# Neuron Landing — El-native server. # # Two-stage build: # 1. Build the El landing binary in a Debian container with cc + libcurl-dev # from server.c (which was generated on the host by `elc server.el > server.c`) # plus el_runtime.c. # 2. Copy the binary + the pre-rendered index.html + assets into a slim runtime # image. Final image is ~80 MB (mostly libc + libcurl). # # Build: # ./build.sh (regenerates server.c, then docker buildx for linux/amd64) # # Run: # docker run -p 8080:8080 neuron-landing # ── Stage 1a: build liboqs from source ──────────────────────────────────────── # Debian bookworm doesn't ship liboqs, so we build it ourselves. liboqs is # small (~5MB compiled, static) and pinned to a release tag for reproducibility. # Built static, so the runtime image doesn't need a separate liboqs.so. FROM debian:bookworm-slim AS oqs-builder ARG LIBOQS_VERSION=0.10.1 RUN apt-get update \ && apt-get install -y --no-install-recommends \ build-essential cmake ninja-build git \ libssl-dev ca-certificates \ && rm -rf /var/lib/apt/lists/* RUN git clone --depth 1 --branch ${LIBOQS_VERSION} \ https://github.com/open-quantum-safe/liboqs.git /src/liboqs \ && cmake -S /src/liboqs -B /src/liboqs/build -GNinja \ -DCMAKE_INSTALL_PREFIX=/opt/oqs \ -DOQS_BUILD_ONLY_LIB=ON \ -DOQS_DIST_BUILD=ON \ -DBUILD_SHARED_LIBS=OFF \ -DOQS_USE_OPENSSL=ON \ && cmake --build /src/liboqs/build --parallel \ && cmake --install /src/liboqs/build # ── Stage 1b: compile El binary ─────────────────────────────────────────────── FROM debian:bookworm-slim AS builder RUN apt-get update \ && apt-get install -y --no-install-recommends \ build-essential \ libcurl4-openssl-dev \ libssl-dev \ ca-certificates \ && rm -rf /var/lib/apt/lists/* # Pull in liboqs headers + static archive from the previous stage. The # archive is ~5MB; we link it statically so the runtime image stays slim # and we don't need a second apt install in stage 2. COPY --from=oqs-builder /opt/oqs /opt/oqs WORKDIR /build COPY runtime/el_runtime.c runtime/el_runtime.h ./ COPY server.c ./ # -rdynamic is the Linux-specific bit: the runtime resolves El handler # functions (e.g. handle_request) via dlsym(RTLD_DEFAULT, name), and on # glibc that only sees the executable's own symbols if they were exported # by the linker. macOS exports them by default, Linux doesn't. # # liboqs is an optional runtime dependency; el_runtime.c gates all pq_* # entry points behind __has_include(). With the headers + .a # from the oqs-builder stage in /opt/oqs, the post-quantum primitives # (Dilithium-3 / ML-DSA-65 signatures, Kyber-768 / ML-KEM-768 KEM, the # hybrid X25519+Kyber handshake, and SHA3-256) are all available. # -lcrypto pulls in OpenSSL for X25519 + the symmetric primitives liboqs # itself uses internally; libcurl4-openssl-dev already pulls libssl-dev # transitively but we're explicit. RUN cc -std=c11 -O2 -rdynamic \ -I . -I/opt/oqs/include \ -L/opt/oqs/lib \ -o landing server.c el_runtime.c \ -lcurl -lpthread -ldl -lm -loqs -lcrypto # `strip` would discard .symtab but keeps .dynsym (which is what -rdynamic # populated and what dlsym actually looks at), so it'd be safe — but the # binary is small enough that the few MB saved isn't worth the next person # wondering why dlsym fails. # ── Stage 2: runtime ────────────────────────────────────────────────────────── FROM debian:bookworm-slim # libssl3 supplies libcrypto.so.3 for the X25519 + symmetric primitives the # linked binary needs. liboqs itself is statically linked into the binary # (built that way in stage 1a) so there's nothing extra to ship for it. RUN apt-get update \ && apt-get install -y --no-install-recommends \ libcurl4 \ libssl3 \ ca-certificates \ && rm -rf /var/lib/apt/lists/* \ && groupadd -r landing && useradd -r -g landing landing COPY --from=builder /build/landing /usr/local/bin/landing COPY src/index.html /srv/landing/index.html COPY src/assets /srv/landing/assets ENV LANDING_ROOT=/srv/landing ENV PORT=8080 USER landing EXPOSE 8080 # Cloud Run sends SIGTERM on revision shutdown. The runtime doesn't trap it # explicitly, so the kernel just kills the process. That's fine for a stateless # server. CMD ["/usr/local/bin/landing"]