Rust implementation of OCI Distribution Spec with granular access control
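# syntax=docker/dockerfile:1
# Build stage.
# Scanners may report vulnerabilities in the builder image, but nothing from it
# reaches the final image: only the two compiled binaries are copied into the
# distroless runtime stage below.
#
# The builder's Debian release MUST match the runtime's: bookworm is Debian 12,
# the same release as gcr.io/distroless/cc-debian12. Building on a newer release
# (e.g. trixie) links against a newer glibc than the runtime ships, and the
# binary fails at start-up with "version GLIBC_x.y not found".
#
# For a reproducible, auditable build, pin both base images by digest
# (FROM image:tag@sha256:...) once the digests have been recorded.
FROM rust:1.91.1-bookworm AS builder

WORKDIR /app

# Build-time dependencies only; none of these are present in the runtime image.
# NOTE(review): libssl-dev implies an OpenSSL dependency. The distroless cc
# runtime does not ship libssl, so the crate must link OpenSSL statically
# (openssl-sys "vendored" feature) or use rustls - confirm against Cargo.toml.
RUN apt-get update && apt-get install -y --no-install-recommends \
    libssl-dev \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

# Copy manifests first so dependency resolution is cached until they change.
# Cargo.lock must be committed: it pins every transitive crate version, so the
# image is built from exactly the dependency set that was reviewed.
COPY Cargo.toml Cargo.lock ./

# Copy source code
COPY src ./src

# Build release binaries (grain and grainctl).
# --locked refuses to resolve dependencies that differ from Cargo.lock, so a
# silent upstream crate change can never alter what ships in the image.
RUN cargo build --release --locked

# Runtime stage - Google's distroless image: no shell, no package manager,
# minimal attack surface. The :nonroot variant defaults to uid/gid 65532.
FROM gcr.io/distroless/cc-debian12:nonroot

WORKDIR /app

# Copy only the two release binaries from the builder.
COPY --from=builder /app/target/release/grain /app/grain
COPY --from=builder /app/target/release/grainctl /app/grainctl

# Registry listen port (documentation only; publish with -p at run time).
# 8888 is unprivileged, so the nonroot user can bind it without extra caps.
EXPOSE 8888

# Default runtime environment (nothing build-specific belongs here).
ENV RUST_LOG=info

# State the runtime user explicitly and numerically so orchestrator
# runAsNonRoot checks can verify it, even though the base already defaults to it.
USER 65532:65532

# The users file holds credentials: never COPY it into the image. /data does
# not exist in the image and must be mounted at run time, e.g.
# `-v /path/to/users.json:/data/users.json`. grainctl remains available at
# /app/grainctl and can be run by overriding CMD.
CMD ["/app/grain", "--host", "0.0.0.0:8888", "--users-file", "/data/users.json"]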