Dockerfile.musl-base

# syntax=docker/dockerfile:1

# Which Toolchain Tag to use
ARG IMAGE_TAG=x86_64-musl
# Which registry to use for the musl-toolchain
ARG TOOLCHAIN_REGISTRY=ghcr.io

# Extract the pre-build toolchain from the musl-toolchain image
# This doesn't need to be build everytime since not much will change
FROM ${TOOLCHAIN_REGISTRY}/blackdex/musl-toolchain:${IMAGE_TAG} AS musl-toolchain

# Start building the musl-base
# https://hub.docker.com/_/ubuntu
FROM docker.io/library/ubuntu:22.04

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

ENV DEBIAN_FRONTEND=noninteractive \
    LANG=C.UTF-8 \
    TERM=xterm-256color \
    TZ=UTC

# hadolint ignore=DL3008
RUN apt-get update && \
    apt-get install -y \
        autoconf \
        automake \
        build-essential \
        cmake \
        libtool \
        pkg-config \
        curl \
        file \
        git \
        tzdata \
        ca-certificates \
        libclang-dev \
        --no-install-recommends \
        && \
    # Cleanup apt
    apt-get clean -y && \
    rm -rf /var/cache/* /var/lib/apt/lists/* && \
    # Default cleanups
    find /var/log -type f -delete

# Define the target and openssl architecture to use during build
ARG TARGET=x86_64-unknown-linux-musl
ARG OPENSSL_ARCH=linux-x86_64
ARG ARCH_CPPFLAGS=

ENV TARGET="${TARGET}" \
    TARGET_PREFIX=/usr/local/musl \
    RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    SYSROOT="/usr/local/musl/${TARGET}"

ENV PATH="${TARGET_PREFIX}/bin:${CARGO_HOME}/bin:${PATH}" \
    TARGET_PKG_CONFIG_PATH="${TARGET_PREFIX}/lib/pkgconfig" \
    TARGET_LD="${TARGET}-ld" \
    TARGET_AR="${TARGET}-ar" \
    TARGET_CC="${TARGET}-gcc" \
    TARGET_CXX="${TARGET}-g++" \
    TARGET_RANLIB="${TARGET}-ranlib" \
    TARGET_LDFLAGS="-flto=auto -s -pie -static-libstdc++ -L${TARGET_PREFIX}/lib -L${SYSROOT}/lib" \
    SHARED_CPPFLAGS="-I${TARGET_PREFIX}/include -I${SYSROOT}/include ${ARCH_CPPFLAGS}" \
    SHARED_CFLAGS="--sysroot=${SYSROOT} -g0 -O2 -fstack-clash-protection -fstack-protector-strong -fPIE -pie -fpie -Wl,-pie --static -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--sort-common -Wa,--noexecstack" \
    RUST_MUSL_CROSS_TARGET="${TARGET}" \
    # pkg-config
    PKG_CONFIG_PATH="${TARGET_PREFIX}/lib/pkgconfig" \
    PKG_CONFIG_LIBDIR="${TARGET_PREFIX}/lib:${SYSROOT}/lib" \
    PKG_CONFIG_SYSTEM_LIBRARY_PATH="${TARGET_PREFIX}/lib:${SYSROOT}/lib" \
    PKG_CONFIG_SYSTEM_INCLUDE_PATH="${TARGET_PREFIX}/include:${SYSROOT}/include" \
    # Library versions
    SSL_VER="3.0.15" \
    CURL_VER="8.11.0" \
    ZLIB_VER="1.3.1" \
    PQ_11_VER="11.22" \
    PQ_15_VER="15.9" \
    PQ_16_VER="16.5" \
    SQLITE_VER="3470000" \
    MARIADB_VER="3.3.11" \
    LIBXML2_VER="2.13.5"

WORKDIR /tmp

COPY --from=musl-toolchain "/usr/local/musl" "${TARGET_PREFIX}"

RUN mkdir -p "${TARGET_PREFIX}/tbin" /home/rust/src && \
    # Create a symlink to the SYSROOT, this could help with some builds
    ln -sfrn "${SYSROOT}" "/${TARGET}"

