All three tools were using bare `cargo install` with no binstall
attempt, forcing full source compilation on every amd64-musl build.
probe-rs took ~73 minutes, sqlx-cli and sea-orm-cli each ~82 minutes —
totalling ~4 hours of source compilation that crashed the BuildKit
container before the amd64 image could be assembled.
All three publish x86_64-unknown-linux-musl prebuilts on GitHub
releases. Switching to `cargo binstall -y --target ... 2>/dev/null ||
true` means:
- amd64: prebuilt downloaded in seconds; source never attempted
- arm64: no aarch64-musl prebuilt; binstall tries source, fails fast
(ring/openssl missing musl cross-compile headers), || true skips it
- Dockerfile: replace three `cargo install` lines with `cargo binstall`
Dockerfile
sccache source compilation fails for aarch64-musl (openssl-sys has no
musl cross-compile headers). With RUSTC_WRAPPER=sccache set
unconditionally, any arm64 image user who ran cargo hit an immediate
exec error. Guard the wrapper so it is only set when sccache is
actually present in PATH.
cargo-info v0.7.7 depends on openssl-sys and has no arm64-musl
prebuilt on QuickInstall or GitHub Releases. It was wasting ~15 min
of cold-cache build time before failing. Remove it from the tool list.
sccache is now installed as a separate binstall-only line (no source
fallback) so it silently skips on targets where no prebuilt exists,
rather than blocking the build for 15 minutes before failing.
- Dockerfile: remove cargo-info from bulk list; extract sccache to
standalone `cargo binstall ... 2>/dev/null || true` (prebuilt-only)
- rootfs/root/docker/setup/05-custom.sh: guard SCCACHE_DIR and
RUSTC_WRAPPER inside `if command -v sccache` block
Dockerfile
rootfs/root/docker/setup/05-custom.sh
The build host's SSL intercept breaks system curl to *.github.com (cert SAN
mismatch). Cargo uses its own bundled TLS stack and is not affected.
- Dockerfile: remove sccache curl download (was failing with SSL error)
- Dockerfile: remove cargo-binstall curl bootstrap (same SSL failure path)
- Dockerfile: replace both with `cargo install cargo-binstall` (Rust TLS, no curl)
- Dockerfile: remove curlrc IPv4 workaround (no curl calls remain in rust-tools)
- Dockerfile: remove jq from apk (was only used for sccache version parsing)
- Dockerfile: remove RUSTC_WRAPPER/SCCACHE_DIR exports from binstall RUN block
- Dockerfile: remove sccache-native cache mount (unused without RUSTC_WRAPPER)
Dockerfile
IPv6 routing on this host intercepts *.github.com and presents a
certificate for a local domain, causing curl SSL SAN mismatch errors
when downloading sccache and cargo-binstall from GitHub releases.
Same fix as the Go image's 05-custom.sh: write `-4` to /root/.curlrc
at the top of the rust-tools stage so all subsequent curl calls use IPv4.
- Dockerfile: add `printf -- '-4
' > /root/.curlrc` at start of rust-tools stage
Dockerfile
musl-cross does not exist in any Alpine package repo (main, community,
or edge) — both attempts to install it failed at build time.
Zig ships with Alpine (`apk add zig`) and bundles its own musl headers
and stdlib for every target triple, making it a drop-in replacement for
a musl cross-toolchain with zero external dependencies.
Three wrapper scripts are created at install time:
/usr/local/bin/aarch64-linux-musl-gcc → zig cc -target aarch64-linux-musl
/usr/local/bin/aarch64-linux-musl-g++ → zig c++ -target aarch64-linux-musl
/usr/local/bin/aarch64-linux-musl-ar → zig ar
The CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER and CC_*/CXX_*/AR_*
env vars are unchanged — they still point to aarch64-linux-musl-gcc,
which now resolves to the zig wrapper.
- Dockerfile: replace musl-cross apk install with zig + wrapper scripts
Dockerfile
musl-cross is in the Alpine community repo, which rust:alpine does not
enable by default. `apk add --no-cache musl-cross` failed with
"no such package" on both linux/amd64 and linux/amd64->arm64 stages.
Fix: install curl and jq first (both in main), then fetch musl-cross
from the community repo via --repository flag (no permanent repo change).
- Dockerfile: split rust-tools apk install into main + community steps
Dockerfile
Eliminates QEMU arm64 build (was ~15 hours) by adding a
`rust-tools` stage that mirrors the Go image's `go-tools` pattern:
runs on the build platform (amd64), cross-compiles or downloads all
~50 Rust tools for the target arch, and activates sccache throughout.
Build time for linux/arm64: ~15 hours → ~30–60 minutes.
How it works:
- `FROM --platform=$BUILDPLATFORM rust:alpine AS rust-tools` runs natively
- `cargo binstall --target $RUST_TARGET` fetches GitHub release prebuilts
(zero compilation for most tools)
- Missing prebuilts fall back to `cargo install --target` using the
`aarch64-linux-musl-gcc` cross-toolchain (no QEMU, native speed)
- Native (x86_64) sccache installed as RUSTC_WRAPPER so source-compiled
tools are cached across Docker rebuilds
- `CARGO_INSTALL_ROOT=/rust-tools` keeps tool binaries separate from
rustup shims; `COPY --from=rust-tools /rust-tools/bin/` drops them
into the build stage before `05-custom.sh` runs
Pure-Rust / no-OpenSSL feature flags where possible (CGO=0 equivalent):
- `sqlx-cli`: `--features rustls` (was native-tls)
- `sea-orm-cli`: `--features runtime-tokio-rustls` (was native-tls default)
- `trunk`: already defaults to rustls — no change needed
- `probe-rs`: prebuilt if available, silently skipped otherwise (needs libusb)
sccache is now active by default in all login shells via profile.d/rust.sh
(`RUSTC_WRAPPER=sccache`); opt out with `-e RUSTC_WRAPPER=`.
- Dockerfile: add 110-line rust-tools stage with musl cross-toolchain,
sccache, cargo-binstall, all tool installs for target arch
- Dockerfile: COPY --from=rust-tools before 05-custom.sh RUN step
- Dockerfile: set RUSTC_WRAPPER in build stage; drop unused cargo-registry
and cargo-git cache mounts (no longer needed there)
- rootfs/root/docker/setup/05-custom.sh: remove cargo-binstall bootstrap
and all cargo binstall/install blocks; add RUSTC_WRAPPER to profile.d
- README.md: document rust-tools stage, native cross-compile architecture,
expected build times, sccache-on-by-default, pure-Rust feature flags,
updated cache mount ID table
Dockerfile
README.md
rootfs/root/docker/setup/05-custom.sh
Register QEMU binfmt handlers and fix cache mounts + binstall
resilience so the image builds correctly on both platforms.
- Dockerfile: declare ARG TARGETARCH in build stage; suffix all
arch-specific cache mount ids with ${TARGETARCH} so amd64 and
arm64 get isolated apk, rustup-downloads, cargo-git, and sccache
caches — cargo-registry stays shared (source is arch-neutral)
- rootfs/root/docker/setup/05-custom.sh: append || true to the main
cargo binstall -y block so a single tool with no arm64-musl prebuilt
and a failing source fallback does not abort the entire layer; add
comment explaining the intent
Dockerfile
rootfs/root/docker/setup/05-custom.sh
Cache strategy: BuildKit --mount=type=cache on apk and cargo/rustup/sccache
directories so docker build never re-downloads packages between runs.
sccache is available as a compilation cache; mount /root/.cache/sccache at
runtime to persist compiled artifacts across container invocations.
Added gdb, a nightly toolchain (miri + rust-src), and a broad set of
linting, formatting, debugging, fuzzing, and analysis tools.
