Build your Rust image
Prerequisites
- You have installed the latest version of Docker Desktop.
- You have a git client. The examples in this section use a command-line based git client, but you can use any client.
Overview
This guide walks you through building your first Rust image. An image includes everything needed to run an application - the code or binary, runtime, dependencies, and any other file system objects required.
Get the sample application
Clone the sample application to use with this guide. Open a terminal, change directory to a directory that you want to work in, and run the following command to clone the repository:
$ git clone https://github.com/docker/docker-rust-hello && cd docker-rust-hello
Create a Dockerfile for Rust
Now that you have an application, you can use docker init to create a
Dockerfile for it. Inside the docker-rust-hello directory, run the docker init command. docker init provides some default configuration, but you'll
need to answer a few questions about your application. Refer to the following
example to answer the prompts from docker init and use the same answers for
your prompts.
$ docker init
Welcome to the Docker Init CLI!
This utility will walk you through creating the following files with sensible defaults for your project:
- .dockerignore
- Dockerfile
- compose.yaml
- README.Docker.md
Let's get started!
? What application platform does your project use? Rust
? What version of Rust do you want to use? 1.92.0
? What port does your server listen on? 8000
You should now have the following new files in your docker-rust-hello
directory:
- Dockerfile
- .dockerignore
- compose.yaml
- README.Docker.md
Choose a base image
Before editing your Dockerfile, you need to choose a base image. You can use the Rust Docker Official Image,
or a Docker Hardened Image (DHI).
Docker Hardened Images (DHIs) are minimal, secure, and production-ready base images maintained by Docker.
They help reduce vulnerabilities and simplify compliance. For more details, see
Docker Hardened Images.
Docker Hardened Images (DHIs) are publicly available and can be used directly as base images. To pull Docker Hardened Images, authenticate once with Docker:
$ docker login dhi.io
Use DHIs from the dhi.io registry, for example:
FROM dhi.io/rust:${RUST_VERSION}-alpine3.22-dev AS build
The following Dockerfile is equivalent to the one generated by docker init, but it uses a Rust DHI as the build base image:
# Make sure RUST_VERSION matches the Rust version
ARG RUST_VERSION=1.92
ARG APP_NAME=docker-rust-hello
################################################################################
# Create a stage for building the application.
################################################################################
FROM dhi.io/rust:${RUST_VERSION}-alpine3.22-dev AS build
ARG APP_NAME
WORKDIR /app
# Install host build dependencies.
RUN apk add --no-cache clang lld musl-dev git
# Build the application.
RUN --mount=type=bind,source=src,target=src \
--mount=type=bind,source=Cargo.toml,target=Cargo.toml \
--mount=type=bind,source=Cargo.lock,target=Cargo.lock \
--mount=type=cache,target=/app/target/ \
--mount=type=cache,target=/usr/local/cargo/git/db \
--mount=type=cache,target=/usr/local/cargo/registry/ \
cargo build --locked --release && \
cp ./target/release/$APP_NAME /bin/server
################################################################################
# Create a new stage for running the application that contains the minimal
# We use dhi.io/static for the final stage because it’s a minimal Docker
# Hardened Image runtime (basically “just enough OS to run the binary”), which
# helps keep the image small and with a lower attack surface compared to a
# full Alpine/Debian runtime.
################################################################################
FROM dhi.io/static:20250419 AS final
# Create a non-privileged user that the app will run under.
ARG UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
appuser
USER appuser
# Copy the executable from the "build" stage.
COPY --from=build /bin/server /bin/
# Configure rocket to listen on all interfaces.
ENV ROCKET_ADDRESS=0.0.0.0
# Expose the port that the application listens on.
EXPOSE 8000
# What the container should run when it is started.
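CMD ["/bin/server"]
The following Dockerfile uses the Rust Docker Official Image (DOI) as the build base image instead:
# Pin the Rust toolchain version used in the build stage.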
ARG RUST_VERSION=1.92
# Name of the compiled binary produced by Cargo (must match Cargo.toml package name).
ARG APP_NAME=docker-rust-hello
################################################################################
# Build stage (DOI Rust image)
# This stage compiles the application.
################################################################################
FROM docker.io/library/rust:${RUST_VERSION}-alpine AS build
# Re-declare args inside the stage if you want to use them here.
ARG APP_NAME
# All build steps happen inside /app.
WORKDIR /app
# Install build dependencies needed to compile Rust crates on Alpine
RUN apk add --no-cache clang lld musl-dev git
# Build the application
RUN --mount=type=bind,source=src,target=src \
--mount=type=bind,source=Cargo.toml,target=Cargo.toml \
--mount=type=bind,source=Cargo.lock,target=Cargo.lock \
--mount=type=cache,target=/app/target/ \
--mount=type=cache,target=/usr/local/cargo/git/db \
--mount=type=cache,target=/usr/local/cargo/registry/ \
cargo build --locked --release && \
cp ./target/release/$APP_NAME /bin/server
################################################################################
# Runtime stage (DOI Alpine image)
# This stage runs the already-compiled binary with minimal dependencies.
################################################################################
FROM docker.io/library/alpine:3.18 AS final
# Create a non-privileged user (recommended best practice)
ARG UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
appuser
# Drop privileges for runtime.
USER appuser
# Copy only the compiled binary from the build stage.
COPY --from=build /bin/server /bin/
# Rocket: listen on all interfaces inside the container.
ENV ROCKET_ADDRESS=0.0.0.0
# Document the port your app listens on.
EXPOSE 8000
# Start the application.
CMD ["/bin/server"]
For building an image, only the Dockerfile is necessary. Open the Dockerfile in your favorite IDE or text editor and see what it contains. To learn more about Dockerfiles, see the Dockerfile reference.
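Both Dockerfiles above create appuser and switch to it with USER in the final stage. A USER set in an earlier stage does not carry over to the next FROM. The following check is an added shell example, not part of the original guide or of Docker's tooling: the function names and the sample Dockerfiles are constructed for illustration, and the base image's own default user is not inspected.

```shell
# Print the USER in effect at the end of the last stage (empty if never set).
final_stage_user() {
    awk '
        /^[ \t]*#/ { next }                      # comment lines are dropped first
        /\\[ \t]*$/ {                            # join backslash continuations
            sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next
        }
        { $0 = buf $0; buf = "" }                # re-split the joined instruction
        toupper($1) == "FROM" { user = "" }      # every stage starts fresh
        toupper($1) == "USER" { user = $2 }
        END { print user }
    ' "$1"
}

# Return 0 only if the final stage explicitly switches to a non-root user.
runs_as_nonroot() {
    u=$(final_stage_user "$1")
    u=${u%%:*}                                   # drop an optional :group
    case "$u" in
        ""|root|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed samples (hypothetical, trimmed from the layout used on this page).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.Dockerfile" <<'EOF'
FROM dhi.io/rust:1.92-alpine3.22-dev AS build
RUN cargo build --locked --release
FROM docker.io/library/alpine:3.18 AS final
RUN adduser \
    --uid 10001 \
    appuser
USER appuser
COPY --from=build /bin/server /bin/
EOF
# USER appears only in the build stage, so the final stage keeps the base default.
cat > "$SAMPLES/bad.Dockerfile" <<'EOF'
FROM docker.io/library/rust:1.92-alpine AS build
USER 10001
RUN cargo build --locked --release
FROM docker.io/library/alpine:3.18 AS final
COPY --from=build /bin/server /bin/
EOF
for f in "$SAMPLES"/*.Dockerfile; do
    if runs_as_nonroot "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```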
.dockerignore file
When you run docker init, it also creates a
.dockerignore file. Use the .dockerignore file to specify patterns and paths that you don't want copied into the image in order to keep the image as small as possible. Open up the .dockerignore file in your favorite IDE or text editor and see what's inside already.
Build an image
Now that you’ve created the Dockerfile, you can build the image. To do this, use
the docker build command. The docker build command builds Docker images from
a Dockerfile and a context. A build's context is the set of files located in
the specified PATH or URL. The Docker build process can access any of the files
located in this context.
The build command optionally takes a --tag flag. The tag sets the name of the
image and an optional tag in the format name:tag. If you don't pass a tag,
Docker uses "latest" as its default tag.
Build the Docker image.
$ docker build --tag docker-rust-image-dhi .
You should see output like the following.
[+] Building 1.4s (13/13) FINISHED docker:desktop-linux
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 1.67kB 0.0s
=> [internal] load metadata for dhi.io/static:20250419 1.1s
=> [internal] load metadata for dhi.io/rust:1.92-alpine3.22-dev 1.2s
=> [auth] static:pull token for dhi.io 0.0s
=> [auth] rust:pull token for dhi.io 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 646B 0.0s
=> [build 1/3] FROM dhi.io/rust:1.92-alpine3.22-dev@sha256:49eb72825a9e15fe48f2c4875a63c7e7f52a5b430bb52b8254b91d132aa5bf38 0.0s
=> => resolve dhi.io/rust:1.92-alpine3.22-dev@sha256:49eb72825a9e15fe48f2c4875a63c7e7f52a5b430bb52b8254b91d132aa5bf38 0.0s
=> [final 1/2] FROM dhi.io/static:20250419@sha256:74fc43fa240887b8159970e434244039aab0c6efaaa9cf044004cdc22aa2a34d 0.0s
=> => resolve dhi.io/static:20250419@sha256:74fc43fa240887b8159970e434244039aab0c6efaaa9cf044004cdc22aa2a34d 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 117B 0.0s
=> CACHED [build 2/3] WORKDIR /build 0.0s
=> CACHED [build 3/3] RUN --mount=type=bind,source=src,target=src --mount=type=bind,source=Cargo.toml,target=Cargo.toml --mount=type=bind,source=Cargo.lock,target=Cargo 0.0s
=> CACHED [final 2/2] COPY --from=build /build/target/release/docker-rust-hello /server 0.0s
=> exporting to image 0.1s
=> => exporting layers 0.0s
=> => exporting manifest sha256:cc937bbdd712ef6e5445501f77e02ef8455ef64c567598786d46b7b21a4d4fa8 0.0s
=> => exporting config sha256:077507b483af4b5e1a928e527e4bb3a4aaf0557e1eea81cd39465f564c187669 0.0s
=> => exporting attestation manifest sha256:11b60e7608170493da1fdd88c120e2d2957f2a72a22edbc9cfbdd0dd37d21f89 0.0s
=> => exporting manifest list sha256:99a1b925a8d6ebf80e376b8a1e50cd806ec42d194479a3375e1cd9d2911b4db9 0.0s
=> => naming to docker.io/library/docker-rust-image-dhi:latest 0.0s
=> => unpacking to docker.io/library/docker-rust-image-dhi:latest 0.0s
View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/yczk0ijw8kc5g20e8nbc8r6lj
View local images
To see a list of images you have on your local machine, you have two options. One is to use the Docker CLI and the other is to use Docker Desktop. As you are working in the terminal already, take a look at listing images using the CLI.
To list images, run the docker images command.
$ docker images
IMAGE ID DISK USAGE CONTENT SIZE EXTRA
docker-rust-image-dhi:latest 99a1b925a8d6 11.6MB 2.45MB U
You should see at least one image listed, including the image you just built, docker-rust-image-dhi:latest.
Tag images
As mentioned earlier, an image name is made up of slash-separated name components. Name components may contain lowercase letters, digits, and separators. A separator can include a period, one or two underscores, or one or more dashes. A name component may not start or end with a separator.
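The naming rule above can be checked before a name reaches docker tag or a CI job. This is an added shell example, not from the original guide: check_image_name is a hypothetical helper, and it assumes the input is only the slash-separated repository path, without a registry host:port, :tag or @digest.

```shell
# Validate each slash-separated component of an image name.
# Prints the first offending component and returns 1; returns 0 if all pass.
check_image_name() {
    name=$1
    [ -n "$name" ] || { echo "empty name"; return 1; }
    case "$name" in
        /*|*/|*//*) echo "empty component in: $name"; return 1 ;;
    esac
    old_ifs=$IFS; IFS=/
    set -f; set -- $name; set +f                 # split on "/" without globbing
    IFS=$old_ifs
    for part in "$@"; do
        # Lowercase letters and digits, joined by ".", "_", "__" or a run of "-";
        # a component may not start or end with a separator.
        if ! printf '%s\n' "$part" |
            LC_ALL=C grep -Eq '^[a-z0-9]+((\.|__?|-+)[a-z0-9]+)*$'; then
            echo "$part"
            return 1
        fi
    done
    return 0
}

# Constructed inputs: the first two follow the rule, the rest break it.
for n in docker-rust-image-dhi library/docker_rust__hello.v2 \
         library/Docker-Rust docker-rust- docker___rust; do
    if bad=$(check_image_name "$n"); then
        echo "valid:   $n"
    else
        echo "invalid: $n (component: $bad)"
    fi
done
```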
An image is made up of a manifest and a list of layers. Don't worry too much about manifests and layers at this point, other than that a "tag" points to a combination of these artifacts. You can have multiple tags for an image. Create a second tag for the image you built and take a look at its layers.
To create a new tag for the image you built, run the following command.
$ docker tag docker-rust-image-dhi:latest docker-rust-image-dhi:v1.0.0
The docker tag command creates a new tag for an image. It doesn't create a new image. The tag points to the same image and is just another way to reference the image.
Now, run the docker images command to see a list of the local images.
$ docker images
IMAGE ID DISK USAGE CONTENT SIZE EXTRA
docker-rust-image-dhi:latest 99a1b925a8d6 11.6MB 2.45MB U
docker-rust-image-dhi:v1.0.0 99a1b925a8d6 11.6MB 2.45MB U
You can see that two images start with docker-rust-image-dhi. You know they're the same image because if you take a look at the IMAGE ID column, you can see that the values are the same for the two images.
Remove the tag you just created. To do this, use the rmi command. The rmi command stands for remove image.
$ docker rmi docker-rust-image-dhi:v1.0.0
Untagged: docker-rust-image-dhi:v1.0.0
Note that the response from Docker tells you that Docker didn't remove the image, but only "untagged" it. You can check this by running the docker images command.
$ docker images
IMAGE ID DISK USAGE CONTENT SIZE EXTRA
docker-rust-image-dhi:latest 99a1b925a8d6 11.6MB 2.45MB U
Docker removed the :v1.0.0 tag, but the docker-rust-image-dhi:latest tag is still available on your machine.
Summary
This section showed how you can use docker init to create a Dockerfile and .dockerignore file for a Rust application. It then showed you how to build an image. And finally, it showed you how to tag an image and list all images.
Related information:
- Dockerfile reference
- .dockerignore file
- docker init CLI reference
- docker build CLI reference
- Docker Hardened Images
Next steps
In the next section, learn how to run your image as a container.