sbstjn.com

Multiarch Docker Containers with Rust

December 5th, 2025 395 Words

This guide shows how to build multiarch Docker containers for Rust applications using cargo zigbuild for cross-compilation and Docker build commands for architecture-specific or multiarch container images. Based on the example for Building a Rust API with Rocket and JWT Authentication, this guide provides the next steps.

Cross-Compiling with Zigbuild

Install cross-compilation targets for ARM64 and x86_64:

# Install rustup targets for arm and x86
$ > rustup target add aarch64-unknown-linux-gnu
$ > rustup target add x86_64-unknown-linux-gnu

Build release binaries for both architectures using cargo zigbuild:

# Build architecture binaries for linux
$ > cargo zigbuild --release --target x86_64-unknown-linux-gnu
$ > cargo zigbuild --release --target aarch64-unknown-linux-gnu

The zigbuild command handles cross-compilation toolchain setup automatically. Binaries are created in target/x86_64-unknown-linux-gnu/release/ and target/aarch64-unknown-linux-gnu/release/ respectively.

Dockerfile for Multiarch Builds

Use a single Dockerfile that selects the appropriate pre-built binary based on the target architecture:

FROM amazonlinux:2023 AS base

ARG TARGETARCH

RUN --mount=type=bind,source=./target/aarch64-unknown-linux-gnu/release,target=/mnt/arm \
    --mount=type=bind,source=./target/x86_64-unknown-linux-gnu/release,target=/mnt/x86 \
    if [ "$TARGETARCH" = "arm64" ] && [ -f /mnt/arm/rocket-example ]; then \
      cp /mnt/arm/rocket-example /usr/local/bin/rocket-example; \
    elif [ "$TARGETARCH" != "arm64" ] && [ -f /mnt/x86/rocket-example ]; then \
      cp /mnt/x86/rocket-example /usr/local/bin/rocket-example; \
    else \
      echo "Error: No service binary found for architecture!" >&2; \
      exit 1; \
    fi && \
    chmod +x /usr/local/bin/rocket-example

# Default version
FROM base AS default

ENV ROCKET_LOG_LEVEL=debug
ENV ROCKET_ADDRESS=0.0.0.0
ENV ROCKET_PORT=3000

CMD ["rocket-example"]

The Dockerfile uses Docker’s ARG TARGETARCH to detect the target architecture at build time. Bind mounts access the pre-built binaries from the local target/ directory and copy the appropriate binary based on the architecture. This ensures each container only contains the binary for its architecture, avoiding bloated container sizes.

Building Architecture-Specific Containers

Build containers for specific architectures using the --platform flag:

# Build Docker for ARM64
$ > docker build \
    --platform linux/arm64 \
    -f Dockerfile . \
    -t rocket-example:latest-arm64

# Build Docker for x86_64
$ > docker build \
    --platform linux/amd64 \
    -f Dockerfile . \
    -t rocket-example:latest-amd64

Using architecture-specific tags like latest-arm64 and latest-amd64 ensures each container only contains the binary for its architecture, avoiding bloated container sizes.

Building Multiarch Containers with Buildx

Build for multiple architectures in a single command using Docker Buildx:

$ > docker buildx build --platform linux/amd64,linux/arm64 . \
    -t rocket-example:latest

This creates a generic latest tag with a manifest list that includes both architectures. Docker automatically selects the correct architecture when pulling or running the container.

  • Building a Rust API with Rocket and JWT Authentication

    December 5 th, 2025 1868 Words

    When building backend APIs, JWT authentication is a common requirement. In Rust, you’ve got several web frameworks to choose from, and Rocket is one that makes request handling feel natural with its request guard system. Combining Rocket with JWTiny for JWT validation and JWKServe as a local identity provider gives you a complete setup for development and testing without external dependencies.

  • JWTiny: Minimal JWT Validation for Rust

    December 4 th, 2025 1340 Words

    I was learning Rust with an example project that needed JWT validation. The popular jsonwebtoken crate depends on serde, but I wanted miniserde instead. That constraint led me to build my own validator — handling signature verification, claims validation, and remote key fetching, designed for reuse across requests. JWTiny is the result.

  • JWKServe: A Fake JWT Authentication Service for Local Development

    December 4 th, 2025 990 Words

    When writing backend services that validate JWT access tokens, you run into a frustrating problem: you need a real identity provider just to test your authentication logic. With Cognito, Auth0, or other OpenID Connect providers, spinning up an authentication service for local development or CI pipelines adds unnecessary complexity. You need valid signatures and correct claims, not the provider itself. That’s where JWKServe comes in.

  • Static Website Hosting in Europe with Free Services

    June 10 th, 2025 303 Words

    The AWS European Sovereign Cloud is maybe the most interesting developments of the current cloud computing era; having AWS create a dedicated branch for european workloads is the next big move. But, how do you run a static website without using US vendors at all?

  • AWS CDK: Serverless WebService Blueprints

    January 19 th, 2025 113 Words

    The past days have been full of content about serverless workloads with AWS AppSync, Amazon Cognito, and AWS Fargate. This guide wraps up all scenarios and is your starting point if you want to build modern serverless applications with AWS using the Cloud Development Kit (CDK).

  • AWS CDK: AppSync Events API with Cognito for WebSockets and React

    January 19 th, 2025 944 Words

    The Amazon AppSync Events API was recently announced and is a new feature to use a WebSocket API for real-time communication. Based on the Amazon Cognito User Pool with Managed Login and guide for GraphQL Data API in Amazon AppSync, this guide shows you how to add real-time communication to your React application using WebSockets and the Amazon AppSync Events API with Amazon Cognito.

  • AWS CDK: AppSync GraphQL API with Cognito and Apollo Client in React

    January 19 th, 2025 878 Words

    The Amazon Cognito User Pool with Managed Login is a great baseline to start a new project. This guide adds an AWS AppSync GraphQL Data API to the project and shows you how to use the Amazon Cognito Access Token to authenticate against the GraphQL API using the Apollo Client in React.