- Dockerfile: add # syntax=docker/dockerfile:1 pragma; add BuildKit cache
mount for /var/cache/apk on the packages RUN step; add cache mounts for
cargo/registry (shared), cargo/git, rustup/downloads, and sccache on the
custom commands RUN step; add SCCACHE_DIR and CARGO_INCREMENTAL ENV vars;
extend VOLUME to include /root/.cache/sccache
- rootfs/root/docker/setup/05-custom.sh: add gdb to system packages;
install nightly toolchain (minimal profile) with miri + rust-src; extend
binstall block with sccache, typos, taplo-cli, cargo-sort, cargo-hack,
cargo-criterion, dprint, cargo-careful, cargo-public-api,
cargo-spellcheck, cargo-geiger, grcov; add fallback cargo installs for
cargo-udeps, cargo-fuzz, cargo-minimal-versions; export SCCACHE_DIR and
CARGO_INCREMENTAL in /etc/profile.d/rust.sh; create /root/.cache/sccache
Dockerfile
rootfs/root/docker/setup/05-custom.sh
Install latest stable Rust at build time via rustup-init with SHA256
verification. Add 30 cross-compile targets, cargo-binstall, and a
comprehensive set of cargo development tools. Match the official
rust:alpine env-var convention (RUSTUP_HOME / CARGO_HOME) and declare
those paths as Docker VOLUMEs. Add the Go-image pattern: rust-workflow
runs automatically when the container is invoked with no args, while
explicit commands pass through unchanged. Copy language-agnostic
healthcheck, copy, and symlink utilities from the Go image.
- Dockerfile: WORKDIR /app in final stage; add RUSTUP_HOME, CARGO_HOME,
RUSTUP_TOOLCHAIN ENV vars; extend VOLUME to include cargo and rustup paths
- rootfs/root/docker/setup/05-custom.sh: full Rust toolchain install —
build deps (build-base musl-dev clang lld cmake openssl-dev), SHA256-
verified rustup-init, stable toolchain with rust-src/rust-analyzer/
llvm-tools-preview, 30 cross-compile targets, cargo-binstall bootstrap,
cargo tool suite via binstall, cross-linker config.toml, /usr/local/bin
symlinks, ~/.cargo and ~/.rustup home symlinks, /etc/profile.d/rust.sh
- rootfs/usr/local/bin/rust-workflow: default workflow script —
fmt --check → clippy -D warnings → test --all → build --release;
honours CARGO_WORKDIR and CARGO_BUILD_TARGET env vars
- rootfs/usr/local/bin/entrypoint.sh: __no_exit guarded by $# -eq 0 in
START_SERVICES block; * catch-all now calls rust-workflow on no args
- rootfs/usr/local/bin/healthcheck: copied from Go image (HTTP/TCP/
process/file health probe)
- rootfs/usr/local/bin/copy: copied from Go image (recursive copy utility)
- rootfs/usr/local/bin/symlink: copied from Go image (symlink utility)
Dockerfile
rootfs/root/docker/setup/05-custom.sh
rootfs/usr/local/bin/copy
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/bin/healthcheck
rootfs/usr/local/bin/rust-workflow
rootfs/usr/local/bin/symlink
Update the embedded entrypoint copies in rootfs/ to match the
upstream template change. Internal state files renamed to dotfiles
so they're not matched by `/run/*.pid` cleanup globs:
- /run/init.d/entrypoint.pid -> /run/.entrypoint.pid
- /run/no_exit.pid -> /run/.no_exit.pid
- /run/backup.pid -> /run/.backup.pid
- /run/__start_init_scripts.pid -> /run/.start_init_scripts.pid
Per-service PIDs in /run/init.d/ are unchanged.
Dockerfile
.env.scripts
rootfs/usr/local/bin/copy
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/bin/healthcheck
rootfs/usr/local/bin/symlink
rootfs/usr/local/etc/docker/functions/entrypoint.sh
rootfs/usr/local/etc/docker/init.d/00-rust.sh
rootfs/usr/local/share/template-files/config/env/default.sample
rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh
jason