# Build zlib (used in openssl, curl, pq, sqlite and mariadb)
# hadolint ignore=DL3003
RUN echo "zlib" && \
    curl -sSL "https://zlib.net/zlib-${ZLIB_VER}.tar.gz" | tar xz && \
    cd "zlib-${ZLIB_VER}" && \
    PKG_CONFIG_PATH="${TARGET_PKG_CONFIG_PATH}" \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    CFLAGS="${SHARED_CFLAGS} -flto=auto -ffat-lto-objects" \
    CC="${TARGET_CC}" \
    ./configure \
      --static \
      --prefix="${TARGET_PREFIX}" && \
    make -j"$(nproc)" && make install && \
    cd /tmp && rm -rf "zlib-${ZLIB_VER}" && \
    # Default cleanups
    find /var/log -type f -delete && rm -rf "${TARGET_PREFIX}/share/man"

# Build OpenSSL (used in curl, pq and mariadb)
# hadolint ignore=DL3003
RUN echo "OpenSSL" && \
    curl -sSL "https://github.com/openssl/openssl/releases/download/openssl-${SSL_VER}/openssl-${SSL_VER}.tar.gz" | tar xz && \
    cd "openssl-${SSL_VER}" && \
    # Download patches for openssl from Alpine to fix CVE's
    # https://pkgs.alpinelinux.org/packages?name=openssl&branch=v3.17&arch=x86_64
    # curl -sSL --retry 3 -o CVE-2023-5678.patch https://git.alpinelinux.org/aports/plain/main/openssl/CVE-2023-5678.patch?h=23d17714028463345b828a18b551172bdddd4eb3 && \
    # Apply these patches
    # git apply --verbose CVE-2023-5678.patch && \
    PKG_CONFIG_PATH="${TARGET_PKG_CONFIG_PATH}" \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    # We can't enable `-flto=auto -ffat-lto-objects` this generates an error which causes other libraries to also fail subsequently.
    # See: https://github.com/openssl/openssl/issues/18663
    CFLAGS="${SHARED_CFLAGS}" \
    CC="${TARGET_CC}" \
    ./Configure \
      # Disable several features, either insecure or not working that well on musl libc or not needed at all
      no-dso \
      no-shared \
      no-ssl3 \
      no-tests \
      no-unit-test \
      no-comp \
      no-zlib \
      no-zlib-dynamic \
      ## rust-openssl currently enables legacy, lets do the same here
      # no-legacy \
      no-md2 \
      no-rc5 \
      no-weak-ssl-ciphers \
      no-camellia \
      no-idea \
      no-seed \
      no-engine \
      no-async \
      # Some Alpine defined configure arguments
      no-mdc2 \
      no-ec2m \
      # Set which OpenSSL Architecture needs to be used
      ${OPENSSL_ARCH} \
      --openssldir="${TARGET_PREFIX}/ssl" \
      --libdir="${TARGET_PREFIX}/lib" \
      --prefix="${TARGET_PREFIX}" && \
    make -j"$(nproc)" depend && \
    make -j"$(nproc)" build_libs && \
    make -j"$(nproc)" build_programs && \
    make install_dev install_runtime && \
    cd /tmp && rm -rf "openssl-${SSL_VER}" && \
    # Move the compiled binaries out off the main musl bin to tbin
    mv -t "${TARGET_PREFIX}/tbin" "${TARGET_PREFIX}/bin/openssl" "${TARGET_PREFIX}/bin/c_rehash" && \
    # Default cleanups
    find /var/log -type f -delete && rm -rf "${TARGET_PREFIX}/share/man"

# Build curl (needs with-zlib and all this stuff to allow https)
# hadolint ignore=DL3003
RUN echo "libcurl" && \
    curl -sSL "https://curl.se/download/curl-${CURL_VER}.tar.gz" | tar xz && \
    cd "curl-${CURL_VER}" && \
    # Rename libatomic.la to libatomic.la_disabled
    if [[ "${TARGET}" == "arm-unknown-linux-musleabi" ]] ; then \
      mv -vf "${SYSROOT}/lib/libatomic.la" "${SYSROOT}/lib/libatomic.la_disabled" && \
      export LIBS="-latomic" ; \
    fi && \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    CFLAGS="${SHARED_CFLAGS} -flto=auto -ffat-lto-objects" \
    CC="${TARGET_CC}" \
    ./configure \
      --with-sysroot="${SYSROOT}" \
      --host="${TARGET}" \
      --target="${TARGET}" \
      --disable-shared \
      --enable-static \
      --enable-ipv6 \
      --with-zlib \
      --with-openssl \
      --disable-ldap \
      --disable-manual \
      --disable-docs \
      --without-libpsl \
      --without-libgsasl \
      --without-libidn2 \
      --without-libssh2 \
      --enable-optimize \
      --with-ca-path=/etc/ssl/certs/ \
      --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \
      --with-ca-fallback \
      --bindir="${TARGET_PREFIX}/tbin" \
      --sbindir="${TARGET_PREFIX}/tbin" \
      --prefix="${TARGET_PREFIX}" && \
    make -j"$(nproc)" && make install && \
    cd /tmp && rm -rf "curl-${CURL_VER}" && \
    # Rename libatomic.la_disabled back to libatomic.la
    if [[ "${TARGET}" == "arm-unknown-linux-musleabi" ]] ; then \
      mv -vf "${SYSROOT}/lib/libatomic.la_disabled" "${SYSROOT}/lib/libatomic.la" ; \
    fi && \
    # Default cleanups
    find /var/log -type f -delete && rm -rf "${TARGET_PREFIX}/share/man"

# Build libpq v11
# hadolint ignore=DL3003
RUN echo "PostgreSQL v11" && \
    curl -sSL "https://ftp.postgresql.org/pub/source/v${PQ_11_VER}/postgresql-${PQ_11_VER}.tar.gz" | tar xz && \
    cd "postgresql-${PQ_11_VER}" && \
    if [[ "${TARGET}" == "arm-unknown-linux-musleabi" ]] ; then export LIBS="-latomic" ; fi && \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    CFLAGS="${SHARED_CFLAGS} -flto=auto -ffat-lto-objects" \
    CC="${TARGET_CC}" \
   ./configure \
      --host="${TARGET}" \
      --target="${TARGET}" \
      --without-readline \
      --with-openssl \
      --disable-rpath \
      --with-system-tzdata=/usr/share/zoneinfo \
      --prefix="${TARGET_PREFIX}/pq11" && \
    # build libpq only
    cd src/interfaces/libpq && \
      make -j"$(nproc)" all-static-lib && \
      make -j"$(nproc)" install-lib-static && \
    cd /tmp && rm -rf "postgresql-${PQ_11_VER}" && \
    # Default cleanups
    find /var/log -type f -delete && rm -rf "${TARGET_PREFIX}/share/man"

# Build libpq v15
# hadolint ignore=DL3003
RUN echo "PostgreSQL v15" && \
    curl -sSL "https://ftp.postgresql.org/pub/source/v${PQ_15_VER}/postgresql-${PQ_15_VER}.tar.gz" | tar xz && \
    cd "postgresql-${PQ_15_VER}" && \
    if [[ "${TARGET}" == "arm-unknown-linux-musleabi" ]] ; then export LIBS="-latomic" ; fi && \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    CFLAGS="${SHARED_CFLAGS} -flto=auto -ffat-lto-objects" \
    CC="${TARGET_CC}" \
   ./configure \
      --host="${TARGET}" \
      --target="${TARGET}" \
      --without-readline \
      --with-ssl=openssl \
      --disable-rpath \
      --with-system-tzdata=/usr/share/zoneinfo \
      --prefix="${TARGET_PREFIX}/pq15" && \
    # build common, port and libpq only
    cd src/common && \
      make -j"$(nproc)" all && \
      make -j"$(nproc)" install && \
    cd ../../src/port && \
      make -j"$(nproc)" all && \
      make -j"$(nproc)" install && \
    cd ../../src/interfaces/libpq && \
      make -j"$(nproc)" all-static-lib && \
      make -j"$(nproc)" install-lib-static && \
    # Merge these libraries so pq-sys will work without using pkg-config
    cd "${TARGET_PREFIX}/pq15/lib" && \
      mkdir -v merge && cd merge && \
      # Extract the generated .a files
      "${TARGET_AR}" x ../libpq.a && \
      "${TARGET_AR}" x ../libpgcommon.a && \
      "${TARGET_AR}" x ../libpgport.a && \
      # Merge all these files again into one libpq.a file
      # This is needed because the pq-sys crate only checks this file: https://github.com/sgrif/pq-sys/issues/27
      "${TARGET_AR}" cvq libpq.a ./*.o && \
      # Move and cleanup
      mv -vf libpq.a ../libpq.a && \
      cd ../ && \
      "${TARGET_AR}" sv libpq.a && \
      rm -rf merge libpgcommon* libpgport* && \
    # Remove the source
    cd /tmp && rm -rf "postgresql-${PQ_15_VER}" && \
    # Default cleanups
    find /var/log -type f -delete && rm -rf "${TARGET_PREFIX}/pq15/share/man"

