vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small

commit 8c1117fcbf0e500e7ecf9df93bdeb6700fc57db5
parent 5af1799991e6d389853129fe2bc79b84815c454d
Author: Daniel GarcĂ­a <dani-garcia@users.noreply.github.com>
Date:   Sun, 12 Feb 2023 18:42:00 +0100

Merge pull request #3170 from jjlin/cap_net_bind_service

Allow listening on privileged ports (below 1024) as non-root
Diffstat:
M.github/workflows/release.yml | 5++++-
M.hadolint.yaml | 2++
Mdocker/Dockerfile.j2 | 54++++++++++++++++++++++++++++--------------------------
Mdocker/Makefile | 4++--
Mdocker/amd64/Dockerfile | 14+++++---------
Mdocker/amd64/Dockerfile.alpine | 11++++-------
Adocker/amd64/Dockerfile.buildkit | 126+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adocker/amd64/Dockerfile.buildkit.alpine | 119+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ddocker/amd64/Dockerfile.buildx | 125-------------------------------------------------------------------------------
Ddocker/amd64/Dockerfile.buildx.alpine | 117-------------------------------------------------------------------------------
Mdocker/arm64/Dockerfile | 25+++++++++----------------
Mdocker/arm64/Dockerfile.alpine | 13++++---------
Adocker/arm64/Dockerfile.buildkit | 147+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adocker/arm64/Dockerfile.buildkit.alpine | 121+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ddocker/arm64/Dockerfile.buildx | 149-------------------------------------------------------------------------------
Ddocker/arm64/Dockerfile.buildx.alpine | 121-------------------------------------------------------------------------------
Mdocker/armv6/Dockerfile | 26+++++++++-----------------
Mdocker/armv6/Dockerfile.alpine | 13++++---------
Adocker/armv6/Dockerfile.buildkit | 151++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adocker/armv6/Dockerfile.buildkit.alpine | 123+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ddocker/armv6/Dockerfile.buildx | 154-------------------------------------------------------------------------------
Ddocker/armv6/Dockerfile.buildx.alpine | 123-------------------------------------------------------------------------------
Mdocker/armv7/Dockerfile | 25+++++++++----------------
Mdocker/armv7/Dockerfile.alpine | 13++++---------
Adocker/armv7/Dockerfile.buildkit | 147+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adocker/armv7/Dockerfile.buildkit.alpine | 121+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ddocker/armv7/Dockerfile.buildx | 149-------------------------------------------------------------------------------
Ddocker/armv7/Dockerfile.buildx.alpine | 121-------------------------------------------------------------------------------
Mhooks/build | 6+++---
29 files changed, 1142 insertions(+), 1183 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml @@ -48,7 +48,10 @@ jobs: ports: - 5000:5000 env: - DOCKER_BUILDKIT: 1 # Disabled for now, but we should look at this because it will speedup building! + # Use BuildKit (https://docs.docker.com/build/buildkit/) for better + # build performance and the ability to copy extended file attributes + # (e.g., for executable capabilities) across build phases. + DOCKER_BUILDKIT: 1 # DOCKER_REPO/secrets.DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>' DOCKER_REPO: ${{ secrets.DOCKERHUB_REPO }} SOURCE_COMMIT: ${{ github.sha }} diff --git a/.hadolint.yaml b/.hadolint.yaml @@ -3,5 +3,7 @@ ignored: - DL3008 # disable explicit version for apk install - DL3018 + # disable check for consecutive `RUN` instructions + - DL3059 trustedRegistries: - docker.io diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 @@ -50,7 +50,7 @@ {% else %} {% set package_arch_target_param = "" %} {% endif %} -{% if "buildx" in target_file %} +{% if "buildkit" in target_file %} {% set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %} {% else %} {% set mount_rust_cache = "" %} @@ -83,8 +83,6 @@ FROM vaultwarden/web-vault@{{ vault_image_digest }} as vault ########################## BUILD IMAGE ########################## FROM {{ build_stage_base_image }} as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -93,7 +91,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal 
@@ -104,21 +101,20 @@ RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/{{ package_arch_target }}/lib/libatomic.a' {% endif %} {% elif "arm" in target_file %} -# -# Install required build libs for {{ package_arch_name }} architecture. -# hadolint ignore=DL3059 +# Install build dependencies for the {{ package_arch_name }} architecture RUN dpkg --add-architecture {{ package_arch_name }} \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev{{ package_arch_prefix }} \ + gcc-{{ package_cross_compiler }} \ libc6-dev{{ package_arch_prefix }} \ - libpq5{{ package_arch_prefix }} \ - libpq-dev{{ package_arch_prefix }} \ - libmariadb3{{ package_arch_prefix }} \ + libcap2-bin \ libmariadb-dev{{ package_arch_prefix }} \ libmariadb-dev-compat{{ package_arch_prefix }} \ - gcc-{{ package_cross_compiler }} \ + libmariadb3{{ package_arch_prefix }} \ + libpq-dev{{ package_arch_prefix }} \ + libpq5{{ package_arch_prefix }} \ + libssl-dev{{ package_arch_prefix }} \ # # Make sure cargo has the right target config && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \ @@ -130,16 +126,14 @@ ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_ CROSS_COMPILE="1" \ OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \ OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}" - {% elif "amd64" in target_file %} -# Install DB packages +# Install build dependencies RUN apt-get update \ && apt-get install -y \ --no-install-recommends \ - libmariadb-dev{{ package_arch_prefix }} \ - libpq-dev{{ package_arch_prefix }} \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* + libcap2-bin \ + libmariadb-dev \ + libpq-dev {% endif %} # Creates a dummy project used to grab dependencies 
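Review bot: `libcap2-bin` is added to both the arm and amd64 `apt-get install` lists in this hunk, but the template only emits the `setcap` step for targets with "buildkit" in the name, so the legacy renderings (`docker/amd64/Dockerfile` and `docker/arm64/Dockerfile` in this same diff) now install a package nothing in those files uses. Consider gating the line on the same condition the setcap block uses, `{% if "buildkit" in target_file %}` / `libcap2-bin \` / `{% endif -%}`, matching the whitespace control the template already applies elsewhere. The alpine branch of this if-chain sits outside the hunk, and the rendered `docker/amd64/Dockerfile.buildkit.alpine` in this diff shows no libcap install before its `setcap` step, so the musl variants presumably rely on the `blackdex/rust-musl` base image providing `setcap`; a one-line comment in the template saying so would save the next reader the same check.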
@@ -178,9 +172,20 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} +{% if "buildkit" in target_file %} +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +{% if package_arch_target is defined %} +RUN setcap cap_net_bind_service=+ep target/{{ package_arch_target }}/release/vaultwarden +{% else %} +RUN setcap cap_net_bind_service=+ep target/release/vaultwarden +{% endif %} +{% endif %} + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -195,7 +200,6 @@ ENV ROCKET_PROFILE="release" \ {% if "amd64" not in target_file %} -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] {% endif %} @@ -203,18 +207,18 @@ RUN [ "cross-build-start" ] RUN mkdir /data \ {% if "alpine" in runtime_stage_base_image %} && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata {% else %} && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* {% endif %} @@ -222,13 +226,11 @@ RUN mkdir /data \ {% if "armv6" in target_file and "alpine" not in target_file %} # In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. # This symlink was there in the buster images, and for some reason this is needed. -# hadolint ignore=DL3059 RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 {% endif -%} {% if "amd64" not in target_file %} -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] {% endif %} 
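Review bot: The new `RUN setcap cap_net_bind_service=+ep …` step has no counterpart in the runtime stage, so if a generated `Dockerfile.buildkit` is ever built without BuildKit (it is only opted into via `DOCKER_BUILDKIT: 1` in the workflow) the `COPY --from=build` silently drops the `security.capability` xattr, the image still builds, and the binary only fails later when run with a non-root `--user` on port 80. A cheap build-time guard is to verify the capability after the copy, e.g. `RUN setcap -v cap_net_bind_service=+ep /vaultwarden`, which requires `libcap2-bin` (Debian) or `libcap` (Alpine) in the runtime package list of the hunk below. The comment block is also worth extending with one sentence noting that the runtime stage sets no `USER`, so the capability only matters when the operator overrides the user, and that `+ep` grants exactly `CAP_NET_BIND_SERVICE` to every invoker of the binary and nothing more.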
diff --git a/docker/Makefile b/docker/Makefile @@ -8,8 +8,8 @@ all: $(OBJECTS) %/Dockerfile.alpine: Dockerfile.j2 render_template ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" -%/Dockerfile.buildx: Dockerfile.j2 render_template +%/Dockerfile.buildkit: Dockerfile.j2 render_template ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" -%/Dockerfile.buildx.alpine: Dockerfile.j2 render_template +%/Dockerfile.buildkit.alpine: Dockerfile.j2 render_template ./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" diff --git a/docker/amd64/Dockerfile b/docker/amd64/Dockerfile @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,19 +37,17 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# Install DB packages +# Install build dependencies RUN apt-get update \ && apt-get install -y \ --no-install-recommends \ + libcap2-bin \ libmariadb-dev \ - libpq-dev \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* + libpq-dev # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app @@ -81,9 +77,9 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built 
@@ -98,11 +94,11 @@ ENV ROCKET_PROFILE="release" \ RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -75,9 +72,9 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -93,10 +90,10 @@ ENV ROCKET_PROFILE="release" \ # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata VOLUME /data diff --git a/docker/amd64/Dockerfile.buildkit b/docker/amd64/Dockerfile.buildkit 
@@ -0,0 +1,126 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull vaultwarden/web-vault:v2023.1.1
+# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
+# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
+# [vaultwarden/web-vault:v2023.1.1]
+#
+FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
+
+########################## BUILD IMAGE ##########################
+FROM rust:1.66-bullseye as build
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+ LANG=C.UTF-8 \
+ TZ=UTC \
+ TERM=xterm-256color \
+ CARGO_HOME="/root/.cargo" \
+ USER="root"
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+ && rustup set profile minimal
+
+# Install build dependencies
+RUN apt-get update \
+ && apt-get install -y \
+ --no-install-recommends \
+ libcap2-bin \
+ libmariadb-dev \
+ libpq-dev
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release \
+ && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release
+
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/release/vaultwarden
+
+######################## RUNTIME IMAGE ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:bullseye-slim
+
+ENV ROCKET_PROFILE="release" \
+ ROCKET_ADDRESS=0.0.0.0 \
+ ROCKET_PORT=80
+
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+ && apt-get update && apt-get install -y \
+ --no-install-recommends \
+ ca-certificates \
+ curl \
+ libmariadb-dev-compat \
+ libpq5 \
+ openssl \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]
diff --git a/docker/amd64/Dockerfile.buildkit.alpine b/docker/amd64/Dockerfile.buildkit.alpine
@@ -0,0 +1,119 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull vaultwarden/web-vault:v2023.1.1
+# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
+# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
+# [vaultwarden/web-vault:v2023.1.1]
+#
+FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
+
+########################## BUILD IMAGE ##########################
+FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+ LANG=C.UTF-8 \
+ TZ=UTC \
+ TERM=xterm-256color \
+ CARGO_HOME="/root/.cargo" \
+ USER="root"
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+ && rustup set profile minimal
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add x86_64-unknown-linux-musl
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \
+ && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/x86_64-unknown-linux-musl/release/vaultwarden
+
+######################## RUNTIME IMAGE ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+ ROCKET_ADDRESS=0.0.0.0 \
+ ROCKET_PORT=80 \
+ SSL_CERT_DIR=/etc/ssl/certs
+
+
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+ && apk add --no-cache \
+ ca-certificates \
+ curl \
+ openssl \
+ tzdata
+
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]
diff --git a/docker/amd64/Dockerfile.buildx b/docker/amd64/Dockerfile.buildx
@@ -1,125 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. - -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull vaultwarden/web-vault:v2023.1.1 -# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1 -# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a -# [vaultwarden/web-vault:v2023.1.1] -# -FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault - -########################## BUILD IMAGE ########################## -FROM rust:1.66-bullseye as build - - - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - USER="root" - - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# Install DB packages -RUN apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - libmariadb-dev \ - libpq-dev \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain ./rust-toolchain -COPY ./build.rs ./build.rs - - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -# hadolint ignore=DL3059 -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM debian:bullseye-slim - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - openssl \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/amd64/Dockerfile.buildx.alpine b/docker/amd64/Dockerfile.buildx.alpine 
@@ -1,117 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. - -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull vaultwarden/web-vault:v2023.1.1 -# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1 -# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a -# [vaultwarden/web-vault:v2023.1.1] -# -FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault - -########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build - - - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - USER="root" - - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain ./rust-toolchain -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add x86_64-unknown-linux-musl - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -# hadolint ignore=DL3059 -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - openssl \ - tzdata \ - curl \ - ca-certificates - - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/arm64/Dockerfile b/docker/arm64/Dockerfile @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ 
@@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for arm64 architecture. -# hadolint ignore=DL3059 +# Install build dependencies for the arm64 architecture RUN dpkg --add-architecture arm64 \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:arm64 \ + gcc-aarch64-linux-gnu \ libc6-dev:arm64 \ - libpq5:arm64 \ - libpq-dev:arm64 \ - libmariadb3:arm64 \ + libcap2-bin \ libmariadb-dev:arm64 \ libmariadb-dev-compat:arm64 \ - gcc-aarch64-linux-gnu \ + libmariadb3:arm64 \ + libpq-dev:arm64 \ + libpq5:arm64 \ + libssl-dev:arm64 \ # # Make sure cargo has the right target config && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ @@ -71,7 +67,6 @@ ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app @@ -101,9 +96,9 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built 
@@ -113,22 +108,20 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/arm64/Dockerfile.alpine b/docker/arm64/Dockerfile.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -75,9 +72,9 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -89,18 +86,16 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/arm64/Dockerfile.buildkit b/docker/arm64/Dockerfile.buildkit 
@@ -0,0 +1,147 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull vaultwarden/web-vault:v2023.1.1
+# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
+# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
+# [vaultwarden/web-vault:v2023.1.1]
+#
+FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
+
+########################## BUILD IMAGE ##########################
+FROM rust:1.66-bullseye as build
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \ + LANG=C.UTF-8 \ + TZ=UTC \ + TERM=xterm-256color \ + CARGO_HOME="/root/.cargo" \ + USER="root" + +# Create CARGO_HOME folder and don't download rust docs +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ + && rustup set profile minimal + +# Install build dependencies for the arm64 architecture +RUN dpkg --add-architecture arm64 \ + && apt-get update \ + && apt-get install -y \ + --no-install-recommends \ + gcc-aarch64-linux-gnu \ + libc6-dev:arm64 \ + libcap2-bin \ + libmariadb-dev:arm64 \ + libmariadb-dev-compat:arm64 \ + libmariadb3:arm64 \ + libpq-dev:arm64 \ + libpq5:arm64 \ + libssl-dev:arm64 \ + # + # Make sure cargo has the right target config + && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ + && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \ + && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config" + +# Set arm specific environment values +ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ + CROSS_COMPILE="1" \ + OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ + OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" + +# Creates a dummy project used to grab dependencies +RUN USER=root cargo new --bin /app +WORKDIR /app + +# Copies over *only* your manifests and build files +COPY ./Cargo.* ./ +COPY ./rust-toolchain ./rust-toolchain +COPY ./build.rs ./build.rs + +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-gnu + +# Configure the DB ARG as late as possible to not invalidate the cached layers above +ARG DB=sqlite,mysql,postgresql + +# Builds your dependencies and removes the +# dummy project, except the target folder +# This folder contains the compiled dependencies +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build 
--features ${DB} --release --target=aarch64-unknown-linux-gnu \ + && find . -not -path "./target*" -delete + +# Copies the complete project +# To avoid copying unneeded files, use .dockerignore +COPY . . + +# Make sure that we actually build the project +RUN touch src/main.rs + +# Builds again, this time it'll just be +# your actual source files being built +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu + +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/aarch64-unknown-linux-gnu/release/vaultwarden + +######################## RUNTIME IMAGE ######################## +# Create a new stage with a minimal image +# because we already have a binary built +FROM balenalib/aarch64-debian:bullseye + +ENV ROCKET_PROFILE="release" \ + ROCKET_ADDRESS=0.0.0.0 \ + ROCKET_PORT=80 + +RUN [ "cross-build-start" ] + +# Create data folder and Install needed libraries +RUN mkdir /data \ + && apt-get update && apt-get install -y \ + --no-install-recommends \ + ca-certificates \ + curl \ + libmariadb-dev-compat \ + libpq5 \ + openssl \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +RUN [ "cross-build-end" ] + +VOLUME /data +EXPOSE 80 +EXPOSE 3012 + +# Copies the files from the context (Rocket.toml file and web-vault) +# and the binary from the "build" stage to the current stage +WORKDIR / +COPY --from=vault /web-vault ./web-vault +COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . + +COPY docker/healthcheck.sh /healthcheck.sh +COPY docker/start.sh /start.sh + +HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] + +CMD ["/start.sh"] 
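Review bot: The runtime stage still has no `USER` instruction, so the container starts as root and the `cap_net_bind_service` file capability applied by the new `setcap` step only becomes relevant when an operator starts the image with a non-root `--user` or `/start.sh` drops privileges, neither of which is visible here. The comment above the `setcap` line should state that, e.g. `# The runtime image still runs as root by default; this capability only matters when the container is started with a non-root --user.`, and a `USER` (or a documented non-root uid) in `Dockerfile.j2` would make the intent enforceable rather than operator-dependent. It is also worth saying there that `+ep` makes the capability effective for whichever uid executes the copied binary, which is the intended effect. The same applies to the arm64 alpine and armv6 BuildKit files below.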
diff --git a/docker/arm64/Dockerfile.buildkit.alpine b/docker/arm64/Dockerfile.buildkit.alpine 
@@ -0,0 +1,121 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull vaultwarden/web-vault:v2023.1.1
+# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
+# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
+# [vaultwarden/web-vault:v2023.1.1]
+#
+FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
+
+########################## BUILD IMAGE ##########################
+FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \ + LANG=C.UTF-8 \ + TZ=UTC \ + TERM=xterm-256color \ + CARGO_HOME="/root/.cargo" \ + USER="root" + +# Create CARGO_HOME folder and don't download rust docs +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ + && rustup set profile minimal + + +# Creates a dummy project used to grab dependencies +RUN USER=root cargo new --bin /app +WORKDIR /app + +# Copies over *only* your manifests and build files +COPY ./Cargo.* ./ +COPY ./rust-toolchain ./rust-toolchain +COPY ./build.rs ./build.rs + +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-musl + +# Configure the DB ARG as late as possible to not invalidate the cached layers above +# Enable MiMalloc to improve performance on Alpine builds +ARG DB=sqlite,mysql,postgresql,enable_mimalloc + +# Builds your dependencies and removes the +# dummy project, except the target folder +# This folder contains the compiled dependencies +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \ + && find . -not -path "./target*" -delete + +# Copies the complete project +# To avoid copying unneeded files, use .dockerignore +COPY . . + +# Make sure that we actually build the project +RUN touch src/main.rs + +# Builds again, this time it'll just be +# your actual source files being built +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl + +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. 
+RUN setcap cap_net_bind_service=+ep target/aarch64-unknown-linux-musl/release/vaultwarden + +######################## RUNTIME IMAGE ######################## +# Create a new stage with a minimal image +# because we already have a binary built +FROM balenalib/aarch64-alpine:3.17 + +ENV ROCKET_PROFILE="release" \ + ROCKET_ADDRESS=0.0.0.0 \ + ROCKET_PORT=80 \ + SSL_CERT_DIR=/etc/ssl/certs + + +RUN [ "cross-build-start" ] + +# Create data folder and Install needed libraries +RUN mkdir /data \ + && apk add --no-cache \ + ca-certificates \ + curl \ + openssl \ + tzdata + +RUN [ "cross-build-end" ] + +VOLUME /data +EXPOSE 80 +EXPOSE 3012 + +# Copies the files from the context (Rocket.toml file and web-vault) +# and the binary from the "build" stage to the current stage +WORKDIR / +COPY --from=vault /web-vault ./web-vault +COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . + +COPY docker/healthcheck.sh /healthcheck.sh +COPY docker/start.sh /start.sh + +HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] + +CMD ["/start.sh"] diff --git a/docker/arm64/Dockerfile.buildx b/docker/arm64/Dockerfile.buildx 
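Review bot: In this alpine variant the `setcap` step relies on `setcap` already being present in the third-party `blackdex/rust-musl` build image, since unlike the Debian variant no `libcap2-bin` (or apk `libcap`) install precedes it in the build stage. A missing binary would fail the build loudly, but the implicit dependency on that image's contents deserves a comment such as `# setcap is provided by the blackdex/rust-musl build image` next to the RUN so the next template edit does not silently break it. The armv6 alpine BuildKit file at the end of the diff presumably has the same shape, though its hunk is cut off before the setcap step.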
@@ -1,149 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. - -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull vaultwarden/web-vault:v2023.1.1 -# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1 -# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a -# [vaultwarden/web-vault:v2023.1.1] -# -FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault - -########################## BUILD IMAGE ########################## -FROM rust:1.66-bullseye as build - - - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - USER="root" - - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - -# -# Install required build libs for arm64 architecture. -# hadolint ignore=DL3059 -RUN dpkg --add-architecture arm64 \ - && apt-get update \ - && apt-get install -y \ - --no-install-recommends \ - libssl-dev:arm64 \ - libc6-dev:arm64 \ - libpq5:arm64 \ - libpq-dev:arm64 \ - libmariadb3:arm64 \ - libmariadb-dev:arm64 \ - libmariadb-dev-compat:arm64 \ - gcc-aarch64-linux-gnu \ - # - # Make sure cargo has the right target config - && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ - && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \ - && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config" - -# Set arm specific environment values -ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ - CROSS_COMPILE="1" \ - OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ - OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" - - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain ./rust-toolchain -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-gnu - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -ARG DB=sqlite,mysql,postgresql - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry 
cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . - -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -# hadolint ignore=DL3059 -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM balenalib/aarch64-debian:bullseye - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 - -# hadolint ignore=DL3059 -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apt-get update && apt-get install -y \ - --no-install-recommends \ - openssl \ - ca-certificates \ - curl \ - libmariadb-dev-compat \ - libpq5 \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -# hadolint ignore=DL3059 -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/arm64/Dockerfile.buildx.alpine b/docker/arm64/Dockerfile.buildx.alpine 
@@ -1,121 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. - -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull vaultwarden/web-vault:v2023.1.1 -# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1 -# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a -# [vaultwarden/web-vault:v2023.1.1] -# -FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault - -########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build - - - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \ - LANG=C.UTF-8 \ - TZ=UTC \ - TERM=xterm-256color \ - CARGO_HOME="/root/.cargo" \ - USER="root" - - -# Create CARGO_HOME folder and don't download rust docs -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ - && rustup set profile minimal - - -# Creates a dummy project used to grab dependencies -RUN USER=root cargo new --bin /app -WORKDIR /app - -# Copies over *only* your manifests and build files -COPY ./Cargo.* ./ -COPY ./rust-toolchain ./rust-toolchain -COPY ./build.rs ./build.rs - -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-musl - -# Configure the DB ARG as late as possible to not invalidate the cached layers above -# Enable MiMalloc to improve performance on Alpine builds -ARG DB=sqlite,mysql,postgresql,enable_mimalloc - -# Builds your dependencies and removes the -# dummy project, except the target folder -# This folder contains the compiled dependencies -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \ - && find . -not -path "./target*" -delete - -# Copies the complete project -# To avoid copying unneeded files, use .dockerignore -COPY . . 
- -# Make sure that we actually build the project -RUN touch src/main.rs - -# Builds again, this time it'll just be -# your actual source files being built -# hadolint ignore=DL3059 -RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl - -######################## RUNTIME IMAGE ######################## -# Create a new stage with a minimal image -# because we already have a binary built -FROM balenalib/aarch64-alpine:3.17 - -ENV ROCKET_PROFILE="release" \ - ROCKET_ADDRESS=0.0.0.0 \ - ROCKET_PORT=80 \ - SSL_CERT_DIR=/etc/ssl/certs - - -# hadolint ignore=DL3059 -RUN [ "cross-build-start" ] - -# Create data folder and Install needed libraries -RUN mkdir /data \ - && apk add --no-cache \ - openssl \ - tzdata \ - curl \ - ca-certificates - -# hadolint ignore=DL3059 -RUN [ "cross-build-end" ] - -VOLUME /data -EXPOSE 80 -EXPOSE 3012 - -# Copies the files from the context (Rocket.toml file and web-vault) -# and the binary from the "build" stage to the current stage -WORKDIR / -COPY --from=vault /web-vault ./web-vault -COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . - -COPY docker/healthcheck.sh /healthcheck.sh -COPY docker/start.sh /start.sh - -HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] - -CMD ["/start.sh"] diff --git a/docker/armv6/Dockerfile b/docker/armv6/Dockerfile @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ 
@@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for armel architecture. -# hadolint ignore=DL3059 +# Install build dependencies for the armel architecture RUN dpkg --add-architecture armel \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:armel \ + gcc-arm-linux-gnueabi \ libc6-dev:armel \ - libpq5:armel \ - libpq-dev:armel \ - libmariadb3:armel \ + libcap2-bin \ libmariadb-dev:armel \ libmariadb-dev-compat:armel \ - gcc-arm-linux-gnueabi \ + libmariadb3:armel \ + libpq-dev:armel \ + libpq5:armel \ + libssl-dev:armel \ # # Make sure cargo has the right target config && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ @@ -71,7 +67,6 @@ ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app @@ -101,9 +96,9 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built 
@@ -113,27 +108,24 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* # In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. # This symlink was there in the buster images, and for some reason this is needed. -# hadolint ignore=DL3059 RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv6/Dockerfile.alpine b/docker/armv6/Dockerfile.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -77,9 +74,9 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built 
@@ -91,18 +88,16 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv6/Dockerfile.buildkit b/docker/armv6/Dockerfile.buildkit 
@@ -0,0 +1,151 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull vaultwarden/web-vault:v2023.1.1
+# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
+# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
+# [vaultwarden/web-vault:v2023.1.1]
+#
+FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
+
+########################## BUILD IMAGE ##########################
+FROM rust:1.66-bullseye as build
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \ + LANG=C.UTF-8 \ + TZ=UTC \ + TERM=xterm-256color \ + CARGO_HOME="/root/.cargo" \ + USER="root" + +# Create CARGO_HOME folder and don't download rust docs +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ + && rustup set profile minimal + +# Install build dependencies for the armel architecture +RUN dpkg --add-architecture armel \ + && apt-get update \ + && apt-get install -y \ + --no-install-recommends \ + gcc-arm-linux-gnueabi \ + libc6-dev:armel \ + libcap2-bin \ + libmariadb-dev:armel \ + libmariadb-dev-compat:armel \ + libmariadb3:armel \ + libpq-dev:armel \ + libpq5:armel \ + libssl-dev:armel \ + # + # Make sure cargo has the right target config + && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ + && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \ + && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config" + +# Set arm specific environment values +ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ + CROSS_COMPILE="1" \ + OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ + OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" + +# Creates a dummy project used to grab dependencies +RUN USER=root cargo new --bin /app +WORKDIR /app + +# Copies over *only* your manifests and build files +COPY ./Cargo.* ./ +COPY ./rust-toolchain ./rust-toolchain +COPY ./build.rs ./build.rs + +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi + +# Configure the DB ARG as late as possible to not invalidate the cached layers above +ARG DB=sqlite,mysql,postgresql + +# Builds your dependencies and removes the +# dummy project, except the target folder +# This folder contains the compiled dependencies +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build 
--features ${DB} --release --target=arm-unknown-linux-gnueabi \ + && find . -not -path "./target*" -delete + +# Copies the complete project +# To avoid copying unneeded files, use .dockerignore +COPY . . + +# Make sure that we actually build the project +RUN touch src/main.rs + +# Builds again, this time it'll just be +# your actual source files being built +RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi + +# Add the `cap_net_bind_service` capability to allow listening on +# privileged (< 1024) ports even when running as a non-root user. +# This is only done if building with BuildKit; with the legacy +# builder, the `COPY` instruction doesn't carry over capabilities. +RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-gnueabi/release/vaultwarden + +######################## RUNTIME IMAGE ######################## +# Create a new stage with a minimal image +# because we already have a binary built +FROM balenalib/rpi-debian:bullseye + +ENV ROCKET_PROFILE="release" \ + ROCKET_ADDRESS=0.0.0.0 \ + ROCKET_PORT=80 + +RUN [ "cross-build-start" ] + +# Create data folder and Install needed libraries +RUN mkdir /data \ + && apt-get update && apt-get install -y \ + --no-install-recommends \ + ca-certificates \ + curl \ + libmariadb-dev-compat \ + libpq5 \ + openssl \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink. +# This symlink was there in the buster images, and for some reason this is needed. 
+RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 + +RUN [ "cross-build-end" ] + +VOLUME /data +EXPOSE 80 +EXPOSE 3012 + +# Copies the files from the context (Rocket.toml file and web-vault) +# and the binary from the "build" stage to the current stage +WORKDIR / +COPY --from=vault /web-vault ./web-vault +COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . + +COPY docker/healthcheck.sh /healthcheck.sh +COPY docker/start.sh /start.sh + +HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] + +CMD ["/start.sh"] diff --git a/docker/armv6/Dockerfile.buildkit.alpine b/docker/armv6/Dockerfile.buildkit.alpine 
@@ -0,0 +1,123 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull vaultwarden/web-vault:v2023.1.1
+# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
+# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
+# [vaultwarden/web-vault:v2023.1.1]
+#
+FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
+
+########################## BUILD IMAGE ##########################
+FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+ LANG=C.UTF-8 \
+ TZ=UTC \
+ TERM=xterm-256color \
+ CARGO_HOME="/root/.cargo" \
+ USER="root"
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+ && rustup set profile minimal
+
+# To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
+ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a'
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-musleabi
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \
+ && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
+
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/arm-unknown-linux-musleabi/release/vaultwarden
+
+######################## RUNTIME IMAGE ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+ ROCKET_ADDRESS=0.0.0.0 \
+ ROCKET_PORT=80 \
+ SSL_CERT_DIR=/etc/ssl/certs
+
+
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+ && apk add --no-cache \
+ ca-certificates \
+ curl \
+ openssl \
+ tzdata
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]
diff --git a/docker/armv6/Dockerfile.buildx b/docker/armv6/Dockerfile.buildx
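Review bot: The runtime stage of this new file sets no `USER`, so the `cap_net_bind_service=+ep` file capability applied by `RUN setcap ...` in the build stage only takes effect when an operator starts the container with a non-root uid; by default `/start.sh` still runs as root and the capability changes nothing. Unless `/start.sh` (not in this diff) drops privileges, either add a `USER` line with a dedicated uid to the runtime stage or state in the comment above `RUN setcap` that the capability is meant for `--user` deployments. The Alpine build stage also installs nothing that provides `setcap`, whereas the Debian variant adds `libcap2-bin`, so this presumably relies on `blackdex/rust-musl` shipping libcap — worth a comment like `# setcap is provided by the blackdex/rust-musl base image`. Since the fix depends on BuildKit preserving the capability xattr across `COPY --from=build`, a CI check that runs `getcap` on the final image would catch a silently dropped capability. The same points apply to the armv7 `Dockerfile.buildkit` and `Dockerfile.buildkit.alpine` hunks further down.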
@@ -1,154 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull vaultwarden/web-vault:v2023.1.1
-# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
-# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
-# [vaultwarden/web-vault:v2023.1.1]
-#
-FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
-
-########################## BUILD IMAGE ##########################
-FROM rust:1.66-bullseye as build
-
-
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- USER="root"
-
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-#
-# Install required build libs for armel architecture.
-# hadolint ignore=DL3059
-RUN dpkg --add-architecture armel \
- && apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- libssl-dev:armel \
- libc6-dev:armel \
- libpq5:armel \
- libpq-dev:armel \
- libmariadb3:armel \
- libmariadb-dev:armel \
- libmariadb-dev-compat:armel \
- gcc-arm-linux-gnueabi \
- #
- # Make sure cargo has the right target config
- && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
- OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
-
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry
cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-# hadolint ignore=DL3059
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/rpi-debian:bullseye
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-# hadolint ignore=DL3059
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- openssl \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
-# This symlink was there in the buster images, and for some reason this is needed.
-# hadolint ignore=DL3059
-RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
-
-# hadolint ignore=DL3059
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv6/Dockerfile.buildx.alpine b/docker/armv6/Dockerfile.buildx.alpine 
@@ -1,123 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull vaultwarden/web-vault:v2023.1.1
-# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
-# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
-# [vaultwarden/web-vault:v2023.1.1]
-#
-FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
-
-########################## BUILD IMAGE ##########################
-FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build
-
-
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- USER="root"
-
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-# To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
-ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a'
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-musleabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-# hadolint ignore=DL3059
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/rpi-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-# hadolint ignore=DL3059
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- openssl \
- tzdata \
- curl \
- ca-certificates
-
-# hadolint ignore=DL3059
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv7/Dockerfile b/docker/armv7/Dockerfile
@@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM rust:1.66-bullseye as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \
@@ -39,26 +37,24 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal -# -# Install required build libs for armhf architecture. -# hadolint ignore=DL3059 +# Install build dependencies for the armhf architecture RUN dpkg --add-architecture armhf \ && apt-get update \ && apt-get install -y \ --no-install-recommends \ - libssl-dev:armhf \ + gcc-arm-linux-gnueabihf \ libc6-dev:armhf \ - libpq5:armhf \ - libpq-dev:armhf \ - libmariadb3:armhf \ + libcap2-bin \ libmariadb-dev:armhf \ libmariadb-dev-compat:armhf \ - gcc-arm-linux-gnueabihf \ + libmariadb3:armhf \ + libpq-dev:armhf \ + libpq5:armhf \ + libssl-dev:armhf \ # # Make sure cargo has the right target config && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ @@ -71,7 +67,6 @@ ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" - # Creates a dummy project used to grab dependencies RUN USER=root cargo new --bin /app WORKDIR /app @@ -101,9 +96,9 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built 
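Review bot: `libcap2-bin` is added to the build-stage package list of this non-BuildKit Dockerfile, but none of the visible hunks in this file add a `setcap` step (the `@@ -101` hunk only inserts a blank line where the BuildKit variant runs `setcap`), so the package appears unused here. If the template emits the install line unconditionally, a short comment such as `# libcap2-bin is only used by the BuildKit variant` would save the next reader from looking for the missing `setcap`; otherwise drop it from this variant to keep the build stage minimal. The file's other hunks are package reorders and `hadolint` annotation removals and need nothing.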
@@ -113,22 +108,20 @@ ENV ROCKET_PROFILE="release" \ ROCKET_ADDRESS=0.0.0.0 \ ROCKET_PORT=80 -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apt-get update && apt-get install -y \ --no-install-recommends \ - openssl \ ca-certificates \ curl \ libmariadb-dev-compat \ libpq5 \ + openssl \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine @@ -29,8 +29,6 @@ FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fb ########################## BUILD IMAGE ########################## FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build - - # Build time options to avoid dpkg warnings and help with reproducible builds. ENV DEBIAN_FRONTEND=noninteractive \ LANG=C.UTF-8 \ @@ -39,7 +37,6 @@ ENV DEBIAN_FRONTEND=noninteractive \ CARGO_HOME="/root/.cargo" \ USER="root" - # Create CARGO_HOME folder and don't download rust docs RUN mkdir -pv "${CARGO_HOME}" \ && rustup set profile minimal @@ -75,9 +72,9 @@ RUN touch src/main.rs # Builds again, this time it'll just be # your actual source files being built -# hadolint ignore=DL3059 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf + ######################## RUNTIME IMAGE ######################## # Create a new stage with a minimal image # because we already have a binary built @@ -89,18 +86,16 @@ ENV ROCKET_PROFILE="release" \ SSL_CERT_DIR=/etc/ssl/certs -# hadolint ignore=DL3059 RUN [ "cross-build-start" ] # Create data folder and Install needed libraries RUN mkdir /data \ && apk add --no-cache \ - openssl \ - tzdata \ + ca-certificates \ curl \ - ca-certificates + openssl \ + tzdata -# hadolint ignore=DL3059 RUN [ "cross-build-end" ] VOLUME /data diff --git a/docker/armv7/Dockerfile.buildkit b/docker/armv7/Dockerfile.buildkit 
@@ -0,0 +1,147 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull vaultwarden/web-vault:v2023.1.1
+# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
+# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
+# [vaultwarden/web-vault:v2023.1.1]
+#
+FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
+
+########################## BUILD IMAGE ##########################
+FROM rust:1.66-bullseye as build
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+ LANG=C.UTF-8 \
+ TZ=UTC \
+ TERM=xterm-256color \
+ CARGO_HOME="/root/.cargo" \
+ USER="root"
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+ && rustup set profile minimal
+
+# Install build dependencies for the armhf architecture
+RUN dpkg --add-architecture armhf \
+ && apt-get update \
+ && apt-get install -y \
+ --no-install-recommends \
+ gcc-arm-linux-gnueabihf \
+ libc6-dev:armhf \
+ libcap2-bin \
+ libmariadb-dev:armhf \
+ libmariadb-dev-compat:armhf \
+ libmariadb3:armhf \
+ libpq-dev:armhf \
+ libpq5:armhf \
+ libssl-dev:armhf \
+ #
+ # Make sure cargo has the right target config
+ && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
+ && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \
+ && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config"
+
+# Set arm specific environment values
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
+ CROSS_COMPILE="1" \
+ OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
+ OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-gnueabihf
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git
--mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \
+ && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-gnueabihf/release/vaultwarden
+
+######################## RUNTIME IMAGE ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-debian:bullseye
+
+ENV ROCKET_PROFILE="release" \
+ ROCKET_ADDRESS=0.0.0.0 \
+ ROCKET_PORT=80
+
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+ && apt-get update && apt-get install -y \
+ --no-install-recommends \
+ ca-certificates \
+ curl \
+ libmariadb-dev-compat \
+ libpq5 \
+ openssl \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]
diff --git a/docker/armv7/Dockerfile.buildkit.alpine b/docker/armv7/Dockerfile.buildkit.alpine
@@ -0,0 +1,121 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# https://docs.docker.com/develop/develop-images/multistage-build/
+# https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+# click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+# $ docker pull vaultwarden/web-vault:v2023.1.1
+# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
+# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
+#
+# - Conversely, to get the tag name from the digest:
+# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
+# [vaultwarden/web-vault:v2023.1.1]
+#
+FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
+
+########################## BUILD IMAGE ##########################
+FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+ LANG=C.UTF-8 \
+ TZ=UTC \
+ TERM=xterm-256color \
+ CARGO_HOME="/root/.cargo" \
+ USER="root"
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+ && rustup set profile minimal
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-musleabihf
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \
+ && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+
+# Add the `cap_net_bind_service` capability to allow listening on
+# privileged (< 1024) ports even when running as a non-root user.
+# This is only done if building with BuildKit; with the legacy
+# builder, the `COPY` instruction doesn't carry over capabilities.
+RUN setcap cap_net_bind_service=+ep target/armv7-unknown-linux-musleabihf/release/vaultwarden
+
+######################## RUNTIME IMAGE ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+ ROCKET_ADDRESS=0.0.0.0 \
+ ROCKET_PORT=80 \
+ SSL_CERT_DIR=/etc/ssl/certs
+
+
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+ && apk add --no-cache \
+ ca-certificates \
+ curl \
+ openssl \
+ tzdata
+
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]
diff --git a/docker/armv7/Dockerfile.buildx b/docker/armv7/Dockerfile.buildx
@@ -1,149 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-
-# Using multistage build:
-# https://docs.docker.com/develop/develop-images/multistage-build/
-# https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-# click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-# $ docker pull vaultwarden/web-vault:v2023.1.1
-# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1
-# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a]
-#
-# - Conversely, to get the tag name from the digest:
-# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a
-# [vaultwarden/web-vault:v2023.1.1]
-#
-FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault
-
-########################## BUILD IMAGE ##########################
-FROM rust:1.66-bullseye as build
-
-
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- USER="root"
-
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-#
-# Install required build libs for armhf architecture.
-# hadolint ignore=DL3059
-RUN dpkg --add-architecture armhf \
- && apt-get update \
- && apt-get install -y \
- --no-install-recommends \
- libssl-dev:armhf \
- libc6-dev:armhf \
- libpq5:armhf \
- libpq-dev:armhf \
- libmariadb3:armhf \
- libmariadb-dev:armhf \
- libmariadb-dev-compat:armhf \
- gcc-arm-linux-gnueabihf \
- #
- # Make sure cargo has the right target config
- && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
- && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \
- && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
- CROSS_COMPILE="1" \
- OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
- OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
-
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-gnueabihf
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git
--mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-# hadolint ignore=DL3059
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/armv7hf-debian:bullseye
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80
-
-# hadolint ignore=DL3059
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apt-get update && apt-get install -y \
- --no-install-recommends \
- openssl \
- ca-certificates \
- curl \
- libmariadb-dev-compat \
- libpq5 \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# hadolint ignore=DL3059
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/docker/armv7/Dockerfile.buildx.alpine b/docker/armv7/Dockerfile.buildx.alpine
@@ -1,121 +0,0 @@ -# syntax=docker/dockerfile:1 - -# This file was generated using a Jinja2 template. -# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. - -# Using multistage build: -# https://docs.docker.com/develop/develop-images/multistage-build/ -# https://whitfin.io/speeding-up-rust-docker-builds/ -####################### VAULT BUILD IMAGE ####################### -# The web-vault digest specifies a particular web-vault build on Docker Hub. -# Using the digest instead of the tag name provides better security, -# as the digest of an image is immutable, whereas a tag name can later -# be changed to point to a malicious image. -# -# To verify the current digest for a given tag name: -# - From https://hub.docker.com/r/vaultwarden/web-vault/tags, -# click the tag name to view the digest of the image it currently points to. -# - From the command line: -# $ docker pull vaultwarden/web-vault:v2023.1.1 -# $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.1.1 -# [vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a] -# -# - Conversely, to get the tag name from the digest: -# $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a -# [vaultwarden/web-vault:v2023.1.1] -# -FROM vaultwarden/web-vault@sha256:d5f71fb05c4b87935bf51d84140db0f8716cabfe2974fbee6c0c5ee8cf7dab5a as vault - -########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build - - - -# Build time options to avoid dpkg warnings and help with reproducible builds. 
-ENV DEBIAN_FRONTEND=noninteractive \
- LANG=C.UTF-8 \
- TZ=UTC \
- TERM=xterm-256color \
- CARGO_HOME="/root/.cargo" \
- USER="root"
-
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
- && rustup set profile minimal
-
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-musleabihf
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \
- && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-# hadolint ignore=DL3059
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
-
-######################## RUNTIME IMAGE ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/armv7hf-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
- ROCKET_ADDRESS=0.0.0.0 \
- ROCKET_PORT=80 \
- SSL_CERT_DIR=/etc/ssl/certs
-
-
-# hadolint ignore=DL3059
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
- && apk add --no-cache \
- openssl \
- tzdata \
- curl \
- ca-certificates
-
-# hadolint ignore=DL3059
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]
diff --git a/hooks/build b/hooks/build
@@ -34,9 +34,9 @@ for label in "${LABELS[@]}"; do
 LABEL_ARGS+=(--label "${label}")
 done
-# Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildx as template
+# Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildkit as template
 if [[ -n "${DOCKER_BUILDKIT}" ]]; then
- buildx_suffix=.buildx
+ buildkit_suffix=.buildkit
 fi
 set -ex
@@ -45,6 +45,6 @@ for arch in "${arches[@]}"; do
 docker build \
 "${LABEL_ARGS[@]}" \
 -t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \
- -f docker/${arch}/Dockerfile${buildx_suffix}${distro_suffix} \
+ -f docker/${arch}/Dockerfile${buildkit_suffix}${distro_suffix} \
 .
 done
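Review bot: `buildkit_suffix` is expanded on the `-f docker/${arch}/Dockerfile${buildkit_suffix}${distro_suffix}` line, but as far as the visible hunks show it is only ever assigned inside the `if [[ -n "${DOCKER_BUILDKIT}" ]]` branch of the previous hunk (@@ -34); the visible `set -ex` does not enable `-u`, so an unset value currently expands to empty, but an explicit `buildkit_suffix=` before the `if` would make that default deliberate and keep the script working if `set -u` is ever added. The `-f` argument also concatenates three unquoted expansions into one path; writing it as `-f "docker/${arch}/Dockerfile${buildkit_suffix}${distro_suffix}" \` keeps an unexpected space in `arch` or `distro_suffix` from splitting the argument passed to `docker build`. The `for arch` loop enclosing this hunk begins outside it.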