Skip to content

docs: Add a section in the Rust guide to use DHI #23728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
edithturn wants to merge 6 commits into
base: main
Choose a base branch
from
+133 −28
Open

docs: Add a section in the Rust guide to use DHI #23728

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
9ca5425
Add a DHI section to the Rust guide with DHI-based Dockerfile example
edithturn Nov 16, 2025
62a3794
Updated Rust Version from 1.71.1 to the latest 1.91.1
edithturn Nov 22, 2025
b772b34
Update build output
edithturn Nov 22, 2025
21f4de5
Merge branch 'docker:main' into rust-dhi
edithturn Jan 2, 2026
8caefe4
docs: update Rust build guide for public Docker Hardened Images
edithturn Jan 2, 2026
175dd2f
Update content/guides/rust/build-images.md
edithturn Jan 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
161 changes: 133 additions & 28 deletions content/guides/rust/build-images.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ This utility will walk you through creating the following files with sensible de
Let's get started!

? What application platform does your project use? Rust
? What version of Rust do you want to use? 1.70.0
? What version of Rust do you want to use? 1.92.0
? What port does your server listen on? 8000
```

Expand All @@ -62,6 +62,92 @@ directory:
- compose.yaml
- README.Docker.md

## Choose a base image

Before editing your Dockerfile, you need to choose a base image. You can use the [Rust Docker Official Image](https://hub.docker.com/_/rust),
or a [Docker Hardened Image (DHI)](https://hub.docker.com/hardened-images/catalog/dhi/rust).

Docker Hardened Images (DHIs) are minimal, secure, and production-ready base images maintained by Docker.
They help reduce vulnerabilities and simplify compliance. For more details, see [Docker Hardened Images](/dhi/).

{{< tabs >}}
Copy link
Contributor

@craig-osterhout craig-osterhout Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like there's only one tab. Suggest using 2 tabs, one for doi/docker init, and one for dhi. For example, see the bun guide at https://raw.githubusercontent.com/docker/docs/refs/heads/main/content/guides/bun/containerize.md

{{< tab name="Using Docker Hardened Images" >}}

Docker Hardened Images (DHIs) are publicly available and can be used directly as base images.
To pull Docker Hardened Images, authenticate once with Docker:

```bash
docker login dhi.io
```

Use DHIs from the dhi.io registry, for example:

```bash
FROM dhi.io/rust:${RUST_VERSION}-alpine AS build
Copy link
Contributor

@craig-osterhout craig-osterhout Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an example, so not critical, but no tag with -alpine exists. Suggest:

FROM dhi.io/rust:${RUST_VERSION}-alpine3.22-dev AS build

```

The following Dockerfile is equivalent to the one generated by `docker init`, but it uses a Rust DHI as the build base image:

```dockerfile {title=Dockerfile}
# Make sure RUST_VERSION matches the Rust version
ARG RUST_VERSION=1.92
ARG APP_NAME=docker-rust-hello

################################################################################
# Create a stage for building the application.

FROM rust:${RUST_VERSION}-alpine AS build
Copy link
Contributor

@craig-osterhout craig-osterhout Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This works, but it looks like this should be the dhi example.

FROM dhi.io/rust:${RUST_VERSION}-alpine3.22-dev AS build

ARG APP_NAME
WORKDIR /app

# Install host build dependencies.
RUN apk add --no-cache clang lld musl-dev git

# Build the application.
RUN --mount=type=bind,source=src,target=src \
--mount=type=bind,source=Cargo.toml,target=Cargo.toml \
--mount=type=bind,source=Cargo.lock,target=Cargo.lock \
--mount=type=cache,target=/app/target/ \
--mount=type=cache,target=/usr/local/cargo/git/db \
--mount=type=cache,target=/usr/local/cargo/registry/ \
cargo build --locked --release && \
cp ./target/release/$APP_NAME /bin/server

################################################################################
# Create a new stage for running the application that contains the minimal
FROM alpine:3.18 AS final
Copy link
Contributor

@craig-osterhout craig-osterhout Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This works, but suggest using a dhi as the runtime also.

