7ef2b59b23
Some checks failed
CI / Rustfmt (push) Successful in 24s
CI / Cargo Audit & Deny (push) Successful in 36s
CI / Security Blocking Checks (push) Successful in 9s
CI / Web Blocking Checks (push) Successful in 48s
CI / Web Advisory Checks (push) Successful in 37s
Publish Images / Resolve Publish Metadata (push) Successful in 2s
CI / Clippy (push) Failing after 1m53s
Publish Images / Publish Docker Dist Bundle (push) Failing after 8s
Publish Images / Publish web (amd64) (push) Successful in 56s
CI / Security Advisory Checks (push) Successful in 38s
Publish Images / Publish web (arm64) (push) Successful in 3m29s
CI / Tests (push) Successful in 9m21s
Publish Images / Build Rust Bundles (amd64) (push) Failing after 12m28s
Publish Images / Build Rust Bundles (arm64) (push) Successful in 12m20s
Publish Images / Publish agent (amd64) (push) Has been skipped
Publish Images / Publish api (amd64) (push) Has been skipped
Publish Images / Publish agent (arm64) (push) Has been skipped
Publish Images / Publish api (arm64) (push) Has been skipped
Publish Images / Publish executor (amd64) (push) Has been skipped
Publish Images / Publish notifier (amd64) (push) Has been skipped
Publish Images / Publish executor (arm64) (push) Has been skipped
Publish Images / Publish notifier (arm64) (push) Has been skipped
Publish Images / Publish manifest attune/agent (push) Has been skipped
Publish Images / Publish manifest attune/api (push) Has been skipped
Publish Images / Publish manifest attune/notifier (push) Has been skipped
Publish Images / Publish manifest attune/executor (push) Has been skipped
Publish Images / Publish manifest attune/web (push) Has been skipped
197 lines
9.4 KiB
Docker
197 lines
9.4 KiB
Docker
# Multi-stage Dockerfile for the Attune injected agent binaries
|
|
#
|
|
# Builds statically-linked `attune-agent` and `attune-sensor-agent` binaries
|
|
# using musl, suitable for injection into arbitrary runtime containers.
|
|
#
|
|
# Stages:
|
|
# builder - Cross-compile with cargo-zigbuild + musl for a fully static binary
|
|
# agent-binary - Minimal scratch image containing just the binary
|
|
# agent-init - BusyBox-based image for use as a Kubernetes init container
|
|
# or Docker Compose volume-populating service (has `cp`)
|
|
#
|
|
# Architecture handling:
|
|
# Uses cargo-zigbuild for cross-compilation, which bundles all necessary
|
|
# cross-compilation toolchains internally. This allows building for any
|
|
# target architecture from any host — e.g., building aarch64 musl binaries
|
|
# on an x86_64 host, or vice versa. This matches the CI/CD pipeline approach.
|
|
#
|
|
# The RUST_TARGET build arg controls the output architecture:
|
|
# x86_64-unknown-linux-musl -> amd64 static binary (default)
|
|
# aarch64-unknown-linux-musl -> arm64 static binary
|
|
#
|
|
# Usage:
|
|
# # Build for the default architecture (x86_64):
|
|
# DOCKER_BUILDKIT=1 docker buildx build --target agent-init -f docker/Dockerfile.agent -t attune-agent:latest .
|
|
#
|
|
# # Build for arm64:
|
|
# DOCKER_BUILDKIT=1 docker buildx build --build-arg RUST_TARGET=aarch64-unknown-linux-musl --target agent-init -f docker/Dockerfile.agent -t attune-agent:latest .
