From b0c84b33e372de6e5d29e227ba7c917fc5dea214 Mon Sep 17 00:00:00 2001
From: thesayyn
Date: Thu, 7 Mar 2024 10:26:15 -0800
Subject: [PATCH] chore: minimize diff
---
 .bazelrc | 2 +-
 WORKSPACE | 6 ++--
 base/base.bzl | 13 ++++----
 base/tmp.tar | Bin 10240 -> 0 bytes
 common/BUILD.bazel | 56 ++++++++++++++++++++++++++--------
 common/variables.bzl | 3 ++
 examples/nonroot/BUILD | 2 +-
 private/tools/diff.bash | 2 +-
 private/util/deb.bzl | 8 +++--
 private/util/java_cacerts.bzl | 2 ++
 10 files changed, 67 insertions(+), 27 deletions(-)
 delete mode 100644 base/tmp.tar
diff --git a/.bazelrc b/.bazelrc
index 0413b35d7..87d834bfe 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -8,4 +8,4 @@ test:release --workspace_status_command=./private/stamp.bash --stamp
 # Allow external dependencies to be retried. debian snapshot is unreliable and needs retries.
 common --experimental_repository_downloader_retries=20
-common --http_timeout_scaling=2.0
\ No newline at end of file
+common --http_timeout_scaling=2.0
diff --git a/WORKSPACE b/WORKSPACE
index fb7a02442..2a750b9af 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -5,9 +5,9 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 # rules_distroless setup
 http_archive(
 name = "rules_distroless",
- sha256 = "4b6d6a4bd03431f4f680ff5f6feea0b8ccf52c0296a12818d2c9595392e45543",
- strip_prefix = "rules_distroless-0.2.0",
- url = "https://github.com/GoogleContainerTools/rules_distroless/releases/download/v0.2.0/rules_distroless-v0.2.0.tar.gz",
+ sha256 = "9306b5b8a296d95745d7b38be20c320db125f1b5f6fc3ad507de21c8d562b159",
+ strip_prefix = "rules_distroless-896a27f8aee503c6ea3eeae47b51a4fc84c8496a",
+ url = "https://github.com/GoogleContainerTools/rules_distroless/archive/896a27f8aee503c6ea3eeae47b51a4fc84c8496a.tar.gz",
 )
 load("@rules_distroless//distroless:dependencies.bzl", "distroless_dependencies")
diff --git a/base/base.bzl b/base/base.bzl
index 479dd5f5f..1d656a4b7 100644
--- a/base/base.bzl
+++ b/base/base.bzl
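Review bot: The new `url` fetches an on-demand `/archive/<commit>.tar.gz` where the old lines used a published release asset; the `sha256` still enforces integrity, but GitHub does not promise byte-stable output for generated archives (a compression change in early 2023 invalidated such pins in many repositories), so this checksum can start failing with no change on this side. If no release contains the needed commit, `git_repository` with `commit = "896a27f8aee503c6ea3eeae47b51a4fc84c8496a"` or a mirrored copy of the tarball avoids that dependency on GitHub's archive generation. Otherwise a one-line comment above `url` saying why this commit is pinned instead of a tag would help whoever next bumps it.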
@@ -1,8 +1,8 @@
 "defines a function to replicate the container images for different distributions"
 load("@container_structure_test//:defs.bzl", "container_structure_test")
-load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index")
 load("@io_bazel_rules_go//go:def.bzl", "go_binary")
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//:checksums.bzl", "ARCHITECTURES", "VARIANTS")
 load("//common:variables.bzl", "NONROOT")
@@ -82,15 +82,14 @@ def base_images(distro):
 deb.package(arch, distro, "base-files"),
 deb.package(arch, distro, "netbase"),
 deb.package(arch, distro, "tzdata"),
- # Create /tmp, too many things assume it exists.
- # tmp.tar has a /tmp with the correct permissions 01777
- # A tar is needed because at the moment there is no way to create a
- # directory with specific permissions.
- ":tmp.tar",
- ":nsswitch.tar",
+ "//common:rootfs",
 "//common:passwd",
 "//common:home",
 "//common:group",
+ # Create /tmp, too many things assume it exists.
+ # tmp.tar has a /tmp with the correct permissions 01777
+ "//common:tmp",
+ ":nsswitch.tar",
 "//common:os_release_" + distro,
 "//common:cacerts_" + distro + "_" + arch,
 ],
diff --git a/base/tmp.tar b/base/tmp.tar
deleted file mode 100644
index ee83747f6d085188eba2d5164c43f22b52571059..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 10240
zcmeIuI}XAy3;@s^B{#rnXmTD7P!*MMf1o2nS?Kn>ShD4h-dOIJbaF&Q>Ak0S{=|3Q
zYo(TJv^KRmrzlZdPkBE1uYLXVF>YJVX debian/rules: rename the C.UTF-8 locale into C.utf8 to match upstream # > naming.
 charset = "C.UTF-8" if distro == "debian11" else "C.utf8",
- package = "@%s_%s_libc-bin//:data" % (arch, distro),
+ package = deb.data(arch, distro, "libc-bin"),
+ time = MTIME,
 )
 for arch in ARCHITECTURES
 for distro in DISTROS
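Review bot: The re-added comment `# tmp.tar has a /tmp with the correct permissions 01777` now sits above `"//common:tmp"`, but `base/tmp.tar` is deleted in this same commit, so the comment describes a file that no longer exists. Suggest `# //common:tmp creates /tmp (mode 01777, sticky bit); too many things assume it exists.` together with a check at the `//common:tmp` definition, which is outside this diff, that it really sets 01777 — a world-writable /tmp without the sticky bit lets any process in the image remove or replace other users' temporary files. `"//common:rootfs"` is also new to this list with nothing saying what it contributes. The `base_images` body this list belongs to continues outside the hunk.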
@@ -37,7 +64,8 @@ package(default_visibility = ["//visibility:public"])
 [
 cacerts(
 name = "cacerts_%s_%s" % (distro, arch),
- package = "@%s_%s_ca-certificates//:data" % (arch, distro),
+ package = deb.data(arch, distro, "ca-certificates"),
+ time = MTIME,
 )
 for arch in ARCHITECTURES
 for distro in DISTROS
@@ -46,43 +74,39 @@ package(default_visibility = ["//visibility:public"])
 # create /etc/group with the root, tty, and staff groups
 group(
 name = "group",
- groups = [
+ entries = [
 {
 "name": "root", # root_group
 "gid": ROOT,
 "password": "x",
- "users": [],
 },
 {
 "name": "nobody", # nobody_group
 "gid": NOBODY,
 "password": "x",
- "users": [],
 },
 {
 "name": "tty", # tty_group
 "gid": 5,
 "password": "x",
- "users": [],
 },
 {
 "name": "staff", # staff_group
 "gid": 50,
 "password": "x",
- "users": [],
 },
 {
 "name": "nonroot", # nonroot_group
 "gid": NONROOT,
 "password": "x",
- "users": [],
 },
 ],
+ time = MTIME,
 )
 passwd(
 name = "passwd",
- passwds = [
+ entries = [
 {
 "gecos": ["root"],
 "gid": ROOT,
@@ -117,14 +141,22 @@ home(
 name = "home",
 dirs = [
 {
- "home": "./root",
+ "home": "/root",
 "uid": ROOT,
 "gid": ROOT,
+ "mode": 700,
+ },
+ {
+ "home": "/home",
+ "uid": NONROOT,
+ "gid": NONROOT,
+ "mode": 755,
 },
 {
- "home": "./home/nonroot",
+ "home": "/home/nonroot",
 "uid": NONROOT,
 "gid": NONROOT,
+ "mode": 700,
 },
 ],
 )
diff --git a/common/variables.bzl b/common/variables.bzl
index c0faa050c..767bd8a1f 100644
--- a/common/variables.bzl
+++ b/common/variables.bzl
@@ -17,3 +17,6 @@ OS_RELEASE = dict(
 NOBODY = 65534
 NONROOT = 65532
 ROOT = 0
+
+# TODO: this should be 0, but for now we'll use this to minimize diff.
+MTIME = "946684800"
diff --git a/examples/nonroot/BUILD b/examples/nonroot/BUILD
index 16624a926..cf1f76798 100644
--- a/examples/nonroot/BUILD
+++ b/examples/nonroot/BUILD
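Review bot: The new `"mode": 700` and `"mode": 755` values are bare decimal integers; if the `home` rule reads `mode` as an integer, 700 is 0o1274 rather than 0o700 and `/root` would not end up owner-only as these lines intend — the rule's definition is outside this diff, so please confirm whether it expects an octal string such as `"0700"` or an integer written as `0o700`. The added `/home` entry is owned by `NONROOT`, which lets the nonroot user create or rename entries directly under `/home`; if only `/home/nonroot` should be writable by that user, owning `/home` by `ROOT` with 755 still keeps `/home/nonroot` reachable. A comment on `dirs` such as `# /root and /home/nonroot are owner-only (700); /home stays 755 so the nonroot home is traversable` would record the intent.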
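Review bot: `MTIME = "946684800"` is a magic value explained only by a TODO; 946684800 is 2000-01-01T00:00:00Z, and nothing states that it is a string on purpose (presumably because the `time` attribute of the rules that consume it takes a string — worth saying once confirmed). Suggest replacing the added comment with `# Fixed mtime (2000-01-01T00:00:00Z) for generated tar entries so rebuilds do not differ only by timestamp. TODO: this should be 0, but for now we'll use this to minimize diff.`; the reproducibility intent is inferred from the commit title, so adjust the wording if the reason is different.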
@@ -11,7 +11,7 @@ load("//base:distro.bzl", "DISTROS")
 # Create a passwd file and home directory with a nonroot user and uid.
 passwd(
 name = "passwd",
- passwds = [
+ entries = [
 {
 "gecos": ["nonroot"],
 "gid": 1000,
diff --git a/private/tools/diff.bash b/private/tools/diff.bash
index 851b1770d..bf963870f 100755
--- a/private/tools/diff.bash
+++ b/private/tools/diff.bash
@@ -235,4 +235,4 @@ if [[ "${SET_GITHUB_OUTPUT}" == "1" ]]; then
 echo "changed_targets<> "$GITHUB_OUTPUT"
 cat "$CHANGED_IMAGES_FILE" >> "$GITHUB_OUTPUT"
 echo "EOF" >> "$GITHUB_OUTPUT"
-fi
\ No newline at end of file
+fi
diff --git a/private/util/deb.bzl b/private/util/deb.bzl
index a21c70932..8b2896281 100644
--- a/private/util/deb.bzl
+++ b/private/util/deb.bzl
@@ -1,8 +1,12 @@
 "utility functions for constructing debian package labels"
-def deb_package(arch, dist, package):
+def _package(arch, dist, package):
 return "@{arch}_{dist}_{package}".format(arch = arch, dist = dist, package = package)
+def _data(arch, dist, package):
+ return "@{}//:data".format(_package(arch = arch, dist = dist, package = package))
+
 deb = struct(
- package = deb_package,
+ package = _package,
+ data = _data,
 )
diff --git a/private/util/java_cacerts.bzl b/private/util/java_cacerts.bzl
index c5495c614..d88cb5496 100644
--- a/private/util/java_cacerts.bzl
+++ b/private/util/java_cacerts.bzl
@@ -1,6 +1,7 @@
 "java ca certificates"
 load("@rules_distroless//distroless:defs.bzl", "java_keystore")
+load("//common:variables.bzl", "MTIME")
 load(":extract.bzl", "tar_extract_file")
 def java_cacerts(name, archive):
@@ -15,4 +16,5 @@ def java_cacerts(name, archive):
 certificates = [
 ":" + name + "_extract",
 ],
+ time = MTIME,
 )