rustfs
diff --git a/‎Dockerfile
Lines changed: 63 additions & 71 deletions b/‎Dockerfile
Lines changed: 63 additions & 71 deletions
@@ -1,66 +1,64 @@
-# Multi-stage build for RustFS production image
-
-# Build stage: Download and extract RustFS binary
+# -------------------
+# Build stage
+# -------------------
 FROM alpine:3.22 AS build
 
-# Build arguments for platform and release
 ARG TARGETARCH
 ARG RELEASE=latest
 
-# Install minimal dependencies for downloading and extracting
 RUN apk add --no-cache ca-certificates curl unzip
-
-# Create build directory
 WORKDIR /build
 
-# Set architecture-specific variables
-RUN if [ "$TARGETARCH" = "amd64" ]; then \
-        echo "x86_64-musl" > /tmp/arch; \
-    elif [ "$TARGETARCH" = "arm64" ]; then \
-        echo "aarch64-musl" > /tmp/arch; \
+# Download and extract release package matching current TARGETARCH
+# - If RELEASE=latest: take first tag_name from /releases (may include pre-releases)
+# - Otherwise use specified tag (e.g. v0.1.2)
+RUN set -eux; \
+    case "$TARGETARCH" in \
+      amd64)  ARCH_SUBSTR="x86_64-musl"  ;; \
+      arm64)  ARCH_SUBSTR="aarch64-musl" ;; \
+      *) echo "Unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
+    esac; \
+    if [ "$RELEASE" = "latest" ]; then \
+      TAG="$(curl -fsSL https://api.github.com/repos/rustfs/rustfs/releases \
+              | grep -o '"tag_name": "[^"]*"' | cut -d'"' -f4 | head -n 1)"; \
     else \
-        echo "unsupported" > /tmp/arch; \
-    fi
-RUN ARCH=$(cat /tmp/arch) && \
-    if [ "$ARCH" = "unsupported" ]; then \
-        echo "Unsupported architecture: $TARGETARCH" && exit 1; \
-    fi && \
-    if [ "${RELEASE}" = "latest" ]; then \
-        # For latest, download from GitHub releases using the -latest suffix
-        PACKAGE_NAME="rustfs-linux-${ARCH}-latest.zip"; \
-        # Use GitHub API to get the latest release URL
-        LATEST_RELEASE_URL=$(curl -s https://api.github.com/repos/rustfs/rustfs/releases/latest | grep -o '"browser_download_url": "[^"]*'"${PACKAGE_NAME}"'"' | cut -d'"' -f4 | head -1); \
-        if [ -z "$LATEST_RELEASE_URL" ]; then \
-            echo "Failed to find latest release for ${PACKAGE_NAME}" >&2; \
-            exit 1; \
-        fi; \
-        DOWNLOAD_URL="$LATEST_RELEASE_URL"; \
-    else \
-        # For specific versions, construct the GitHub release URL directly
-        # RELEASE is the GitHub release tag (e.g., "1.0.0-alpha.42")
-        # VERSION is the version in filename (e.g., "v1.0.0-alpha.42")
-        VERSION="v${RELEASE}"; \
-        PACKAGE_NAME="rustfs-linux-${ARCH}-${VERSION}.zip"; \
-        DOWNLOAD_URL="https://github.com/rustfs/rustfs/releases/download/${RELEASE}/${PACKAGE_NAME}"; \
-    fi && \
-    echo "Downloading ${PACKAGE_NAME} from ${DOWNLOAD_URL}" >&2 && \
-    curl -f -L "${DOWNLOAD_URL}" -o rustfs.zip && \
-    unzip rustfs.zip -d /build && \
-    chmod +x /build/rustfs && \
-    rm rustfs.zip || { echo "Failed to download or extract ${PACKAGE_NAME}" >&2; exit 1; }
-
-# Runtime stage: Configure runtime environment
-FROM alpine:3.22.1
+      TAG="$RELEASE"; \
+    fi; \
+    echo "Using tag: $TAG (arch pattern: $ARCH_SUBSTR)"; \
+    # Find download URL in assets list for this tag that contains arch substring and ends with .zip
+    URL="$(curl -fsSL "https://api.github.com/repos/rustfs/rustfs/releases/tags/$TAG" \
+           | grep -o "\"browser_download_url\": \"[^\"]*${ARCH_SUBSTR}[^\"]*\\.zip\"" \
+           | cut -d'"' -f4 | head -n 1)"; \
+    if [ -z "$URL" ]; then echo "Failed to locate release asset for $ARCH_SUBSTR at tag $TAG" >&2; exit 1; fi; \
+    echo "Downloading: $URL"; \
+    curl -fL "$URL" -o rustfs.zip; \
+    unzip -q rustfs.zip -d /build; \
+    # If binary is not in root directory, try to locate and move from zip to /build/rustfs
+    if [ ! -x /build/rustfs ]; then \
+      BIN_PATH="$(unzip -Z -1 rustfs.zip | grep -E '(^|/)rustfs$' | head -n 1 || true)"; \
+      if [ -n "$BIN_PATH" ]; then \
+        mkdir -p /build/.tmp && unzip -q rustfs.zip "$BIN_PATH" -d /build/.tmp && \
+        mv "/build/.tmp/$BIN_PATH" /build/rustfs; \
+      fi; \
+    fi; \
+    [ -x /build/rustfs ] || { echo "rustfs binary not found in asset" >&2; exit 1; }; \
+    chmod +x /build/rustfs; \
+    rm -rf rustfs.zip /build/.tmp || true
+
+
+# -------------------
+# Runtime stage
+# -------------------
+FROM alpine:3.22
 