# Build libpq v16
# hadolint ignore=DL3003
RUN echo "PostgreSQL v16" && \
    curl -sSL "https://ftp.postgresql.org/pub/source/v${PQ_16_VER}/postgresql-${PQ_16_VER}.tar.gz" | tar xz && \
    cd "postgresql-${PQ_16_VER}" && \
    if [[ "${TARGET}" == "arm-unknown-linux-musleabi" ]] ; then export LIBS="-latomic" ; fi && \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    CFLAGS="${SHARED_CFLAGS} -flto=auto -ffat-lto-objects" \
    CC="${TARGET_CC}" \
   ./configure \
      --host="${TARGET}" \
      --target="${TARGET}" \
      --without-readline \
      --with-ssl=openssl \
      --disable-rpath \
      --without-icu \
      --with-system-tzdata=/usr/share/zoneinfo \
      --prefix="${TARGET_PREFIX}/pq16" && \
    # build common, port and libpq only
    cd src/common && \
      make -j"$(nproc)" all && \
      make -j"$(nproc)" install && \
    cd ../../src/port && \
      make -j"$(nproc)" all && \
      make -j"$(nproc)" install && \
    cd ../../src/interfaces/libpq && \
      make -j"$(nproc)" all-static-lib && \
      make -j"$(nproc)" install-lib-static && \
    # Merge these libraries so pq-sys will work without using pkg-config
    cd "${TARGET_PREFIX}/pq16/lib" && \
      mkdir -v merge && cd merge && \
      # Extract the generated .a files
      "${TARGET_AR}" x ../libpq.a && \
      "${TARGET_AR}" x ../libpgcommon.a && \
      "${TARGET_AR}" x ../libpgport.a && \
      # Merge all these files again into one libpq.a file
      # This is needed because the pq-sys crate only checks this file: https://github.com/sgrif/pq-sys/issues/27
      "${TARGET_AR}" cvq libpq.a ./*.o && \
      # Move and cleanup
      mv -vf libpq.a ../libpq.a && \
      cd ../ && \
      "${TARGET_AR}" sv libpq.a && \
      rm -rf merge libpgcommon* libpgport* && \
    # Remove the source
    cd /tmp && rm -rf "postgresql-${PQ_16_VER}" && \
    # Default cleanups
    find /var/log -type f -delete && rm -rf "${TARGET_PREFIX}/pq16/share/man"

