lighthouse/Dockerfile.reproducible
antondlr f0500a01ee Fix reproducible image runtime deps: copy libz from builder, drop libssl COPY
ldd on the built binary shows only libz.so.1 is missing from distroless/cc-debian11;
libssl/libcrypto are statically linked by this build and do not need to be copied.
libstdc++.so.6 and libgcc_s.so.1 are already present in the distroless/cc variant.

Also consolidates the mv + mkdir into a single RUN layer.

Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
2026-04-20 12:49:30 +02:00


# Single version tag to maintain for reproducible builds.
# This multi-arch index digest resolves to the correct arch-specific image at build time.
# To update: run `docker manifest inspect rust:X.Y-bullseye --verbose` and replace the digest below.
# rust:1.88-bullseye
ARG RUST_IMAGE="rust:1.88-bullseye@sha256:60c95b78b164bc809090509235ab00797a07740fe8733b48593cd42de72b5ee1"
FROM ${RUST_IMAGE} AS builder
# Install specific version of the build dependencies
RUN apt-get update && apt-get install -y libclang-dev=1:11.0-51+nmu5 cmake=3.18.4-2+deb11u1 libjemalloc-dev=5.2.1-3
ARG RUST_TARGET="x86_64-unknown-linux-gnu"
# Copy the project to the container
COPY ./ /app
WORKDIR /app
# Build the project with the reproducible settings
RUN make build-reproducible
# Move the binary and runtime libs to fixed paths for arch-independent copying below.
# ldd shows the binary dynamically requires: libz.so.1, libstdc++.so.6, libgcc_s.so.1,
# and glibc — the latter three are already in distroless/cc; only libz needs to be copied.
# libssl/libcrypto are statically linked by this build (no dynamic dep on them).
# libz lives under an arch-specific triplet dir; normalise to /libs/ for a clean COPY below.
RUN mv /app/target/${RUST_TARGET}/release/lighthouse /lighthouse \
    && mkdir /libs \
    && find /lib -maxdepth 3 -name "libz.so.1" -exec cp {} /libs/ \;
# Final image: distroless/cc-debian11 (Bullseye) — matches builder OS for ABI compatibility.
# The cc variant already includes libc, libgcc, and libstdc++.
# gcr.io/distroless/cc-debian11:nonroot
FROM gcr.io/distroless/cc-debian11:nonroot@sha256:f7fa4923556853754e9ff647df410d5711fc4d99a8dafa777ec617cf4a6700f6
COPY --from=builder /libs/libz.so.1 /usr/lib/
COPY --from=builder /lighthouse /lighthouse
ENTRYPOINT [ "/lighthouse" ]
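
The ldd comparison that the commit message and the builder-stage comments rely on can be scripted so the COPY list is re-checked whenever the base image or the build changes. The script below is an added example, not part of the Lighthouse repository; the ldd output and the runtime-image inventory are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which shared libraries must be copied into a minimal runtime image?

# Constructed ldd output for a binary with the dynamic deps named in the Dockerfile comments.
LDD_SAMPLE='    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1b2c400000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f1b2c200000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f1b2c1e0000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1b2c090000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b2bec0000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1b2c800000)'

# Assumed inventory of the runtime image (constructed; list the real one from
# an unpacked copy of the image's filesystem before trusting the result).
RUNTIME_LIBS='ld-linux-x86-64.so.2
libc.so.6
libm.so.6
libgcc_s.so.1
libstdc++.so.6'

# needed_sonames: read ldd output on stdin, print each required soname once.
needed_sonames() {
    awk '
        /linux-vdso|linux-gate/ { next }                  # kernel-provided, not a file
        /statically linked|not a dynamic executable/ { next }
        $2 == "=>" { print $1; next }                     # includes "=> not found" entries
        $1 ~ /^\// { n = split($1, p, "/"); print p[n] }  # loader line: bare absolute path
    ' | sort -u
}

# missing_runtime_libs LDD_TEXT INVENTORY: sonames needed but absent from the inventory.
missing_runtime_libs() {
    printf '%s\n' "$1" | needed_sonames | while IFS= read -r so; do
        printf '%s\n' "$2" | grep -qxF -- "$so" || printf '%s\n' "$so"
    done
}

missing_runtime_libs "$LDD_SAMPLE" "$RUNTIME_LIBS"
```

Any soname this prints that has no matching COPY line in the final stage would leave the binary unable to start in the runtime image; empty output means the inventory already covers every dynamic dependency.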