@qrkourier
Last active April 8, 2025 15:52
ziti-edge-tunnel Dockerfile for Debian
# This may still be useful for building 32-bit ARM images. For example, assuming the binary was built in the default path:
# docker buildx build --platform linux/arm/v7 --file ./Dockerfile.debian --tag ziti-edge-tunnel:armv7 .
#
# The "run-host" run command doesn't require elevated privileges.
# Using "docker run --network container:myserverapp" instead of "--network host" would allow this container to host services that target the loopback interface of "myserverapp".
# docker run --name ziti-host --detach --restart unless-stopped --network host --volume ziti-host:/ziti-edge-tunnel --env ZITI_ENROLL_TOKEN="$(< /tmp/jwt)" ziti-edge-tunnel:armv7
#
FROM debian:buster-slim AS fetch-ziti-artifacts
WORKDIR /
RUN apt-get -q update && apt-get -q install -y --no-install-recommends ca-certificates
# workaround for `openssl rehash` not working on arm.
RUN /bin/bash -c "if ! compgen -G '/etc/ssl/certs/*.[0-9]' > /dev/null; then c_rehash /etc/ssl/certs; fi"
################
#
# Main Image
#
################
FROM debian:buster-slim
RUN mkdir -p /usr/local/bin /etc/ssl/certs
# libsystemd0: provides the libsystemd shared object, needed together with
#   --volume "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket"
#   to talk to the host's dbus socket and configure systemd-resolved
# iproute2: provides /sbin/ip, needed together with
#   --device="/dev/net/tun:/dev/net/tun"
#   to bring up the tun device, assign routes, and assign the source IP
# The apt package lists are removed in the same layer so they don't ship in the final image.
RUN apt-get -q update && apt-get -q install -y --no-install-recommends iproute2 libsystemd0 \
    && rm -rf /var/lib/apt/lists/*
COPY --from=fetch-ziti-artifacts /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY ./build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel /usr/local/bin/
COPY ./docker/docker-entrypoint.sh /
RUN chmod +x /docker-entrypoint.sh
RUN mkdir -p /ziti-edge-tunnel
ENTRYPOINT [ "/docker-entrypoint.sh" ]
CMD [ "run-host" ]