# Build libsqlite3
# hadolint ignore=DL3003
RUN echo "SQLite3" && \
    curl -sSL "https://www.sqlite.org/2024/sqlite-autoconf-${SQLITE_VER}.tar.gz" | tar xz && \
    cd "sqlite-autoconf-${SQLITE_VER}" && \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    CFLAGS="${SHARED_CFLAGS} -flto=auto -ffat-lto-objects" \
    CC="${TARGET_CC}" \
    # libsqlite3-sys crate default flags
    CFLAGS+=" -DSQLITE_CORE" \
    CFLAGS+=" -DSQLITE_DEFAULT_FOREIGN_KEYS=1" \
    CFLAGS+=" -DSQLITE_ENABLE_API_ARMOR" \
    CFLAGS+=" -DSQLITE_ENABLE_COLUMN_METADATA" \
    CFLAGS+=" -DSQLITE_ENABLE_DBSTAT_VTAB" \
    CFLAGS+=" -DSQLITE_ENABLE_FTS3" \
    CFLAGS+=" -DSQLITE_ENABLE_FTS3_PARENTHESIS" \
    CFLAGS+=" -DSQLITE_ENABLE_FTS5" \
    CFLAGS+=" -DSQLITE_ENABLE_JSON1" \
    CFLAGS+=" -DSQLITE_ENABLE_MEMORY_MANAGEMENT" \
    CFLAGS+=" -DSQLITE_ENABLE_RTREE" \
    CFLAGS+=" -DSQLITE_ENABLE_STAT2" \
    CFLAGS+=" -DSQLITE_ENABLE_STAT4" \
    CFLAGS+=" -DSQLITE_SOUNDEX" \
    CFLAGS+=" -DSQLITE_THREADSAFE=1" \
    CFLAGS+=" -DSQLITE_USE_URI" \
    CFLAGS+=" -DHAVE_USLEEP=1" \
    CFLAGS+=" -D_POSIX_THREAD_SAFE_FUNCTIONS" \
    CFLAGS+=" -DHAVE_ISNAN" \
    CFLAGS+=" -DHAVE_LOCALTIME_R" \
    CFLAGS+=" -DSQLITE_ENABLE_UNLOCK_NOTIFY" \
    CFLAGS+=" -DSQLITE_ENABLE_PREUPDATE_HOOK" \
    CFLAGS+=" -DSQLITE_ENABLE_SESSION" \
    # Alpine pkg default flags
    CFLAGS+=" -DSQLITE_SECURE_DELETE" \
    CFLAGS+=" -DSQLITE_ENABLE_FTS4" \
    CFLAGS+=" -DSQLITE_MAX_VARIABLE_NUMBER=250000" \
    CFLAGS+=" -DSQLITE_MAX_EXPR_DEPTH=10000" \
    CFLAGS+=" -DSQLITE_ENABLE_GEOPOLY=1" \
    ./configure \
      --with-sysroot="${SYSROOT}" \
      --host="${TARGET}" \
      --target="${TARGET}" \
      --disable-shared \
      --enable-static \
      --enable-threadsafe \
      --enable-fts3 \
      --enable-fts4 \
      --enable-fts5 \
      --enable-rtree \
      --enable-dynamic-extensions \
      --bindir="${TARGET_PREFIX}/tbin" \
      --sbindir="${TARGET_PREFIX}/tbin" \
      --prefix="${TARGET_PREFIX}" && \
    # rpath removal - Same as Alpine
    sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool && \
    sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool && \
    make -j"$(nproc)" && make install && \
    cd /tmp && rm -rf "sqlite-autoconf-${SQLITE_VER}" && \
    # Default cleanups
    find /var/log -type f -delete && rm -rf "${TARGET_PREFIX}/share/man"

