fix(docker): optimize image

- updated `h2` dependency to address security alert
2024-05-10 22:03:23 -04:00 · 2024-05-10 22:03:23 -04:00 · 96a6b6a351
commit 96a6b6a351
parent daf914bb8e
3 changed files with 42 additions and 17 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -39,7 +39,7 @@ dependencies = [
 "encoding_rs",
 "flate2",
 "futures-core",
- "h2 0.3.25",
+ "h2 0.3.26",
 "http 0.2.12",
 "httparse",
 "httpdate",
@ -613,6 +613,7 @@ dependencies = [
 "actix-web",
 "chrono",
 "config",
+ "h2 0.3.26",
 "once_cell",
 "reqwest",
 "secrecy",
@ -843,9 +844,9 @@ checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"

 [[package]]
 name = "h2"
-version = "0.3.25"
+version = "0.3.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fbd2820c5e49886948654ab546d0688ff24530286bdcf8fca3cefb16d4618eb"
+checksum = "81fe527a889e1532da5c525686d96d4c2e74cdd345badf8dfef9f6b39dd5f5e8"
 dependencies = [
 "bytes",
 "fnv",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -29,6 +29,7 @@ tracing-log = "0.2.0"
 once_cell = "1.19.0"
 secrecy = { version = "0.8.0", features = ["serde"] }
 tracing-actix-web = "0.7.10"
+h2 = "0.3.26"

 [dependencies.sqlx]
 version = "0.7"
--- a/Dockerfile.production
+++ b/Dockerfile.production
@ -1,20 +1,43 @@
-# We use the latest Rust stable release as base image
-FROM rust:1.78.0
-# Let's switch our working directory to `app` (equivalent to `cd app`)
-# The `app` folder will be created for us by Docker in case it does not
-# exist already.
-WORKDIR /app
-# Install the required system dependencies for our linking configuration
-RUN apt update && apt install lld clang -y
+# Using the `rust-musl-builder` as base image, instead of 
+# the official Rust toolchain
+FROM clux/muslrust:stable AS chef
+USER root
+
+RUN cargo install cargo-chef
+
+WORKDIR /app
+
+FROM chef AS planner

-# Copy all files from our working environment to our Docker image
 COPY . .
-# Let's build our binary!
-# We'll use the release profile to make it faaaast
+
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder
+COPY --from=planner /app/recipe.json recipe.json
+
+# Notice that we are specifying the --target flag!
+
+RUN cargo chef cook --release --target x86_64-unknown-linux-musl --recipe-path recipe.json
+
+COPY . .
+
 ENV SQLX_OFFLINE true
-RUN cargo build --release
+
+RUN cargo build --release --target x86_64-unknown-linux-musl --bin email_newsletter_api
+
+FROM alpine AS runtime
+
+WORKDIR /app
+
+RUN addgroup -S myuser && adduser -S myuser -G myuser
+
+COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/email_newsletter_api email_newsletter_api
+
+COPY configuration configuration
+
+USER myuser

 ENV APP_ENVIRONMENT production

-# When `docker run` is executed, launch the binary!
-ENTRYPOINT ["./target/release/email_newsletter_api"]
+ENTRYPOINT ["./email_newsletter_api"]