# =============================================================================
# recrypt-server Dockerfile
# Multi-stage build: Debian with OpenFHE + liboqs + Rust
# =============================================================================
# -----------------------------------------------------------------------------
# Stage 1: Build OpenFHE from source
# -----------------------------------------------------------------------------
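# Builds the vendored OpenFHE tree. Only /build/openfhe-install is copied into
# the next stage, so the compiler toolchain installed here stays out of the
# runtime image.
# NOTE(review): the base image is referenced by a mutable tag. For reproducible
# builds, pin it by digest (debian:bookworm-slim@sha256:<digest>).
FROM debian:bookworm-slim AS openfhe-builder

RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        cmake \
        git \
        libomp-dev \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /build

# Copy only OpenFHE source (cached unless submodule changes)
# NOTE(review): the source comes from the build context and its .git link is
# removed below, so nothing in this stage records which upstream commit was
# compiled. Verify the submodule revision before building a release image.
COPY vendor/openfhe-development ./openfhe-development

# Remove .git file (submodule link) - cmake tries git ops otherwise.
# Configure, build and install are driven through cmake -S/-B, --build and
# --install so the step does not depend on `cd`; "$(nproc)" is quoted so the
# job count is always passed as a single argument.
RUN rm -f openfhe-development/.git && \
    mkdir -p openfhe-development/build openfhe-install && \
    cmake -S openfhe-development -B openfhe-development/build \
        -DCMAKE_INSTALL_PREFIX=/build/openfhe-install \
        -DCMAKE_BUILD_TYPE=Release \
        -DBUILD_STATIC=ON \
        -DBUILD_UNITTESTS=OFF \
        -DBUILD_EXAMPLES=OFF \
        -DBUILD_BENCHMARKS=OFF \
        -DWITH_OPENMP=ON && \
    cmake --build openfhe-development/build --parallel "$(nproc)" && \
    cmake --install openfhe-development/build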
# -----------------------------------------------------------------------------
# Stage 2: Build Rust application
# -----------------------------------------------------------------------------
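# Requires Rust 1.85+ for edition 2024
# NOTE(review): rust:1-bookworm is a floating tag that follows each 1.x
# release, so the compiler can change between builds. Pin a tested minor
# version (and digest) when release builds must be reproducible.
FROM rust:1-bookworm AS rust-builder

RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        cmake \
        libclang-dev \
        libomp-dev \
        libssl-dev \
        ninja-build \
        pkg-config \
        protobuf-compiler \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Copy OpenFHE from previous stage
COPY --from=openfhe-builder /build/openfhe-install ./vendor/openfhe-install

# Workspace manifest and lockfile
COPY Cargo.toml Cargo.lock ./

# Copy all source (cxx_build needs actual lib.rs, not stubs)
COPY crates ./crates
COPY recrypt-server ./recrypt-server
COPY recrypt-cli ./recrypt-cli

# Fetch dependencies exactly as recorded in Cargo.lock. This runs after the
# source COPYs above, so the layer is rebuilt whenever any copied source file
# changes, not only when Cargo.lock changes.
RUN cargo fetch --locked

# Build release binaries. --locked makes the build fail instead of resolving
# anything that differs from Cargo.lock, matching the fetch step above.
RUN cargo build --release --locked --bin recrypt-server --bin recrypt

# Strip binaries for smaller image
RUN strip target/release/recrypt-server target/release/recrypt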
# -----------------------------------------------------------------------------
# Stage 3: Minimal runtime image
# -----------------------------------------------------------------------------
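# Runtime image: shared libraries, tini and the two stripped binaries only.
# NOTE(review): the base image is referenced by a mutable tag. Pin it by digest
# (debian:bookworm-slim@sha256:<digest>) for reproducible deployments.
FROM debian:bookworm-slim AS runtime

# wget is present only because the HEALTHCHECK below uses it.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        libgomp1 \
        libssl3 \
        tini \
        wget \
    && rm -rf /var/lib/apt/lists/*

# Create non-root user
# NOTE(review): the account gets whatever system UID useradd allocates and
# USER below names it rather than giving a number. Runtimes that must verify
# "non-root" from image metadata need a numeric UID. Consider assigning a fixed
# one, after checking the ownership of any existing /data volumes.
RUN groupadd -r recrypt && useradd -r -g recrypt recrypt

WORKDIR /app

# Copy binaries from builder. This happens before USER, so the files are owned
# by root and the service account cannot replace its own executables.
COPY --from=rust-builder /app/target/release/recrypt-server ./
COPY --from=rust-builder /app/target/release/recrypt ./

# Create data directory for local file storage. It is the only path handed
# over to the service account.
RUN mkdir -p /data && chown recrypt:recrypt /data

USER recrypt

# Config via env vars (RECRYPT_ prefix)
# RECRYPT_HOST is presumably the bind address: 0.0.0.0 listens on every
# container interface, so reachability is decided by how the port is published.
ENV RECRYPT_HOST=0.0.0.0 \
    RECRYPT_PORT=7222 \
    RECRYPT_STORAGE__BACKEND=memory

EXPOSE 7222

# Use tini as init for proper signal handling
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["./recrypt-server"]

# Health check. The probe runs through the shell, so it follows RECRYPT_PORT
# when the port is overridden at run time and falls back to 7222 otherwise.
# This assumes the server listens on RECRYPT_PORT; confirm against the server config.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider "http://localhost:${RECRYPT_PORT:-7222}/health" || exit 1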