# Building MariaDB
# It seems that MariaDB has some issues when compiled with LTO enabled https://jira.mariadb.org/browse/MDEV-25633
# Therefor i will not compile MariaDB with LTO, but -O2 should help a bit in getting some better performance.
# hadolint ignore=DL3003,SC2016
RUN echo "MariaDB Connector/C" && \
    curl -sSL "https://github.com/mariadb-corporation/mariadb-connector-c/archive/refs/tags/v${MARIADB_VER}.tar.gz" | tar xz && \
    cd "mariadb-connector-c-${MARIADB_VER}" && \
    # Download patches for mariadb from Alpine to fix building issues
    # https://pkgs.alpinelinux.org/packages?name=mariadb-connector-c&branch=v3.20&arch=x86_64
    curl -sSL --retry 3 -o unused-parameter.patch https://git.alpinelinux.org/aports/plain/main/mariadb-connector-c/unused-parameter.patch?id=7b23681869b1fdf0c8b7c11d7c0c0a94fcaedf03 && \
    # Apply these patches
    git apply --verbose unused-parameter.patch && \
    # Prevent shared library from being build, building the shared library will cause linking errors, and we do not use it at all.
    sed -i 's#ADD_LIBRARY(libmariadb SHARED ${libmariadb_RC} ${MARIADB_OBJECTS} ${EMPTY_FILE})#ADD_LIBRARY(libmariadb STATIC ${libmariadb_RC} ${MARIADB_OBJECTS} ${EMPTY_FILE})#' libmariadb/CMakeLists.txt && \
    if [[ "${TARGET}" == "arm-unknown-linux-musleabi" ]] ; then \
      echo -e "%rename libgcc old_libgcc\n*libgcc:\n-latomic %(old_libgcc)" > /tmp/gcc-atomic-patch.specs && \
      export _GCC_SPECS="-specs=/tmp/gcc-atomic-patch.specs" ; \
    fi && \
    # Build the patched version
    mkdir build && cd build && \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    CFLAGS="${_GCC_SPECS} ${SHARED_CFLAGS} -flto=auto -ffat-lto-objects" \
    CC="${TARGET_CC}" \
    cmake \
      -DCMAKE_SYSROOT="${SYSROOT}" \
      -DCMAKE_IGNORE_PATH="/usr/include" \
      -DCMAKE_INSTALL_PREFIX="${TARGET_PREFIX}" \
      -DINSTALL_BINDIR="tbin" \
      -DBUILD_SHARED_LIBS=OFF \
      -DCMAKE_SYSTEM_NAME=Linux \
      -DCMAKE_HOST_SYSTEM_NAME=Linux \
      -DINSTALL_LIBDIR=lib \
      -DINSTALL_INCLUDEDIR=include/mysql \
      -DCMAKE_BUILD_TYPE=MinSizeRel \
      -DWITH_EXTERNAL_ZLIB=ON \
      -DWITH_SSL=OPENSSL \
      -DWITH_MYSQLCOMPAT=ON \
      -DWITH_UNIT_TESTS=OFF \
      -DCLIENT_PLUGIN_DIALOG=STATIC \
      -DCLIENT_PLUGIN_MYSQL_CLEAR_PASSWORD=STATIC \
      -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=STATIC \
      -DCLIENT_PLUGIN_SHA256_PASSWORD=STATIC \
      -DCLIENT_PLUGIN_CLIENT_ED25519=STATIC \
      -DCLIENT_PLUGIN_REMOTE_IO=OFF \
      -DDEFAULT_CHARSET=utf8mb4 \
    ../ && \
    make -j"$(nproc)" && make install && \
    cd /tmp && rm -rf "mariadb-connector-c-${MARIADB_VER}" && \
    # Create some compatibilty symlinks so pkg-config and diesel can find all the correct files
    ln -sfnr "${TARGET_PREFIX}/include/mysql/mariadb_version.h" "${TARGET_PREFIX}/include/mysql/mysql_version.h" && \
    # Create and fix the default pkg-config for mysqlclient using the libmariadb generated file
    # We need the library to point to mysqlclient instead of mariadb, else mysqlclient-sys crate will not link it statically!
    sed "s#Name: libmariadb#Name: mysqlclient#g" "${TARGET_PREFIX}/lib/pkgconfig/libmariadb.pc" | \
      sed "s#${TARGET_PREFIX}/lib/lib##g" | \
      sed 's#\.a##g' | \
      sed 's#-ldl\s##g' | \
      sed 's#-lmariadb#-lmysqlclient#g' > "${TARGET_PREFIX}/lib/pkgconfig/mysqlclient.pc" && \
    # Default cleanups
    find /var/log -type f -delete && rm -rf "${TARGET_PREFIX}/share/man" "${TARGET_PREFIX}/man"

