# shadow-rs development image — Alpine 3.23 (musl libc) # # PAM: linux-pam-dev (Linux-PAM, not OpenPAM) # SELinux: not available (Alpine doesn't ship SELinux) # Default shell: /bin/ash (busybox) # Shadow-utils package: shadow # Note: musl libc — different from glibc. Tests NSS/getpwent differences. # No SELinux. Busybox shadow-utils may differ from GNU shadow-utils. FROM rust:alpine RUN apk add --no-cache \ musl-dev \ linux-pam-dev \ linux-headers \ pkgconf \ shadow \ bash \ curl RUN rustup component add clippy rustfmt \ && curl -LsSf https://get.nexte.st/latest/linux-musl | tar zxf - -C /usr/local/cargo/bin # cargo-deny: pinned, checksum-verified prebuilt binary. The static musl build # runs on glibc too, so every image shares one asset. Installing the binary # (instead of `cargo install cargo-deny`) skips a multi-minute source compile. ARG CARGO_DENY_VERSION=0.19.8 ARG CARGO_DENY_SHA256=70e769ae3872e34d45132b17040859175e11401dc12dddb0303e0b8c7d088f3f RUN curl -LsSf "https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" -o /tmp/cargo-deny.tar.gz \ && echo "${CARGO_DENY_SHA256} /tmp/cargo-deny.tar.gz" | sha256sum -c - \ && tar zxf /tmp/cargo-deny.tar.gz -C /tmp \ && install -m 0755 "/tmp/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny" /usr/local/cargo/bin/cargo-deny \ && rm -rf /tmp/cargo-deny.tar.gz "/tmp/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl" \ && cargo-deny --version RUN adduser -D -s /bin/bash testuser \ && adduser -D -s /bin/sh testuser2 \ && addgroup testgroup \ && addgroup testuser testgroup WORKDIR /workspace CMD ["/bin/bash"]