|
|
#
|
|
# # Build the minimal binary-only image:
|
|
# DOCKER_BUILDKIT=1 docker buildx build --target agent-binary -f docker/Dockerfile.agent -t attune-agent:binary .
|
|
#
|
|
# # Use in docker-compose.yaml to populate a shared volume:
|
|
# # agent-init:
|
|
# # image: attune-agent:latest
|
|
# # command: ["cp", "/usr/local/bin/attune-agent", "/shared/attune-agent"]
|
|
# # volumes:
|
|
# # - agent_binary:/shared
|
|
#
|
|
# Note: `attune-agent` lives in the worker crate and `attune-sensor-agent`
|
|
# lives in the sensor crate.
|
|
|
|
ARG RUST_VERSION=1.92
|
|
ARG DEBIAN_VERSION=bookworm
|
|
ARG RUST_TARGET=x86_64-unknown-linux-musl
|
|
|
|
# ============================================================================
|
|
# Stage 1: Builder - Cross-compile a statically-linked binary with musl
|
|
# ============================================================================
|
|
FROM rust:${RUST_VERSION}-${DEBIAN_VERSION} AS builder
|
|
|
|
ARG RUST_TARGET
|
|
|
|
# Install build dependencies.
|
|
# - musl-tools: provides the musl libc headers needed for musl target builds
|
|
# - python3 + pip: needed to install ziglang (zig is the cross-compilation backend)
|
|
# - pkg-config, libssl-dev: needed for native dependency detection during build
|
|
# - file, binutils: for verifying the resulting binaries (file, strip)
|
|
RUN apt-get update && apt-get install -y \
|
|
musl-tools \
|
|
pkg-config \
|
|
libssl-dev \
|
|
ca-certificates \
|
|
file \
|
|
binutils \
|
|
python3 \
|
|
python3-pip \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Install zig (provides cross-compilation toolchains for all architectures)
|
|
# and cargo-zigbuild (cargo subcommand that uses zig as the linker/compiler).
|
|
# This replaces native musl-gcc and avoids the -m64 flag mismatch that occurs
|
|
# when the host arch doesn't match the target arch (e.g., building x86_64 musl
|
|
# binaries on an arm64 host).
|
|
RUN pip3 install --break-system-packages --no-cache-dir ziglang && \
|
|
cargo install --locked cargo-zigbuild
|
|
|
|
# Add the requested musl target for fully static binaries
|
|
RUN rustup target add ${RUST_TARGET}
|
|
|
|
WORKDIR /build
|
|
|
|
# Increase rustc stack size to prevent SIGSEGV during release builds
|
|
ENV RUST_MIN_STACK=67108864
|
|
|
|
# Enable SQLx offline mode — compile-time query checking without a live database
|
|
ENV SQLX_OFFLINE=true
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Dependency caching layer
|
|
# Copy only Cargo metadata first so `cargo fetch` is cached when only source
|
|
# code changes. This follows the same selective-copy optimization pattern as
|
|
# the other active Dockerfiles in this directory.
|
|
# ---------------------------------------------------------------------------
|
|
COPY Cargo.toml Cargo.lock ./
|
|
COPY crates/common/Cargo.toml ./crates/common/Cargo.toml
|
|
COPY crates/api/Cargo.toml ./crates/api/Cargo.toml
|
|
COPY crates/executor/Cargo.toml ./crates/executor/Cargo.toml
|
|
COPY crates/sensor/Cargo.toml ./crates/sensor/Cargo.toml
|
|
COPY crates/core-timer-sensor/Cargo.toml ./crates/core-timer-sensor/Cargo.toml
|
|
COPY crates/worker/Cargo.toml ./crates/worker/Cargo.toml
|
|
COPY crates/notifier/Cargo.toml ./crates/notifier/Cargo.toml
|
|
COPY crates/cli/Cargo.toml ./crates/cli/Cargo.toml
|
|
|
|
# Create minimal stub sources so cargo can resolve the workspace and fetch deps.
|
|
# These are ONLY used for `cargo fetch` — never compiled.
|
|
# NOTE: The worker crate has TWO binary targets and the sensor crate now has
|
|
# two binary targets as well, so we create stubs for all of them.
|
|
RUN mkdir -p crates/common/src && echo "" > crates/common/src/lib.rs && \
|
|
mkdir -p crates/api/src && echo "fn main(){}" > crates/api/src/main.rs && \
|
|
mkdir -p crates/executor/src && echo "fn main(){}" > crates/executor/src/main.rs && \
|
|
mkdir -p crates/executor/benches && echo "fn main(){}" > crates/executor/benches/context_clone.rs && \
|
|
mkdir -p crates/sensor/src && echo "fn main(){}" > crates/sensor/src/main.rs && \
|
|
echo "fn main(){}" > crates/sensor/src/agent_main.rs && \
|
|
mkdir -p crates/core-timer-sensor/src && echo "fn main(){}" > crates/core-timer-sensor/src/main.rs && \
|
|
mkdir -p crates/worker/src && echo "fn main(){}" > crates/worker/src/main.rs && \
|
|
echo "fn main(){}" > crates/worker/src/agent_main.rs && \
|
|
mkdir -p crates/notifier/src && echo "fn main(){}" > crates/notifier/src/main.rs && \
