From 9a6b2da88c2a8dbb984fe66111c73b649620a1ee Mon Sep 17 00:00:00 2001
From: Jun Kurihara
Date: Wed, 28 Aug 2024 20:17:26 +0900
Subject: [PATCH] feat: rust alpine (musl) build
---
 .github/workflows/release-docker.yml | 39 +++++++++++++++++-----
 docker/Dockerfile-slim | 49 ++++++++++++++++++++++++++++
 docker/docker-compose.yml | 6 ++--
 docker/entrypoint.sh | 38 +++++++++++++++++++--
 4 files changed, 119 insertions(+), 13 deletions(-)
 create mode 100644 docker/Dockerfile-slim
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 62f2a1d..84e2b5a 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -21,6 +21,23 @@ jobs:
 if: ${{ github.event_name == 'push' }} || ${{ github.event_name == 'pull_request' && github.event.pull_request.merged == true }}
 strategy:
 fail-fast: false
+ matrix:
+ include:
+ - target: "default"
+ dockerfile: ./docker/Dockerfile
+ platforms: linux/amd64
+ # Aliases must be used only for release builds
+ aliases: |
+ jqtype/doh-auth-proxy:latest
+ ghcr.io/junkurihara/doh-auth-proxy:latest
+ - target: "slim"
+ dockerfile: ./docker/Dockerfile-slim
+ platforms: linux/amd64
+ tags-suffix: "-slim"
+ # Aliases must be used only for release builds
+ aliases: |
+ jqtype/doh-auth-proxy:slim
+ ghcr.io/junkurihara/doh-auth-proxy:slim
 steps:
 - name: checkout
@@ -55,11 +72,13 @@ jobs:
 context: .
 push: true
 tags: |
- ${{ env.GHCR }}/${{ env.GHCR_IMAGE_NAME }}:latest
- ${{ env.DH_REGISTRY_NAME }}:latest
- file: ./docker/Dockerfile
+ ${{ env.GHCR }}/${{ env.GHCR_IMAGE_NAME }}:latest${{ matrix.tags-suffix }}
+ ${{ env.DH_REGISTRY_NAME }}:latest${{ matrix.tags-suffix }}
+ ${{ matrix.aliases }}
+ file: ${{ matrix.dockerfile }}
 cache-from: type=gha,scope=doh-auth-proxy-latest
 cache-to: type=gha,mode=max,scope=doh-auth-proxy-latest
+ platforms: ${{ matrix.platforms }}
 labels: ${{ steps.meta.outputs.labels }}
 - name: Nightly build and push x86_64
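Review bot: The `default` matrix entry omits `tags-suffix`, so every `${{ matrix.tags-suffix }}` in the later steps relies on a missing matrix property expanding to an empty string; adding `tags-suffix: ""` to that entry would make the intent explicit. The `aliases` values also hard-code registry paths that the build steps otherwise derive from `env.GHCR`, `env.GHCR_IMAGE_NAME` and `env.DH_REGISTRY_NAME`, so a change to those variables would leave the alias tags pointing at the old names. For the default leg the aliases appear to repeat the `:latest` tags the release step already emits, assuming the env values (defined outside the hunk) match these literals.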
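Review bot: Both matrix legs read and write the same GitHub Actions cache scope (`scope=doh-auth-proxy-latest`) although they build different Dockerfiles on different base images, so with `mode=max` each leg's export can displace the other's layers and cache hits become unreliable. Making the scope leg-specific avoids that, e.g. `cache-from: type=gha,scope=doh-auth-proxy-latest${{ matrix.tags-suffix }}` and the same suffix on `cache-to`. The nightly and unstable steps in the next two hunks share the same pattern with their own scopes. The step definitions start outside the hunk, so the `uses:` and `if:` lines are not visible here.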
@@ -69,11 +88,12 @@ jobs:
 context: .
 push: true
 tags: |
- ${{ env.GHCR }}/${{ env.GHCR_IMAGE_NAME }}:nightly
- ${{ env.DH_REGISTRY_NAME }}:nightly
- file: ./docker/Dockerfile
+ ${{ env.GHCR }}/${{ env.GHCR_IMAGE_NAME }}:nightly${{ matrix.tags-suffix }}
+ ${{ env.DH_REGISTRY_NAME }}:nightly${{ matrix.tags-suffix }}
+ file: ${{ matrix.dockerfile }}
 cache-from: type=gha,scope=doh-auth-proxy-nightly
 cache-to: type=gha,mode=max,scope=doh-auth-proxy-nightly
+ platforms: ${{ matrix.platforms }}
 labels: ${{ steps.meta.outputs.labels }}
 - name: Unstable build and push x86_64 for 'feat/*' branches (for development purposes)
@@ -83,11 +103,12 @@ jobs:
 context: .
 push: true
 tags: |
- ${{ env.GHCR }}/${{ env.GHCR_IMAGE_NAME }}:unstable
- ${{ env.DH_REGISTRY_NAME }}:unstable
- file: ./docker/Dockerfile
+ ${{ env.GHCR }}/${{ env.GHCR_IMAGE_NAME }}:unstable${{ matrix.tags-suffix }}
+ ${{ env.DH_REGISTRY_NAME }}:unstable${{ matrix.tags-suffix }}
+ file: ${{ matrix.dockerfile }}
 cache-from: type=gha,scope=doh-auth-proxy-unstable
 cache-to: type=gha,mode=max,scope=doh-auth-proxy-unstable
+ platforms: ${{ matrix.platforms }}
 labels: ${{ steps.meta.outputs.labels }}
 dispatch_release:
diff --git a/docker/Dockerfile-slim b/docker/Dockerfile-slim
new file mode 100644
index 0000000..5e97a48
--- /dev/null
+++ b/docker/Dockerfile-slim
@@ -0,0 +1,49 @@
+########################################
+FROM rust:alpine AS builder
+
+ARG CFLAGS=-Ofast
+ARG BUILD_DEPS=musl-dev
+
+WORKDIR /tmp
+
+COPY . /tmp/
+
+ARG RUSTFLAGS="-C link-arg=-s"
+
+RUN apk add --no-cache ${BUILD_DEPS} &&\
+ echo "Building DoH Auth Proxy from source" && \
+ cargo build --release --no-default-features --package doh-auth-proxy && \
+ strip --strip-all /tmp/target/release/doh-auth-proxy
+
+########################################
+FROM alpine:latest AS runner
+
+LABEL maintainer="Jun Kurihara"
+
+SHELL ["/bin/sh", "-x", "-c"]
+ENV SERIAL 2
+
+ARG RUNTIME_DEPS="logrotate ca-certificates su-exec bash"
+
+RUN apk add --no-cache ${RUNTIME_DEPS} && \
+ update-ca-certificates && \
+ find / -type d -path /proc -prune -o -type f -perm /u+s -exec chmod u-s {} \; && \
+ find / -type d -path /proc -prune -o -type f -perm /g+s -exec chmod g-s {} \; && \
+ mkdir -p /modoh/bin &&\
+ mkdir -p /modoh/log
+
+COPY --from=builder /tmp/target/release/doh-auth-proxy /modoh/bin/doh-auth-proxy
+COPY ./docker/run.sh /modoh
+COPY ./docker/entrypoint.sh /modoh
+
+RUN chmod +x /modoh/run.sh && \
+ chmod +x /modoh/entrypoint.sh
+
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ENV SSL_CERT_DIR=/etc/ssl/certs
+
+EXPOSE 53/udp 53/tcp
+
+CMD ["/modoh/entrypoint.sh"]
+
+ENTRYPOINT ["/modoh/entrypoint.sh"]
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index f7df84d..1e72552 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,11 +1,13 @@
 services:
 doh-proxy:
- image: jqtype/doh-auth-proxy:latest
+ image: jqtype/doh-auth-proxy:slim
+ # image: jqtype/doh-auth-proxy:latest
 container_name: doh-auth-proxy
 ## Uncomment if you build by yourself
 build:
 context: ../
- dockerfile: ./docker/Dockerfile
+ dockerfile: ./docker/Dockerfile-slim
+ # dockerfile: ./docker/Dockerfile
 init: true
 restart: unless-stopped
 ports:
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 3c79d02..0fe15e3 100644
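Review bot: Both stages use floating base tags (`FROM rust:alpine`, `FROM alpine:latest`), so the published `:slim` image is rebuilt from whatever those tags resolve to at build time; pinning each to a version or digest, e.g. `FROM alpine:<version>@sha256:<digest> AS runner`, makes the release reproducible and auditable. The build runs `cargo build --release` without `--locked`, so dependency versions may be re-resolved rather than taken from the lockfile (assuming the repository commits a `Cargo.lock`, which is not visible here). `CMD` and `ENTRYPOINT` are both set to `/modoh/entrypoint.sh`, which hands the script its own path as an argument; keeping only `ENTRYPOINT ["/modoh/entrypoint.sh"]` is probably what is meant. `COPY . /tmp/` sends the whole build context into the builder stage, so a `.dockerignore` excluding `.git` and local credentials is worth confirming.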
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -101,6 +101,27 @@ function setup_ubuntu () {
 fi
 }
+#######################################
+function setup_alpine () {
+ id ${USER} > /dev/null
+ # Check the existence of the user, if not exist, create it.
+ if [ $? -eq 1 ]; then
+ echo "doh-auth-proxy: Create user ${USER} with ${USER_ID}:${GROUP_ID}"
+ addgroup -g ${GROUP_ID} ${USER}
+ adduser -H -D -u ${USER_ID} -G ${USER} ${USER}
+ fi
+
+ # for crontab when logging
+ if ${LOGGING} || ${QUERY_LOGGING} ; then
+ # Set up logrotate
+ setup_logrotate
+
+ # Setup cron
+ cp -f /etc/periodic/daily/logrotate /etc/periodic/15min
+ crond -b -l 8
+ fi
+}
+
 #######################################
 if [ $(whoami) != "root" -o $(id -u) -ne 0 -a $(id -g) -ne 0 ]; then
@@ -109,8 +130,21 @@ if [ $(whoami) != "root" -o $(id -u) -ne 0 -a $(id -g) -ne 0 ]; then
 exit 1
 fi
-# set up user and cron for ubuntu base image
-setup_ubuntu
+# Check gosu or su-exec, determine linux distribution, and set up user
+if [ $(command -v gosu) ]; then
+ # Ubuntu Linux
+ alias gosu='gosu'
+ setup_ubuntu
+ LINUX="Ubuntu"
+elif [ $(command -v su-exec) ]; then
+ # Alpine Linux
+ alias gosu='su-exec'
+ setup_alpine
+ LINUX="Alpine"
+else
+ echo "Unknown distribution!"
+ exit 1
+fi
 # Check the given user and its uid:gid
 if [ $(id -u ${USER}) -ne ${USER_ID} -a $(id -g ${USER}) -ne ${GROUP_ID} ]; then
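Review bot: `if ${LOGGING} || ${QUERY_LOGGING} ; then` in `setup_alpine` runs the contents of those variables as commands, and the script insists on running as root, so any value other than a literal `true`/`false` is either executed with root privileges or fails with a confusing error. A string comparison is safer: `if [ "${LOGGING}" = "true" ] || [ "${QUERY_LOGGING}" = "true" ]; then` (the variables are set outside the hunk, so confirm the accepted values). The expansions in `id ${USER}`, `addgroup -g ${GROUP_ID} ${USER}` and `adduser ... ${USER}` are unquoted and their exit statuses unchecked; quote them and stop when user creation fails, since the later privilege drop depends on that account. `[ $? -eq 1 ]` also misses other non-zero `id` results, which `if ! id "${USER}" > /dev/null 2>&1; then` would cover.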
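Review bot: `alias gosu='su-exec'` only works if the interpreter expands aliases inside scripts; bash does not do so non-interactively unless `shopt -s expand_aliases` is set, and the slim image installs bash. The shebang and the later `gosu` call sites are outside the hunk, so this needs confirming, but under bash the Alpine privilege-drop command would resolve to a missing `gosu` binary. A function behaves the same in both shells: `gosu() { su-exec "$@"; }` in the Alpine branch, with the no-op `alias gosu='gosu'` dropped. The detection tests rely on an unquoted command substitution inside `[ ]`; `if command -v gosu > /dev/null 2>&1; then` states the check directly.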