Production container with pre-baked service binaries #30

Closed
opened 2026-02-26 13:21:19 +00:00 by mik-tf · 0 comments

## Context

The current dev container (PR #28) ships a Rust toolchain and builds services from source at startup. This works for development but has drawbacks for production:

  • ~1.4 GB image (includes Rust toolchain, libssl-dev, pkg-config, etc.)
  • First startup takes 5-10 minutes while services clone + compile
  • Requires SSH key mounted for private repo access at runtime
  • Parallel cargo builds can OOM on small machines

## Goal

A production container that starts serving immediately with all binaries pre-built.

## Approach

### Builder stage

Extend the current builder stage to also build all service binaries:

```dockerfile
FROM rust:bookworm AS builder
# ... existing hero_services_server + zinit build ...

# Clone and build each service. The SSH mount forwards the host agent to this
# RUN step only (build with `docker build --ssh default`), so no key is written
# into any layer. Assumes the earlier build steps set CARGO_TARGET_DIR=/build/target
# (otherwise the binary lands in /build/hero_auth/target/release/) and added
# forge.ourworld.tf to /root/.ssh/known_hosts.
RUN --mount=type=ssh \
    git clone -b development ssh://git@forge.ourworld.tf/lhumina_code/hero_auth.git /build/hero_auth && \
    cd /build/hero_auth && cargo build --release && \
    cp /build/target/release/hero_auth /root/hero/bin/

# Repeat for each service...
```

### Runtime stage

Switch from `rust:slim-bookworm` (~800 MB) to `debian:bookworm-slim` (~80 MB):

```dockerfile
FROM debian:bookworm-slim
# Only runtime dependencies: TLS roots, OpenSSL 3, curl and ip for health checks
# and networking; apt lists are removed to keep the layer small.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates libssl3 curl iproute2 \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /root/hero/bin/ /root/hero/bin/
```

No Rust toolchain, no git, no SSH keys needed at runtime.
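A small check for the property this section relies on, added here as an example and not part of the issue or the hero_services repo: it parses a multi-stage Dockerfile and flags a final stage that is still based on a `rust:` image, installs git, mounts SSH keys or secrets, or does not copy its binaries from a build stage. The embedded Dockerfile is a constructed sample combining the two stages sketched above.

```python
import re

# Constructed sample: the builder and runtime stages sketched in this issue
# (assumption: the real Dockerfile differs in details such as CARGO_TARGET_DIR).
SAMPLE_DOCKERFILE = """\
FROM rust:bookworm AS builder
RUN --mount=type=ssh \\
    git clone -b development ssh://git@forge.ourworld.tf/lhumina_code/hero_auth.git /build/hero_auth && \\
    cd /build/hero_auth && cargo build --release && \\
    cp /build/target/release/hero_auth /root/hero/bin/

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \\
    ca-certificates libssl3 curl iproute2 \\
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /root/hero/bin/ /root/hero/bin/
"""

def parse_stages(text):
    """Split a Dockerfile into stages (one per FROM), joining backslash continuations."""
    joined = re.sub(r"\\\n\s*", " ", text)
    stages = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("FROM "):
            image = [t for t in line.split()[1:] if not t.startswith("--")][0]
            stages.append({"from": image, "lines": []})
        elif stages:
            stages[-1]["lines"].append(line)
    return stages

def lint_final_stage(text):
    """Return findings for the last (runtime) stage; an empty list means it is clean."""
    stages = parse_stages(text)
    if len(stages) < 2:
        return ["expected a multi-stage build (builder + runtime)"]
    final = stages[-1]
    body = "\n".join(final["lines"])
    findings = []
    if final["from"].startswith("rust:"):
        findings.append(f"runtime base {final['from']} carries the Rust toolchain")
    if "--mount=type=ssh" in body or "--mount=type=secret" in body:
        findings.append("runtime stage mounts SSH keys or secrets")
    if re.search(r"apt-get install[^\n]*\bgit\b", body):
        findings.append("runtime stage installs git")
    if re.search(r"\b(cargo|rustup)\b", body):
        findings.append("runtime stage invokes cargo/rustup")
    if not any(re.match(r"COPY\s+--from=", l, re.I) for l in final["lines"]):
        findings.append("runtime stage does not COPY binaries from a build stage")
    return findings
```

Run `lint_final_stage(open("Dockerfile").read())` in CI for the production variant; a non-empty result means the image would still ship build-time material.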

### Expected result

  • Image size: ~100-200 MB (down from ~1.4 GB)
  • Startup time: seconds (down from 5-10 minutes)
  • No SSH key required at runtime
  • All services start immediately via zinit

## Prerequisites

  • PR #28 merged (dev container working)
  • Issue #29 resolved (all services building successfully)

## Notes

  • The dev container remains useful for development and debugging
  • Both images can coexist: `hero_zero:dev` and `hero_zero:<version>`
  • CI can build both from the same workflow with a build arg selecting the variant
Reference
lhumina_code/hero_services#30