feat(Docker): multi-stage Dockerfile with OS-less container

12 months ago · b36473ced9
6 changed files with 93 additions and 61 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1 @@
+.gitignore
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@ -1,20 +1,25 @@
-#
 name: Create and publish a Docker image

-# Configures this workflow to run every time a change is pushed to the branch called `release`.
 on:
  push:
    tags: [ 'v*.*.*' ]
+  release:
+    types: [ released ]
+  workflow_dispatch:

 # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
 env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
+  DEFAULT_OS: scratch

 # There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
 jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ 'scratch', 'ubuntu', 'alpine' ]
    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
    permissions:
      contents: read
@ -34,38 +39,33 @@ jobs:
      
      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
      - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
-      - name: Extract metadata (tags, labels) for Docker
+      - name: Extract metadata (tags, labels) for Docker Image
        id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        uses: docker/metadata-action@v5
        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          # We publish the images with an OS-suffix.
+          # The image based on a default OS is also published without a suffix.
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-${{ matrix.os }}
+            ${{ env.DEFAULT_OS == matrix.os && format('{0}/{1}', env.REGISTRY, env.IMAGE_NAME) || '' }}
      
      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
-      - name: Build gnu and push Docker image
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+      - name: Build and push Docker image (U)
+        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64,linux/arm64
          context: .
-          file: Dockerfile.ubuntu
+          file: Dockerfile
+          target: {{ env.IMAGE_NAME }}-${{ matrix.os }}
          push: true
-          tags: ${{ steps.meta.outputs.tags }}-ubuntu
-          labels: ${{ steps.meta.outputs.labels }}
-      
-      - name: Build musl and push Docker image
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
-        with:
-          platforms: linux/amd64
-          context: .
-          file: Dockerfile.alpine
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}-alpine
+          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
--- a/60
+++ b/60
@ -0,0 +1,60 @@
+####################################################################################################
+# This is a multi-stage Dockerfile.
+# Build with `docker buildx build -t <image-tag> --target <stage> .`
+# For example, to build the Alpine-based image while naming it tun2proxy, run:
+# `docker buildx build -t tun2proxy --target tun2proxy-alpine .`
+####################################################################################################
+
+####################################################################################################
+## glibc builder
+####################################################################################################
+FROM rust:latest AS glibc-builder
+
+    WORKDIR /worker
+    COPY ./ .
+    RUN cargo build --release
+
+####################################################################################################
+## musl builder
+####################################################################################################
+FROM rust:latest AS musl-builder
+
+    WORKDIR /worker
+    COPY ./ .
+    RUN rustup target add x86_64-unknown-linux-musl 
+    RUN cargo build --release --target x86_64-unknown-linux-musl
+
+    RUN mkdir /.etc \
+        && touch /.etc/resolv.conf \
+        && mkdir /.tmp \
+        && chmod 777 /.tmp \
+        && chmod +t /.tmp
+
+####################################################################################################
+## Alpine image
+####################################################################################################
+FROM alpine:latest AS tun2proxy-alpine
+
+    COPY --from=musl-builder /worker/target/x86_64-unknown-linux-musl/release/tun2proxy-bin /usr/bin/tun2proxy-bin
+
+    ENTRYPOINT ["/usr/bin/tun2proxy-bin", "--setup"]
+
+####################################################################################################
+## Ubuntu image
+####################################################################################################
+FROM ubuntu:latest AS tun2proxy-ubuntu
+
+    COPY --from=glibc-builder /worker/target/release/tun2proxy-bin /usr/bin/tun2proxy-bin
+
+    ENTRYPOINT ["/usr/bin/tun2proxy-bin", "--setup"]
+
+####################################################################################################
+## OS-less image (default)
+####################################################################################################
+FROM scratch AS tun2proxy-scratch
+
+    COPY --from=musl-builder ./tmp /tmp
+    COPY --from=musl-builder ./etc /etc
+    COPY --from=musl-builder /worker/target/x86_64-unknown-linux-musl/release/tun2proxy-bin /usr/bin/tun2proxy-bin
+
+    ENTRYPOINT ["/usr/bin/tun2proxy-bin", "--setup"]
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@ -1,18 +0,0 @@
-####################################################################################################
-## Builder
-####################################################################################################
-FROM rust:latest AS builder
-WORKDIR /worker
-COPY ./ .
-RUN rustup target add x86_64-unknown-linux-musl 
-RUN cargo build --release --target x86_64-unknown-linux-musl
-
-####################################################################################################
-## Final image
-####################################################################################################
-FROM alpine:latest
-RUN apk add --no-cache iproute2
-
-COPY --from=builder /worker/target/x86_64-unknown-linux-musl/release/tun2proxy-bin /usr/bin/tun2proxy-bin
-
-ENTRYPOINT ["/usr/bin/tun2proxy-bin", "--setup"]
--- a/Dockerfile.ubuntu
+++ b/Dockerfile.ubuntu
@ -1,20 +0,0 @@
-####################################################################################################
-## Builder
-####################################################################################################
-FROM rust:latest AS builder
-
-WORKDIR /worker
-COPY ./ .
-RUN cargo build --release
-
-
-####################################################################################################
-## Final image
-####################################################################################################
-FROM ubuntu:latest
-
-RUN apt update && apt install -y iproute2 && apt clean all
-
-COPY --from=builder /worker/target/release/tun2proxy-bin /usr/bin/tun2proxy-bin
-
-ENTRYPOINT ["/usr/bin/tun2proxy-bin", "--setup"]
--- a/README.md
+++ b/README.md
@ -177,7 +177,16 @@ supplied as `--proxy http://john.doe:[email protected]:3128`. This works analogousl
 Tun2proxy can serve as a proxy for other Docker containers. To make use of that feature, first build the image:

 ```bash
-docker build -t tun2proxy .
+docker buildx build -t tun2proxy .
+```
+
+This will build an image containing a statically linked `tun2proxy` binary (based on `musl`) without OS.
+
+Alternatively, you can build images based on Ubuntu or Alpine as follows:
+
+```bash
+docker buildx build -t tun2proxy --target tun2proxy-ubuntu .
+docker buildx build -t tun2proxy --target tun2proxy-alpine .
 ```

 Next, start a container from the tun2proxy image:
@ -188,7 +197,7 @@ docker run -d \
 	--sysctl net.ipv6.conf.default.disable_ipv6=0 \
 	--cap-add NET_ADMIN \
 	--name tun2proxy \
-	tun2proxy-bin --proxy proto://[username[:password]@]host:port
+	tun2proxy --proxy proto://[username[:password]@]host:port
 ```

 You can then provide the running container's network to another worker container by sharing the network namespace (like kubernetes sidecar):
@ -200,7 +209,7 @@ docker run -it \
 ```
 ### Docker Compose

-Write a `docker-compose.yaml` file with the following content:
+Create a `docker-compose.yaml` file with the following content:

 ```yaml
 services: