meshtastic-firmware/Dockerfile

# trunk-ignore-all(trivy/DS002): We must run as root for this container
# trunk-ignore-all(hadolint/DL3002): We must run as root for this container
# trunk-ignore-all(hadolint/DL3008): Do not pin apt package versions
# trunk-ignore-all(hadolint/DL3013): Do not pin pip package versions

FROM python:3.13-bookworm AS builder
ARG PIO_ENV=native
ENV DEBIAN_FRONTEND=noninteractive
ENV TZ=Etc/UTC

# Install Dependencies
ENV PIP_ROOT_USER_ACTION=ignore
RUN apt-get update && apt-get install --no-install-recommends -y \
        curl wget g++ zip git ca-certificates pkg-config \
        libgpiod-dev libyaml-cpp-dev libbluetooth-dev libi2c-dev libuv1-dev \
        libusb-1.0-0-dev libulfius-dev liborcania-dev libssl-dev \
        libx11-dev libinput-dev libxkbcommon-x11-dev \
    && apt-get clean && rm -rf /var/lib/apt/lists/* \
    && pip install --no-cache-dir -U platformio \
    && mkdir /tmp/firmware

# Copy source code
WORKDIR /tmp/firmware
COPY . /tmp/firmware

# Build
RUN bash ./bin/build-native.sh "$PIO_ENV" && \
    cp "/tmp/firmware/release/meshtasticd_linux_$(uname -m)" "/tmp/firmware/release/meshtasticd"

# Fetch web assets
RUN curl -L "https://github.com/meshtastic/web/releases/download/v$(cat /tmp/firmware/bin/web.version)/build.tar" -o /tmp/web.tar \
    && mkdir -p /tmp/web \
    && tar -xf /tmp/web.tar -C /tmp/web/ \
    && gzip -dr /tmp/web \
    && rm /tmp/web.tar

##### PRODUCTION BUILD #############

FROM debian:bookworm-slim
LABEL org.opencontainers.image.title="Meshtastic" \
      org.opencontainers.image.description="Debian Meshtastic daemon and web interface" \
      org.opencontainers.image.url="https://meshtastic.org" \
      org.opencontainers.image.documentation="https://meshtastic.org/docs/" \
      org.opencontainers.image.authors="Meshtastic" \
      org.opencontainers.image.licenses="GPL-3.0-or-later" \
      org.opencontainers.image.source="https://github.com/meshtastic/firmware/"
ENV DEBIAN_FRONTEND=noninteractive
ENV TZ=Etc/UTC

# nosemgrep: dockerfile.security.last-user-is-root.last-user-is-root
USER root

RUN apt-get update && apt-get --no-install-recommends -y install \
        libc-bin libc6 libgpiod2 libyaml-cpp0.7 libi2c0 libuv1 libusb-1.0-0-dev \
        liborcania2.3 libulfius2.7 libssl3 \
        libx11-6 libinput10 libxkbcommon-x11-0 \
    && apt-get clean && rm -rf /var/lib/apt/lists/* \
    && mkdir -p /var/lib/meshtasticd \
    && mkdir -p /etc/meshtasticd/config.d \
    && mkdir -p /etc/meshtasticd/ssl

# Fetch compiled binary from the builder
COPY --from=builder /tmp/firmware/release/meshtasticd /usr/bin/
COPY --from=builder /tmp/web /usr/share/meshtasticd/
# Copy config templates
COPY ./bin/config.d /etc/meshtasticd/available.d

WORKDIR /var/lib/meshtasticd
VOLUME /var/lib/meshtasticd

# Expose Meshtastic TCP API port from the host
EXPOSE 4403
# Expose Meshtastic Web UI port from the host
EXPOSE 9443

CMD [ "sh", "-cx", "meshtasticd --fsdir=/var/lib/meshtasticd" ]

HEALTHCHECK NONE
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`# trunk-ignore-all(trivy/DS002): We must run as root for this container`
			`# trunk-ignore-all(hadolint/DL3002): We must run as root for this container`
junk in the Trunk (#6149) 2025-02-25 08:41:45 +00:00			`# trunk-ignore-all(hadolint/DL3008): Do not pin apt package versions`
			`# trunk-ignore-all(hadolint/DL3013): Do not pin pip package versions`
Fix for Dockerfile-related security defects and rewrite to follow best practices 2022-11-20 11:57:55 +00:00
Bump python from 3.12-alpine3.21 to 3.13-alpine3.21 (#6142) Bumps python from 3.12-alpine3.21 to 3.13-alpine3.21. --- updated-dependencies: - dependency-name: python dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2025-02-25 12:53:33 +00:00			`FROM python:3.13-bookworm AS builder`
Docker is fun (#6623) 2025-04-18 14:29:39 +00:00			`ARG PIO_ENV=native`
Fix for Dockerfile-related security defects and rewrite to follow best practices 2022-11-20 11:57:55 +00:00			`ENV DEBIAN_FRONTEND=noninteractive`
			`ENV TZ=Etc/UTC`

meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`# Install Dependencies`
			`ENV PIP_ROOT_USER_ACTION=ignore`
junk in the Trunk (#6149) 2025-02-25 08:41:45 +00:00			`RUN apt-get update && apt-get install --no-install-recommends -y \`
Add TFT docker builds (for CI) (#6614) 2025-04-18 12:27:38 +00:00			`curl wget g++ zip git ca-certificates pkg-config \`
Add UDP multicast support on linux. (#6342) * Add UDP multicast support on linux. Closes #6326 We tested it an it works. This is really hacky to say the least. * Add libuv to Linux packaging * Trunkadunk * Correct ref * Add libuv1-dev to setup-native --------- Co-authored-by: vidplace7 <vidplace7@gmail.com> Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2025-03-20 13:47:39 +00:00			`libgpiod-dev libyaml-cpp-dev libbluetooth-dev libi2c-dev libuv1-dev \`
Add TFT docker builds (for CI) (#6614) 2025-04-18 12:27:38 +00:00			`libusb-1.0-0-dev libulfius-dev liborcania-dev libssl-dev \`
			`libx11-dev libinput-dev libxkbcommon-x11-dev \`
junk in the Trunk (#6149) 2025-02-25 08:41:45 +00:00			`&& apt-get clean && rm -rf /var/lib/apt/lists/* \`
			`&& pip install --no-cache-dir -U platformio \`
			`&& mkdir /tmp/firmware`
Docker is back 2022-11-06 02:08:29 +00:00
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`# Copy source code`
Native Linux Build (ARM support and webserver deps) (#3506) * Added webserver libraries to build libs * Revert "Added webserver libraries to build libs" This reverts commit bcc72a06b9e1d26f57f46089ab96f502703bff3c. * Added piwebserver library dependencies to native build * Add webserver libraries to apt install for native build * Revert additional libraries added by mistake * Address trunk check issues on Dockerfile * Ignore linter checks for pinning build packages and apt-get --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz> Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2024-04-06 15:32:15 +00:00			`WORKDIR /tmp/firmware`
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`COPY . /tmp/firmware`

			`# Build`
Add TFT docker builds (for CI) (#6614) 2025-04-18 12:27:38 +00:00			`RUN bash ./bin/build-native.sh "$PIO_ENV" && \`
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`cp "/tmp/firmware/release/meshtasticd_linux_$(uname -m)" "/tmp/firmware/release/meshtasticd"`
Fix for Dockerfile-related security defects and rewrite to follow best practices 2022-11-20 11:57:55 +00:00
meshtasticd docker: Support webui (#6482) 2025-04-08 21:14:39 +00:00			`# Fetch web assets`
			`RUN curl -L "https://github.com/meshtastic/web/releases/download/v$(cat /tmp/firmware/bin/web.version)/build.tar" -o /tmp/web.tar \`
			`&& mkdir -p /tmp/web \`
			`&& tar -xf /tmp/web.tar -C /tmp/web/ \`
			`&& gzip -dr /tmp/web \`
			`&& rm /tmp/web.tar`
Fix for Dockerfile-related security defects and rewrite to follow best practices 2022-11-20 11:57:55 +00:00
Native Linux Build (ARM support and webserver deps) (#3506) * Added webserver libraries to build libs * Revert "Added webserver libraries to build libs" This reverts commit bcc72a06b9e1d26f57f46089ab96f502703bff3c. * Added piwebserver library dependencies to native build * Add webserver libraries to apt install for native build * Revert additional libraries added by mistake * Address trunk check issues on Dockerfile * Ignore linter checks for pinning build packages and apt-get --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz> Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2024-04-06 15:32:15 +00:00			`##### PRODUCTION BUILD #############`

			`FROM debian:bookworm-slim`
Stop the madness! Run as a user (not root) (#6718) * Stop the madness! Run as a user (not root) * Trigger fsdir migration for < 2.6.9 --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2025-05-15 11:40:46 +00:00			`LABEL org.opencontainers.image.title="Meshtastic" \`
			`org.opencontainers.image.description="Debian Meshtastic daemon and web interface" \`
			`org.opencontainers.image.url="https://meshtastic.org" \`
			`org.opencontainers.image.documentation="https://meshtastic.org/docs/" \`
			`org.opencontainers.image.authors="Meshtastic" \`
			`org.opencontainers.image.licenses="GPL-3.0-or-later" \`
			`org.opencontainers.image.source="https://github.com/meshtastic/firmware/"`
Native Linux Build (ARM support and webserver deps) (#3506) * Added webserver libraries to build libs * Revert "Added webserver libraries to build libs" This reverts commit bcc72a06b9e1d26f57f46089ab96f502703bff3c. * Added piwebserver library dependencies to native build * Add webserver libraries to apt install for native build * Revert additional libraries added by mistake * Address trunk check issues on Dockerfile * Ignore linter checks for pinning build packages and apt-get --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz> Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2024-04-06 15:32:15 +00:00			`ENV DEBIAN_FRONTEND=noninteractive`
			`ENV TZ=Etc/UTC`
Fix for Dockerfile-related security defects and rewrite to follow best practices 2022-11-20 11:57:55 +00:00
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`# nosemgrep: dockerfile.security.last-user-is-root.last-user-is-root`
			`USER root`

