polkadot collator builder (#740)

* dockerfiles: polkadot-collator_builder.Containerfile and docs

* dockerfiles: optimize test dockerfile

docker/polkadot-collator_builder.Containerfile

@@ -0,0 +1,36 @@
+# This file is sourced from https://github.com/paritytech/polkadot/blob/master/scripts/dockerfiles/polkadot/polkadot_builder.Dockerfile
+# This is the build stage for Polkadot-collator. Here we create the binary in a temporary image.
+FROM docker.io/paritytech/ci-linux:production as builder
+
+WORKDIR /cumulus
+COPY . /cumulus
+
+RUN cargo build --release --locked -p polkadot-collator
+
+# This is the 2nd stage: a very small image where we copy the Polkadot binary."
+FROM docker.io/library/ubuntu:20.04
+
+LABEL io.parity.image.type="builder" \
+    io.parity.image.authors="devops-team@parity.io" \
+    io.parity.image.vendor="Parity Technologies" \
+    io.parity.image.description="Multistage Docker image for Polkadot-collator" \
+    io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/docker/test-parachain-collator.dockerfile" \
+    io.parity.image.documentation="https://github.com/paritytech/cumulus"
+
+COPY --from=builder /cumulus/target/release/polkadot-collator /usr/local/bin
+
+RUN useradd -m -u 1000 -U -s /bin/sh -d /cumulus polkadot-collator && \
+    mkdir -p /data /cumulus/.local/share && \
+    chown -R polkadot-collator:polkadot-collator /data && \
+    ln -s /data /cumulus/.local/share/polkadot-collator && \
+# unclutter and minimize the attack surface
+    rm -rf /usr/bin /usr/sbin && \
+# check if executable works in this container
+    /usr/local/bin/polkadot-collator --version
+
+USER polkadot-collator
+
+EXPOSE 30333 9933 9944 9615
+VOLUME ["/data"]
+
+ENTRYPOINT ["/usr/local/bin/polkadot-collator"]

docker/test-parachain-collator.dockerfile

@@ -1,23 +1,8 @@
-FROM rust:buster as builder
+# This file is sourced from https://github.com/paritytech/polkadot/blob/master/scripts/dockerfiles/polkadot/polkadot_builder.Dockerfile
+FROM docker.io/paritytech/ci-linux:production as builder
 
-RUN apt-get update && apt-get install time clang libclang-dev llvm -y
-RUN rustup toolchain install nightly
-RUN rustup target add wasm32-unknown-unknown --toolchain nightly
-RUN command -v wasm-gc || cargo +nightly install --git https://github.com/alexcrichton/wasm-gc --force
-
-WORKDIR /paritytech/cumulus
-
-# Ideally, we could just do something like `COPY . .`, but that doesn't work:
-# it busts the cache every time non-source files like inject_bootnodes.sh change,
-# as well as when non-`.dockerignore`'d transient files (*.log and friends)
-# show up. There is no way to exclude particular files, or write a negative
-# rule, using Docker's COPY syntax, which derives from go's filepath.Match rules.
-#
-# We can't combine these into a single big COPY operation like
-# `COPY collator consensus network runtime test Cargo.* .`, because in that case
-# docker will copy the _contents_ of each directory into the image workdir,
-# not the actual directory. We're stuck just enumerating them.
-COPY . .
+WORKDIR /cumulus
+COPY . /cumulus
 
 RUN cargo build --release --locked -p polkadot-collator