diff --git a/content/guides/rust/build-images.md b/content/guides/rust/build-images.md index d2e414274728..9d9ba3b26459 100644 --- a/content/guides/rust/build-images.md +++ b/content/guides/rust/build-images.md @@ -50,7 +50,7 @@ This utility will walk you through creating the following files with sensible de Let's get started! ? What application platform does your project use? Rust -? What version of Rust do you want to use? 1.70.0 +? What version of Rust do you want to use? 1.92.0 ? What port does your server listen on? 8000 ``` @@ -62,6 +62,165 @@ directory: - compose.yaml - README.Docker.md +## Choose a base image + +Before editing your Dockerfile, you need to choose a base image. You can use the [Rust Docker Official Image](https://hub.docker.com/_/rust), +or a [Docker Hardened Image (DHI)](https://hub.docker.com/hardened-images/catalog/dhi/rust). + +Docker Hardened Images (DHIs) are minimal, secure, and production-ready base images maintained by Docker. +They help reduce vulnerabilities and simplify compliance. For more details, see [Docker Hardened Images](/dhi/). + +{{< tabs >}} +{{< tab name="Using Docker Hardened Images" >}} + +Docker Hardened Images (DHIs) are publicly available and can be used directly as base images. +To pull Docker Hardened Images, authenticate once with Docker: + +```bash +docker login dhi.io +``` + +Use DHIs from the dhi.io registry, for example: + +```bash +FROM dhi.io/rust:${RUST_VERSION}-alpine3.22-dev AS build +``` + +The following Dockerfile is equivalent to the one generated by `docker init`, but it uses a Rust DHI as the build base image: + +```dockerfile {title=Dockerfile} +# Make sure RUST_VERSION matches the Rust version +ARG RUST_VERSION=1.92 +ARG APP_NAME=docker-rust-hello + +################################################################################ +# Create a stage for building the application. +################################################################################ + +FROM dhi.io/rust:${RUST_VERSION}-alpine3.22-dev AS build +ARG APP_NAME +WORKDIR /app + +# Install host build dependencies. +RUN apk add --no-cache clang lld musl-dev git + +# Build the application. +RUN --mount=type=bind,source=src,target=src \ + --mount=type=bind,source=Cargo.toml,target=Cargo.toml \ + --mount=type=bind,source=Cargo.lock,target=Cargo.lock \ + --mount=type=cache,target=/app/target/ \ + --mount=type=cache,target=/usr/local/cargo/git/db \ + --mount=type=cache,target=/usr/local/cargo/registry/ \ + cargo build --locked --release && \ + cp ./target/release/$APP_NAME /bin/server + +################################################################################ +# Create a new stage for running the application that contains the minimal +# We use dhi.io/static for the final stage because it’s a minimal Docker Hardened Image runtime (basically “just # enough OS to run the binary”), which helps keep the image small and with a lower attack surface compared to a # # full Alpine/Debian runtime. +################################################################################ + +FROM dhi.io/static:20250419 AS final + +# Create a non-privileged user that the app will run under. +ARG UID=10001 +RUN adduser \ + --disabled-password \ + --gecos "" \ + --home "/nonexistent" \ + --shell "/sbin/nologin" \ + --no-create-home \ + --uid "${UID}" \ + appuser +USER appuser + +# Copy the executable from the "build" stage. +COPY --from=build /bin/server /bin/ + +# Configure rocket to listen on all interfaces. +ENV ROCKET_ADDRESS=0.0.0.0 + +# Expose the port that the application listens on. +EXPOSE 8000 + +# What the container should run when it is started. +CMD ["/bin/server"] + +``` + +{{< /tab >}} +{{< tab name="Using the Docker Official Images" >}} + +```dockerfile {title=Dockerfile} +# Pin the Rust toolchain version used in the build stage. +ARG RUST_VERSION=1.92 + +# Name of the compiled binary produced by Cargo (must match Cargo.toml package name). +ARG APP_NAME=docker-rust-hello + +################################################################################ +# Build stage (DOI Rust image) +# This stage compiles the application. +################################################################################ + +FROM docker.io/library/rust:${RUST_VERSION}-alpine AS build + +# Re-declare args inside the stage if you want to use them here. +ARG APP_NAME + +# All build steps happen inside /app. +WORKDIR /app + +# Install build dependencies needed to compile Rust crates on Alpine +RUN apk add --no-cache clang lld musl-dev git + +# Build the application +RUN --mount=type=bind,source=src,target=src \ + --mount=type=bind,source=Cargo.toml,target=Cargo.toml \ + --mount=type=bind,source=Cargo.lock,target=Cargo.lock \ + --mount=type=cache,target=/app/target/ \ + --mount=type=cache,target=/usr/local/cargo/git/db \ + --mount=type=cache,target=/usr/local/cargo/registry/ \ + cargo build --locked --release && \ + cp ./target/release/$APP_NAME /bin/server + +################################################################################ +# Runtime stage (DOI Alpine image) +# This stage runs the already-compiled binary with minimal dependencies. +################################################################################ + +FROM docker.io/library/alpine:3.18 AS final + +# Create a non-privileged user (recommended best practice) +ARG UID=10001 +RUN adduser \ + --disabled-password \ + --gecos "" \ + --home "/nonexistent" \ + --shell "/sbin/nologin" \ + --no-create-home \ + --uid "${UID}" \ + appuser + +# Drop privileges for runtime. +USER appuser + +# Copy only the compiled binary from the build stage. +COPY --from=build /bin/server /bin/ + +# Rocket: listen on all interfaces inside the container. +ENV ROCKET_ADDRESS=0.0.0.0 + +# Document the port your app listens on. +EXPOSE 8000 + +# Start the application. +CMD ["/bin/server"] +``` +{{< /tab >}} +{{< /tabs >}} + + + For building an image, only the Dockerfile is necessary. Open the Dockerfile in your favorite IDE or text editor and see what it contains. To learn more about Dockerfiles, see the [Dockerfile reference](/reference/dockerfile.md). @@ -85,33 +244,40 @@ Docker uses "latest" as its default tag. Build the Docker image. ```console -$ docker build --tag docker-rust-image . +$ docker build --tag docker-rust-image-dhi . ``` You should see output like the following. ```console -[+] Building 62.6s (14/14) FINISHED - => [internal] load .dockerignore 0.1s - => => transferring context: 2B 0.0s - => [internal] load build definition from Dockerfile 0.1s - => => transferring dockerfile: 2.70kB 0.0s - => resolve image config for docker.io/docker/dockerfile:1 2.3s - => CACHED docker-image://docker.io/docker/dockerfile:1@sha256:39b85bbfa7536a5feceb7372a0817649ecb2724562a38360f4d6a7782a409b14 0.0s - => [internal] load metadata for docker.io/library/debian:bullseye-slim 1.9s - => [internal] load metadata for docker.io/library/rust:1.70.0-slim-bullseye 1.7s - => [build 1/3] FROM docker.io/library/rust:1.70.0-slim-bullseye@sha256:585eeddab1ec712dade54381e115f676bba239b1c79198832ddda397c1f 0.0s - => [internal] load build context 0.0s - => => transferring context: 35.29kB 0.0s - => [final 1/3] FROM docker.io/library/debian:bullseye-slim@sha256:7606bef5684b393434f06a50a3d1a09808fee5a0240d37da5d181b1b121e7637 0.0s - => CACHED [build 2/3] WORKDIR /app 0.0s - => [build 3/3] RUN --mount=type=bind,source=src,target=src --mount=type=bind,source=Cargo.toml,target=Cargo.toml --mount= 57.7s - => CACHED [final 2/3] RUN adduser --disabled-password --gecos "" --home "/nonexistent" --shell "/sbin/nologin" 0.0s - => CACHED [final 3/3] COPY --from=build /bin/server /bin/ 0.0s - => exporting to image 0.0s - => => exporting layers 0.0s - => => writing image sha256:f1aa4a9f58d2ecf73b0c2b7f28a6646d9849b32c3921e42adc3ab75e12a3de14 0.0s - => => naming to docker.io/library/docker-rust-image +[+] Building 1.4s (13/13) FINISHED docker:desktop-linux + => [internal] load build definition from Dockerfile 0.0s + => => transferring dockerfile: 1.67kB 0.0s + => [internal] load metadata for dhi.io/static:20250419 1.1s + => [internal] load metadata for dhi.io/rust:1.92-alpine3.22-dev 1.2s + => [auth] static:pull token for dhi.io 0.0s + => [auth] rust:pull token for dhi.io 0.0s + => [internal] load .dockerignore 0.0s + => => transferring context: 646B 0.0s + => [build 1/3] FROM dhi.io/rust:1.92-alpine3.22-dev@sha256:49eb72825a9e15fe48f2c4875a63c7e7f52a5b430bb52b8254b91d132aa5bf38 