# Build libxml2
# hadolint ignore=DL3003
RUN echo "libxml" && \
    curl -sSL --retry 3 "https://download.gnome.org/sources/libxml2/${LIBXML2_VER%.*}/libxml2-${LIBXML2_VER}.tar.xz" | tar xJ && \
    cd "libxml2-${LIBXML2_VER}" && \
    AR="${TARGET_AR}" \
    LD="${TARGET_LD}" \
    RANLIB="${TARGET_RANLIB}" \
    LDFLAGS="${TARGET_LDFLAGS}" \
    CPPFLAGS="${SHARED_CPPFLAGS}" \
    CFLAGS="${SHARED_CFLAGS} -flto=auto -ffat-lto-objects -fno-semantic-interposition" \
    CC="${TARGET_CC}" \
    ./configure \
      --host="${TARGET}" \
      --target="${TARGET}" \
      --enable-static \
      --disable-shared \
      --without-python \
      --without-debug \
      --with-sysroot="${SYSROOT}" \
      --bindir="${TARGET_PREFIX}/tbin" \
      --sbindir="${TARGET_PREFIX}/tbin" \
      --prefix="${TARGET_PREFIX}" && \
    # echo "done" && cd /tmp
    make -j"$(nproc)" install-binPROGRAMS install-pkgconfigDATA && \
    cd /tmp && rm -rf "libxml2-${LIBXML2_VER}" && \
    # Default cleanups
    find /var/log -type f -delete && \
    rm -rf "${TARGET_PREFIX}/share/man" "${TARGET_PREFIX}/share/doc" "${TARGET_PREFIX}/share/gtk-doc"


# Install the Rust toolchain and `musl` target.
ARG RUST_CHANNEL=stable
ARG RUSTC_HASH=

RUN echo "Triggering Rust install for channel '${RUST_CHANNEL}' and rustc-hash '${RUSTC_HASH}'." && \
    # `--target` to musl so that our users don't need to keep overriding it manually.
    # `--profile minimal` to reduce the image size, we do not need to cargo/rust manual within docker
    curl --proto '=https' --tlsv1.2 -sqSf https://sh.rustup.rs | \
      sh -s -- -y --profile minimal --component rustfmt --default-toolchain "${RUST_CHANNEL}" --target "${RUST_MUSL_CROSS_TARGET}" && \
    rustup set profile minimal && \
    # Truncate all files within the share folder, since we do not need them, but removing them prevents us from installing or updating toolchains
    find "${RUSTUP_HOME}/toolchains/${RUST_CHANNEL}-$(uname -m)-unknown-linux-gnu/share/" -type f -exec truncate -s0 {} \; && \
    # When the Rust channel is stable, we create a symlink to the stable folder with the version number
    # This prevents cargo from downloading the same stuff twice if someone overrules the version with a version number instead of stable
    if [[ "${RUST_CHANNEL}" == "stable" ]] ; then STABLE_VER=$(rustc -V | grep -oE "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]") ; ln -vfsr "${RUSTUP_HOME}/toolchains/stable-$(uname -m)-unknown-linux-gnu" "${RUSTUP_HOME}/toolchains/${STABLE_VER}-$(uname -m)-unknown-linux-gnu" ; fi && \
    echo -ne ""\
      "[build]\n"\
      "target = \"${RUST_MUSL_CROSS_TARGET}\"\n"\
      "rustflags = [\"-Ctarget-feature=+crt-static\", \"-Clink-self-contained=yes\", \"-Cprefer-dynamic=no\", \"-L/${TARGET_PREFIX}/lib\", \"-L${SYSROOT}/lib\"]\n"\
      "\n"\
      "[target.${RUST_MUSL_CROSS_TARGET}]\n"\
      "linker = \"${RUST_MUSL_CROSS_TARGET}-ld\"\n"\
      "\n" > "${CARGO_HOME}/config.toml" && \
    #
    # Link the strip command to musl-strip which is more widely used as the default strip command
    ln -sfnr "${TARGET_PREFIX}/bin/${TARGET}-strip" "${TARGET_PREFIX}/bin/musl-strip" && \
    #
    # Add some compatibility links to the new CARGO_HOME and RUSTUP_HOME directories
    # Without these it might break current CI's using this image
    ln -sfnr "${CARGO_HOME}" /root/.cargo && \
    ln -sfnr "${RUSTUP_HOME}" /root/.rustup

