add docker container

.dockerignore

@@ -0,0 +1,39 @@
+# Build artifacts
+/target/
+Cargo.lock
+
+# Git
+.git/
+.gitignore
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Logs
+logs/
+*.log
+
+# Documentation and non-essential files
+README.md
+CHANGELOG.md
+ROADMAP.md
+LICENSE
+reddit_rust_post.md
+RELEASE.md
+rustnet-0.1.0.tar.gz
+
+# Assets we don't need in container
+assets/rustnet.gif
+
+# Claude Code
+.claude/
+CLAUDE.md
+
+# Scripts (not needed in container)
+scripts/
+
+# CI/CD (already in repo context)
+.github/

.github/workflows/docker.yml

@@ -0,0 +1,69 @@
+name: Docker Build and Publish
+
+on:
+  push:
+    branches: [ "main" ]
+    tags: [ "v*.*.*" ]
+  pull_request:
+    branches: [ "main" ]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Generate artifact attestation
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true

Dockerfile

@@ -0,0 +1,67 @@
+# Multi-stage Docker build for RustNet
+FROM rust:1.82-slim AS builder
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y \
+    libpcap-dev \
+    pkg-config \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set working directory
+WORKDIR /app
+
+# Copy Cargo files first for better caching
+COPY Cargo.toml Cargo.lock ./
+
+# Copy source code
+COPY src ./src
+COPY assets/services ./assets/services
+
+# Build the application in release mode
+RUN cargo build --release
+
+# Runtime stage - use debian-slim for smaller size and better compatibility
+FROM debian:bookworm-slim
+
+# Install runtime dependencies
+RUN apt-get update && apt-get install -y \
+    libpcap0.8 \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create a non-root user for general security practices
+# Note: While this follows Docker security best practices, RustNet requires elevated
+# privileges for packet capture (NET_RAW/NET_ADMIN capabilities or root access).
+# The container will need to be run with --cap-add=NET_RAW --cap-add=NET_ADMIN
+# or --privileged flag to function properly for network monitoring.
+RUN useradd -r -s /bin/false rustnet
+
+# Set working directory
+WORKDIR /app
+
+# Copy the binary from builder stage
+COPY --from=builder /app/target/release/rustnet /usr/local/bin/rustnet
+
+# Copy assets/services only
+COPY --from=builder /app/assets/services ./assets/services
+
+# Create logs directory
+RUN mkdir -p /app/logs && chown rustnet:rustnet /app/logs
+
+# Set executable permissions
+RUN chmod +x /usr/local/bin/rustnet
+
+# Expose no ports by default (rustnet is for monitoring, not serving)
+# Network access is handled via host networking or packet capture capabilities
+
+# Add labels for better image metadata
+LABEL org.opencontainers.image.title="RustNet"
+LABEL org.opencontainers.image.description="A cross-platform network monitoring tool with deep packet inspection"
+LABEL org.opencontainers.image.source="https://github.com/domcyrus/rustnet"
+LABEL org.opencontainers.image.licenses="MIT"
+
+# Important: RustNet requires elevated privileges for packet capture functionality
+# Run with: docker run --cap-add=NET_RAW --cap-add=NET_ADMIN rustnet
+# Or with:  docker run --privileged rustnet
+ENTRYPOINT ["rustnet"]
+CMD ["--help"]

README.md

@@ -56,6 +56,32 @@ cargo build --release
 # The executable will be in target/release/rustnet
 ```
 
+### Using Docker
+
+RustNet is available as a Docker container from GitHub Container Registry:
+
+```bash
+# Pull the latest image
+docker pull ghcr.io/domcyrus/rustnet:latest
+
+# Run with required network capabilities
+docker run --rm -it --cap-add=NET_RAW --cap-add=NET_ADMIN --net=host \
+  ghcr.io/domcyrus/rustnet:latest
+
+# Run with specific interface
+docker run --rm -it --cap-add=NET_RAW --cap-add=NET_ADMIN --net=host \
+  ghcr.io/domcyrus/rustnet:latest -i eth0
+
+# Alternative: Run with privileged mode (less secure but simpler)
+docker run --rm -it --privileged --net=host \
+  ghcr.io/domcyrus/rustnet:latest
+
+# View available options
+docker run --rm ghcr.io/domcyrus/rustnet:latest --help
+```
+
+**Note:** The container requires network capabilities (`NET_RAW` and `NET_ADMIN`) or privileged mode for packet capture. Host networking (`--net=host`) is recommended for monitoring all network interfaces.
+
 ### Running RustNet
 
 On Unix-like systems (Linux/macOS), packet capture typically requires elevated privileges: