 1  # Multi-stage Alpine-based Containerfile optimized for Podman
 2  # Produces a minimal container image for FerrisProof (~15-20MB)
 3  
 4  # Build stage
 5  FROM docker.io/library/rust:1.75-alpine3.19 AS builder
 6  
 7  # Install build dependencies with version pinning for reproducibility
 8  RUN apk add --no-cache \
 9      musl-dev=1.2.4_git20230717-r4 \
10      pkgconfig=2.0.3-r0 \
11      openssl-dev=3.1.4-r5 \
12      openssl-libs-static=3.1.4-r5 \
13      git=2.42.1-r0 \
14      ca-certificates=20240226-r0
15  
16  # Set environment for static linking and reproducible builds
17  ENV RUSTFLAGS="-C target-feature=-crt-static -C link-arg=-s" \
18      PKG_CONFIG_ALL_STATIC=1 \
19      PKG_CONFIG_ALL_DYNAMIC=0 \
20      CARGO_NET_RETRY=3 \
21      CARGO_NET_TIMEOUT=30
22  
23  # Create app directory
24  WORKDIR /app
25  
26  # Copy manifests first for better layer caching
27  COPY Cargo.toml Cargo.lock ./
28  COPY ferris-proof-cli/Cargo.toml ./ferris-proof-cli/
29  COPY ferris-proof-core/Cargo.toml ./ferris-proof-core/
30  COPY ferris-proof-config/Cargo.toml ./ferris-proof-config/
31  COPY ferris-proof-plugins/Cargo.toml ./ferris-proof-plugins/
32  
33  # Create dummy source files to cache dependencies
34  RUN mkdir -p ferris-proof-cli/src ferris-proof-core/src ferris-proof-config/src ferris-proof-plugins/src && \
35      echo "fn main() {}" > ferris-proof-cli/src/main.rs && \
36      echo "// dummy" > ferris-proof-cli/src/lib.rs && \
37      echo "// dummy" > ferris-proof-core/src/lib.rs && \
38      echo "// dummy" > ferris-proof-config/src/lib.rs && \
39      echo "// dummy" > ferris-proof-plugins/src/lib.rs
40  
41  # Build dependencies (this layer will be cached)
42  RUN cargo build --release && \
43      rm -rf src target/release/deps/ferris_proof*
44  
45  # Copy actual source code
46  COPY . .
47  
48  # Build the application
49  RUN cargo build --release --bin ferris-proof && \
50      strip target/release/ferris-proof
51  
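# Runtime stage - minimal Alpine image with security hardening
# NOTE(review): tag-only pin; add the verified digest
# (alpine:3.19@sha256:<DIGEST-PLACEHOLDER>) for a reproducible base.
FROM docker.io/library/alpine:3.19

# Install minimal runtime dependencies and security updates, then create the
# non-root user with a fixed UID/GID for Podman compatibility.
# NOTE(review): `apk upgrade` pulls whatever is current at build time, so two
# builds of this file can differ; bumping the base image is the reproducible
# way to pick up fixes. The `rm -rf` is redundant with --no-cache but harmless.
RUN apk add --no-cache \
        ca-certificates=20240226-r0 \
        tzdata=2024a-r0 \
    && apk upgrade --no-cache \
    && rm -rf /var/cache/apk/* \
    && addgroup -g 1001 ferrisproof \
    && adduser -D -s /bin/sh -u 1001 -G ferrisproof ferrisproof

# Copy binary from builder stage (stays root-owned, so the runtime user
# cannot modify it)
COPY --from=builder /app/target/release/ferris-proof /usr/local/bin/ferris-proof

# Create workspace directory with proper ownership and permissions
RUN mkdir -p /workspace && \
    chown ferrisproof:ferrisproof /workspace && \
    chmod 755 /workspace && \
    chmod +x /usr/local/bin/ferris-proof

# Switch to the non-root user created above (ferrisproof, UID/GID 1001).
# The numeric form lets runtimes that enforce "must not run as root"
# (e.g. Kubernetes runAsNonRoot) verify the user without resolving a name.
USER 1001:1001

# Set working directory
WORKDIR /workspace

# Health check for container monitoring.
# NOTE(review): Buildah/Podman only record HEALTHCHECK when the image is built
# in docker format; it is dropped for OCI-format images. The probe only shows
# that the binary starts, not that any work is progressing.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD ferris-proof --version || exit 1

# Enhanced OCI labels for better container management
LABEL org.opencontainers.image.title="FerrisProof" \
      org.opencontainers.image.description="Multi-layer correctness pipeline for Rust applications" \
      org.opencontainers.image.vendor="FerrisProof Contributors" \
      org.opencontainers.image.licenses="CC0-1.0" \
      org.opencontainers.image.source="https://github.com/ferris-proof/ferris-proof" \
      org.opencontainers.image.documentation="https://github.com/ferris-proof/ferris-proof/blob/main/README.md" \
      org.opencontainers.image.base.name="docker.io/library/alpine:3.19" \
      org.opencontainers.image.authors="FerrisProof Contributors"

# Default command
ENTRYPOINT ["ferris-proof"]
CMD ["--help"]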