gnosis/lighthouse
1
0
Fork 0
mirror of https://github.com/sigp/lighthouse.git synced 2026-04-21 06:48:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1c635f57a08dab53a57f547bf2f3c74eb539aa7c
lighthouse/Dockerfile.reproducible
antondlr 1c635f57a0 Fix reproducible image: switch to distroless/cc-debian11, copy libssl from builder 
The previous final stage used distroless/cc-debian12 (Bookworm) which carries
no libssl and uses OpenSSL 3, making the Bullseye-built binary non-functional.

- Switch to distroless/cc-debian11:nonroot (pinned by index digest) — same
  Bullseye ABI as the builder, already includes libc and libgcc
- Copy libssl.so.1.1 and libcrypto.so.1.1 from the builder stage into /usr/lib/
  so no package manager is invoked in the final image (stays fully pinned)
- Normalise the arch-specific triplet lib path via a `find` into /libs/ so the
  COPY instructions work identically for both amd64 and arm64 builds

Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
2026-04-20 11:25:18 +02:00

38 lines
1.7 KiB
Docker
Raw Blame History

# Single version tag to maintain for reproducible builds.
# This multi-arch index digest resolves to the correct arch-specific image at build time.
# To update: run `docker manifest inspect rust:X.Y-bullseye --verbose` and replace the digest below.
# rust:1.88-bullseye
ARG RUST_IMAGE="rust:1.88-bullseye@sha256:60c95b78b164bc809090509235ab00797a07740fe8733b48593cd42de72b5ee1"
FROM ${RUST_IMAGE} AS builder
# Install specific version of the build dependencies
RUN apt-get update && apt-get install -y libclang-dev=1:11.0-51+nmu5 cmake=3.18.4-2+deb11u1 libjemalloc-dev=5.2.1-3
ARG RUST_TARGET="x86_64-unknown-linux-gnu"
# Copy the project to the container
COPY ./ /app
WORKDIR /app
# Build the project with the reproducible settings
RUN make build-reproducible
# Move the binary and runtime libs to fixed paths for arch-independent copying below.
RUN mv /app/target/${RUST_TARGET}/release/lighthouse /lighthouse
# libssl and libcrypto live under an arch-specific triplet dir; normalise to /libs/.
RUN mkdir /libs \
&& find /usr/lib -maxdepth 2 \( -name "libssl.so.1.1" -o -name "libcrypto.so.1.1" \) \
-exec cp {} /libs/ \;
# Final image: distroless/cc-debian11 (Bullseye) — matches builder OS for ABI compatibility.
# The cc variant already includes libc + libgcc; we copy libssl/libcrypto from the builder
# so the runtime layer is fully pinned with no package manager invocations.
# gcr.io/distroless/cc-debian11:nonroot
FROM gcr.io/distroless/cc-debian11:nonroot@sha256:f7fa4923556853754e9ff647df410d5711fc4d99a8dafa777ec617cf4a6700f6
COPY --from=builder /libs/libssl.so.1.1 /usr/lib/
COPY --from=builder /libs/libcrypto.so.1.1 /usr/lib/
COPY --from=builder /lighthouse /lighthouse
ENTRYPOINT [ "/lighthouse" ]
Reference in New Issue View Git Blame Copy Permalink