Bazel: Provide minimal CI and developer docker image

sea-snake · Sep 27, 2022 · d0705a6 · d0705a6
1 parent f6a3f5e
commit d0705a6
Show file tree

Hide file tree

Showing 11 changed files with 124 additions and 13 deletions.
diff --git a/gitlab-ci/config/00--child-pipeline-root-protected.yml b/gitlab-ci/config/00--child-pipeline-root-protected.yml
@@ -4,7 +4,7 @@ include:
 .ubuntu-docker-protected:
   image:
     # Use the docker image without nix-shell
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   extends:
     - .ubuntu-nix-docker
   tags:

diff --git a/gitlab-ci/config/00--child-pipeline-root-unprotected.yml b/gitlab-ci/config/00--child-pipeline-root-unprotected.yml
@@ -4,13 +4,13 @@ include:
 .ubuntu-docker-protected:
   image:
     # Use the docker image without nix-shell
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   extends:
     - .ubuntu-nix-docker-pinned-dc
 
 .ubuntu-docker-k8s-protected:
   image:
     # Use the docker image without nix-shell
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   extends:
     - .ubuntu-nix-docker-k8s-pinned-dc
diff --git a/gitlab-ci/config/00--common.yml b/gitlab-ci/config/00--common.yml
@@ -235,7 +235,7 @@ after_script:
 .ubuntu-docker:
   extends: .build-env-base
   image:
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   tags:
     - dfinity
     - docker
@@ -244,7 +244,7 @@ after_script:
 .ubuntu-docker-k8s:
   extends: .build-env-base
   image:
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   tags:
     # distribute jobs between docker and k8s runners
     - dfinity
@@ -260,7 +260,7 @@ after_script:
   # - Build results are stored in non-persisted /cargo_target
   # - The container is destroyed and all non-persisted data is dropped, including /cargo_target
   image:
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build-nix:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build-nix:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   variables:
     SCCACHE_DIR: /cache/sccache
     RUSTC_WRAPPER: "/usr/bin/sccache-run"

diff --git a/gitlab-ci/config/20--test--bazel-pipeline.yml b/gitlab-ci/config/20--test--bazel-pipeline.yml
@@ -1,6 +1,8 @@
 .bazel-test-all:
   extends:
     - .bazel-rules-pipeline
+  image:
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build-bazel:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   stage: test
   needs: []
   artifacts:
@@ -86,6 +88,8 @@ bazel-cargo-test-parity:
   extends:
     - .ubuntu-docker-k8s
     - .bazel-test-all
+  image:
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   artifacts:
     when: always
     paths:

diff --git a/gitlab-ci/config/20--test--docker-autobuild.yml b/gitlab-ci/config/20--test--docker-autobuild.yml
@@ -42,6 +42,8 @@ docker-autobuild-protected:
         docker push dfinity/ic-build:latest
         docker push dfinity/ic-build-nix:"$TAG"
         docker push dfinity/ic-build-nix:latest
+        docker push dfinity/ic-build-bazel:"$TAG"
+        docker push dfinity/ic-build-bazel:latest
         PUSHED=true
       fi 
 
@@ -50,6 +52,7 @@ docker-autobuild-protected:
         docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD"
         docker push dfinity/ic-build:"$TAG"
         docker push dfinity/ic-build-nix:"$TAG"
+        docker push dfinity/ic-build-bazel:"$TAG"
       fi
 
       echo -e "\e[0Ksection_start:$(date +%s):sys_info[collapsed=true]\r\e[0KClick here to see system info"
@@ -80,7 +83,8 @@ docker-autobuild:
       set -euo pipefail
 
       # safeguard for feedback loop [this CI job pushes commits]
-      COMMIT_COUNT=$(git rev-list --count "$(git merge-base HEAD master)"..HEAD)
+      git fetch origin master
+      COMMIT_COUNT=$(git rev-list --count "$(git merge-base HEAD origin/master)"..HEAD)
       if [ "$COMMIT_COUNT" -gt 256 ]; then
           echo "Reached hard safeguard limit of commits"
           exit 1
@@ -93,8 +97,10 @@ docker-autobuild:
       # names must match with names in docker-build-image.sh!
       IMG_NAME="registry.gitlab.com/dfinity-lab/core/docker/ic-build"
       IMG_NIX_NAME="registry.gitlab.com/dfinity-lab/core/docker/ic-build-nix"
+      IMG_BAZEL_NAME="registry.gitlab.com/dfinity-lab/core/docker/ic-build-bazel"
       IMG_NAME_FULL="$IMG_NAME:$TAG"
       IMG_NIX_NAME_FULL="$IMG_NIX_NAME:$TAG"
+      IMG_BAZEL_NAME_FULL="$IMG_BAZEL_NAME:$TAG"
       # return if no changes
       if grep -q "$IMG_NAME_FULL" -- *; then
           echo "No changes required to build a new docker ic-build image"
@@ -109,11 +115,13 @@ docker-autobuild:
       docker login -u gitlab-ci-token -p "$GITLAB_API_TOKEN" registry.gitlab.com
       docker push "$IMG_NAME_FULL"
       docker push "$IMG_NIX_NAME_FULL"
+      docker push "$IMG_BAZEL_NAME_FULL"
 