-# Build arguments and labels
 ARG RELEASE=latest
 ARG BUILD_DATE
 ARG VCS_REF
 
 LABEL name="RustFS" \
       vendor="RustFS Team" \
       maintainer="RustFS Team <dev@rustfs.com>" \
-      version="${RELEASE}" \
+      version="v${RELEASE#v}" \
       release="${RELEASE}" \
       build-date="${BUILD_DATE}" \
       vcs-ref="${VCS_REF}" \
@@ -69,43 +67,37 @@ LABEL name="RustFS" \
       url="https://rustfs.com" \
       license="Apache-2.0"
 
-# Install runtime dependencies
-RUN echo "https://dl-cdn.alpinelinux.org/alpine/v3.20/community" >> /etc/apk/repositories && \
-    apk update && \
-    apk add --no-cache ca-certificates bash gosu coreutils shadow && \
+# Install only runtime requirements: certificates and coreutils (provides chroot --userspec)
+RUN apk add --no-cache ca-certificates coreutils && \
     addgroup -g 1000 rustfs && \
-    adduser -u 1000 -G rustfs -s /bin/bash -D rustfs
+    adduser  -u 1000 -G rustfs -s /sbin/nologin -D rustfs
 
-# Copy CA certificates and RustFS binary from build stage
+# Copy binary and entry script (ensure fixed entrypoint.sh exists in repository)
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=build /build/rustfs /usr/bin/rustfs
-
-# Copy entry point script
 COPY entrypoint.sh /entrypoint.sh
 
-# Set permissions
 RUN chmod +x /usr/bin/rustfs /entrypoint.sh && \
     mkdir -p /data /logs && \
     chown rustfs:rustfs /data /logs && \
-    chmod 700 /data /logs
-
-# Environment variables (credentials should be set via environment or secrets)
-ENV RUSTFS_ADDRESS=:9000 \
-    RUSTFS_ACCESS_KEY=rustfsadmin \
-    RUSTFS_SECRET_KEY=rustfsadmin \
-    RUSTFS_CONSOLE_ENABLE=true \
-    RUSTFS_VOLUMES=/data \
-    RUST_LOG=warn \
-    RUSTFS_OBS_LOG_DIRECTORY=/logs \
-    RUSTFS_SINKS_FILE_PATH=/logs
+    chmod 0750 /data /logs
+
+# Default environment (can be overridden in docker run/compose)
+ENV RUSTFS_ADDRESS=":9000" \
+    RUSTFS_ACCESS_KEY="rustfsadmin" \
+    RUSTFS_SECRET_KEY="rustfsadmin" \
+    RUSTFS_CONSOLE_ENABLE="true" \
+    RUSTFS_VOLUMES="/data" \
+    RUST_LOG="warn" \
+    RUSTFS_OBS_LOG_DIRECTORY="/logs" \
+    RUSTFS_SINKS_FILE_PATH="/logs" \
+    RUSTFS_USERNAME="rustfs" \
+    RUSTFS_GROUPNAME="rustfs" \
+    RUSTFS_UID="1000" \
+    RUSTFS_GID="1000"
 
-# Expose port
 EXPOSE 9000
-
-# Volumes for data and logs
 VOLUME ["/data", "/logs"]
 
-# Set entry point
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/bin/rustfs"]
-