IPv6 routing on this host intercepts *.github.com and presents a
certificate for a local domain, causing curl SSL SAN mismatch errors
when downloading sccache and cargo-binstall from GitHub releases.
Same fix as the Go image's 05-custom.sh: write `-4` to /root/.curlrc
at the top of the rust-tools stage so all subsequent curl calls use IPv4.
- Dockerfile: add `printf -- '-4
' > /root/.curlrc` at start of rust-tools stage
Dockerfile
musl-cross does not exist in any Alpine package repo (main, community,
or edge) — both attempts to install it failed at build time.
Zig ships with Alpine (`apk add zig`) and bundles its own musl headers
and stdlib for every target triple, making it a drop-in replacement for
a musl cross-toolchain with zero external dependencies.
Three wrapper scripts are created at install time:
/usr/local/bin/aarch64-linux-musl-gcc → zig cc -target aarch64-linux-musl
/usr/local/bin/aarch64-linux-musl-g++ → zig c++ -target aarch64-linux-musl
/usr/local/bin/aarch64-linux-musl-ar → zig ar
The CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER and CC_*/CXX_*/AR_*
env vars are unchanged — they still point to aarch64-linux-musl-gcc,
which now resolves to the zig wrapper.
- Dockerfile: replace musl-cross apk install with zig + wrapper scripts
Dockerfile
musl-cross is in the Alpine community repo, which rust:alpine does not
enable by default. `apk add --no-cache musl-cross` failed with
"no such package" on both linux/amd64 and linux/amd64->arm64 stages.
Fix: install curl and jq first (both in main), then fetch musl-cross
from the community repo via --repository flag (no permanent repo change).
- Dockerfile: split rust-tools apk install into main + community steps
Dockerfile
Eliminates QEMU arm64 build (was ~15 hours) by adding a
`rust-tools` stage that mirrors the Go image's `go-tools` pattern:
runs on the build platform (amd64), cross-compiles or downloads all
~50 Rust tools for the target arch, and activates sccache throughout.
Build time for linux/arm64: ~15 hours → ~30–60 minutes.
How it works:
- `FROM --platform=$BUILDPLATFORM rust:alpine AS rust-tools` runs natively
- `cargo binstall --target $RUST_TARGET` fetches GitHub release prebuilts
(zero compilation for most tools)
- Missing prebuilts fall back to `cargo install --target` using the
`aarch64-linux-musl-gcc` cross-toolchain (no QEMU, native speed)
- Native (x86_64) sccache installed as RUSTC_WRAPPER so source-compiled
tools are cached across Docker rebuilds
- `CARGO_INSTALL_ROOT=/rust-tools` keeps tool binaries separate from
rustup shims; `COPY --from=rust-tools /rust-tools/bin/` drops them
into the build stage before `05-custom.sh` runs
Pure-Rust / no-OpenSSL feature flags where possible (CGO=0 equivalent):
- `sqlx-cli`: `--features rustls` (was native-tls)
- `sea-orm-cli`: `--features runtime-tokio-rustls` (was native-tls default)
- `trunk`: already defaults to rustls — no change needed
- `probe-rs`: prebuilt if available, silently skipped otherwise (needs libusb)
sccache is now active by default in all login shells via profile.d/rust.sh
(`RUSTC_WRAPPER=sccache`); opt out with `-e RUSTC_WRAPPER=`.
- Dockerfile: add 110-line rust-tools stage with musl cross-toolchain,
sccache, cargo-binstall, all tool installs for target arch
- Dockerfile: COPY --from=rust-tools before 05-custom.sh RUN step
- Dockerfile: set RUSTC_WRAPPER in build stage; drop unused cargo-registry
and cargo-git cache mounts (no longer needed there)
- rootfs/root/docker/setup/05-custom.sh: remove cargo-binstall bootstrap
and all cargo binstall/install blocks; add RUSTC_WRAPPER to profile.d
- README.md: document rust-tools stage, native cross-compile architecture,
expected build times, sccache-on-by-default, pure-Rust feature flags,
updated cache mount ID table
Dockerfile
README.md
rootfs/root/docker/setup/05-custom.sh
Register QEMU binfmt handlers and fix cache mounts + binstall
resilience so the image builds correctly on both platforms.
