Clément BREISCH dba6c430d2
Remove redundant scripts/Makefile, fix cleanup job (2025-12-21 23:13:14 +00:00)

Rust Builder Image

Multi-architecture Rust builder image for distroless projects. This image serves as the foundation for building secure, minimal container images for various services.

Features

  • Ubuntu Noble Base: Built on Ubuntu 24.04 LTS with security repositories enabled
  • Multi-Architecture Support: Native builds for linux/amd64 and linux/arm64
  • Rust 1.92.0: Latest stable Rust toolchain with rustup, rustfmt, and clippy
  • Architecture-Optimized: Per-architecture Cargo configuration for optimal performance
  • Security First: Ubuntu security repos enabled, cargo-audit built-in, automated vulnerability scanning
  • Optimized Build Performance: LLD linker with architecture-specific CPU targeting
  • Non-Root User: Runs as UID 51410 (builder user) for enhanced security
  • Production-Ready: Gated build pipeline with automated security scanning and compliance checks

Quick Start

Pull the Image

# Latest stable Rust version
docker pull git.breis.ch/images/builder-rust:latest

# Specific Rust version
docker pull git.breis.ch/images/builder-rust:1.92.0

Image Tags

The image is tagged with the following strategy:

  • latest: Only applied when the Rust version in the image matches the latest stable release. This ensures latest always points to the most recent stable Rust toolchain.
  • <rust-version>: Specific Rust version (e.g., 1.92.0). Always applied.
  • <semver>: Git tag versions (e.g., 1.0.0, 1.0, 1). Applied when creating git tags.
  • dev-<sha>: Development builds from non-main branches.

Example: If Rust 1.92.0 is the latest stable:

  • Push to main → tags: latest, 1.92.0

If Rust 1.93.0 is released (and you still use 1.92.0):

  • Push to main → tags: 1.92.0 (no latest)
  • To get latest, update .metadata.yml to Rust 1.93.0
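The four tagging rules above, written out as a shell function so the outcome for a given push can be checked locally. This is an added example and not the project's workflow code; the argument names and the decision that only main or tag builds may move latest (a feature branch never does, even when versions match) are assumptions not spelled out in the README.

```shell
#!/bin/sh
# Added example, not the project's workflow code: the tagging rules as a
# function that prints the tags to apply, separated by single spaces.
#   $1 IMAGE_RUST     Rust version inside the image (e.g. 1.92.0)
#   $2 LATEST_STABLE  current stable Rust release as resolved by CI
#   $3 GIT_REF        refs/heads/<branch> or refs/tags/<semver>
#   $4 GIT_SHA        commit id used for dev-<sha> tags
# Assumption (not stated in the README): "latest" is only considered for main
# or tag builds, so a development branch can never move the latest tag.
compute_tags() {
  image_rust=$1
  latest_stable=$2
  git_ref=$3
  git_sha=$4

  # <rust-version> is always applied.
  tags=$image_rust

  case "$git_ref" in
    refs/heads/main|refs/tags/*)
      # "latest" only when the image's Rust matches the latest stable release.
      if [ "$image_rust" = "$latest_stable" ]; then
        tags="$tags latest"
      fi
      ;;
  esac

  case "$git_ref" in
    refs/tags/*)
      # <semver>: a git tag 1.0.0 yields 1.0.0, 1.0 and 1.
      semver=${git_ref#refs/tags/}
      major=${semver%%.*}
      minor=${semver#*.}
      minor=${minor%%.*}
      tags="$tags $semver $major.$minor $major"
      ;;
    refs/heads/main)
      ;;
    refs/heads/*)
      # dev-<sha> for development builds from non-main branches.
      tags="$tags dev-$git_sha"
      ;;
  esac

  printf '%s\n' "$tags"
}

# Demonstration with constructed inputs: a push to main while 1.92.0 is the
# latest stable release, then the same push after 1.93.0 has been released.
compute_tags 1.92.0 1.92.0 refs/heads/main 0123abc
compute_tags 1.92.0 1.93.0 refs/heads/main 0123abc
```

Because the Rust version tag is applied on every build, the function reproduces the README's behaviour where a push after a newer Rust release still updates 1.92.0 but leaves latest untouched.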

Use as Base Image

FROM git.breis.ch/images/builder-rust:latest AS builder

WORKDIR /workspace

# Copy your Rust project
COPY . .

# Build your application
RUN cargo build --release

# Create distroless runtime image
FROM gcr.io/distroless/cc-debian12
COPY --from=builder /workspace/target/release/your-app /app
CMD ["/app"]

Interactive Development

docker run -it --rm -v "$(pwd)":/workspace git.breis.ch/images/builder-rust:latest bash

Image Details

Installed Tools

Rust Toolchain:

  • rustc 1.92.0
  • cargo with optimized configuration
  • rustfmt (code formatter)
  • clippy (linter)
  • rustup (toolchain manager)

Native Compilation Targets:

  • AMD64 images: x86_64-unknown-linux-gnu
  • ARM64 images: aarch64-unknown-linux-gnu

Each architecture image includes only its native target (no cross-compilation).

Security Tools:

  • cargo-audit (Rust dependency vulnerability scanner)

Note: Image security scanning (Trivy, Hadolint, etc.) is performed externally by CI/CD workflows, not embedded in the image.

System Libraries:

  • OpenSSL development libraries
  • PostgreSQL client libraries
  • Compression libraries (zlib, lz4, zstd)

Cargo Configuration

The image includes an architecture-specific optimized Cargo configuration located at /usr/local/cargo/config.toml:

  • LLD Linker: Faster build times compared to the default linker
  • LTO Enabled: Link-Time Optimization for release builds
  • Symbol Stripping: Automatic symbol stripping for smaller binaries
  • Architecture-Specific Optimizations:
    • AMD64 images: Optimized for x86-64-v2 (SSE3, SSSE3, SSE4.1, SSE4.2, POPCNT)
    • ARM64 images: Optimized for neoverse-n1 (modern ARM servers/cloud)
  • Sparse Registry Protocol: Faster crate index updates

Each architecture image only contains configurations relevant to that architecture, reducing bloat and improving build performance.
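To make the per-architecture split concrete, the following added example generates a Cargo configuration carrying the settings listed above for one architecture only, the way each image ships just its native section. It is not the config.toml from the image; the exact TOML keys, the use of the "cc" linker driver with -fuse-ld=lld, and the mapping of the bullets onto Cargo's config format are assumptions.

```shell
#!/bin/sh
# Added example, not the config.toml shipped in the image: emit a Cargo
# configuration for a single architecture. Keys, the "cc" linker driver and
# the -fuse-ld=lld flag are assumptions drawn from the README's bullet list.
cargo_config_for_arch() {
  case "$1" in
    x86_64|amd64)  target=x86_64-unknown-linux-gnu;  cpu=x86-64-v2 ;;
    aarch64|arm64) target=aarch64-unknown-linux-gnu; cpu=neoverse-n1 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
  cat <<EOF
# Only the native target is configured; the other architecture is omitted.
[target.$target]
linker = "cc"
rustflags = ["-C", "link-arg=-fuse-ld=lld", "-C", "target-cpu=$cpu"]

[profile.release]
lto = true
strip = true

[registries.crates-io]
protocol = "sparse"
EOF
}

# Print the configuration matching the host this script runs on
# (uname -m reports x86_64 or aarch64 on the two supported platforms).
cargo_config_for_arch "$(uname -m)" || echo "no configuration for this host" >&2
```

Redirect the output to a config.toml to compare it with the one in the image; a binary built with target-cpu=x86-64-v2 will not run on CPUs older than that baseline, which is why the setting belongs in a per-architecture file rather than in a project's own Cargo.toml.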

Multi-Architecture Support

This image is built and distributed as a multi-architecture manifest. Docker automatically selects the correct architecture for your platform.

Verify the manifest:

docker buildx imagetools inspect git.breis.ch/images/builder-rust:latest

Pull a specific architecture:

docker pull --platform linux/amd64 git.breis.ch/images/builder-rust:latest
docker pull --platform linux/arm64 git.breis.ch/images/builder-rust:latest

Security

This image undergoes continuous security scanning with automated build failures on HIGH or CRITICAL vulnerabilities.

Security Features:

  • Non-root user (UID 51410)
  • Ubuntu 24.04 LTS with security repositories enabled
  • Automated vulnerability scanning (Trivy, Grype)
  • SBOM (Software Bill of Materials) generated for every build

Vulnerability Information:

Compliance

Automated compliance checks ensure:

  • Dockerfile passes Hadolint linting
  • Image size under 2GB
  • All Rust tools functional
  • Security tools operational
  • Container runs as non-root
  • OCI annotations present
  • Multi-architecture manifest valid
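Local equivalents of the checks above, as an added example rather than the project's CI workflow. The 2GB limit and UID 51410 are taken from this README; the set of OCI annotation keys that must be present and the exact tool commands run inside the container are assumptions. Each check function takes plain values so it can be exercised without Docker, and run_compliance_checks wires them to docker for a real image reference.

```shell
#!/bin/sh
# Added example, not the project's CI workflow: local compliance checks.
# MAX_IMAGE_BYTES and EXPECTED_UID come from the README; the annotation keys
# and tool commands are assumptions.

MAX_IMAGE_BYTES=$((2 * 1024 * 1024 * 1024))
EXPECTED_UID=51410

# $1: image size in bytes (docker image inspect --format '{{.Size}}')
check_image_size() {
  [ "$1" -gt 0 ] && [ "$1" -le "$MAX_IMAGE_BYTES" ]
}

# $1: Config.User of the image ("", "0", "51410", "51410:51410" or a name).
# Empty or root means the container would run as root and fails; a numeric
# user must be the builder UID; any other non-root name is accepted as-is.
check_nonroot_user() {
  user=${1%%:*}
  case "$user" in
    ""|root)   return 1 ;;
    *[!0-9]*)  return 0 ;;
    *)         [ "$user" -eq "$EXPECTED_UID" ] ;;
  esac
}

# $1: newline-separated "key=value" labels. Requires the annotations a
# consumer needs to trace the image back to its source (assumed key set).
check_oci_annotations() {
  for key in org.opencontainers.image.source \
             org.opencontainers.image.version \
             org.opencontainers.image.revision; do
    printf '%s\n' "$1" | grep -q "^$key=" || return 1
  done
}

# $1: text of `docker buildx imagetools inspect`; both platforms must appear.
check_manifest_platforms() {
  printf '%s\n' "$1" | grep -q 'linux/amd64' &&
  printf '%s\n' "$1" | grep -q 'linux/arm64'
}

# Run every check against a real image reference; prints a FAIL line and
# returns non-zero on the first failure, as a gated pipeline stage would.
run_compliance_checks() {
  image=$1
  size=$(docker image inspect --format '{{.Size}}' "$image")
  check_image_size "$size" || { echo "FAIL size: $size bytes"; return 1; }

  user=$(docker image inspect --format '{{.Config.User}}' "$image")
  check_nonroot_user "$user" || { echo "FAIL user: '$user'"; return 1; }

  labels=$(docker image inspect \
    --format '{{range $k, $v := .Config.Labels}}{{$k}}={{$v}}{{println}}{{end}}' "$image")
  check_oci_annotations "$labels" || { echo "FAIL oci annotations"; return 1; }

  # Rust tools and the security tool must answer --version inside the image.
  docker run --rm "$image" sh -c \
    'rustc --version && cargo --version && cargo fmt --version &&
     cargo clippy --version && cargo audit --version' >/dev/null ||
    { echo "FAIL toolchain"; return 1; }

  manifest=$(docker buildx imagetools inspect "$image")
  check_manifest_platforms "$manifest" || { echo "FAIL manifest"; return 1; }
  echo "PASS $image"
}

# Usage: sh compliance.sh git.breis.ch/images/builder-rust:latest
if [ $# -gt 0 ]; then
  run_compliance_checks "$1"
fi
```

Hadolint is left out because it lints the Dockerfile, not the built image; run it separately against the source tree.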

Configuration

Centralized Metadata

Image metadata is centralized in .metadata.yml for easy customization:

versions:
  rust: "1.92.0"
  ubuntu: "noble"  # Ubuntu 24.04 LTS

Note: The container registry is automatically determined from your Forgejo instance URL.

CI/CD Pipeline

The project uses a single consolidated workflow that handles building, testing, and publishing:

build-and-test.yml

Triggers:

  • Daily at 6:00 AM UTC (scheduled)
  • On push/merge to main branch
  • Manual trigger (workflow_dispatch)

Pipeline stages:

  1. Build: Multi-arch image build (linux/amd64, linux/arm64) with SBOM generation
  2. Compliance: Hadolint, image size, Rust tools, OCI labels, build capability, multi-arch validation
  3. Security: Trivy and Grype vulnerability scanning with automated reporting

All SBOM artifacts are uploaded and retained for 90 days.

Use Cases

This builder image is designed as the foundation for distroless service images:

  • PostgreSQL distroless builds
  • Redis distroless builds
  • MariaDB distroless builds
  • Nginx distroless builds
  • Custom Rust applications
  • Microservices

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Ensure all CI checks pass
  5. Submit a pull request

Development Guidelines

  • Follow existing code style and conventions
  • Update documentation for any feature changes
  • Add tests where applicable
  • Ensure Hadolint passes for Dockerfile changes

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

Maintenance

  • Rust Version Updates: Manually update RUST_VERSION in .metadata.yml
  • Automated Builds: Weekly rebuilds on Mondays at 2:00 AM UTC
  • Security Patches: Incorporated automatically through daily scans and weekly rebuilds

Maintainer: Clément - BEXSYS
Repository: https://git.breis.ch/images/builder-rust
Registry: git.breis.ch/images/builder-rust