ci: single multi-target Dockerfile — slim base-nossl release image, byte-identical binary (#64)
Merged
…SSL/C++)

The release image used distroless/cc, which bundles OpenSSL (libssl3, ~8MB) and the C++ runtime (libstdc++/libgomp). scim-server needs neither:

- it serves plain HTTP (TcpListener + axum::serve); TLS termination is expected at a reverse proxy (hence the X-Forwarded-* host resolution). No server TLS.
- the only TLS is the PostgreSQL client via sqlx + rustls (pure Rust, no OpenSSL).
- no C++ dependencies (SQLite is C, compiled into the binary).

Switch Dockerfile.release to distroless/base-nossl-debian13 — ~12MB smaller and still has glibc + ca-certificates.

Verified: the published v0.4.1 binary serves ServiceProviderConfig and User CRUD on base-nossl.

The self-contained Dockerfile (dev/compose/CI) stays on distroless/cc: plain cargo binaries dynamically link libgcc_s.so.1, which base-nossl omits. The release binaries don't need it because cargo-zigbuild links libgcc statically.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ase)

Replace the two Dockerfiles with one multi-stage Dockerfile so the runtime settings (user/workdir/entrypoint/cmd/expose) live in a single place and can't drift:

- `source` target (default) — compiles from source on rust:1.96-bookworm and runs on distroless/cc (plain cargo binaries dynamically link libgcc_s, which only cc ships). Used by `docker build .`, docker-compose, and the CI check.
- `prebuilt` target — COPYs the prebuilt release binary onto base-nossl (the cargo-zigbuild binaries link libgcc statically, so the smaller base works). release.yml builds it with `--target prebuilt --build-arg RUNTIME=...base-nossl...`.

buildkit only builds the requested target's stages, so `docker build .` skips the prebuilt stage's `COPY bin/` and the release build skips the Rust compile.

No fragile hand-copying of system libraries; both paths use official distroless images with matched libs.

Verified: source target builds/runs; prebuilt target builds from the v0.4.1 binary and runs on base-nossl (51.5MB).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
7259196 to 5426d57
Consolidates the container image story into one Dockerfile and slims the published image.

One multi-target Dockerfile (no more Dockerfile.release)

Runtime settings (user/workdir/entrypoint/cmd/expose) live in a single `runtime` stage so they can't drift between two files. Two final targets:

- `source` (default) — compiles from source (rust:1.96-bookworm) and runs on distroless/cc (plain cargo binaries dynamically link `libgcc_s`, which only `cc` ships). Used by `docker build .`, docker-compose, and the CI build check — local builds still compile from source, no extra steps.
- `prebuilt` — COPYs the exact prebuilt release binary onto distroless/base-nossl (the cargo-zigbuild release binaries link libgcc statically, so the smaller, OpenSSL-free base works). The published image is byte-identical to the released binary. `release.yml` builds it with `--target prebuilt --build-arg RUNTIME=…base-nossl…`.

buildkit only builds the requested target's stages, so `docker build .` skips the prebuilt `COPY bin/`, and the release build skips the Rust compile. No fragile hand-copying of system libraries — both paths use official distroless images with matched libs.

Why base-nossl for the release image

scim-server serves plain HTTP (TLS is terminated at a proxy) and uses rustls for its only TLS (the PostgreSQL client), with no C++ deps. So OpenSSL + libstdc++ from `cc` are unnecessary → base-nossl is ~8–12MB smaller. Verified: the published v0.4.1 binary serves CRUD on base-nossl (51.5MB image).

Verified locally

- `source` target builds and runs (scim-server 0.4.1).
- `prebuilt` target builds from the v0.4.1 release binary and runs on base-nossl.

Note

`ci:`/`build:` change → does not trigger a release on its own. Ships on the next release (Release-As: 0.4.2).

🤖 Generated with Claude Code
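The whole argument of this PR rests on one fact about the binary: which shared libraries its ELF `NEEDED` entries name, and whether the chosen distroless image ships them (a plain `cargo build` binary needs `libgcc_s.so.1`, the cargo-zigbuild binary does not). The script below is an added example, not code from the scim-server project, that makes that check reproducible: it parses the `NEEDED` entries straight from the ELF section headers and compares them with a per-image library inventory. The inventory for `distroless/base-nossl` and `distroless/cc` is an assumption of mine (glibc only vs. glibc plus `libgcc_s`/`libstdc++`/`libgomp`), not something the PR lists, so confirm it against the image you deploy; the file name `check_runtime.py` is likewise hypothetical. Run without arguments it parses a constructed minimal ELF standing in for a plain cargo binary, so it works offline.

```python
"""Check an ELF binary's NEEDED shared libraries against a distroless runtime.

Added example (not scim-server project code). Usage:
    python check_runtime.py target/release/scim-server
With no argument it parses a constructed sample ELF instead.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1

# ASSUMED library inventory of the two distroless images named in the PR
# (not taken from the PR); verify with `ls /lib/x86_64-linux-gnu` in the image.
RUNTIME_LIBS = {
    "distroless/base-nossl": {
        "ld-linux-x86-64.so.2", "libc.so.6", "libm.so.6", "libdl.so.2",
        "libpthread.so.0", "librt.so.1", "libresolv.so.2",
    },
}
RUNTIME_LIBS["distroless/cc"] = RUNTIME_LIBS["distroless/base-nossl"] | {
    "libgcc_s.so.1", "libstdc++.so.6", "libgomp.so.1",
}


def needed_libs(data: bytes) -> list:
    """Return the DT_NEEDED names of a little-endian ELF64 image, in order.

    Walks the section headers to the SHT_DYNAMIC section and reads names from
    the string table it links to. A fully static binary has no dynamic section
    and yields []. Binaries with section headers stripped (sstrip) are out of
    scope for this example; a production tool would use the program headers.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != SHT_DYNAMIC:
            continue
        str_off = sections[sh_link][4]        # file offset of .dynstr
        entsize = sh_entsize or 16            # sizeof(Elf64_Dyn)
        names = []
        for j in range(sh_size // entsize):
            d_tag, d_val = struct.unpack_from("<qQ", data, sh_offset + j * entsize)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                start = str_off + d_val
                names.append(data[start:data.index(b"\0", start)].decode())
        return names
    return []


def missing_libs(needed, runtime: str) -> list:
    """NEEDED libraries that the given runtime image does not provide."""
    return sorted(set(needed) - RUNTIME_LIBS[runtime])


def pick_runtime(needed):
    """Smallest listed runtime satisfying every NEEDED entry, or None."""
    for image in ("distroless/base-nossl", "distroless/cc"):
        if not missing_libs(needed, image):
            return image
    return None


def sample_elf(names=("libgcc_s.so.1", "libc.so.6")) -> bytes:
    """Constructed minimal ELF64 (header, .dynstr, .dynamic, 3 section headers)
    standing in for a plain cargo binary so the parser can be run offline."""
    dynstr, offsets = b"\0", []
    for n in names:
        offsets.append(len(dynstr))
        dynstr += n.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dynstr_off = 64                                   # right after the ELF header
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                       64, 56, 0, 64, 3, 0)

    def shdr(typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, entsize)

    return (ehdr + dynstr + dynamic + shdr(0, 0, 0, 0, 0)
            + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
            + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf()
    needed = needed_libs(data)
    print("NEEDED:", needed or "(none; statically linked)")
    for image in RUNTIME_LIBS:
        print(f"{image}: missing {missing_libs(needed, image) or 'nothing'}")
    print("smallest fitting runtime:", pick_runtime(needed))
```

Running it on both the `cargo build` output and the cargo-zigbuild release artifact before changing `RUNTIME` turns the PR's "verified it runs" into a check CI can fail on: a `NEEDED` entry that no listed image satisfies (`libssl.so.3`, say, if a dependency silently switched from rustls to OpenSSL) reports `None` rather than being discovered at container start.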