- Dockerfile: declare ARG TARGETARCH in build stage; suffix all
arch-specific cache mount ids with ${TARGETARCH} so amd64 and
arm64 get isolated apk, rustup-downloads, cargo-git, and sccache
caches — cargo-registry stays shared (source is arch-neutral)
- rootfs/root/docker/setup/05-custom.sh: append || true to the main
cargo binstall -y block so a single tool with no arm64-musl prebuilt
and a failing source fallback does not abort the entire layer; add
comment explaining the intent
Dockerfile
rootfs/root/docker/setup/05-custom.sh
Cache strategy: BuildKit --mount=type=cache on apk and cargo/rustup/sccache
directories so docker build never re-downloads packages between runs.
sccache is available as a compilation cache; mount /root/.cache/sccache at
runtime to persist compiled artifacts across container invocations.
Added gdb, a nightly toolchain (miri + rust-src), and a broad set of
linting, formatting, debugging, fuzzing, and analysis tools.
- Dockerfile: add # syntax=docker/dockerfile:1 pragma; add BuildKit cache
mount for /var/cache/apk on the packages RUN step; add cache mounts for
cargo/registry (shared), cargo/git, rustup/downloads, and sccache on the
custom commands RUN step; add SCCACHE_DIR and CARGO_INCREMENTAL ENV vars;
extend VOLUME to include /root/.cache/sccache
- rootfs/root/docker/setup/05-custom.sh: add gdb to system packages;
install nightly toolchain (minimal profile) with miri + rust-src; extend
binstall block with sccache, typos, taplo-cli, cargo-sort, cargo-hack,
cargo-criterion, dprint, cargo-careful, cargo-public-api,
cargo-spellcheck, cargo-geiger, grcov; add fallback cargo installs for
cargo-udeps, cargo-fuzz, cargo-minimal-versions; export SCCACHE_DIR and
CARGO_INCREMENTAL in /etc/profile.d/rust.sh; create /root/.cache/sccache
Dockerfile
rootfs/root/docker/setup/05-custom.sh
Install latest stable Rust at build time via rustup-init with SHA256
verification. Add 30 cross-compile targets, cargo-binstall, and a
comprehensive set of cargo development tools. Match the official
rust:alpine env-var convention (RUSTUP_HOME / CARGO_HOME) and declare
those paths as Docker VOLUMEs. Add the Go-image pattern: rust-workflow
runs automatically when the container is invoked with no args, while
explicit commands pass through unchanged. Copy language-agnostic
healthcheck, copy, and symlink utilities from the Go image.
- Dockerfile: WORKDIR /app in final stage; add RUSTUP_HOME, CARGO_HOME,
RUSTUP_TOOLCHAIN ENV vars; extend VOLUME to include cargo and rustup paths
- rootfs/root/docker/setup/05-custom.sh: full Rust toolchain install —
build deps (build-base musl-dev clang lld cmake openssl-dev), SHA256-
verified rustup-init, stable toolchain with rust-src/rust-analyzer/
llvm-tools-preview, 30 cross-compile targets, cargo-binstall bootstrap,
cargo tool suite via binstall, cross-linker config.toml, /usr/local/bin
symlinks, ~/.cargo and ~/.rustup home symlinks, /etc/profile.d/rust.sh
- rootfs/usr/local/bin/rust-workflow: default workflow script —
fmt --check → clippy -D warnings → test --all → build --release;
honours CARGO_WORKDIR and CARGO_BUILD_TARGET env vars
- rootfs/usr/local/bin/entrypoint.sh: __no_exit guarded by $# -eq 0 in
START_SERVICES block; * catch-all now calls rust-workflow on no args
- rootfs/usr/local/bin/healthcheck: copied from Go image (HTTP/TCP/
process/file health probe)
- rootfs/usr/local/bin/copy: copied from Go image (recursive copy utility)
- rootfs/usr/local/bin/symlink: copied from Go image (symlink utility)
Dockerfile
rootfs/root/docker/setup/05-custom.sh
rootfs/usr/local/bin/copy
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/bin/healthcheck
rootfs/usr/local/bin/rust-workflow
rootfs/usr/local/bin/symlink
Update the embedded entrypoint copies in rootfs/ to match the
upstream template change. Internal state files renamed to dotfiles
so they're not matched by `/run/*.pid` cleanup globs:
- /run/init.d/entrypoint.pid -> /run/.entrypoint.pid
- /run/no_exit.pid -> /run/.no_exit.pid
- /run/backup.pid -> /run/.backup.pid
- /run/__start_init_scripts.pid -> /run/.start_init_scripts.pid
Per-service PIDs in /run/init.d/ are unchanged.
Dockerfile
.env.scripts
rootfs/usr/local/bin/copy
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/bin/healthcheck
rootfs/usr/local/bin/symlink
rootfs/usr/local/etc/docker/functions/entrypoint.sh
rootfs/usr/local/etc/docker/init.d/00-rust.sh
rootfs/usr/local/share/template-files/config/env/default.sample
rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh
jason