0.0s + => => resolve dhi.io/rust:1.92-alpine3.22-dev@sha256:49eb72825a9e15fe48f2c4875a63c7e7f52a5b430bb52b8254b91d132aa5bf38 0.0s + => [final 1/2] FROM dhi.io/static:20250419@sha256:74fc43fa240887b8159970e434244039aab0c6efaaa9cf044004cdc22aa2a34d 0.0s + => => resolve dhi.io/static:20250419@sha256:74fc43fa240887b8159970e434244039aab0c6efaaa9cf044004cdc22aa2a34d 0.0s + => [internal] load build context 0.0s + => => transferring context: 117B 0.0s + => CACHED [build 2/3] WORKDIR /build 0.0s + => CACHED [build 3/3] RUN --mount=type=bind,source=src,target=src --mount=type=bind,source=Cargo.toml,target=Cargo.toml --mount=type=bind,source=Cargo.lock,target=Cargo 0.0s + => CACHED [final 2/2] COPY --from=build /build/target/release/docker-rust-hello /server 0.0s + => exporting to image 0.1s + => => exporting layers 0.0s + => => exporting manifest sha256:cc937bbdd712ef6e5445501f77e02ef8455ef64c567598786d46b7b21a4d4fa8 0.0s + => => exporting config sha256:077507b483af4b5e1a928e527e4bb3a4aaf0557e1eea81cd39465f564c187669 0.0s + => => exporting attestation manifest sha256:11b60e7608170493da1fdd88c120e2d2957f2a72a22edbc9cfbdd0dd37d21f89 0.0s + => => exporting manifest list sha256:99a1b925a8d6ebf80e376b8a1e50cd806ec42d194479a3375e1cd9d2911b4db9 0.0s + => => naming to docker.io/library/docker-rust-image-dhi:latest 0.0s + => => unpacking to docker.io/library/docker-rust-image-dhi:latest 0.0s + +View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/yczk0ijw8kc5g20e8nbc8r6lj ``` ## View local images @@ -122,11 +288,11 @@ To list images, run the `docker images` command. ```console $ docker images -REPOSITORY TAG IMAGE ID CREATED SIZE -docker-rust-image latest 8cae92a8fbd6 3 minutes ago 123MB +IMAGE ID DISK USAGE CONTENT SIZE EXTRA +docker-rust-image-dhi:latest 99a1b925a8d6 11.6MB 2.45MB U ``` -You should see at least one image listed, including the image you just built `docker-rust-image:latest`. +You should see at least one image listed, including the image you just built `docker-rust-image-dhi:latest`. ## Tag images @@ -146,31 +312,29 @@ Now, run the `docker images` command to see a list of the local images. ```console $ docker images -REPOSITORY TAG IMAGE ID CREATED SIZE -docker-rust-image latest 8cae92a8fbd6 4 minutes ago 123MB -docker-rust-image v1.0.0 8cae92a8fbd6 4 minutes ago 123MB -rust latest be5d294735c6 4 minutes ago 113MB +IMAGE ID DISK USAGE CONTENT SIZE EXTRA +docker-rust-image-dhi:latest 99a1b925a8d6 11.6MB 2.45MB U +docker-rust-image-dhi:v1.0.0 99a1b925a8d6 11.6MB 2.45MB U ``` -You can see that two images start with `docker-rust-image`. You know they're the same image because if you take a look at the `IMAGE ID` column, you can see that the values are the same for the two images. +You can see that two images start with `docker-rust-image-dhi`. You know they're the same image because if you take a look at the `IMAGE ID` column, you can see that the values are the same for the two images. Remove the tag you just created. To do this, use the `rmi` command. The `rmi` command stands for remove image. ```console -$ docker rmi docker-rust-image:v1.0.0 -Untagged: docker-rust-image:v1.0.0 +$ docker rmi docker-rust-image-dhi:v1.0.0 +Untagged: docker-rust-image-dhi:v1.0.0 ``` Note that the response from Docker tells you that Docker didn't remove the image, but only "untagged" it. You can check this by running the `docker images` command. ```console $ docker images -REPOSITORY TAG IMAGE ID CREATED SIZE -docker-rust-image latest 8cae92a8fbd6 6 minutes ago 123MB -rust latest be5d294735c6 6 minutes ago 113MB +IMAGE ID DISK USAGE CONTENT SIZE EXTRA +docker-rust-image-dhi:latest 99a1b925a8d6 11.6MB 2.45MB U ``` -Docker removed the image tagged with `:v1.0.0`, but the `docker-rust-image:latest` tag is available on your machine. +Docker removed the image tagged with `:v1.0.0`, but the `docker-rust-image-dhi:latest` tag is available on your machine. ## Summary @@ -182,6 +346,7 @@ Related information: - [.dockerignore file](/reference/dockerfile.md#dockerignore-file) - [docker init CLI reference](/reference/cli/docker/init.md) - [docker build CLI reference](/reference/cli/docker/buildx/build.md) +- [Docker Hardened