FROM dhi.io/alpine-base:3.22 AS final

Could probably also use static dhi with the compiled binary for even less attack surface.


# Create a non-privileged user that the app will run under.
ARG UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
appuser
USER appuser

# Copy the executable from the "build" stage.
COPY --from=build /bin/server /bin/

# Configure rocket to listen on all interfaces.
ENV ROCKET_ADDRESS=0.0.0.0

# Expose the port that the application listens on.
EXPOSE 8000

# What the container should run when it is started.
CMD ["/bin/server"]

```

{{< /tab >}}
{{< /tabs >}}



For building an image, only the Dockerfile is necessary. Open the Dockerfile
in your favorite IDE or text editor and see what it contains. To learn more
about Dockerfiles, see the [Dockerfile reference](/reference/dockerfile.md).
Expand Down Expand Up @@ -91,27 +177,47 @@ $ docker build --tag docker-rust-image .
You should see output like the following.

```console
[+] Building 62.6s (14/14) FINISHED
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 2.70kB 0.0s
=> resolve image config for docker.io/docker/dockerfile:1 2.3s
=> CACHED docker-image://docker.io/docker/dockerfile:1@sha256:39b85bbfa7536a5feceb7372a0817649ecb2724562a38360f4d6a7782a409b14 0.0s
=> [internal] load metadata for docker.io/library/debian:bullseye-slim 1.9s
=> [internal] load metadata for docker.io/library/rust:1.70.0-slim-bullseye 1.7s
=> [build 1/3] FROM docker.io/library/rust:1.70.0-slim-bullseye@sha256:585eeddab1ec712dade54381e115f676bba239b1c79198832ddda397c1f 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 35.29kB 0.0s
=> [final 1/3] FROM docker.io/library/debian:bullseye-slim@sha256:7606bef5684b393434f06a50a3d1a09808fee5a0240d37da5d181b1b121e7637 0.0s
=> CACHED [build 2/3] WORKDIR /app 0.0s
=> [build 3/3] RUN --mount=type=bind,source=src,target=src --mount=type=bind,source=Cargo.toml,target=Cargo.toml --mount= 57.7s
=> CACHED [final 2/3] RUN adduser --disabled-password --gecos "" --home "/nonexistent" --shell "/sbin/nologin" 0.0s
=> CACHED [final 3/3] COPY --from=build /bin/server /bin/ 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:f1aa4a9f58d2ecf73b0c2b7f28a6646d9849b32c3921e42adc3ab75e12a3de14 0.0s
=> => naming to docker.io/library/docker-rust-image
[+] Building 85.0s (18/18) FINISHED docker:desktop-linux
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 2.88kB 0.0s
=> resolve image config for docker-image://docker.io/docker/dockerfile:1 0.8s
=> [auth] docker/dockerfile:pull token for registry-1.docker.io 0.0s
=> CACHED docker-image://docker.io/docker/dockerfile:1@sha256:b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6 0.0s
=> => resolve docker.io/docker/dockerfile:1@sha256:b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6 0.0s
=> [internal] load metadata for docker.io/library/rust:1.92-alpine 1.3s
=> [internal] load metadata for docker.io/library/alpine:3.18 0.5s
=> [auth] library/rust:pull token for registry-1.docker.io 0.0s
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 646B 0.0s
=> [build 1/4] FROM docker.io/library/rust:1.92-alpine@sha256:f6c22e0a256c05d44fca23bf530120b5d4a6249a393734884281ca80782329bc 9.0s
=> => resolve docker.io/library/rust:1.92-alpine@sha256:f6c22e0a256c05d44fca23bf530120b5d4a6249a393734884281ca80782329bc 0.1s
=> => sha256:4150afa531694b681cd299599f1d2391c5f4a409844096124ffc475e4eb1ea2f 268.07MB / 268.07MB 6.6s
=> => sha256:1074353eec0db2c1d81d5af2671e56e00cf5738486f5762609ea33d606f88612 3.86MB / 3.86MB 0.4s
=> => sha256:14182cde8de9d61826651827a8dd082edaa51d4a5a8e9567c2a1e416e32c75e8 75.12MB / 75.12MB 1.9s
