Improve Docker Image and related Docs and CI

.dockerignore

@@ -0,0 +1,11 @@
+/.idea/
+/.vscode/
+
+/.git/
+/.github/
+/README.md
+/License
+
+/Dockerfile
+
+/conf/

.github/workflows/build.yaml

@@ -109,8 +109,17 @@ jobs:
         run: |
           make
   docker:
-    name: Docker
-    runs-on: ubuntu-20.04
+    name: Build Docker Image
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/386
+          - linux/arm64/v8
+          - linux/arm/v7
+          - linux/arm/v6
+          - linux/riscv64
     permissions:
       packages: write
       contents: read
@@ -124,6 +133,68 @@ jobs:
         uses: docker/setup-qemu-action@v3
       - name: Prepare Buildx
         uses: docker/setup-buildx-action@v3
+      - name: Prepare Repo Name
+        id: repo
+        run: |
+          echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT
+      - name: Prepare Digest
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+      - name: Login GitHub Packages Docker Image Repository
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and Push Docker Image
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: ${{ matrix.platform }}
+          provenance: false
+          outputs: type=image,name=ghcr.io/${{ steps.repo.outputs.repository }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
+          cache-from: type=gha,scope=${{ matrix.platform }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.platform }}
+      - name: Export Digest
+        if: github.event_name != 'pull_request'
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      - name: Upload Digest
+        uses: actions/upload-artifact@v4
+        if: github.event_name != 'pull_request'
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  docker-merge:
+    name: Merge Docker Image Tags
+    runs-on: ubuntu-22.04
+    if: github.event_name != 'pull_request'
+    needs:
+      - docker
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Download Digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+      - name: Prepare Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Prepare Repo Name
+        id: repo
+        run: |
+          echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT
       - name: Login GitHub Packages Docker Image Repository
         uses: docker/login-action@v3
         with:
@@ -134,20 +205,18 @@ jobs:
         uses: docker/metadata-action@v5
         id: docker_meta
         with:
-          images: ghcr.io/${{ github.repository }}
+          images: ghcr.io/${{ steps.repo.outputs.repository }}
           tags: |
             type=ref,event=branch
             type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=raw,value=nightly,enable={{is_default_branch}}
-      - name: Build and Push Docker Image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/386,linux/arm64/v8,linux/arm/v7,linux/arm/v6,linux/riscv64
-          push: ${{ github.event_name != 'pull_request' }}
-          provenance: false
-          tags: ${{ steps.docker_meta.outputs.tags }}
-          labels: ${{ steps.docker_meta.outputs.labels }}
+      - name: Create Manifest List and Push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/${{ steps.repo.outputs.repository }}@sha256:%s ' *)
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ghcr.io/${{ steps.repo.outputs.repository }}:${{ steps.docker_meta.outputs.version }}

Dockerfile

@@ -1,27 +1,35 @@
 FROM alpine:latest AS builder
 
+RUN apk add --update --no-cache \
+    make \
+    git \
+    gcc \
+    linux-headers \
+    musl-dev
+
 WORKDIR /src
 COPY . /src
 
-RUN apk add --update --no-cache make git gcc linux-headers musl-dev \
-    && make
+RUN make
 
 FROM alpine:latest
 LABEL org.opencontainers.image.source="https://github.com/heiher/hev-socks5-tunnel"
 
-COPY docker/entrypoint.sh /entrypoint.sh
-COPY --from=builder /src/bin/hev-socks5-tunnel /usr/bin/hev-socks5-tunnel
+RUN apk add --update --no-cache \
+    iproute2
+
+ENV TUN=tun0 \
+    MTU=8500 \
+    IPV4=198.18.0.1 \
+    SOCKS5_ADDR=172.17.0.1 \
+    SOCKS5_PORT=1080 \
+    SOCKS5_UDP_MODE=udp \
+    IPV4_INCLUDED_ROUTES=0.0.0.0/0 \
+    IPV4_EXCLUDED_ROUTES=172.17.0.0/16
 
-RUN apk add --update --no-cache iproute2 \
-    && chmod +x /entrypoint.sh
-
-ENV TUN=tun0
-ENV MTU=8500
-ENV IPV4=198.18.0.1
-ENV SOCKS5_ADDR=172.17.0.1
-ENV SOCKS5_PORT=1080
-ENV SOCKS5_UDP_MODE=udp
-ENV IPV4_INCLUDED_ROUTES=0.0.0.0/0
-ENV IPV4_EXCLUDED_ROUTES=172.17.0.0/16
+HEALTHCHECK --start-period=5s --interval=5s --timeout=2s --retries=3 CMD ["test", "-f", "/success"]
+
+COPY --chmod=755 docker/entrypoint.sh /entrypoint.sh
+COPY --from=builder /src/bin/hev-socks5-tunnel /usr/bin/hev-socks5-tunnel
 
 ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -169,6 +169,54 @@ sudo route change -inet default -interface utun99
 sudo route change -inet6 default -interface utun99
 ```
 
+#### Docker Compose
+
+```yaml
+version: "3.9"
+
+services:
+  client:
+    image: alpine:latest # just for network testing
+    tty: true # you can test network in terminal
+    depends_on:
+      tun:
+        condition: service_healthy
+    network_mode: "service:tun"
+
+  tun:
+    image: ghcr.io/heiher/hev-socks5-tunnel:latest # `latest` for the latest published version; `nightly` for the latest source build; `vX.Y.Z` for the specific version 
+    cap_add:
+      - NET_ADMIN # needed
+    devices:
+      - /dev/net/tun:/dev/net/tun # needed
+    environment:
+      TUN: tun0 # optional, tun interface name, default `tun0`
+      MTU: 8500 # optional, MTU is MTU, default `8500`
+      IPV4: 198.18.0.1 # optional, tun interface ip, default `198.18.0.1`
+      TABLE: 20 # optional, ip route table id, default `20`
+      MARK: 438 # optional, ip route rule mark, hex format, default `438`
+      SOCKS5_ADDR: a.b.c.d # socks5 proxy server address
+      SOCKS5_PORT: 1080 # socks5 proxy server port
+      SOCKS5_USERNAME: user # optional, socks5 proxy username, only set when need to auth
+      SOCKS5_PASSWORD: pass # optional, socks5 proxy password, only set when need to auth
+      SOCKS5_UDP_MODE: udp # optional, UDP relay mode, default `udp`, other option `tcp`
+      IPV4_INCLUDED_ROUTES: 0.0.0.0/0 # optional, demo means proxy all traffic. for multiple network segments, join with `,` or `\n`
+      IPV4_EXCLUDED_ROUTES: a.b.c.d # optional, demo means exclude traffic from the proxy itself. for multiple network segments, join with `,` or `\n`
+      LOG_LEVEL: warn # optional, default `warn`, other option `debug`/`info`/`error`
+    dns:
+      - 8.8.8.8
+```
+
+You can also set the route rules with multiple network segments like:
+
+```yaml
+    environment:
+      IPV4_INCLUDED_ROUTES: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+      IPV4_EXCLUDED_ROUTES: |-
+        a.b.c.d/24
+        a.b.c.f/24
+```
+
 ## API
 
 ```c

docker/entrypoint.sh

@@ -10,8 +10,12 @@ SOCKS5_UDP_MODE="${SOCKS5_UDP_MODE:-udp}"
 TABLE="${TABLE:-20}"
 MARK="${MARK:-438}"
 
+LOG_LEVEL="${LOG_LEVEL:-warn}"
+
 config_file() {
   cat > /hs5t.yml << EOF
+misc:
+  log-level: '${LOG_LEVEL}'
 tunnel:
   name: '${TUN}'
   mtu: ${MTU}
@@ -54,6 +58,7 @@ config_route() {
 run() {
   config_file
   config_route
+  echo "echo 1 > /success" >> /route.sh
   hev-socks5-tunnel /hs5t.yml
 }