socket-btm/Dockerfile.local-dev at main · SocketDev/socket-btm · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# Local Development Dockerfile - Build binject/binpress with LIEF from source
#
# This Dockerfile is for local development and testing. It builds LIEF from source
# in the same container as binject/binpress to ensure perfect ABI compatibility.
# This matches the Depot.dev configuration (AlmaLinux 8, gcc 8.5.0, glibc 2.28).
#
# Usage:
#   docker buildx build --platform linux/amd64 \
#     -f Dockerfile.local-dev \
#     --target export \
#     --output type=local,dest=./build-output \
#     .
#
# The binaries will be exported to ./build-output/binject and ./build-output/binpress
#
# Requirements:
#   - Git submodules must be initialized (especially packages/lief-builder/upstream/lief)
#   - Run: git submodule update --init --recursive
#
FROM almalinux:8 AS lief-builder

# Install build dependencies (matching Depot.dev exactly)
ARG PNPM_VERSION=11.0.0-rc.0
RUN dnf -y update && \
    dnf -y install epel-release dnf-plugins-core && \
    dnf config-manager --set-enabled powertools && \
    dnf -y install \
        gcc-c++ \
        git \
        ccache \
        ninja-build \
        curl \
        ca-certificates \
        python3.11 \
        python3.11-pip \
        cmake \
        patch \
        glibc-static \
        libstdc++-static \
        openssl-devel \
        make \
        && \
    curl -fsSL https://rpm.nodesource.com/setup_current.x | bash - && \
    dnf -y install nodejs && \
    ARCH=$(uname -m | sed 's/x86_64/x64/' | sed 's/aarch64/arm64/') && \
    curl -fsSL -o /tmp/pnpm.tar.gz "https://github.com/pnpm/pnpm/releases/download/v${PNPM_VERSION}/pnpm-linux-${ARCH}.tar.gz" && \
    ACTUAL_SHA256=$(sha256sum /tmp/pnpm.tar.gz | cut -d' ' -f1) && \
    if [ "$ARCH" = "x64" ]; then EXPECTED="fe82b94125a6b743456b869e823611a8837b545f2535e4602578e4c9fdb5742a"; \
    else EXPECTED="69ad2d528f4a2c00fd42541a80c13491c57e66b2765b2d9d89829aeb0f6482be"; fi && \
    if [ "$ACTUAL_SHA256" != "$EXPECTED" ]; then echo "pnpm checksum mismatch!" >&2; exit 1; fi && \
    tar -xzf /tmp/pnpm.tar.gz -C /usr/local/bin && rm /tmp/pnpm.tar.gz && \
    dnf clean all

WORKDIR /workspace

# Copy workspace config and package files
COPY package.json pnpm-workspace.yaml pnpm-lock.yaml .gitmodules .node-version ./

# Copy packages (but NOT build/downloaded - we'll build LIEF from source)
COPY packages/build-infra/package.json packages/build-infra/
COPY packages/build-infra/lib packages/build-infra/lib
COPY packages/build-infra/make packages/build-infra/make
COPY packages/build-infra/scripts packages/build-infra/scripts
COPY packages/build-infra/src packages/build-infra/src

COPY packages/bin-infra/package.json packages/bin-infra/
COPY packages/bin-infra/src packages/bin-infra/src
COPY packages/bin-infra/scripts packages/bin-infra/scripts
COPY packages/bin-infra/make packages/bin-infra/make
COPY packages/bin-infra/upstream/zstd packages/bin-infra/upstream/zstd
COPY packages/bin-infra/patches packages/bin-infra/patches

COPY packages/lief-builder/package.json packages/lief-builder/
COPY packages/lief-builder/scripts packages/lief-builder/scripts
COPY packages/lief-builder/make packages/lief-builder/make
COPY packages/lief-builder/upstream/lief packages/lief-builder/upstream/lief

COPY packages/binject/package.json packages/binject/
COPY packages/binject/src packages/binject/src
COPY packages/binject/scripts packages/binject/scripts
COPY packages/binject/make packages/binject/make
COPY packages/binject/upstream packages/binject/upstream
COPY packages/binject/Makefile* packages/binject/

COPY packages/binpress/package.json packages/binpress/
COPY packages/binpress/src packages/binpress/src
COPY packages/binpress/scripts packages/binpress/scripts
COPY packages/binpress/Makefile* packages/binpress/

# Ensure zstd source is available
COPY .github/scripts/ensure-zstd.sh .github/scripts/ensure-zstd.sh
COPY .gitmodules .gitmodules
RUN .github/scripts/ensure-zstd.sh

# Build OpenSSL static library (required for SHA256 in smol_segment)
RUN curl -fsSL https://www.openssl.org/source/openssl-1.1.1w.tar.gz -o /tmp/openssl.tar.gz && \
    cd /tmp && tar xzf openssl.tar.gz && cd openssl-1.1.1w && \
    ./config no-shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl && \
    make -j$(nproc) && \
    make install_sw && \
    cd / && rm -rf /tmp/openssl*

ARG TARGETARCH=amd64

# Set library paths for OpenSSL
ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
ENV LDFLAGS="-L/usr/local/ssl/lib -lcrypto"
ENV CFLAGS="-I/usr/local/ssl/include"
ENV CXXFLAGS=""

# Install dependencies
ENV CI=true
RUN pnpm install --frozen-lockfile

# Build LIEF from source (this ensures ABI compatibility)
WORKDIR /workspace/packages/lief-builder
ENV BUILD_MODE=dev
RUN if [ "$TARGETARCH" = "amd64" ]; then \
        export CFLAGS="$CFLAGS -march=x86-64 -mtune=generic" && \
        export CXXFLAGS="$CXXFLAGS -march=x86-64 -mtune=generic"; \
    fi && \
    pnpm run build

# Build binject
WORKDIR /workspace/packages/binject
ENV BUILD_MODE=dev
RUN pnpm run build

# Build binpress
WORKDIR /workspace/packages/binpress
RUN pnpm run build

# Export binaries
FROM scratch AS export
COPY --from=lief-builder /workspace/packages/binject/build/dev/out/Final/binject /binject
COPY --from=lief-builder /workspace/packages/binpress/build/dev/out/Final/binpress /binpress