The build host's SSL intercept breaks system curl to *.github.com (cert SAN
mismatch). Cargo uses its own bundled TLS stack and is not affected.
- Dockerfile: remove sccache curl download (was failing with SSL error)
- Dockerfile: remove cargo-binstall curl bootstrap (same SSL failure path)
- Dockerfile: replace both with `cargo install cargo-binstall` (Rust TLS, no curl)
- Dockerfile: remove curlrc IPv4 workaround (no curl calls remain in rust-tools)
- Dockerfile: remove jq from apk (was only used for sccache version parsing)
- Dockerfile: remove RUSTC_WRAPPER/SCCACHE_DIR exports from binstall RUN block
- Dockerfile: remove sccache-native cache mount (unused without RUSTC_WRAPPER)
Dockerfile
IPv6 routing on this host intercepts *.github.com and presents a
certificate for a local domain, causing curl SSL SAN mismatch errors
when downloading sccache and cargo-binstall from GitHub releases.
Same fix as the Go image's 05-custom.sh: write `-4` to /root/.curlrc
at the top of the rust-tools stage so all subsequent curl calls use IPv4.
- Dockerfile: add `printf -- '-4
' > /root/.curlrc` at start of rust-tools stage
Dockerfile
musl-cross does not exist in any Alpine package repo (main, community,
or edge) — both attempts to install it failed at build time.
Zig ships with Alpine (`apk add zig`) and bundles its own musl headers
and stdlib for every target triple, making it a drop-in replacement for
a musl cross-toolchain with zero external dependencies.
Three wrapper scripts are created at install time:
/usr/local/bin/aarch64-linux-musl-gcc → zig cc -target aarch64-linux-musl
/usr/local/bin/aarch64-linux-musl-g++ → zig c++ -target aarch64-linux-musl
/usr/local/bin/aarch64-linux-musl-ar → zig ar
The CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER and CC_*/CXX_*/AR_*
env vars are unchanged — they still point to aarch64-linux-musl-gcc,
which now resolves to the zig wrapper.
- Dockerfile: replace musl-cross apk install with zig + wrapper scripts
Dockerfile
musl-cross is in the Alpine community repo, which rust:alpine does not
enable by default. `apk add --no-cache musl-cross` failed with
"no such package" on both linux/amd64 and linux/amd64->arm64 stages.
Fix: install curl and jq first (both in main), then fetch musl-cross
from the community repo via --repository flag (no permanent repo change).
- Dockerfile: split rust-tools apk install into main + community steps
Dockerfile
Audit found three accuracy bugs and one section ordering violation:
- Add wasm-opt (binaryen) to WASM tools table — installed via pkmgr
in 05-custom.sh but was missing from the tools reference entirely
- Fix wasm32-emscripten → wasm32-unknown-emscripten in cross-compile
targets table (wrong triple name)
- Move "Install and run container" (dockermgr) from position 10 to
immediately after "Pull" — both are production install paths and must
appear before the Development section per canonical section order rules
- Rename "Build the image locally" → "Development" to match canonical
section naming; it is the last substantive section before License
- README.md: add binaryen/wasm-opt row to WASM tools table
- README.md: correct wasm32-unknown-emscripten triple
- README.md: move Install and run container section to top (after Pull)
- README.md: rename build section to Development; move to end
README.md
Eliminates QEMU arm64 build (was ~15 hours) by adding a
`rust-tools` stage that mirrors the Go image's `go-tools` pattern:
runs on the build platform (amd64), cross-compiles or downloads all
~50 Rust tools for the target arch, and activates sccache throughout.
Build time for linux/arm64: ~15 hours → ~30–60 minutes.
How it works:
- `FROM --platform=$BUILDPLATFORM rust:alpine AS rust-tools` runs natively
- `cargo binstall --target $RUST_TARGET` fetches GitHub release prebuilts
(zero compilation for most tools)
- Missing prebuilts fall back to `cargo install --target` using the
`aarch64-linux-musl-gcc` cross-toolchain (no QEMU, native speed)
- Native (x86_64) sccache installed as RUSTC_WRAPPER so source-compiled
tools are cached across Docker rebuilds
- `CARGO_INSTALL_ROOT=/rust-tools` keeps tool binaries separate from
rustup shims; `COPY --from=rust-tools /rust-tools/bin/` drops them
into the build stage before `05-custom.sh` runs
Pure-Rust / no-OpenSSL feature flags where possible (CGO=0 equivalent):
- `sqlx-cli`: `--features rustls` (was native-tls)
- `sea-orm-cli`: `--features runtime-tokio-rustls` (was native-tls default)
- `trunk`: already defaults to rustls — no change needed
- `probe-rs`: prebuilt if available, silently skipped otherwise (needs libusb)
sccache is now active by default in all login shells via profile.d/rust.sh
(`RUSTC_WRAPPER=sccache`); opt out with `-e RUSTC_WRAPPER=`.
