Will Anderson
112 lines
4.6 KiB
Docker
112 lines
4.6 KiB
Docker
# Neuron Landing — El-native server.
|
|
#
|
|
# Two-stage build:
|
|
# 1. Build the El landing binary in a Debian container with cc + libcurl-dev
|
|
# from server.c (which was generated on the host by `elc server.el > server.c`)
|
|
# plus el_runtime.c.
|
|
# 2. Copy the binary + the pre-rendered index.html + assets into a slim runtime
|
|
# image. Final image is ~80 MB (mostly libc + libcurl).
|
|
#
|
|
# Build:
|
|
# ./build.sh (regenerates server.c, then docker buildx for linux/amd64)
|
|
#
|
|
# Run:
|
|
# docker run -p 8080:8080 neuron-landing
|
|
|
|
# ── Stage 1a: build liboqs from source ────────────────────────────────────────
|
|
# Debian bookworm doesn't ship liboqs, so we build it ourselves. liboqs is
|
|
# small (~5MB compiled, static) and pinned to a release tag for reproducibility.
|
|
# Built static, so the runtime image doesn't need a separate liboqs.so.
|
|
FROM debian:bookworm-slim AS oqs-builder
|
|
|
|
ARG LIBOQS_VERSION=0.10.1
|
|
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
build-essential cmake ninja-build git \
|
|
libssl-dev ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
RUN git clone --depth 1 --branch ${LIBOQS_VERSION} \
|
|
https://github.com/open-quantum-safe/liboqs.git /src/liboqs \
|
|
&& cmake -S /src/liboqs -B /src/liboqs/build -GNinja \
|
|
-DCMAKE_INSTALL_PREFIX=/opt/oqs \
|
|
-DOQS_BUILD_ONLY_LIB=ON \
|
|
-DOQS_DIST_BUILD=ON \
|
|
-DBUILD_SHARED_LIBS=OFF \
|
|
-DOQS_USE_OPENSSL=ON \
|
|
&& cmake --build /src/liboqs/build --parallel \
|
|
&& cmake --install /src/liboqs/build
|
|
|
|
# ── Stage 1b: compile El binary ───────────────────────────────────────────────
|
|
FROM debian:bookworm-slim AS builder
|
|
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
build-essential \
|
|
libcurl4-openssl-dev \
|
|
libssl-dev \
|
|
ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Pull in liboqs headers + static archive from the previous stage. The
|
|
# archive is ~5MB; we link it statically so the runtime image stays slim
|
|
# and we don't need a second apt install in stage 2.
|
|
COPY --from=oqs-builder /opt/oqs /opt/oqs
|
|
|
|
WORKDIR /build
|
|
COPY runtime/el_runtime.c runtime/el_runtime.h ./
|
|
COPY server.c ./
|
|
|
|
# -rdynamic is the Linux-specific bit: the runtime resolves El handler
|
|
# functions (e.g. handle_request) via dlsym(RTLD_DEFAULT, name), and on
|
|
# glibc that only sees the executable's own symbols if they were exported
|
|
# by the linker. macOS exports them by default, Linux doesn't.
|
|
#
|
|
# liboqs is an optional runtime dependency; el_runtime.c gates all pq_*
|
|
# entry points behind __has_include(<oqs/oqs.h>). With the headers + .a
|
|
# from the oqs-builder stage in /opt/oqs, the post-quantum primitives
|
|
# (Dilithium-3 / ML-DSA-65 signatures, Kyber-768 / ML-KEM-768 KEM, the
|
|
# hybrid X25519+Kyber handshake, and SHA3-256) are all available.
|
|
# -lcrypto pulls in OpenSSL for X25519 + the symmetric primitives liboqs
|
|
# itself uses internally; libcurl4-openssl-dev already pulls libssl-dev
|
|
# transitively but we're explicit.
|
|
RUN cc -std=c11 -O2 -rdynamic \
|
|
-I . -I/opt/oqs/include \
|
|
-L/opt/oqs/lib \
|
|
-o landing server.c el_runtime.c \
|
|
-lcurl -lpthread -ldl -lm -loqs -lcrypto
|
|
# `strip` would discard .symtab but keeps .dynsym (which is what -rdynamic
|
|
# populated and what dlsym actually looks at), so it'd be safe — but the
|
|
# binary is small enough that the few MB saved isn't worth the next person
|
|
# wondering why dlsym fails.
|
|
|
|
# ── Stage 2: runtime ──────────────────────────────────────────────────────────
|
|
FROM debian:bookworm-slim
|
|
|
|
# libssl3 supplies libcrypto.so.3 for the X25519 + symmetric primitives the
|
|
# linked binary needs. liboqs itself is statically linked into the binary
|
|
# (built that way in stage 1a) so there's nothing extra to ship for it.
|
|
RUN apt-get update \
|
|
&& apt-get install -y --no-install-recommends \
|
|
libcurl4 \
|
|
libssl3 \
|
|
ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/* \
|
|
&& groupadd -r landing && useradd -r -g landing landing
|
|
|
|
COPY --from=builder /build/landing /usr/local/bin/landing
|
|
COPY src/index.html /srv/landing/index.html
|
|
COPY src/assets /srv/landing/assets
|
|
|
|
ENV LANDING_ROOT=/srv/landing
|
|
ENV PORT=8080
|
|
|
|
USER landing
|
|
EXPOSE 8080
|
|
|
|
# Cloud Run sends SIGTERM on revision shutdown. The runtime doesn't trap it
|
|
# explicitly, so the kernel just kills the process. That's fine for a stateless
|
|
# server.
|
|
CMD ["/usr/local/bin/landing"]
|