Skip to content

ref(build): Use DHI static base image and statically link libstdc++ #6131

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
oioki wants to merge 2 commits into
base: master
Choose a base branch
from
+43 −13
Draft

ref(build): Use DHI static base image and statically link libstdc++ #6131

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
efa1f4f
ref(build): Use DHI static base image and statically link libstdc++
oioki Jun 24, 2026
23422ba
meta(changelog): Add entry for DHI static base image
oioki Jun 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/build_binary.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
- name: Install dependencies
run: |
apt-get update
apt-get install -y --no-install-recommends git ca-certificates gcc libc6-dev curl make zip
apt-get install -y --no-install-recommends git ca-certificates gcc g++ libc6-dev curl make zip

- uses: actions/checkout@v7.0.0
with:
Expand Down
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
- Upgrade release image to Debian 13. ([#6110](https://github.com/getsentry/relay/pull/6110))
- Prefix upload location query params for forward compatibility. ([#6076](https://github.com/getsentry/relay/pull/6076))
- Use upstream descriptor in upload requests. ([#6128](https://github.com/getsentry/relay/pull/6128))
- Use a hardened static base image for the release container and statically link `libstdc++`. ([#6131](https://github.com/getsentry/relay/pull/6131))

## 26.6.0

Expand Down
14 changes: 7 additions & 7 deletions Dockerfile.release
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
FROM gcr.io/distroless/cc-debian13:debug AS builder
FROM us-docker.pkg.dev/sentryio/dhi-mirror/static:20250419-glibc-debian13 AS base

RUN ["/busybox/busybox", "mkdir", "/work", "/etc/relay"]


FROM gcr.io/distroless/cc-debian13:nonroot
FROM us-docker.pkg.dev/sentryio/dhi-mirror/static:20250419-glibc-debian13

ARG TARGETPLATFORM

EXPOSE 3000

COPY --from=builder --chown=nonroot:nonroot /etc/relay /etc/relay
COPY --from=builder --chown=nonroot:nonroot /work /work
# The static base image has no shell, so we can't `mkdir` the volume dirs.
# Instead seed them from the image's own pre-existing, empty `/home/nonroot`
# directory, which is already owned by the nonroot user (uid/gid 65532).
COPY --from=base --chown=nonroot:nonroot /home/nonroot /etc/relay
COPY --from=base --chown=nonroot:nonroot /home/nonroot /work

VOLUME ["/etc/relay", "/work"]
WORKDIR /work
Expand Down
39 changes: 34 additions & 5 deletions relay-crash/build.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,10 @@ use std::path::{Path, PathBuf};
use std::process::Command;

fn main() {
// sentry-native dependencies
match std::env::var("CARGO_CFG_TARGET_OS").unwrap().as_str() {
"macos" => println!("cargo:rustc-link-lib=dylib=c++"),
"linux" => println!("cargo:rustc-link-lib=dylib=stdc++"),
_ => return, // allow building with --all-features, fail during runtime
// sentry-native is only built on macOS and Linux.
let target_os = std::env::var("CARGO_CFG_TARGET_OS").unwrap();
if !matches!(target_os.as_str(), "macos" | "linux") {
return; // allow building with --all-features, fail during runtime
}

if !Path::new("sentry-native/.git").exists() {
Expand Down Expand Up @@ -39,6 +38,36 @@ fn main() {
println!("cargo:rustc-link-lib=static=breakpad_client");
println!("cargo:rustc-link-lib=static=sentry");

// Link the C++ standard library that breakpad/sentry-native depend on. This must come *after*
// the static libs above so the linker can resolve their symbols (static archive linking is
// order-sensitive). On Linux we link it statically so the binary runs on minimal base images
// that don't ship `libstdc++.so.6` (e.g. the distroless `static` image).
match target_os.as_str() {
"macos" => println!("cargo:rustc-link-lib=dylib=c++"),
"linux" => {
// `static=stdc++` makes rustc resolve `libstdc++.a` itself, but it lives in a
// gcc-internal, arch/version-specific directory that is not on rustc's default link
// search path (only the `cc` driver knows it). Ask the compiler where it is.
let cc = std::env::var("CC").unwrap_or_else(|_| "cc".to_string());
let path = Command::new(&cc)
.arg("-print-file-name=libstdc++.a")
.output()
.ok()
.and_then(|o| String::from_utf8(o.stdout).ok());
// `-print-file-name` echoes the bare filename back when it can't resolve it.
if let Some(dir) = path
.as_deref()
.map(str::trim)
.filter(|p| *p != "libstdc++.a")
.and_then(|p| Path::new(p).parent())
{
println!("cargo:rustc-link-search=native={}", dir.display());
}
println!("cargo:rustc-link-lib=static=stdc++");
}
_ => unreachable!(),
}

let bindings = bindgen::Builder::default()
.header("sentry-native/include/sentry.h")
.parse_callbacks(Box::new(bindgen::CargoCallbacks::new()))
Expand Down
Loading