- Dockerfile: add 110-line rust-tools stage with musl cross-toolchain,
sccache, cargo-binstall, all tool installs for target arch
- Dockerfile: COPY --from=rust-tools before 05-custom.sh RUN step
- Dockerfile: set RUSTC_WRAPPER in build stage; drop unused cargo-registry
and cargo-git cache mounts (no longer needed there)
- rootfs/root/docker/setup/05-custom.sh: remove cargo-binstall bootstrap
and all cargo binstall/install blocks; add RUSTC_WRAPPER to profile.d
- README.md: document rust-tools stage, native cross-compile architecture,
expected build times, sccache-on-by-default, pure-Rust feature flags,
updated cache mount ID table
Dockerfile
README.md
rootfs/root/docker/setup/05-custom.sh
Two inaccuracies corrected:
- rust-workflow is not run automatically on `docker run` with no args;
the container starts in monitoring mode and rust-workflow must be
called explicitly — update all examples to pass `rust-workflow` as
the command argument and rename the section heading accordingly
- Cache mount IDs in the BuildKit section were missing the per-arch
suffix; corrected to apk-cache-<arch>, cargo-git-<arch>,
rustup-downloads-<arch>, sccache-build-<arch> and added a note
explaining why per-arch IDs are used in multi-platform builds
- README.md: fix default-behavior section and cache mount ID table
README.md
Register QEMU binfmt handlers and fix cache mounts + binstall
resilience so the image builds correctly on both platforms.
- Dockerfile: declare ARG TARGETARCH in build stage; suffix all
arch-specific cache mount ids with ${TARGETARCH} so amd64 and
arm64 get isolated apk, rustup-downloads, cargo-git, and sccache
caches — cargo-registry stays shared (source is arch-neutral)
- rootfs/root/docker/setup/05-custom.sh: append || true to the main
cargo binstall -y block so a single tool with no arm64-musl prebuilt
and a failing source fallback does not abort the entire layer; add
comment explaining the intent
Dockerfile
rootfs/root/docker/setup/05-custom.sh
Stale copies called __initialize_default_templates, __initialize_config_dir,
and __initialize_data_dir which are not in the old functions library,
causing container startup failures. Replaced with current template
versions (202606041210-git) which no longer call those missing functions.
- rootfs/usr/local/bin/entrypoint.sh: update to current template
- rootfs/usr/local/etc/docker/functions/entrypoint.sh: update to current template
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/etc/docker/functions/entrypoint.sh
--domainname on the container sets the kernel domainname, which c-ares
uses to infer a search domain even when /etc/resolv.conf has no search
line. This caused c-ares to query github.com.casjay.work AAAA and get
the host's own IPv6 address, routing all outbound HTTPS to the local
nginx instead of the real server.
Adding 'search .' and 'options ndots:0' explicitly disables search
domain inference regardless of the kernel domainname setting.
- rootfs/usr/local/etc/resolv.conf: add search . and options ndots:0
rootfs/usr/local/etc/resolv.conf
Hosts with a search domain cause containers to inherit it. When the
zone has a wildcard AAAA record, public hostnames resolve to the host's
own IPv6 address instead of the real server, breaking all outbound
HTTPS and DNS from inside the container.
The entrypoint already has a hook: if /usr/local/etc/resolv.conf
exists it replaces /etc/resolv.conf at container startup. Ship a
clean resolv.conf with Cloudflare + Google DNS and no search domain
so container DNS is always correct regardless of host configuration.
- rootfs/usr/local/etc/resolv.conf: new file — clean DNS, no search domain
rootfs/usr/local/etc/resolv.conf
Synced from casjay-dotfiles templates. Updated functions now check
for existence before copying template-files directories, skipping
gracefully when they are absent.
- rootfs/usr/local/etc/docker/functions/entrypoint.sh: updated to latest
rootfs/usr/local/etc/docker/functions/entrypoint.sh
- README rewritten from 137 → 439 lines: full tool tables, env var reference, volume/cache guide, cross-compile target matrix, sccache remote backend docs, BuildKit cache mount info
- Update image name from `casjaysdevdocker/rust` to `casjaysdev/rust` throughout
- Add `clang-dev`, `llvm-dev`, `openssl-libs-static` to build deps; add `perf` (non-fatal) for flamegraph/samply support
- Fix rustup nightly component flag syntax (split into two `--component` flags)
- Move `cargo-nextest` to fallback block with `--locked`; rename `typos` → `typos-cli` and `cargo-flamegraph` → `flamegraph` to match correct crate names
README.md
rootfs/root/docker/setup/05-custom.sh
Complete rewrite of README.md to document the default rust-workflow
behavior, all installed tools (organized by category), the full cache
strategy (BuildKit mounts + runtime volumes + sccache), cross-compile
targets and tooling, miri usage, environment variables, and docker-compose
example with all volumes wired up.