Images](/dhi/) ## Next steps diff --git a/content/guides/rust/run-containers.md b/content/guides/rust/run-containers.md index f02194d365ce..9cf3d99eb7cc 100644 --- a/content/guides/rust/run-containers.md +++ b/content/guides/rust/run-containers.md @@ -24,7 +24,7 @@ To run an image inside of a container, you use the `docker run` command. The `do Use `docker run` to run the image you built in [Build your Rust image](build-images.md). ```console -$ docker run docker-rust-image +$ docker run docker-rust-image-dhi ``` After running this command, you’ll notice that you weren't returned to the command prompt. This is because your application is a server that runs in a loop waiting for incoming requests without returning control back to the OS until you stop the container. @@ -50,7 +50,7 @@ To publish a port for your container, you’ll use the `--publish` flag (`-p` fo You didn't specify a port when running the application in the container and the default is 8000. If you want your previous request going to port 8000 to work, you can map the host's port 3001 to the container's port 8000: ```console -$ docker run --publish 3001:8000 docker-rust-image +$ docker run --publish 3001:8000 docker-rust-image-dhi ``` Now, rerun the curl command. Remember to open a new terminal. @@ -74,8 +74,8 @@ Press ctrl-c to stop the container. This is great so far, but your sample application is a web server and you don't have to be connected to the container. Docker can run your container in detached mode or in the background. To do this, you can use the `--detach` or `-d` for short. Docker starts your container the same as before but this time will "detach" from the container and return you to the terminal prompt. ```console -$ docker run -d -p 3001:8000 docker-rust-image -ce02b3179f0f10085db9edfccd731101868f58631bdf918ca490ff6fd223a93b +$ docker run -d -p 3001:8000 docker-rust-image-dhi +3e4830e7f01304811d97dd3469d47a0c7a916a8b6c28ce0ef19c6f689a521144 ``` Docker started your container in the background and printed the Container ID on the terminal. @@ -99,8 +99,8 @@ Since you ran your container in the background, how do you know if your containe You should see output like the following. ```console -CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES -3074745e412c docker-rust-image "/bin/server" 8 seconds ago Up 7 seconds 0.0.0.0:3001->8000/tcp wonderful_kalam +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +3e4830e7f013 docker-rust-image-dhi "/server" 23 seconds ago Up 22 seconds 0.0.0.0:3001->8000/tcp, [::]:3001->8000/tcp youthful_lamport ``` The `docker ps` command provides a bunch of information about your running containers. You can see the container ID, the image running inside the container, the command that was used to start the container, when it was created, the status, ports that were exposed, and the name of the container. @@ -108,8 +108,8 @@ The `docker ps` command provides a bunch of information about your running conta You are probably wondering where the name of your container is coming from. Since you didn’t provide a name for the container when you started it, Docker generated a random name. You’ll fix this in a minute, but first you need to stop the container. To stop the container, run the `docker stop` command which does just that, stops the container. You need to pass the name of the container or you can use the container ID. ```console -$ docker stop wonderful_kalam -wonderful_kalam +$ docker stop youthful_lamport +youthful_lamport ``` Now, rerun the `docker ps` command to see a list of running containers. @@ -125,14 +125,10 @@ You can start, stop, and restart Docker containers. When you stop a container, i ```console $ docker ps -a -CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS - NAMES -3074745e412c docker-rust-image "/bin/server" 3 minutes ago Exited (0) 6 seconds ago - wonderful_kalam -6cfa26e2e3c9 docker-rust-image "/bin/server" 14 minutes ago Exited (0) 5 minutes ago - friendly_montalcini -4cbe94b2ea0e docker-rust-image "/bin/server" 15 minutes ago Exited (0) 14 minutes ago - tender_bose +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +3e4830e7f013 docker-rust-image-dhi "/server" About a minute ago Exited (0) 28 seconds ago youthful_lamport +60009b7eaf40 docker-rust-image-dhi "/server" 2 minutes ago Exited (0) About a minute ago sharp_noyce +152e1d7d9eea docker-rust-image-dhi "/server ." 