fix(connlib): Use debian:12-slim for Rust base image (#3243)

Fixes #3215

docker-compose.yml

@@ -148,7 +148,7 @@ services:
 
   gateway:
     healthcheck:
-      test: ["CMD-SHELL", "ip link | grep tun-firezone"]
+      test: ["CMD-SHELL", "cat /proc/net/dev | grep tun-firezone"]
     environment:
       FIREZONE_TOKEN: "SFMyNTY.g2gDaAJtAAAAJDNjZWYwNTY2LWFkZmQtNDhmZS1hMGYxLTU4MDY3OTYwOGY2Zm0AAABAamp0enhSRkpQWkdCYy1vQ1o5RHkyRndqd2FIWE1BVWRwenVScjJzUnJvcHg3NS16bmhfeHBfNWJUNU9uby1yYm4GAEC0b0KJAWIAAVGA.9Oirn9t8rvQpfOhW7hwGBFVzeMm9di0xYGTlwf9cFFk"
       RUST_LOG: firezone_gateway=trace,wire=trace,connlib_gateway_shared=trace,firezone_tunnel=trace,connlib_shared=trace,warn

rust/Dockerfile

@@ -1,28 +1,31 @@
 # Global args to use in build commands
-ARG ALPINE_VERSION="3.19"
+ARG DEBIAN_VERSION="12-slim"
 ARG CARGO_CHEF_VERSION="0.1.62"
 ARG RUSTUP_VERSION="1.26.0"
-ARG RUSTUP_x86_DOWNLOAD_SHA256="7aa9e2a380a9958fc1fc426a3323209b2c86181c6816640979580f62ff7d48d4"
-ARG RUSTUP_aarch64_DOWNLOAD_SHA256="b1962dfc18e1fd47d01341e6897cace67cddfabf547ef394e8883939bd6e002e"
+ARG RUSTUP_x86_DOWNLOAD_SHA256="0b2f6c8f85a3d02fde2efc0ced4657869d73fccfce59defb4e8d29233116e6db"
+ARG RUSTUP_aarch64_DOWNLOAD_SHA256="673e336c81c65e6b16dcdede33f4cc9ed0f08bde1dbe7a935f113605292dc800"
 ARG RUST_VERSION="1.74.1"
 
-FROM alpine:${ALPINE_VERSION} as rust
+FROM debian:${DEBIAN_VERSION} as rust
 
 # Important!  Update this no-op ENV variable when this Dockerfile
 # is updated with the current date. It will force refresh of all
 # of the base images and things like `apk add` won't be using
 # old cached versions when the Dockerfile is built.
 ENV REFRESHED_AT=2023-12-11 \
+  DEBIAN_FRONTEND=noninteractive \
   LANG=C.UTF-8 \
   TERM=xterm
 
 RUN set -xe \
-  # Upgrade Alpine and base packages
-  && apk --no-cache --update-cache --available upgrade \
+  # Upgrade Debian and base packages
+  && apt-get update -qq \
   # Install required deps
-  && apk add --no-cache --update-cache \
+  && apt-get install -y --no-install-recommends \
   ca-certificates \
-  gcc
+  curl \
+  gcc \
+  libc6-dev
 
 ENV RUSTUP_HOME=/usr/local/rustup \
   CARGO_HOME=/usr/local/cargo \
@@ -33,17 +36,17 @@ ARG RUSTUP_x86_DOWNLOAD_SHA256
 ARG RUSTUP_aarch64_DOWNLOAD_SHA256
 ARG RUST_VERSION
 RUN set -eux; \
-  apkArch="$(apk --print-arch)"; \
-  case "$apkArch" in \
-  x86_64) rustArch='x86_64-unknown-linux-musl'; rustupSha256=${RUSTUP_x86_DOWNLOAD_SHA256} ;; \
-  aarch64) rustArch='aarch64-unknown-linux-musl'; rustupSha256=${RUSTUP_aarch64_DOWNLOAD_SHA256} ;; \
-  *) echo >&2 "unsupported architecture: $apkArch"; exit 1 ;; \
+  arch="$(uname -m)"; \
+  case "$arch" in \
+  x86_64) rustTarget='x86_64-unknown-linux-gnu'; rustupSha256=${RUSTUP_x86_DOWNLOAD_SHA256} ;; \
+  aarch64) rustTarget='aarch64-unknown-linux-gnu'; rustupSha256=${RUSTUP_aarch64_DOWNLOAD_SHA256} ;; \
+  *) echo >&2 "unsupported architecture: $arch"; exit 1 ;; \
   esac; \
-  url="https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/${rustArch}/rustup-init"; \
-  wget "$url"; \
+  url="https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/${rustTarget}/rustup-init"; \
+  curl "$url" -O; \
   echo "${rustupSha256} *rustup-init" | sha256sum -c -; \
   chmod +x rustup-init; \
-  ./rustup-init -y --no-modify-path --profile minimal --default-toolchain ${RUST_VERSION} --default-host ${rustArch}; \
+  ./rustup-init -y --no-modify-path --profile minimal --default-toolchain ${RUST_VERSION} --default-host ${rustTarget}; \
   rm rustup-init; \
   chmod -R a+w $RUSTUP_HOME $CARGO_HOME; \
   rustup --version; \
@@ -55,7 +58,6 @@ FROM rust as chef
 
 ARG CARGO_CHEF_VERSION
 RUN set -xe \
-  && apk add --no-cache musl-dev  \
   && cargo install cargo-chef --locked --version=${CARGO_CHEF_VERSION} \
   && rm -rf $CARGO_HOME/registry/
 
@@ -90,13 +92,14 @@ ARG PACKAGE
 RUN cargo build -p ${PACKAGE} $([ -v "${TARGET}" ] && "--target ${TARGET}")
 
 # Image which is used to run the application binary
-FROM alpine:${ALPINE_VERSION} AS runtime
+FROM debian:${DEBIAN_VERSION} AS runtime
 
 # Important!  Update this no-op ENV variable when this Dockerfile
 # is updated with the current date. It will force refresh of all
 # of the base images and things like `apk add` won't be using
 # old cached versions when the Dockerfile is built.
 ENV REFRESHED_AT=2023-10-23 \
+  DEBIAN_FRONTEND=noninteractive \
   LANG=C.UTF-8 \
   TERM=xterm \
   RUST_BACKTRACE=1
@@ -105,14 +108,17 @@ WORKDIR /bin
 
 ## curl is needed by the entrypoint script
 RUN set -xe \
-  && apk add --no-cache curl
+  && apt-get update -qq \
+  && apt-get install -y --no-install-recommends curl
 
 COPY ./docker-init.sh .
 
 ## iptables are needed only by gateway for masquerading
 ARG PACKAGE
 RUN set -xe \
-  && \[ "${PACKAGE}" = "firezone-gateway" ] && apk add --no-cache iptables ip6tables || true
+  && \[ "${PACKAGE}" = "firezone-gateway" ] \
+  && apt-get update -qq \
+  && apt-get install -y --no-install-recommends iptables || true
 
 ENTRYPOINT ["docker-init.sh"]
 
@@ -124,7 +130,8 @@ CMD $PACKAGE
 FROM runtime AS debug
 
 RUN set -xe \
-  && apk add --no-cache iperf3
+  && apt-get update -qq \
+  && apt-get install -y --no-install-recommends iperf3
 
 ARG TARGET
 COPY --from=builder /build/target/${TARGET}/debug/${PACKAGE} .

rust/docker-init.sh

@@ -2,13 +2,15 @@
 
 if [ "${FIREZONE_ENABLE_MASQUERADE}" = "1" ]; then
   IFACE="tun-firezone"
-  # TODO: Can we get away with not installing iptables? Nearly 20 MB.
-  iptables-nft -A FORWARD -i $IFACE -j ACCEPT
-  iptables-nft -A FORWARD -o $IFACE -j ACCEPT
-  iptables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE
-  ip6tables-nft -A FORWARD -i $IFACE -j ACCEPT
-  ip6tables-nft -A FORWARD -o $IFACE -j ACCEPT
-  ip6tables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE
+  # Enable masquerading for ethernet and wireless interfaces
+  iptables -C FORWARD -i $IFACE -j ACCEPT > /dev/null 2>&1 || iptables -A FORWARD -i $IFACE -j ACCEPT
+  iptables -C FORWARD -o $IFACE -j ACCEPT > /dev/null 2>&1 || iptables -A FORWARD -o $IFACE -j ACCEPT
+  iptables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || iptables -t nat -A POSTROUTING -o e+ -j MASQUERADE
+  iptables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || iptables -t nat -A POSTROUTING -o w+ -j MASQUERADE
+  ip6tables -C FORWARD -i $IFACE -j ACCEPT > /dev/null 2>&1 || ip6tables -A FORWARD -i $IFACE -j ACCEPT
+  ip6tables -C FORWARD -o $IFACE -j ACCEPT > /dev/null 2>&1 || ip6tables -A FORWARD -o $IFACE -j ACCEPT
+  ip6tables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -o e+ -j MASQUERADE
+  ip6tables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -o w+ -j MASQUERADE
 fi
 
 if [ "${LISTEN_ADDRESS_DISCOVERY_METHOD}" = "gce_metadata" ]; then