       # update gitlab's docker image tags
       pushd gitlab-ci/config
       sed -i -E "s|$IMG_NAME:[^\"]{5,}|$IMG_NAME_FULL|g" -- *
       sed -i -E "s|$IMG_NIX_NAME:[^\"]{5,}|$IMG_NIX_NAME_FULL|g" -- *
+      sed -i -E "s|$IMG_BAZEL_NAME:[^\"]{5,}|$IMG_BAZEL_NAME_FULL|g" -- *
       cd ../docker
       echo "$TAG" > TAG
       popd

diff --git a/gitlab-ci/config/30--cargo-build--child-pipeline.yml b/gitlab-ci/config/30--cargo-build--child-pipeline.yml
@@ -40,7 +40,7 @@ cargo-build-release-linux-native:
     - .rules-parent-pipeline-autorun-on-trigger
   image:
     # Use the docker image without nix-shell
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   variables:
     ARTIFACT_EXT: ""
   artifacts:
@@ -69,7 +69,7 @@ cargo-build-canisters:
     ARTIFACT_EXT: ""
   image:
     # Use the docker image without nix-shell
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   artifacts:
     paths:
       - "artifacts/canisters${ARTIFACT_EXT}/*"
@@ -99,7 +99,7 @@ dfx-build-release-linux:
       - artifacts/sdk-release/*
   image:
     # Use the docker image without nix-shell
-    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1"
+    name: "registry.gitlab.com/dfinity-lab/core/docker/ic-build:7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd"
   variables:
     BUILD_COMMAND: ""
     CARGO_BUILD_TARGET: x86_64-unknown-linux-gnu

diff --git a/gitlab-ci/docker/Dockerfile.bazel b/gitlab-ci/docker/Dockerfile.bazel
@@ -0,0 +1,60 @@
+FROM ubuntu@sha256:a0a45bd8c6c4acd6967396366f01f2a68f73406327285edc5b7b07cb1cf073db
+
+ARG USER=ubuntu
+ARG UID=1000
+
+ENV TZ=UTC
+
+RUN export DEBIAN_FRONTEND=noninteractive && ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \ 
+    apt -yq update && apt -yqq install  \
+    curl build-essential git gnupg \ 
+    # GitLab CI \
+    sudo gosu \
+    # RUST \
+    gcc lld pkg-config libssl-dev libunwind-dev libsqlite3-dev zlib1g-dev libclang-10-dev \
+    # IC-OS \
+    python3 fakeroot android-sdk-ext4-utils cryptsetup-bin zstd lsb-release grub-efi-amd64-bin libsystemd-dev faketime dosfstools libselinux-dev mtools
+
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg && \
+    echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
+    curl -L "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/Release.key" |  apt-key add - && \
+    echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04/ /" | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list && \
+    apt -yq update && \
+    apt -yqq install --no-install-recommends docker-ce-cli podman buildah
+
+
+ARG bazelisk_sha=8b739ac23a189b70d51a98041e90ba16f6559d5f991d83bbc031c740f8796310
+RUN curl -fsSL https://github.com/bazelbuild/bazelisk/releases/download/v1.12.2/bazelisk-linux-amd64 -o /usr/bin/bazel && \
+    echo "$bazelisk_sha /usr/bin/bazel" | sha256sum --check && \
+    chmod 777 /usr/bin/bazel
+
+RUN useradd -ms /bin/bash -u ${UID} ${USER} && \
+    mkdir -p /home/${USER} && \
+    chown -R ${UID}.${UID} /home/${USER}
+
+# CI before script requires sudo
+RUN usermod -a -G sudo ${USER} && echo "${USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+
+# Init for reaping zombies and performing signal forwarding (https://github.com/krallin/tini)
+ARG tini_version=0.19.0
+RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${tini_version}/tini -o /tini && \
+    curl -fsSL https://github.com/krallin/tini/releases/download/v${tini_version}/tini.asc -o /tini.asc && \
+    chmod +x /tini
+RUN gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 && \
+    gpg --batch --verify /tini.asc /tini && chmod +x /tini
+
+USER ${USER}
+# Pre-populate the Bazel installation.
+RUN USE_BAZEL_VERSION=5.3.0 bazel version
+
+COPY entrypoint.sh /entrypoint.sh
+WORKDIR /
+USER 0
+
+RUN mv /usr/bin/docker /usr/bin/docker-bin
+COPY containers.conf /etc/containers/containers.conf
+COPY docker.sh /usr/bin/docker
+
+RUN echo "USER=${USER}" > /entrypoint_user
+
+ENTRYPOINT ["/tini", "--", "/entrypoint.sh"]
diff --git a/gitlab-ci/docker/TAG b/gitlab-ci/docker/TAG
@@ -1 +1 @@
-392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1
+7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd
diff --git a/gitlab-ci/docker/docker-build-image.sh b/gitlab-ci/docker/docker-build-image.sh
@@ -7,6 +7,7 @@ usage() {
     echo " "
     echo "Options:"
     echo "-h, --help   show brief help"
+    echo "-b, --bazel  only build bazel image"
     echo "-n, --nix    also build the nix-supported Docker image"
     exit 0
 }
@@ -19,6 +20,10 @@ while test $# -gt 0; do
             BUILD_NIX=true
             shift
             ;;
+        -b* | --bazel*)
+            ONLY_BAZEL=true
+            shift
+            ;;
     esac
 done
 
@@ -46,6 +51,20 @@ pushd "$REPO_ROOT/gitlab-ci/docker"
 # we can pass '--no-cache' from env
 build_args=("${DOCKER_BUILD_ARGS:---rm=true}")
 
+DOCKER_BUILDKIT=1 docker build "${build_args[@]}" \
+    -t ic-build-bazel:"$DOCKER_IMG_TAG" \
+    -t dfinity/ic-build-bazel:"$DOCKER_IMG_TAG" \
+    -t dfinity/ic-build-bazel:"$LATEST" \
+    -t registry.gitlab.com/dfinity-lab/core/docker/ic-build-bazel:"$DOCKER_IMG_TAG" \
+    --build-arg USER="${USER}" \
+    --build-arg UID="${SET_UID}" \
+    -f Dockerfile.bazel .
+
+if [ "${ONLY_BAZEL:-false}" == "true" ]; then
+    popd
+    exit 0
+fi
+
 # build the dependencies image
 DOCKER_BUILDKIT=1 docker build "${build_args[@]}" \
     -t ic-build-src:"$DOCKER_IMG_TAG" \

diff --git a/gitlab-ci/docker/docker-run-include b/gitlab-ci/docker/docker-run-include
@@ -8,7 +8,8 @@ REPO_ROOT="$(
     git rev-parse --show-toplevel
 )"
 
-IMAGE_TAG=${IMAGE_TAG:-$(cat "$REPO_ROOT/gitlab-ci/docker/TAG")}
+IMAGE_TAG=${IMAGE_TAG:-$($REPO_ROOT/gitlab-ci/docker/docker-get-image-tag.sh)}
+
 
 USER=$(whoami)
 if [ $USER == ubuntu ]; then
@@ -19,6 +20,7 @@ else
 fi
 
 IMAGE="${IMAGE:-dfinity/ic-build:$PREFIX$IMAGE_TAG}"
+BAZEL_IMAGE="dfinity/ic-build-bazel:$PREFIX$IMAGE_TAG"
 WORKDIR="/ic"
 
 DOCKER_RUN_ARGS=(

diff --git a/gitlab-ci/tools/docker-run b/gitlab-ci/tools/docker-run
@@ -7,6 +7,16 @@
 
 set -eEuo pipefail
 
+while test $# -gt 0; do
+    case "$1" in
+        -b* | --bazel*)
+            BAZEL_MODE=true
+            shift
+            ;;
+        *) break ;;
+    esac
+done
+
 if [ -n "${DEBUG:-}" ]; then
     set -x
 fi
@@ -17,11 +27,19 @@ REPO_ROOT="$(
 )"
 
 if [ -z "${IMAGE:-}" ]; then
-    "$REPO_ROOT"/gitlab-ci/docker/docker-build-image.sh
+    if [ "${BAZEL_MODE:-false}" == "true" ]; then
+        "$REPO_ROOT"/gitlab-ci/docker/docker-build-image.sh --bazel
+    else
+        "$REPO_ROOT"/gitlab-ci/docker/docker-build-image.sh
+    fi
 fi
 
 source "$REPO_ROOT/gitlab-ci/docker/docker-run-include"
 
+if [ "${BAZEL_MODE:-false}" == "true" ]; then
+    IMAGE="$BAZEL_IMAGE"
+fi
+
 wdir="/ic/$(git rev-parse --show-prefix)"
 if [[ -z "${@:-}" ]]; then
     set -x
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		392b3d6501244d8e8fb8e8626894fce0418cc834d505f0571e142d4bbb8dc8c1
		7249151494ab726f8e5c049c6d6aac39749f9cb8f277db296f1daf85b07fe7fd