feat: dockerize iroh services #494
Conversation
xtask/src/main.rs
Outdated
| .args([ | ||
| "build", | ||
| "-t", | ||
| format!("{}:distroless", image).as_str(), |
There was a problem hiding this comment.
this tags images in the form iroh-one:distroless... that's probably wrong
There was a problem hiding this comment.
yeah, for starters let's do :commit_hash and then builders can also tag with latest
docker/Dockerfile.iroh-gateway
Outdated
|
|
||
| COPY ../ . | ||
|
|
||
| RUN cargo build --bin iroh-gateway --release |
There was a problem hiding this comment.
Can we build with cargo build --profile ci --bin iroh-gateway. This uses the release profile we want to maintain for binaries (additional perf optimizations & slimmer binaries) and also makes future changes simple .toml changes instead of needing to touch all scripts.
There was a problem hiding this comment.
how about we do one-better & create a docker profile that matches ci so they can change independently?
There was a problem hiding this comment.
sgtm, I can push that update then
There was a problem hiding this comment.
pretty sure I can handle in this PR, it's just a change to the workspace Cargo.toml, right?
docker/Dockerfile.iroh-gateway
Outdated
|
|
||
| # Copy our build, changing owndership to distroless-provided "nonroot" user, | ||
| # (65532:65532) | ||
| COPY --from=builder --chown=65532:65532 /iroh/target/release/iroh-gateway ./ |
There was a problem hiding this comment.
I would love to validate the file descriptor limits get raised/set correctly.
There was a problem hiding this comment.
I believe these are set at runtime, no?
There was a problem hiding this comment.
Yes, but docker is weird. It sets up to max ~65k at runtime but if not root the "hard limit" specified on the system level might be low (usually 1024). Since it's a non-root user, we might hit that easily. The proper thing should be setting the FD limit on the image directly as the system level config. Then the runtime can self manage.
There was a problem hiding this comment.
NVM just confirmed, this should be handled by the host system running docker, either by configuring the docker runner directly or supplying --ulimit=12321312 when running stuff. Either way think this is a solid point for docs.
docker/Dockerfile.iroh-one
Outdated
|
|
||
| COPY ../ . | ||
|
|
||
| RUN cargo build --bin iroh-one --release |
docker/Dockerfile.iroh-one
Outdated
| USER nonroot | ||
|
|
||
| # expose gateway port | ||
| EXPOSE 9050 |
There was a problem hiding this comment.
Unsure what the current story on iroh-one <> rpc api is but might want to open 4400-4403 too
docker/Dockerfile.iroh-p2p
Outdated
|
|
||
| COPY ../ . | ||
|
|
||
| RUN cargo build --bin iroh-p2p --release |
docker/Dockerfile.iroh-p2p
Outdated
| USER nonroot | ||
|
|
||
| # expose the default RPC port | ||
| EXPOSE 4401 |
There was a problem hiding this comment.
This is just the RPC port, we also have 4444 for all the p2p traffic as a default.
b5
force-pushed
the
b5/dockerize
branch
2 times, most recently
from
9c1606b
to
ee69474
Compare
building this in arm64 first because compiling amd64 on an M1 mac is slow to the point of not working. This'll take a while to get into a usable place, but I'd welcome any feedback / input / docker tips along the wayUpdate: I think this is in a pretty good spot for review. Seems to work well on my machine, going to try these same Dockerfiles on an an x86 machine tonight.
As with all docker nonsense, this is more searching the web & waiting on compilation than actually doing anything. My main article was How to Create Small Docker Images For Rust. I steered away from alpine after reading this article on the slowness of the MUSL allocator, which alpine relies upon. I haven't tested if those numbers are real.
So far the distroless project has been nice to work with.