ENV HOST="x86_64-unknown-linux-gnu" \
    # General
    CARGO_BUILD_TARGET="${TARGET}" \
    BINDGEN_EXTRA_CLANG_ARGS="--sysroot=${SYSROOT} ${SHARED_CPPFLAGS}" \
    TARGET_C_INCLUDE_PATH="${SHARED_CPPFLAGS}" \
    PKG_CONFIG_ALLOW_CROSS=1 \
    PKG_CONFIG_ALL_STATIC=1 \
    TARGET_PKG_CONFIG_ALLOW_CROSS=1 \
    TARGET_PKG_CONFIG_PATH="${PKG_CONFIG_PATH}" \
    TARGET_PKG_CONFIG_LIBDIR="${PKG_CONFIG_LIBDIR}" \
    # pq-sys (PosgreSQL) support
    PQ_LIB_STATIC=1 \
    PQ_LIB_DIR="${TARGET_PREFIX}/pq15/lib" \
    # openssl-sys support
    OPENSSL_STATIC=1 \
    OPENSSL_DIR="${TARGET_PREFIX}" \
    OPENSSL_LIB_DIR="${TARGET_PREFIX}/lib" \
    OPENSSL_INCLUDE_DIR="${TARGET_PREFIX}/include" \
    DEP_OPENSSL_INCLUDE="${TARGET_PREFIX}/include" \
    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
    SSL_CERT_DIR=/etc/ssl/certs \
    # Rust libz-sys support
    LIBZ_SYS_STATIC=1 \
    ZLIB_STATIC=1 \
    # Rust curl-sys support
    LIBCURL_STATIC=1 \
    # Rust mysqlclient-sys support
    MYSQLCLIENT_STATIC=1 \
    # Rust libsqlite3-sys support
    SQLITE3_STATIC=1 \
    SQLITE3_LIB_DIR="${TARGET_PREFIX}/lib" \
    SQLITE3_INCLUDE_DIR="${TARGET_PREFIX}/include" \
    # Rust libxml2 support
    LIBXML_2.0_STATIC=1 \
    # If the ARCH_CPPFLAGS is set, we probably also need to pass it on to Rust.
    # For example aarch64 needs `-mno-outline-atomic` set during builds.
    # Here we pass-on the ARCH_CPPFLAGS so that Rust is able to use the same
    # Also set the correct library path to make sure all pre-build libraries will be found.
    # And some hardening flags, the same as used above to keep the binary as secure as possible.
    TARGET_CPPFLAGS="${SHARED_CPPFLAGS}" \
    TARGET_CFLAGS="--sysroot=${SYSROOT} -fstack-clash-protection -fstack-protector-strong -fPIE -pie -fpie -Wl,-pie -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--sort-common -Wl,-z,pack-relative-relocs -Wa,--noexecstack -L${TARGET_PREFIX}/lib -L${SYSROOT}/lib ${ARCH_CPPFLAGS}" \
    TARGET_CXXFLAGS="--sysroot=${SYSROOT} -fstack-clash-protection -fstack-protector-strong -fPIE -pie -fpie -Wl,-pie -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--sort-common -Wl,-z,pack-relative-relocs -Wa,--noexecstack -L${TARGET_PREFIX}/lib -L${SYSROOT}/lib ${ARCH_CPPFLAGS}" \
    # Tell some crates that we are cross compiling
    CROSS_COMPILE=1

WORKDIR /home/rust/src

LABEL maintainer="BlackDex <black.dex@gmail.com>"
LABEL org.opencontainers.image.create="$(date --utc --iso-8601=seconds)"
LABEL org.opencontainers.image.documentation="https://github.com/BlackDex/rust-musl/"
LABEL org.opencontainers.image.licenses="Apache License 2.0"
LABEL org.opencontainers.image.url="https://github.com/BlackDex/rust-musl/"
LABEL org.opencontainers.image.description="MUSL Cross Build Base Image for Rust ${TARGET} with ZLib, OpenSSL, cURL, PostgreSQL, SQLite and MariaDB static libraries"