junk in the Trunk (#6149) 2025-02-25 08:41:45 +00:00			`RUN apt-get update && apt-get --no-install-recommends -y install \`
Add TFT docker builds (for CI) (#6614) 2025-04-18 12:27:38 +00:00			`libc-bin libc6 libgpiod2 libyaml-cpp0.7 libi2c0 libuv1 libusb-1.0-0-dev \`
			`liborcania2.3 libulfius2.7 libssl3 \`
			`libx11-6 libinput10 libxkbcommon-x11-0 \`
junk in the Trunk (#6149) 2025-02-25 08:41:45 +00:00			`&& apt-get clean && rm -rf /var/lib/apt/lists/* \`
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`&& mkdir -p /var/lib/meshtasticd \`
Portduino: Set Web SSL Cert / Key paths from yaml (#5961) 2025-02-01 08:58:58 +00:00			`&& mkdir -p /etc/meshtasticd/config.d \`
			`&& mkdir -p /etc/meshtasticd/ssl`
Native Linux Build (ARM support and webserver deps) (#3506) * Added webserver libraries to build libs * Revert "Added webserver libraries to build libs" This reverts commit bcc72a06b9e1d26f57f46089ab96f502703bff3c. * Added piwebserver library dependencies to native build * Add webserver libraries to apt install for native build * Revert additional libraries added by mistake * Address trunk check issues on Dockerfile * Ignore linter checks for pinning build packages and apt-get --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz> Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2024-04-06 15:32:15 +00:00
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`# Fetch compiled binary from the builder`
Stop the madness! Run as a user (not root) (#6718) * Stop the madness! Run as a user (not root) * Trigger fsdir migration for < 2.6.9 --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2025-05-15 11:40:46 +00:00			`COPY --from=builder /tmp/firmware/release/meshtasticd /usr/bin/`
meshtasticd docker: Support webui (#6482) 2025-04-08 21:14:39 +00:00			`COPY --from=builder /tmp/web /usr/share/meshtasticd/`
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`# Copy config templates`
			`COPY ./bin/config.d /etc/meshtasticd/available.d`
Native Linux Build (ARM support and webserver deps) (#3506) * Added webserver libraries to build libs * Revert "Added webserver libraries to build libs" This reverts commit bcc72a06b9e1d26f57f46089ab96f502703bff3c. * Added piwebserver library dependencies to native build * Add webserver libraries to apt install for native build * Revert additional libraries added by mistake * Address trunk check issues on Dockerfile * Ignore linter checks for pinning build packages and apt-get --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz> Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2024-04-06 15:32:15 +00:00
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`WORKDIR /var/lib/meshtasticd`
			`VOLUME /var/lib/meshtasticd`
Native Linux Build (ARM support and webserver deps) (#3506) * Added webserver libraries to build libs * Revert "Added webserver libraries to build libs" This reverts commit bcc72a06b9e1d26f57f46089ab96f502703bff3c. * Added piwebserver library dependencies to native build * Add webserver libraries to apt install for native build * Revert additional libraries added by mistake * Address trunk check issues on Dockerfile * Ignore linter checks for pinning build packages and apt-get --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz> Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2024-04-06 15:32:15 +00:00
meshtasticd-docker: simplify, add USB compose (#5662) 2024-12-26 18:59:26 +00:00			`# Expose Meshtastic TCP API port from the host`
			`EXPOSE 4403`
meshtasticd docker: Support webui (#6482) 2025-04-08 21:14:39 +00:00			`# Expose Meshtastic Web UI port from the host`
Stop the madness! Run as a user (not root) (#6718) * Stop the madness! Run as a user (not root) * Trigger fsdir migration for < 2.6.9 --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2025-05-15 11:40:46 +00:00			`EXPOSE 9443`
Native Linux Build (ARM support and webserver deps) (#3506) * Added webserver libraries to build libs * Revert "Added webserver libraries to build libs" This reverts commit bcc72a06b9e1d26f57f46089ab96f502703bff3c. * Added piwebserver library dependencies to native build * Add webserver libraries to apt install for native build * Revert additional libraries added by mistake * Address trunk check issues on Dockerfile * Ignore linter checks for pinning build packages and apt-get --------- Co-authored-by: Jonathan Bennett <jbennett@incomsystems.biz> Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2024-04-06 15:32:15 +00:00
Stop the madness! Run as a user (not root) (#6718) * Stop the madness! Run as a user (not root) * Trigger fsdir migration for < 2.6.9 --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com> 2025-05-15 11:40:46 +00:00			`CMD [ "sh", "-cx", "meshtasticd --fsdir=/var/lib/meshtasticd" ]`
Fix for Dockerfile-related security defects and rewrite to follow best practices 2022-11-20 11:57:55 +00:00
meshtasticd docker: Support webui (#6482) 2025-04-08 21:14:39 +00:00			`HEALTHCHECK NONE`