Commit 8caefe4

docs: update Rust build guide for public Docker Hardened Images
1 parent 21f4de5 commit 8caefe4

1 file changed

+58
-89
lines changed

content/guides/rust/build-images.md

Lines changed: 58 additions & 89 deletions
@@ -50,7 +50,7 @@ This utility will walk you through creating the following files with sensible de
5050
Let's get started!
5151

5252
? What application platform does your project use? Rust
53-
? What version of Rust do you want to use? 1.91.1
53+
? What version of Rust do you want to use? 1.92.0
5454
? What port does your server listen on? 8000
5555
```
5656

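Review bot: The prompt answer at new line 53 is now `1.92.0`, but the Dockerfile later in this same change sets `ARG RUST_VERSION=1.92`, directly under the comment "Make sure RUST_VERSION matches the Rust version". The previous text used `1.91.1` in both places. Use the same form in both (the full patch version, or the minor tag with a sentence explaining that the Dockerfile tracks it on purpose) so a reader comparing their `docker init` answers with the guide does not see a mismatch.
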
@@ -73,73 +73,24 @@ They help reduce vulnerabilities and simplify compliance. For more details, see
7373
{{< tabs >}}
7474
{{< tab name="Using Docker Hardened Images" >}}
7575

76-
Docker Hardened Images (DHIs) are available for Rust in the Hardened Image catalog. Unlike the official image, you must first mirror the Rust DHI into your Docker organization.
77-
Follow the [DHI quickstart](/dhi/get-started/) to mirror the `dhi-rust` repository. Mirrored repositories must start with `dhi-`, for example:
78-
`FROM <your-namespace>/dhi-rust:${RUST_VERSION}-alpine`.
76+
Docker Hardened Images (DHIs) are publicly available and can be used directly as base images.
77+
To pull Docker Hardened Images, authenticate once with Docker:
7978

80-
The following Dockerfile is equivalent to the one generated by `docker init`, but it uses a Rust DHI as the build base image:
81-
82-
```dockerfile {title=Dockerfile}
83-
# Make sure RUST_VERSION matches the Rust version
84-
ARG RUST_VERSION=1.91.1
85-
ARG APP_NAME=docker-rust-hello
86-
87-
################################################################################
88-
# Create a stage for building the application.
89-
FROM <your-namespace>/dhi-rust:${RUST_VERSION}-alpine AS build
90-
ARG APP_NAME
91-
WORKDIR /app
92-
93-
# Install host build dependencies.
94-
RUN apk add --no-cache clang lld musl-dev git
95-
96-
# Build the application.
97-
RUN --mount=type=bind,source=src,target=src \
98-
--mount=type=bind,source=Cargo.toml,target=Cargo.toml \
99-
--mount=type=bind,source=Cargo.lock,target=Cargo.lock \
100-
--mount=type=cache,target=/app/target/ \
101-
--mount=type=cache,target=/usr/local/cargo/git/db \
102-
--mount=type=cache,target=/usr/local/cargo/registry/ \
103-
cargo build --locked --release && \
104-
cp ./target/release/$APP_NAME /bin/server
105-
106-
################################################################################
107-
# Runtime stage with minimal dependencies.
108-
FROM alpine:3.18 AS final
109-
110-
# Create a non-privileged user that the app will run under.
111-
ARG UID=10001
112-
RUN adduser \
113-
--disabled-password \
114-
--gecos "" \
115-
--home "/nonexistent" \
116-
--shell "/sbin/nologin" \
117-
--no-create-home \
118-
--uid "${UID}" \
119-
appuser
120-
USER appuser
121-
122-
# Copy the executable from the "build" stage.
123-
COPY --from=build /bin/server /bin/
79+
```bash
80+
docker login
81+
```
12482

125-
# Configure rocket to listen on all interfaces.
126-
ENV ROCKET_ADDRESS=0.0.0.0
127-
# Expose the port that the application listens on.
128-
EXPOSE 8000
129-
130-
# What the container should run when it is started.
131-
CMD ["/bin/server"]
83+
Use DHIs from the dhi.io registry, for example:
13284

85+
```bash
86+
FROM dhi.io/rust:${RUST_VERSION}-alpine AS build
13387
```
134-
{{< /tab >}}
135-
{{< tab name="Using the official Rust image" >}}
13688

137-
By default, docker init creates a multi-stage Dockerfile that uses the official Rust image
138-
in the build stage and Alpine as the runtime image. For example:
89+
The following Dockerfile is equivalent to the one generated by `docker init`, but it uses a Rust DHI as the build base image:
13990

14091
```dockerfile {title=Dockerfile}
14192
# Make sure RUST_VERSION matches the Rust version
142-
ARG RUST_VERSION=1.91.1
93+
ARG RUST_VERSION=1.92
14394
ARG APP_NAME=docker-rust-hello
14495

14596
################################################################################
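
Review bot: The login step at new lines 77-81 runs `docker login` with no registry argument, which authenticates to Docker Hub by default, while the next paragraph pulls from `dhi.io`. If credentials have to be presented to that registry, name it in the command (`docker login dhi.io`); if a Hub login is enough, say why. At new lines 85-87 the `FROM dhi.io/rust:${RUST_VERSION}-alpine AS build` snippet is fenced as `bash`, but it is a Dockerfile instruction, so tag it `dockerfile` to keep readers from pasting it into a shell. With the second `{{< tab >}}` removed, the `{{< tabs >}}` group opened at line 73 appears to be left with a single tab; consider dropping the wrapper if nothing else remains in it.
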
@@ -163,7 +114,7 @@ RUN --mount=type=bind,source=src,target=src \
163114
cp ./target/release/$APP_NAME /bin/server
164115

165116
################################################################################
166-
# Runtime stage with minimal dependencies.
117+
# Create a new stage for running the application that contains the minimal
167118
FROM alpine:3.18 AS final
168119

169120
# Create a non-privileged user that the app will run under.
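
Review bot: The replacement comment at new line 117, `# Create a new stage for running the application that contains the minimal`, stops mid-sentence; the continuation line is missing, so either add it or keep the one-line original `# Runtime stage with minimal dependencies.`. The runtime stage directly below is still `FROM alpine:3.18 AS final`, so only the build stage moves to a hardened image; it is worth stating explicitly in the guide that the final image base is not a DHI.
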
@@ -183,6 +134,7 @@ COPY --from=build /bin/server /bin/
183134

184135
# Configure rocket to listen on all interfaces.
185136
ENV ROCKET_ADDRESS=0.0.0.0
137+
186138
# Expose the port that the application listens on.
187139
EXPOSE 8000
188140

@@ -225,30 +177,47 @@ $ docker build --tag docker-rust-image .
225177
You should see output like the following.
226178

227179
```console
228-
[+] Building 2.2s (18/18) FINISHED
229-
=> [internal] load build definition from Dockerfile 0.0s
230-
=> => transferring dockerfile: 2.92kB 0.0s
231-
=> resolve image config for docker-image://docker.io/docker/dockerfile:1 1.2s
232-
=> [auth] docker/dockerfile:pull token for registry-1.docker.io 0.0s
233-
=> => resolve docker.io/docker/dockerfile:1@sha256:b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6 0.0s
234-
=> [internal] load metadata for docker.io/library/alpine:3.18 0.8s
235-
=> [internal] load metadata for docker.io/library/rust:1.91.1-alpine 0.7s
236-
=> [auth] library/rust:pull token for registry-1.docker.io 0.0s
237-
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
238-
=> [internal] load .dockerignore 0.0s
239-
=> => transferring context: 683B 0.0s
240-
=> [build 1/4] FROM docker.io/library/rust:1.91.1-alpine@sha256:3419c5212b75ce4e7786b71bd2bd49587a2481f8b42ca685d719d265a11c7e96 0.0s
241-
=> => resolve docker.io/library/rust:1.91.1-alpine@sha256:3419c5212b75ce4e7786b71bd2bd49587a2481f8b42ca685d719d265a11c7e96 0.0s
242-
=> [final 1/3] FROM docker.io/library/alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f 0.0s
243-
=> => resolve docker.io/library/alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f 0.0s
244-
=> [internal] load build context 0.0s
245-
=> => transferring context: 265B 0.0s
246-
=> exporting to image 0.0s
247-
=> => exporting layers 0.0s
248-
=> => exporting manifest sha256:0c9f89589c2bf35bbeb642222fe8c42d2479ee6e9c9028a57aeeacf591aa5375 0.0s
249-
=> => exporting config sha256:09a032b66ff64682e6c4a74896017e33854169b5ceb0e51603597d1d2a68358d 0.0s
250-
=> => naming to docker.io/library/docker-rust-image:latest 0.0s
251-
=> => unpacking to docker.io/library/docker-rust-image:latest
180+
[+] Building 85.0s (18/18) FINISHED docker:desktop-linux
181+
=> [internal] load build definition from Dockerfile 0.0s
182+
=> => transferring dockerfile: 2.88kB 0.0s
183+
=> resolve image config for docker-image://docker.io/docker/dockerfile:1 0.8s
184+
=> [auth] docker/dockerfile:pull token for registry-1.docker.io 0.0s
185+
=> CACHED docker-image://docker.io/docker/dockerfile:1@sha256:b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6 0.0s
186+
=> => resolve docker.io/docker/dockerfile:1@sha256:b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6 0.0s
187+
=> [internal] load metadata for docker.io/library/rust:1.92-alpine 1.3s
188+
=> [internal] load metadata for docker.io/library/alpine:3.18 0.5s
189+
=> [auth] library/rust:pull token for registry-1.docker.io 0.0s
190+
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
191+
=> [internal] load .dockerignore 0.0s
192+
=> => transferring context: 646B 0.0s
193+
=> [build 1/4] FROM docker.io/library/rust:1.92-alpine@sha256:f6c22e0a256c05d44fca23bf530120b5d4a6249a393734884281ca80782329bc 9.0s
194+
=> => resolve docker.io/library/rust:1.92-alpine@sha256:f6c22e0a256c05d44fca23bf530120b5d4a6249a393734884281ca80782329bc 0.1s
195+
=> => sha256:4150afa531694b681cd299599f1d2391c5f4a409844096124ffc475e4eb1ea2f 268.07MB / 268.07MB 6.6s
196+
=> => sha256:1074353eec0db2c1d81d5af2671e56e00cf5738486f5762609ea33d606f88612 3.86MB / 3.86MB 0.4s
197+
=> => sha256:14182cde8de9d61826651827a8dd082edaa51d4a5a8e9567c2a1e416e32c75e8 75.12MB / 75.12MB 1.9s
198+
=> => extracting sha256:1074353eec0db2c1d81d5af2671e56e00cf5738486f5762609ea33d606f88612 0.1s
199+
=> => extracting sha256:14182cde8de9d61826651827a8dd082edaa51d4a5a8e9567c2a1e416e32c75e8 0.8s
200+
=> => extracting sha256:4150afa531694b681cd299599f1d2391c5f4a409844096124ffc475e4eb1ea2f 1.9s
201+
=> [final 1/3] FROM docker.io/library/alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f 0.1s
202+
=> => resolve docker.io/library/alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f 0.1s
203+
=> [internal] load build context 0.1s
204+
=> => transferring context: 41.56kB 0.0s
205+
=> CACHED [final 2/3] RUN adduser --disabled-password --gecos "" --home "/nonexistent" --shell "/sbin/nologin" --no-create-home --uid "10001" appuse 0.0s
206+
=> [build 2/4] WORKDIR /app 0.4s
207+
=> [build 3/4] RUN apk add --no-cache clang lld musl-dev git 2.8s
208+
=> [build 4/4] RUN --mount=type=bind,source=src,target=src --mount=type=bind,source=Cargo.toml,target=Cargo.toml --mount=type=bind,source=Cargo.lock,target=Cargo.lock 69.9s
209+
=> [final 3/3] COPY --from=build /bin/server /bin/ 0.1s
210+
=> exporting to image 0.4s
211+
=> => exporting layers 0.3s
212+
=> => exporting manifest sha256:46028e22a9d976f062b51b2444bf0ccaf3930637e70fe576c8185029e2d91927 0.0s
213+
=> => exporting config sha256:948f75c524906ae8444ec8fc8b95b9e773878b5b5123586391f54e34aad4c493 0.0s
214+
=> => exporting attestation manifest sha256:71e9aac25186f83b404bd91433d72a5a764a378c6f5ef75098da92a9990483f7 0.0s
215+
=> => exporting manifest list sha256:c713a4f71c510999215a4a3e7f225fea7c9a26df118504906486a6e934f0beb0 0.0s
216+
=> => naming to docker.io/library/docker-rust-image:latest 0.0s
217+
=> => unpacking to docker.io/library/docker-rust-image:latest 0.0s
218+
219+
View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/zudqyd9mk3zaq1bl1h6q7vsiz
220+
252221
```
253222

254223
## View local images
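
Review bot: The sample output added at new lines 187-194 resolves the build stage from `docker.io/library/rust:1.92-alpine`, which is the official Docker Hub image, not `dhi.io/rust:${RUST_VERSION}-alpine` as the text added earlier in this change says the Dockerfile uses. Regenerate the output from the DHI-based Dockerfile, or state which variant produced it. The trailing `View build details: docker-desktop://dashboard/build/...` line at new line 219 is specific to one local Docker Desktop session and can be dropped from the docs.
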
@@ -260,7 +229,7 @@ To list images, run the `docker images` command.
260229
```console
261230
$ docker images
262231
REPOSITORY TAG IMAGE ID CREATED SIZE
263-
docker-rust-image latest 0c9f89589c2b 3 minutes ago 123MB
232+
docker-rust-image latest 41423bf3040a 3 minutes ago 5.33MB
264233
```
265234

266235
You should see at least one image listed, including the image you just built `docker-rust-image:latest`.
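
Review bot: The new `IMAGE ID` `41423bf3040a` at new line 232 does not correspond to any digest in the sample build output earlier in this change (manifest `46028e22a9d9...`, config `948f75c52490...`, manifest list `c713a4f71c51...`), whereas the old value `0c9f89589c2b` matched the old exported manifest digest. The two outputs look like they come from different builds; capture both from the same run so a reader who cross-checks the ID against the build log gets a match. The same ID is repeated in the two later `docker images` hunks.
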
@@ -284,8 +253,8 @@ Now, run the `docker images` command to see a list of the local images.
284253
```console
285254
$ docker images
286255
REPOSITORY TAG IMAGE ID CREATED SIZE
287-
docker-rust-image latest 0c9f89589c2b 4 minutes ago 123MB
288-
docker-rust-image v1.0.0 0c9f89589c2b 4 minutes ago 123MB
256+
docker-rust-image latest 41423bf3040a 4 minutes ago 5.33MB
257+
docker-rust-image v1.0.0 41423bf3040a 4 minutes ago 5.33MB
289258
```
290259

291260
You can see that two images start with `docker-rust-image`. You know they're the same image because if you take a look at the `IMAGE ID` column, you can see that the values are the same for the two images.
@@ -302,7 +271,7 @@ Note that the response from Docker tells you that Docker didn't remove the image
302271
```console
303272
$ docker images
304273
REPOSITORY TAG IMAGE ID CREATED SIZE
305-
docker-rust-image latest 0c9f89589c2b 6 minutes ago 123MB
274+
docker-rust-image latest 41423bf3040a 6 minutes ago 5.33MB
306275
```
307276

308277
Docker removed the image tagged with `:v1.0.0`, but the `docker-rust-image:latest` tag is available on your machine.
