# Multi-stage build for Squiddish caching proxy
# Uses cross-compilation via xx (no QEMU emulation) for fast multi-arch builds
# Supports: linux/amd64, linux/arm64
#
# Build: docker buildx build --platform linux/amd64,linux/arm64 -t squiddish .
# xx provides cross-compilation helpers (maintained by Docker Inc)
# NOTE(review): both base images below are pinned by tag only. Tags are mutable,
# so pin each one by digest (image:tag@sha256:<digest>) if the build must be
# reproducible and must not pick up a re-pushed tag.
FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1 AS xx
# The builder runs on the build host's architecture and cross-compiles for the target.
FROM --platform=$BUILDPLATFORM rust:1.85-alpine AS builder
# Overlay the whole xx image root onto the builder; this is what provides the
# xx-apk, xx-info and xx-verify commands used by the RUN steps below.
COPY --from=xx / /
# Declared in this stage so the requested target platform is visible to the RUN steps.
ARG TARGETPLATFORM
WORKDIR /build
# Cross-compilation toolchain:
#   clang, lld  compiler and linker that cross-compile natively (no QEMU needed)
#   musl-dev    build-host headers, used when compiling build scripts
#   xx-apk      installs the target-arch musl headers into the correct sysroot
RUN apk add --no-cache \
        clang \
        lld \
        musl-dev \
    && xx-apk add --no-cache musl-dev
# Derive the Rust target triple from the xx target architecture, record it in
# /tmp/rust-target for the later RUN steps, and add that target via rustup.
RUN set -e; \
    triple="$(xx-info march)-unknown-linux-musl"; \
    printf '%s\n' "$triple" > /tmp/rust-target; \
    rustup target add "$triple"
# Select the cross linker and C compiler ONLY when the target architecture
# differs from the build host's. Build scripts are compiled for the HOST with
# the native linker/CC, and overriding those for the host triple would break
# them, so a native build gets an empty cargo config and an empty
# /tmp/target-cc marker.
RUN set -e; \
    triple="$(cat /tmp/rust-target)"; \
    build_arch="$(uname -m)"; \
    target_arch="${triple%%-*}"; \
    mkdir -p .cargo; \
    if [ "$build_arch" = "$target_arch" ]; then \
        touch .cargo/config.toml; \
        echo "" > /tmp/target-cc; \
    else \
        printf '[target.%s]\nlinker = "xx-clang"\n' "$triple" > .cargo/config.toml; \
        echo "xx-clang" > /tmp/target-cc; \
    fi
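# Copy manifests and lock file for reproducible, cacheable dependency builds
COPY Cargo.toml Cargo.lock ./
# Build dependencies only, against a stub crate, so this layer is rebuilt only
# when Cargo.toml or Cargo.lock change.
#   --locked   makes cargo fail instead of re-resolving dependencies when
#              Cargo.lock does not match Cargo.toml, so the image is built from
#              the committed lock file rather than from whatever resolves today.
#   { ...; }   confines the best-effort "|| true" to the cargo invocation. Without
#              the grouping it applies to the whole preceding && chain and also
#              masks a failure of the setup steps (cat, mkdir, echo, touch).
#   CC_<triple with '-' replaced by '_'> is exported only when cross-compiling;
#   presumably it is read by build scripts that compile C code for the target.
# stderr is discarded because the stub build is allowed to fail; the real build
# in the following step is the one that reports errors.
RUN RUST_TARGET="$(cat /tmp/rust-target)" && \
    TARGET_CC="$(cat /tmp/target-cc)" && \
    if [ -n "$TARGET_CC" ]; then \
        CC_VAR="CC_$(echo "$RUST_TARGET" | tr '-' '_')"; \
        export "$CC_VAR=$TARGET_CC"; \
    fi && \
    mkdir src && \
    echo "fn main() {}" > src/main.rs && \
    touch src/lib.rs && \
    { cargo build --release --locked --target "$RUST_TARGET" 2>/dev/null || true; } && \
    rm -rf src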
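# Copy source code
COPY src ./src
COPY tests ./tests
# Build the actual binary and verify it targets the correct platform.
#   --locked    makes cargo fail instead of re-resolving dependencies when
#               Cargo.lock does not match Cargo.toml, so the shipped binary is
#               built from exactly the dependency versions in the lock file.
#   touch       refreshes the source mtimes before the build; presumably so cargo
#               does not reuse artifacts from the stub dependency build.
#   xx-verify   fails the layer if the binary was not built for the target platform.
#   CC_<triple with '-' replaced by '_'> is exported only when cross-compiling.
# Variable expansions are quoted so an unexpected value cannot be word-split.
RUN RUST_TARGET="$(cat /tmp/rust-target)" && \
    TARGET_CC="$(cat /tmp/target-cc)" && \
    if [ -n "$TARGET_CC" ]; then \
        CC_VAR="CC_$(echo "$RUST_TARGET" | tr '-' '_')"; \
        export "$CC_VAR=$TARGET_CC"; \
    fi && \
    touch src/main.rs src/lib.rs && \
    cargo build --release --locked --target "$RUST_TARGET" && \
    xx-verify "target/$RUST_TARGET/release/squiddish" && \
    cp "target/$RUST_TARGET/release/squiddish" /build/squiddish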
# Runtime stage - from scratch for minimal image
# The final image contains only the files copied below: no shell, no package
# manager and no libc.
FROM scratch
# Link this image to the GitHub repository for GHCR permissions
LABEL org.opencontainers.image.source="https://github.com/phrontizo/squiddish"
# Copy CA certificates for HTTPS
# NOTE(review): this trust store is a snapshot of what the builder base image
# shipped at build time; the image has to be rebuilt to pick up CA additions or
# removals.
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Copy the statically linked binary
COPY --from=builder /build/squiddish /squiddish
# Copy license files
COPY LICENCE /LICENCE
COPY THIRD-PARTY-NOTICES /THIRD-PARTY-NOTICES
# Environment variables with defaults
# Size units: B, KB, MB, GB, TB (e.g., "1GB", "512MB", "2.5GB")
# Time units: s, m, h, d (e.g., "5m", "2h", "7d")
# Plain numbers: bytes for sizes, seconds for times
# NOTE(review): SQUIDDISH_BIND_ADDR listens on every container interface. Whether
# squiddish enforces any client access control is not visible in this file, so
# publish port 3128 only to networks whose clients are trusted, or confirm.
# NOTE(review): SQUIDDISH_STRICT_HTTPS presumably controls upstream certificate
# validation - confirm against the application before changing the default.
ENV SQUIDDISH_BIND_ADDR="0.0.0.0:3128" \
SQUIDDISH_MEMORY_SIZE="1GB" \
SQUIDDISH_DISK_SIZE="100GB" \
SQUIDDISH_CACHE_DIR="/cache" \
SQUIDDISH_TTL="7d" \
SQUIDDISH_APT_ENABLED="true" \
SQUIDDISH_APT_LIST_TTL="1h" \
SQUIDDISH_APT_PACKAGE_TTL="30d" \
SQUIDDISH_APT_OTHER_TTL="1d" \
SQUIDDISH_MAX_BODY_SIZE="10GB" \
SQUIDDISH_MAX_CONNECTIONS="1000" \
SQUIDDISH_TIMEOUT="5m" \
SQUIDDISH_STRICT_HTTPS="true" \
RUST_LOG="squiddish=info"
# Run as non-root user
# Numeric UID:GID because a scratch image has no /etc/passwd to resolve names.
USER 1000:1000
# Documentation only; matches the port in SQUIDDISH_BIND_ADDR.
EXPOSE 3128
# NOTE(review): /cache is never created in this image, so the volume mount point
# is likely created root-owned when the container starts and would then not be
# writable by UID 1000. Confirm, or ship a /cache directory owned by 1000:1000.
VOLUME ["/cache"]
# Exec form: squiddish runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["/squiddish"]