-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathDockerfile.chainguard
More file actions
38 lines (27 loc) · 1.14 KB
/
Dockerfile.chainguard
File metadata and controls
38 lines (27 loc) · 1.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# Multi-stage build for static binary with Chainguard
# This produces a minimal, secure image (~10-15 MB) with zero CVEs
# --- Stage 1: Build static binary with musl ---
FROM rust:alpine AS builder
WORKDIR /usr/src/app
# Install musl development tools for static linking
RUN apk add --no-cache musl-dev
# Copy source code
COPY . .
# Add musl target for Rust
RUN rustup target add x86_64-unknown-linux-musl
# Build static binary with all dependencies compiled in
# Using release profile for optimizations
RUN cargo build --release --target x86_64-unknown-linux-musl
# --- Stage 2: Ultra-minimal Chainguard static runtime ---
# This image contains only: filesystem structure, CA certs, timezone data
# Size: ~2-5 MB base
# CVEs: Typically 0
FROM cgr.dev/chainguard/static:latest
# Copy the static binary from builder
COPY --from=builder /usr/src/app/target/x86_64-unknown-linux-musl/release/rust_loadtest /usr/local/bin/rust_loadtest
# Expose Prometheus metrics port
EXPOSE 9090
# Chainguard images run as non-root user by default (UID 65532)
# No shell available in this image - maximum security
# Run the application
ENTRYPOINT ["/usr/local/bin/rust_loadtest"]