4 minutes ago Exited (0) 2 minutes ago magical_bhabha ``` You should now see several containers listed. These are containers that you started and stopped but you haven't removed. @@ -140,20 +136,17 @@ You should now see several containers listed. These are containers that you star Restart the container that you just stopped. Locate the name of the container you just stopped and replace the name of the container in following restart command. ```console -$ docker restart wonderful_kalam +$ docker restart youthful_lamport ``` -Now list all the containers again using the `docker ps` command. +Now list all the containers again using the `docker ps --all` command. ```console $ docker ps --all -CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS - NAMES -3074745e412c docker-rust-image "/bin/server" 6 minutes ago Up 4 seconds 0.0.0.0:3001->8000/tcp wonderful_kalam -6cfa26e2e3c9 docker-rust-image "/bin/server" 16 minutes ago Exited (0) 7 minutes ago - friendly_montalcini -4cbe94b2ea0e docker-rust-image "/bin/server" 18 minutes ago Exited (0) 17 minutes ago - tender_bose +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +3e4830e7f013 docker-rust-image-dhi "/server" 3 minutes ago Up 7 seconds 0.0.0.0:3001->8000/tcp, [::]:3001->8000/tcp youthful_lamport +60009b7eaf40 docker-rust-image-dhi "/server" 4 minutes ago Exited (0) 3 minutes ago sharp_noyce +152e1d7d9eea docker-rust-image-dhi "/server ." 5 minutes ago Exited (0) 4 minutes ago magical_bhabha ``` Notice that the container you just restarted has been started in detached mode. Also, observe the status of the container is "Up X seconds". When you restart a container, it starts with the same flags or commands that it was originally started with. @@ -161,8 +154,8 @@ Notice that the container you just restarted has been started in detached mode. Now, stop and remove all of your containers and take a look at fixing the random naming issue. Stop the container you just started. Find the name of your running container and replace the name in the following command with the name of the container on your system. ```console -$ docker stop wonderful_kalam -wonderful_kalam +$ docker stop youthful_lamport +youthful_lamport ``` Now that you have stopped all of your containers, remove them. When you remove a container, it's no longer running, nor is it in the stopped status, but the process inside the container has been stopped and the metadata for the container has been removed. @@ -170,10 +163,10 @@ Now that you have stopped all of your containers, remove them. When you remove a To remove a container, run the `docker rm` command with the container name. You can pass multiple container names to the command using a single command. Again, replace the container names in the following command with the container names from your system. ```console -$ docker rm wonderful_kalam friendly_montalcini tender_bose -wonderful_kalam -friendly_montalcini -tender_bose +$ docker rm youthful_lamport friendly_montalcini tender_bose +youthful_lamport +sharp_noyce +magical_bhabha ``` Run the `docker ps --all` command again to see that Docker removed all containers. @@ -183,11 +176,11 @@ Now, it's time to address the random naming issue. Standard practice is to name To name a container, you just need to pass the `--name` flag to the `docker run` command. ```console -$ docker run -d -p 3001:8000 --name docker-rust-container docker-rust-image +$ docker run -d -p 3001:8000 --name docker-rust-container docker-rust-image-dhi 1aa5d46418a68705c81782a58456a4ccdb56a309cb5e6bd399478d01eaa5cdda $ docker ps -CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES -c68fa18de1f6 docker-rust-image "/bin/server" 7 seconds ago Up 6 seconds 0.0.0.0:3001->8000/tcp docker-rust-container +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +219b2e3c7c38 docker-rust-image-dhi "/server" 6 seconds ago Up 5 seconds 0.0.0.0:3001->8000/tcp, [::]:3001->8000/tcp docker-rust-container ``` That’s better! You can now easily identify your container based on the name.