 'release/**'
     tags:
       - '**'
 
@@ -20,10 +20,16 @@ jobs:
     strategy:
       matrix:
         platform:
-          - arch: linux/amd64
+          # - arch: linux/amd64
+            # profile: production
+            # suffix: ubuntu-x86_64-${{ github.ref_name }}
+            # image-suffix: ''
+            # dockerfile-suffix: ''
+          - arch: linux/arm64
             profile: production
-            suffix: ubuntu-x86_64-${{ github.ref_name }}
-            image-suffix: ''
+            suffix: ubuntu-aarch64-${{ github.ref_name }}
+            image-suffix: '-aarch64'
+            dockerfile-suffix: '.aarch64'
 
     steps:
       - name: Set up QEMU
@@ -44,7 +50,7 @@ jobs:
         uses: docker/metadata-action@v3
         with:
           images: |
-            ghcr.io/subcoin-project/subcoin-node
+            ghcr.io/subcoin-project/subcoin
           tags: |
             type=ref,event=tag
             type=ref,event=branch
@@ -53,15 +59,18 @@ jobs:
             latest=false
             suffix=${{ matrix.platform.image-suffix }}
 
-      - name: Build and push ${{ matrix.image }} image
+      - name: Build and push image
         id: build
         uses: docker/build-push-action@v6
         with:
-          file: Dockerfile
+          file: Dockerfile${{ matrix.platform.dockerfile-suffix }}
           platforms: ${{ matrix.platform.arch }}
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             SUBSTRATE_CLI_GIT_COMMIT_HASH=${{ github.sha }}
             PROFILE=${{ matrix.platform.profile }}
+
+      - name: Image digest
+        run: echo ${{ steps.build.outputs.digest }}
diff --git a/Dockerfile b/Dockerfile
@@ -7,53 +7,47 @@ ARG SUBSTRATE_CLI_GIT_COMMIT_HASH
 # Incremental compilation here isn't helpful
 ENV CARGO_INCREMENTAL=0
 
-WORKDIR /subcoin
+WORKDIR /src
 
-RUN \
-    apt-get update && \
+RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         ca-certificates \
-        protobuf-compiler \
+        clang \
+        cmake \
         curl \
         git \
         llvm \
-        clang \
-        cmake \
+        protobuf-compiler \
         make && \
     curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 
 # Copy the source code
 COPY . .
 
-RUN /root/.cargo/bin/cargo build --locked --profile=$PROFILE
+# Compile the binary and move it to /subcoin.
+RUN /root/.cargo/bin/cargo build \
+    --locked \
+    --bin subcoin \
+    --profile=$PROFILE \
+    --target $(uname -p)-unknown-linux-gnu && \
+    mv target/*/*/subcoin /subcoin && \
+    rm -rf target
 
 # This is the 2nd stage: a very small image where we copy the binary.
-FROM docker.io/library/ubuntu:22.04
-LABEL description="Multistage Docker image for Subcoin Node" \
-  image.type="builder" \
-  image.authors="[email protected]" \
-  image.vendor="Subcoin Contributors" \
-  image.description="Multistage Docker image for Subnode Node" \
-  image.source="https://github.com/subcoin-project/subcoin" \
-  image.documentation="https://subcoin-project.github.io/subcoin"
+FROM ubuntu:22.04
 
-ARG PROFILE=production
+LABEL org.opencontainers.image.source="https://github.com/subcoin-project/subcoin"
+LABEL org.opencontainers.image.description="Multistage Docker image for Subcoin Node" \
 
 # Copy the node binary.
-COPY --from=builder /subcoin/target/$PROFILE/subcoin /usr/local/bin
+COPY --from=builder /subcoin /subcoin
+
+RUN mkdir /node-data && chown nobody:nogroup /node-data
 
-RUN useradd -m -u 1000 -U -s /bin/sh -d /node-dev node-dev && \
-  mkdir -p /chain-data /node-dev/.local/share && \
-  chown -R node-dev:node-dev /chain-data && \
-  ln -s /chain-data /node-dev/.local/share/subcoin && \
-  # unclutter and minimize the attack surface
-  rm -rf /usr/bin /usr/sbin && \
-  # check if executable works in this container
-  /usr/local/bin/subcoin --help
+VOLUME ["/node-data"]
 
-USER node-dev
+USER nobody:nogroup
 
 EXPOSE 30333 9933 9944 9615
-VOLUME ["/chain-data"]
 
-ENTRYPOINT ["/usr/local/bin/subcoin"]
+ENTRYPOINT ["/subcoin"]
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
@@ -0,0 +1,70 @@
+# This is a base image to build Subcoin node
+FROM ubuntu:22.04 AS builder
+
+# By default, we use the stable Rust. However, we encountered some network issues
+# during the docker build processing in CI. Now we compile the binary using nightly
+# so that the network issue in CI can be mitigated via the unstable flag `-Zgitoxide -Zgit`.
+ARG RUSTC_VERSION=nightly-2024-06-29
+
+ARG PROFILE=production
+ARG SUBSTRATE_CLI_GIT_COMMIT_HASH
+ARG TARGET=aarch64-unknown-linux-gnu
+
+# Incremental compilation here isn't helpful
+ENV CARGO_INCREMENTAL=0
+
+ENV RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc"
+ENV PKG_CONFIG_ALLOW_CROSS=true
+
+WORKDIR /src
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        ca-certificates \
+        clang \
+        cmake \
+        curl \
+        git \
+        llvm \
+        protobuf-compiler \
+        make && \
+    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUSTC_VERSION
+
+# Dependencies necessary for cross-compilation.
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        g++-aarch64-linux-gnu \
+        gcc-aarch64-linux-gnu \
+        libc6-dev-arm64-cross && \
+    /root/.cargo/bin/rustup target add $TARGET && \
+    /root/.cargo/bin/rustup target add wasm32-unknown-unknown --toolchain $RUSTC_VERSION-$TARGET
+
+# Copy the source code
+COPY . .
+
+# Compile the binary and move it to /subcoin.
+RUN /root/.cargo/bin/cargo +$RUSTC_VERSION -Zgitoxide -Zgit build \
+    --locked \
+    --bin subcoin \
+    --profile=$PROFILE \
+    --target aarch64-unknown-linux-gnu && \
+    mv target/*/*/subcoin /subcoin && \
+    rm -rf target
+
+# This is the 2nd stage: a very small image where we copy the binary.
+FROM arm64v8/ubuntu:22.04
+
+LABEL org.opencontainers.image.source="https://github.com/subcoin-project/subcoin"
+LABEL org.opencontainers.image.description="Multistage Docker image for Subcoin Node"
+
+# Copy the node binary.
+COPY --from=builder /subcoin /subcoin
+
+RUN mkdir /node-data && chown nobody:nogroup /node-data
+
+VOLUME ["/node-data"]
+
+USER nobody:nogroup
+
+EXPOSE 30333 9933 9944 9615
+
+ENTRYPOINT ["/subcoin"]