=> => extracting sha256:1074353eec0db2c1d81d5af2671e56e00cf5738486f5762609ea33d606f88612 0.1s
=> => extracting sha256:14182cde8de9d61826651827a8dd082edaa51d4a5a8e9567c2a1e416e32c75e8 0.8s
=> => extracting sha256:4150afa531694b681cd299599f1d2391c5f4a409844096124ffc475e4eb1ea2f 1.9s
=> [final 1/3] FROM docker.io/library/alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f 0.1s
=> => resolve docker.io/library/alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f 0.1s
=> [internal] load build context 0.1s
=> => transferring context: 41.56kB 0.0s
=> CACHED [final 2/3] RUN adduser --disabled-password --gecos "" --home "/nonexistent" --shell "/sbin/nologin" --no-create-home --uid "10001" appuse 0.0s
=> [build 2/4] WORKDIR /app 0.4s
=> [build 3/4] RUN apk add --no-cache clang lld musl-dev git 2.8s
=> [build 4/4] RUN --mount=type=bind,source=src,target=src --mount=type=bind,source=Cargo.toml,target=Cargo.toml --mount=type=bind,source=Cargo.lock,target=Cargo.lock 69.9s
=> [final 3/3] COPY --from=build /bin/server /bin/ 0.1s
=> exporting to image 0.4s
=> => exporting layers 0.3s
=> => exporting manifest sha256:46028e22a9d976f062b51b2444bf0ccaf3930637e70fe576c8185029e2d91927 0.0s
=> => exporting config sha256:948f75c524906ae8444ec8fc8b95b9e773878b5b5123586391f54e34aad4c493 0.0s
=> => exporting attestation manifest sha256:71e9aac25186f83b404bd91433d72a5a764a378c6f5ef75098da92a9990483f7 0.0s
=> => exporting manifest list sha256:c713a4f71c510999215a4a3e7f225fea7c9a26df118504906486a6e934f0beb0 0.0s
=> => naming to docker.io/library/docker-rust-image:latest 0.0s
=> => unpacking to docker.io/library/docker-rust-image:latest 0.0s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/zudqyd9mk3zaq1bl1h6q7vsiz

```

## View local images
Expand All @@ -123,7 +229,7 @@ To list images, run the `docker images` command.
```console
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker-rust-image latest 8cae92a8fbd6 3 minutes ago 123MB
docker-rust-image latest 41423bf3040a 3 minutes ago 5.33MB
```

You should see at least one image listed, including the image you just built `docker-rust-image:latest`.
Expand All @@ -147,9 +253,8 @@ Now, run the `docker images` command to see a list of the local images.
```console
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker-rust-image latest 8cae92a8fbd6 4 minutes ago 123MB
docker-rust-image v1.0.0 8cae92a8fbd6 4 minutes ago 123MB
rust latest be5d294735c6 4 minutes ago 113MB
docker-rust-image latest 41423bf3040a 4 minutes ago 5.33MB
docker-rust-image v1.0.0 41423bf3040a 4 minutes ago 5.33MB
```

You can see that two images start with `docker-rust-image`. You know they're the same image because if you take a look at the `IMAGE ID` column, you can see that the values are the same for the two images.
Expand All @@ -166,8 +271,7 @@ Note that the response from Docker tells you that Docker didn't remove the image
```console
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker-rust-image latest 8cae92a8fbd6 6 minutes ago 123MB
rust latest be5d294735c6 6 minutes ago 113MB
docker-rust-image latest 41423bf3040a 6 minutes ago 5.33MB
```

Docker removed the image tagged with `:v1.0.0`, but the `docker-rust-image:latest` tag is available on your machine.
Expand All @@ -182,6 +286,7 @@ Related information:
- [.dockerignore file](/reference/dockerfile.md#dockerignore-file)
- [docker init CLI reference](/reference/cli/docker/init.md)
- [docker build CLI reference](/reference/cli/docker/buildx/build.md)
- [Docker Hardened Images](/dhi/)

## Next steps

Expand Down