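# Retrieve a specified image for building.
# NOTE(review): a `:latest` default is not reproducible -- two builds of the
# same commit can pick up different toolchains. The default is kept for
# backward compatibility; CI should pass a tagged or digest-pinned image via
# `--build-arg BUILD_IMAGE=...`.
ARG BUILD_IMAGE=unattended/petros:latest
# Retrieve a specified image for final container runtime (digest-pinned).
ARG RUNTIME_IMAGE=debian:trixie-slim@sha256:66b37a5078a77098bfc80175fb5eb881a3196809242fd295b25502854e12cbec
# Build from the base image.
FROM ${BUILD_IMAGE} AS builder
# The `VENDOR_BASE_URL` specifies where to download vendored dependencies.
# It is mandatory: fail the build early with a clear message instead of
# letting vendor.sh fail on a half-formed URL.
ARG VENDOR_BASE_URL
RUN if [ -z "${VENDOR_BASE_URL}" ]; then \
      echo "ERROR: VENDOR_BASE_URL build argument is required!" >&2; \
      exit 1; \
    fi
ENV VENDOR_BASE_URL=${VENDOR_BASE_URL}
# Circuit version to use (matches SP1 SDK version). Also mandatory.
ARG SP1_CIRCUITS_VERSION
RUN if [ -z "${SP1_CIRCUITS_VERSION}" ]; then \
      echo "ERROR: SP1_CIRCUITS_VERSION build argument is required!" >&2; \
      exit 1; \
    fi
ENV SP1_CIRCUITS_VERSION=${SP1_CIRCUITS_VERSION}
# Download the vendored SP1 circuit files FIRST, before the cargo build.
# Placing vendoring above the source COPY + compile means docker's layer
# cache holds the 2.5 GB of circuit artifacts across routine source edits;
# only a prover/ or vendor.sh change (or a vendor-arg bump) re-downloads.
# Remote: ${VENDOR_BASE_URL}/sp1/${SP1_CIRCUITS_VERSION}/{groth16,plonk}.tar.gz
WORKDIR /tmp
COPY container/vendor.sh /tmp/vendor.sh
COPY provers/ /tmp/provers/
RUN /tmp/vendor.sh "groth16.tar.gz" "provers/sp1/${SP1_CIRCUITS_VERSION}" "sp1/${SP1_CIRCUITS_VERSION}/" && \
    /tmp/vendor.sh "plonk.tar.gz" "provers/sp1/${SP1_CIRCUITS_VERSION}" "sp1/${SP1_CIRCUITS_VERSION}/"
# Lay the extracted circuits out under the path the SP1 SDK looks them up in,
# and drop the `.download_complete` markers the SDK checks for.
# (vendor.sh is assumed to extract into /tmp/extracted-<name>/ -- not visible
# here, confirm against container/vendor.sh.)
RUN mkdir -p /home/petros/.sp1/circuits/groth16/${SP1_CIRCUITS_VERSION} \
             /home/petros/.sp1/circuits/plonk/${SP1_CIRCUITS_VERSION} && \
    cp -r /tmp/extracted-groth16/${SP1_CIRCUITS_VERSION}/* /home/petros/.sp1/circuits/groth16/${SP1_CIRCUITS_VERSION}/ && \
    cp -r /tmp/extracted-plonk/${SP1_CIRCUITS_VERSION}/* /home/petros/.sp1/circuits/plonk/${SP1_CIRCUITS_VERSION}/ && \
    touch /home/petros/.sp1/circuits/groth16/.download_complete \
          /home/petros/.sp1/circuits/plonk/.download_complete
# Prepare the build image. COPY only the workspace members that cargo
# actually resolves (see Cargo.toml's `[workspace] members = [...]`). The
# test-client crates under src/sp1-fibonacci/ and src/risc0-fibonacci/ are
# excluded from the workspace and are irrelevant to building the
# hierophant binary; copying them in would make any test-client edit
# invalidate this layer and every layer below it. Cargo still requires
# every workspace member directory to exist at resolution time, so all
# of them must be present even when the hierophant binary doesn't
# transitively depend on every member (e.g. `src/fibonacci` is consumed
# only by the integration-test guests / hosts but is listed as a member
# to keep it in the repo's one workspace lockfile).
WORKDIR /build
COPY Cargo.toml Cargo.lock ./
COPY src/hierophant/ src/hierophant/
COPY src/contemplant/ src/contemplant/
COPY src/network-lib/ src/network-lib/
COPY src/fibonacci/ src/fibonacci/
# Build type: "source" (default) or "prebuilt" (CI).
# Declared here, directly before its only use, rather than at the top of the
# stage: every RUN after an ARG declaration sees it in its environment and so
# takes its value into its cache key. Declaring BUILD_TYPE above the vendoring
# step meant a CI (prebuilt) and a local (source) build could not share the
# cached 2.5 GB circuit layers even though neither of those steps reads it.
ARG BUILD_TYPE=source
# Conditionally build from source or use a pre-built binary.
COPY out/ /build/out/
RUN case "$BUILD_TYPE" in \
      prebuilt) \
        echo "Using pre-built binary from ./out/hierophant"; \
        test -f /build/out/hierophant || (echo "ERROR: BUILD_TYPE=prebuilt but no binary found in ./out/hierophant" >&2 && exit 1); \
        cp /build/out/hierophant /build/hierophant-binary ;; \
      *) \
        echo "Building from source ..."; \
        cargo build --release --bin hierophant --locked; \
        cp /build/target/release/hierophant /build/hierophant-binary ;; \
    esac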
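# Prepare a runtime container. Named so `docker build --target runtime` works
# alongside `--target builder`.
FROM ${RUNTIME_IMAGE} AS runtime
# OCI image labels for metadata and documentation.
LABEL org.opencontainers.image.title="Hierophant" \
      org.opencontainers.image.source=https://github.com/unattended-backpack/hierophant \
      org.opencontainers.image.description="Prove all things; hold fast that which is good. Hierophant is the master of a self-hosted ZK prover network." \
      org.opencontainers.image.vendor="Unattended Backpack, Inc." \
      org.opencontainers.image.licenses="LicenseRef-VPL WITH AGPL-3.0-only"
# Copy the binary from the builder. It stays root-owned: the runtime user only
# needs to execute it, and a binary it cannot write to cannot be tampered with
# from inside the container. Mode is set explicitly (not `+x`) because the
# binary is no longer chown'd to the runtime user, so a 0600 source mode would
# otherwise leave it non-executable for that user.
COPY --from=builder /build/hierophant-binary /usr/local/bin/hierophant
# Install runtime dependencies and fix the binary's interpreter. patchelf is a
# build-time tool only, so it is removed again in the same layer.
# NOTE(review): the interpreter path below is the amd64 glibc loader, so this
# image is amd64-only as written; confirm before building for other platforms.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
      ca-certificates \
      patchelf && \
    chmod 0755 /usr/local/bin/hierophant && \
    patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 /usr/local/bin/hierophant && \
    apt-get remove -y patchelf && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
# Prepare specific non-root user for security, and pre-create the circuits
# directory with the right owner so the COPY below lands in a tree the user
# owns end to end.
RUN useradd --system --create-home --shell /bin/bash hierophant && \
    install -d -o hierophant -g hierophant /home/hierophant/.sp1/circuits
# Copy vendored circuit artifacts from the build stage straight into the
# runtime user's home, owned by that user. Previously they were copied to
# /opt/sp1 first and then cp'd/chown'd into the home directory in a later RUN:
# each of those steps created a layer holding the full 2.5 GB (the later
# `rm -rf /opt/sp1` hides files but does not shrink earlier layers), so the
# image shipped the circuits several times over.
COPY --from=builder --chown=hierophant:hierophant /home/petros/.sp1/circuits /home/hierophant/.sp1/circuits
USER hierophant
WORKDIR /home/hierophant
ENV RUST_LOG=info RUST_LOG_STYLE=always RUST_BACKTRACE=1
# NOTE(review): no EXPOSE / HEALTHCHECK -- the service's port and health
# endpoint are not visible here; add them once known so orchestrators can
# detect a wedged prover.
ENTRYPOINT ["/usr/local/bin/hierophant"]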