From 96a6b6a351955a84b39b916b43f1666ed5c4ce97 Mon Sep 17 00:00:00 2001
From: minhtrannhat
Date: Fri, 10 May 2024 22:03:23 -0400
Subject: [PATCH] fix(docker): optimize image

- updated `h2` dependency to address security alert
---
 Cargo.lock | 7 +++---
 Cargo.toml | 1 +
 Dockerfile.production | 51 +++++++++++++++++++++++++++++++------------
 3 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index b1c4978..ebbaa40 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -39,7 +39,7 @@ dependencies = [
  "encoding_rs",
  "flate2",
  "futures-core",
- "h2 0.3.25",
+ "h2 0.3.26",
  "http 0.2.12",
  "httparse",
  "httpdate",
@@ -613,6 +613,7 @@ dependencies = [
  "actix-web",
  "chrono",
  "config",
+ "h2 0.3.26",
  "once_cell",
  "reqwest",
  "secrecy",
@@ -843,9 +844,9 @@ checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
 
 [[package]]
 name = "h2"
-version = "0.3.25"
+version = "0.3.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fbd2820c5e49886948654ab546d0688ff24530286bdcf8fca3cefb16d4618eb"
+checksum = "81fe527a889e1532da5c525686d96d4c2e74cdd345badf8dfef9f6b39dd5f5e8"
 dependencies = [
  "bytes",
  "fnv",
diff --git a/Cargo.toml b/Cargo.toml
index 381ff1d..4eb9b7c 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -29,6 +29,7 @@ tracing-log = "0.2.0"
 once_cell = "1.19.0"
 secrecy = { version = "0.8.0", features = ["serde"] }
 tracing-actix-web = "0.7.10"
+h2 = "0.3.26"
 
 [dependencies.sqlx]
 version = "0.7"
diff --git a/Dockerfile.production b/Dockerfile.production
index 1484b84..cebb578 100644
--- a/Dockerfile.production
+++ b/Dockerfile.production
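Review bot: `h2 = "0.3.26"` is added to `[dependencies]` although, as far as the lockfile hunks show, the crate only reaches `h2` transitively through actix-http; unless the code imports `h2` itself, bumping the lock entry alone (`cargo update -p h2 --precise 0.3.26`) would have pulled in the patched version without widening the manifest. If the line is deliberately kept as a version floor, a comment should say so, e.g. `# not used directly: floor so the patched h2 reaches actix-http; drop once upstream requires >=0.3.26`, so the next maintainer does not treat it as an API dependency. Left unexplained, the entry is likely to linger after actix moves to a newer h2 line and may then leave two h2 versions in the lockfile.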
@@ -1,20 +1,43 @@
-# We use the latest Rust stable release as base image
-FROM rust:1.78.0
-# Let's switch our working directory to `app` (equivalent to `cd app`)
-# The `app` folder will be created for us by Docker in case it does not
-# exist already.
-WORKDIR /app
-# Install the required system dependencies for our linking configuration
-RUN apt update && apt install lld clang -y
+# Using the `rust-musl-builder` as base image, instead of
+# the official Rust toolchain
+FROM clux/muslrust:stable AS chef
+USER root
+
+RUN cargo install cargo-chef
+
+WORKDIR /app
+
+FROM chef AS planner
 
-# Copy all files from our working environment to our Docker image
 COPY . .
-# Let's build our binary!
-# We'll use the release profile to make it faaaast
+
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder
+COPY --from=planner /app/recipe.json recipe.json
+
+# Notice that we are specifying the --target flag!
+
+RUN cargo chef cook --release --target x86_64-unknown-linux-musl --recipe-path recipe.json
+
+COPY . .
+
 ENV SQLX_OFFLINE true
-RUN cargo build --release
+
+RUN cargo build --release --target x86_64-unknown-linux-musl --bin email_newsletter_api
+
+FROM alpine AS runtime
+
+WORKDIR /app
+
+RUN addgroup -S myuser && adduser -S myuser -G myuser
+
+COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/email_newsletter_api email_newsletter_api
+
+COPY configuration configuration
+
+USER myuser
 
 ENV APP_ENVIRONMENT production
 
-# When `docker run` is executed, launch the binary!
-ENTRYPOINT ["./target/release/email_newsletter_api"]
+ENTRYPOINT ["./email_newsletter_api"]
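Review bot: Both new stages pull floating images — `FROM clux/muslrust:stable AS chef` and the untagged `FROM alpine AS runtime` (hadolint DL3006/DL3007) — so the build is not reproducible and a registry-side change to either tag silently changes what ships, which undercuts the point of pinning `h2` in the same commit; pin a version and digest, e.g. `FROM alpine:3.19@sha256:<digest-placeholder> AS runtime`. `RUN cargo install cargo-chef` is unpinned for the same reason; `RUN cargo install cargo-chef --locked --version <x.y.z>` keeps the build tooling stable. The header comment names `rust-musl-builder` while the FROM line uses `clux/muslrust`, so it should read `# Using clux/muslrust as the base image, instead of the official Rust toolchain`. Since Cargo.lock lists `reqwest` among the crate's dependencies, the bare alpine runtime may lack CA roots if reqwest is configured to use the system trust store — if that is the case, add `RUN apk add --no-cache ca-certificates` to the runtime stage. The two `COPY . .` lines copy the whole build context into the planner and builder stages; confirm a `.dockerignore` excludes `.git`, `target/` and any local `.env` or configuration files holding credentials.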