- README.md: add default-workflow quickstart; add tool tables for linting,
formatting, testing, coverage, benchmarking, profiling, fuzzing,
debugging, inspection, build/release, cross-compile, WASM, docs, and
dev-loop categories; add cache section covering BuildKit --mount cache
IDs, named volumes, host bind mounts, sccache activation and remote
backends; add cross-compile section with pure-Rust/zigbuild/cross usage
and caveats table; add miri section; update env vars table with
SCCACHE_DIR, CARGO_INCREMENTAL, RUSTC_WRAPPER, CARGO_WORKDIR,
CARGO_BUILD_TARGET; update docker run and docker-compose examples to
include all three volumes
README.md
Cache strategy: BuildKit --mount=type=cache on apk and cargo/rustup/sccache
directories so docker build never re-downloads packages between runs.
sccache is available as a compilation cache; mount /root/.cache/sccache at
runtime to persist compiled artifacts across container invocations.
Added gdb, a nightly toolchain (miri + rust-src), and a broad set of
linting, formatting, debugging, fuzzing, and analysis tools.
- Dockerfile: add # syntax=docker/dockerfile:1 pragma; add BuildKit cache
mount for /var/cache/apk on the packages RUN step; add cache mounts for
cargo/registry (shared), cargo/git, rustup/downloads, and sccache on the
custom commands RUN step; add SCCACHE_DIR and CARGO_INCREMENTAL ENV vars;
extend VOLUME to include /root/.cache/sccache
- rootfs/root/docker/setup/05-custom.sh: add gdb to system packages;
install nightly toolchain (minimal profile) with miri + rust-src; extend
binstall block with sccache, typos, taplo-cli, cargo-sort, cargo-hack,
cargo-criterion, dprint, cargo-careful, cargo-public-api,
cargo-spellcheck, cargo-geiger, grcov; add fallback cargo installs for
cargo-udeps, cargo-fuzz, cargo-minimal-versions; export SCCACHE_DIR and
CARGO_INCREMENTAL in /etc/profile.d/rust.sh; create /root/.cache/sccache
Dockerfile
rootfs/root/docker/setup/05-custom.sh
Install latest stable Rust at build time via rustup-init with SHA256
verification. Add 30 cross-compile targets, cargo-binstall, and a
comprehensive set of cargo development tools. Match the official
rust:alpine env-var convention (RUSTUP_HOME / CARGO_HOME) and declare
those paths as Docker VOLUMEs. Add the Go-image pattern: rust-workflow
runs automatically when the container is invoked with no args, while
explicit commands pass through unchanged. Copy language-agnostic
healthcheck, copy, and symlink utilities from the Go image.
- Dockerfile: WORKDIR /app in final stage; add RUSTUP_HOME, CARGO_HOME,
RUSTUP_TOOLCHAIN ENV vars; extend VOLUME to include cargo and rustup paths
- rootfs/root/docker/setup/05-custom.sh: full Rust toolchain install —
build deps (build-base musl-dev clang lld cmake openssl-dev), SHA256-
verified rustup-init, stable toolchain with rust-src/rust-analyzer/
llvm-tools-preview, 30 cross-compile targets, cargo-binstall bootstrap,
cargo tool suite via binstall, cross-linker config.toml, /usr/local/bin
symlinks, ~/.cargo and ~/.rustup home symlinks, /etc/profile.d/rust.sh
- rootfs/usr/local/bin/rust-workflow: default workflow script —
fmt --check → clippy -D warnings → test --all → build --release;
honours CARGO_WORKDIR and CARGO_BUILD_TARGET env vars
- rootfs/usr/local/bin/entrypoint.sh: __no_exit guarded by $# -eq 0 in
START_SERVICES block; * catch-all now calls rust-workflow on no args
- rootfs/usr/local/bin/healthcheck: copied from Go image (HTTP/TCP/
process/file health probe)
- rootfs/usr/local/bin/copy: copied from Go image (recursive copy utility)
- rootfs/usr/local/bin/symlink: copied from Go image (symlink utility)
Dockerfile
rootfs/root/docker/setup/05-custom.sh
rootfs/usr/local/bin/copy
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/bin/healthcheck
rootfs/usr/local/bin/rust-workflow
rootfs/usr/local/bin/symlink
Update the embedded entrypoint copies in rootfs/ to match the
upstream template change. Internal state files renamed to dotfiles
so they're not matched by `/run/*.pid` cleanup globs:
- /run/init.d/entrypoint.pid -> /run/.entrypoint.pid
- /run/no_exit.pid -> /run/.no_exit.pid
- /run/backup.pid -> /run/.backup.pid
- /run/__start_init_scripts.pid -> /run/.start_init_scripts.pid
Per-service PIDs in /run/init.d/ are unchanged.
Dockerfile
.env.scripts
rootfs/usr/local/bin/copy
rootfs/usr/local/bin/entrypoint.sh
rootfs/usr/local/bin/healthcheck
rootfs/usr/local/bin/symlink
rootfs/usr/local/etc/docker/functions/entrypoint.sh
rootfs/usr/local/etc/docker/init.d/00-rust.sh
rootfs/usr/local/share/template-files/config/env/default.sample
rootfs/usr/local/share/template-files/config/env/examples/zz-entrypoint.sh
Aligns README install/run snippets with the new convention split:
rootfs/ for Dockerfile-build content (image filesystem), volumes/
for docker-compose host bind-mounts. Compose mounts, host bind
paths, and runtime data dirs are renamed; Dockerfile COPY/ADD
sources (where present) are preserved.
README.md
jason