|
|
mkdir -p crates/cli/src && echo "fn main(){}" > crates/cli/src/main.rs
|
|
|
|
# Download all dependencies (cached unless Cargo.toml/Cargo.lock change)
|
|
# registry/git use sharing=shared — cargo handles concurrent reads safely
|
|
RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=shared \
|
|
--mount=type=cache,target=/usr/local/cargo/git,sharing=shared \
|
|
cargo fetch
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Build layer
|
|
# Copy real source code and compile only the agent binaries with musl
|
|
# ---------------------------------------------------------------------------
|
|
COPY migrations/ ./migrations/
|
|
COPY crates/ ./crates/
|
|
|
|
# Build the injected agent binaries, statically linked with musl.
|
|
# Uses cargo-zigbuild so that cross-compilation works regardless of host arch.
|
|
# Uses a dedicated cache ID (agent-target) so the musl target directory
|
|
# doesn't collide with the glibc target cache used by other Dockerfiles.
|
|
RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=shared \
|
|
--mount=type=cache,target=/usr/local/cargo/git,sharing=shared \
|
|
--mount=type=cache,id=agent-target,target=/build/target,sharing=locked \
|
|
cargo zigbuild --release --target ${RUST_TARGET} --bin attune-agent --bin attune-sensor-agent && \
|
|
cp /build/target/${RUST_TARGET}/release/attune-agent /build/attune-agent && \
|
|
cp /build/target/${RUST_TARGET}/release/attune-sensor-agent /build/attune-sensor-agent
|
|
|
|
# Strip the binaries to minimize size.
|
|
# When cross-compiling for a different architecture, the host strip may not
|
|
# understand the foreign binary format. In that case we skip stripping — the
|
|
# binary is still functional, just slightly larger.
|
|
RUN (strip /build/attune-agent 2>/dev/null && echo "stripped attune-agent" || echo "strip skipped for attune-agent (cross-arch binary)") && \
|
|
(strip /build/attune-sensor-agent 2>/dev/null && echo "stripped attune-sensor-agent" || echo "strip skipped for attune-sensor-agent (cross-arch binary)")
|
|
|
|
# Verify the binaries exist and show their details
|
|
RUN ls -lh /build/attune-agent /build/attune-sensor-agent && \
|
|
file /build/attune-agent && \
|
|
file /build/attune-sensor-agent && \
|
|
ldd /build/attune-agent 2>&1 || true && \
|
|
ldd /build/attune-sensor-agent 2>&1 || true
|
|
|
|
# ============================================================================
|
|
# Stage 2: agent-binary - Minimal image with just the static binary
|
|
# ============================================================================
|
|
# This is the smallest possible image — a single static binary on scratch.
|
|
# Useful when you only need to extract the binary (e.g., via COPY --from).
|
|
FROM scratch AS agent-binary
|
|
|
|
COPY --from=builder /build/attune-agent /usr/local/bin/attune-agent
|
|
COPY --from=builder /build/attune-sensor-agent /usr/local/bin/attune-sensor-agent
|
|
|
|
ENTRYPOINT ["/usr/local/bin/attune-agent"]
|
|
|
|
# ============================================================================
|
|
# Stage 3: agent-init - Init container for volume population
|
|
# ============================================================================
|
|
# Uses busybox so we have `cp`, `sh`, etc. for use as a Docker Compose or
|
|
# Kubernetes init container that copies the agent binary into a shared volume.
|
|
#
|
|
# Example docker-compose.yaml usage:
|
|
# agent-init:
|
|
# image: attune-agent:latest
|
|
# command: ["cp", "/usr/local/bin/attune-agent", "/shared/attune-agent"]
|
|
# volumes:
|
|
# - agent_binary:/shared
|
|
#
|
|
# my-worker-container:
|
|
# image: python:3.12
|
|
# command: ["/agent/attune-agent"]
|
|
# volumes:
|
|
# - agent_binary:/agent:ro
|
|
# depends_on:
|
|
# agent-init:
|
|
# condition: service_completed_successfully
|
|
FROM busybox:1.36 AS agent-init
|
|
|
|
COPY --from=builder /build/attune-agent /usr/local/bin/attune-agent
|
|
COPY --from=builder /build/attune-sensor-agent /usr/local/bin/attune-sensor-agent
|
|
|
|
ENTRYPOINT ["/usr/local/bin/attune-agent"]
|