1load("@io_bazel_rules_docker//container:container.bzl", "container_image")
2load("@io_bazel_rules_docker//contrib:group.bzl", "group_entry", "group_file")
3load("@io_bazel_rules_docker//contrib:passwd.bzl", "passwd_entry", "passwd_tar")
4load("@io_bazel_rules_docker//contrib:test.bzl", "container_test")
5load("@io_bazel_rules_docker//docker/package_managers:apt_key.bzl", "add_apt_key")
6load("@io_bazel_rules_docker//docker/package_managers:download_pkgs.bzl", "download_pkgs")
7load("@io_bazel_rules_docker//docker/package_managers:install_pkgs.bzl", "install_pkgs")
8load("@io_bazel_rules_docker//docker/util:run.bzl", "container_run_and_commit")
9load("@rules_pkg//:pkg.bzl", "pkg_tar")
10load("//hack/build/rules/container:index.bzl", "container_push")
11
# Every target in this package is visible to the whole workspace; all rules
# below are additionally tagged "manual", so none of them builds under a
# wildcard pattern and each must be named explicitly.
package(default_visibility = ["//visibility:public"])
13
14################################################################################
15# USERS & GROUPS
16################################################################################
17
# uid/gid of the unprivileged account the final image runs as (see `build-image`
# below, which sets `user = "build"`).
BUILD = 21700

# uid/gid of the `nobody` account (the conventional Debian/Ubuntu value).
NOBODY = 65534
21
22# inspired by distroless set up of root user: https://github.com/GoogleContainerTools/distroless/blob/9e2d716dbb86a5cee3ea2fffd90e3f5a036d95a9/base/BUILD#L12
# root keeps uid/gid 0 but gets a non-interactive shell, so a shell login as
# root is refused. This only removes the shell-based path: `docker exec -u 0`
# or any setuid binary still runs with uid 0.
passwd_entry(
    name = "root_user",
    gid = 0,
    home = "/root",
    info = "root",
    shell = "/sbin/nologin",  # refuse interactive logins for root
    tags = ["manual"],
    uid = 0,
    username = "root",
)
33
# Unprivileged account the final image runs as (`user = "build"` below). It is
# the only account in this passwd file with an interactive shell; uid and gid
# share the BUILD value and the matching group is declared in `build_group`.
passwd_entry(
    name = "build_user",
    gid = BUILD,
    home = "/home/build",  # create_home is left at its default here, unlike nobody_user
    info = "build",
    shell = "/bin/bash",
    tags = ["manual"],
    uid = BUILD,
    username = "build",
)
44
# Conventional `nobody` account: no home directory is created, the home path
# does not exist, and the shell refuses logins.
passwd_entry(
    name = "nobody_user",
    create_home = False,  # /nonexistent is deliberately not created
    gid = NOBODY,
    home = "/nonexistent",
    info = "nobody",
    shell = "/sbin/nologin",
    tags = ["manual"],
    uid = NOBODY,
    username = "nobody",
)
56
# Renders /etc/passwd from the three entries above. When layered onto the image
# (see `build-image`) this file replaces the base image's passwd, so only root,
# build and nobody resolve afterwards.
# NOTE(review): system accounts shipped by the Ubuntu base (e.g. _apt) are
# dropped by this overlay — confirm nothing in the image depends on them at
# runtime.
passwd_tar(
    name = "passwd",
    entries = [
        ":root_user",
        ":build_user",
        ":nobody_user",
    ],
    passwd_file_pkg_dir = "etc",  # installs as /etc/passwd
    tags = ["manual"],
)
67
68# GROUPS
69
# Group entries rendered into /etc/group by `group` below. root/nobody/build
# mirror the passwd entries above; tty (gid 5) and staff (gid 50) use the
# conventional Debian/Ubuntu gids.

group_entry(
    name = "root_group",
    gid = 0,
    groupname = "root",
    tags = ["manual"],
)

# primary group of the `build` user; gid matches the BUILD uid.
group_entry(
    name = "build_group",
    gid = BUILD,
    groupname = "build",
    tags = ["manual"],
)

group_entry(
    name = "nobody_group",
    gid = NOBODY,
    groupname = "nobody",
    tags = ["manual"],
)

# NOTE(review): no passwd entry here is a member of tty or staff; presumably
# they exist so the gids resolve for files in the base image — confirm.
group_entry(
    name = "tty_group",
    gid = 5,
    groupname = "tty",
    tags = ["manual"],
)

group_entry(
    name = "staff_group",
    gid = 50,
    groupname = "staff",
    tags = ["manual"],
)
104
# Renders /etc/group from the five entries above. Like the passwd overlay, this
# replaces the base image's group file wholesale when layered onto the image.
group_file(
    name = "group",
    entries = [
        ":root_group",
        ":nobody_group",
        ":tty_group",
        ":staff_group",
        ":build_group",
    ],
    tags = ["manual"],
)
116
# Packages the rendered group file as /etc/group, world-readable but not
# writable (0644), matching the permissions of a stock /etc/group.
pkg_tar(
    name = "group_tar",
    srcs = [":group"],
    mode = "0644",
    package_dir = "etc",
    tags = ["manual"],
)
124
125################################################################################
126# PACKAGE MANAGEMENT
127################################################################################
128
129# this rule produces a tarball that can be used when building layers or images
130# see below
# Downloads (without installing) the packages below plus their dependencies
# into a tarball, using the apt configuration of the @ubuntu base image.
download_pkgs(
    name = "download_base_pkgs",
    image_tar = "@ubuntu//image",
    packages = [
        "apt-transport-https",  # needed for the https repos used in download_extra_pkgs
        "bc",
        "build-essential",
        "ca-certificates",  # needed to verify TLS to the https repos used below
        "curl",
        "git",
        "gnupg",
        "jq",
        # presumably headless-browser test dependencies (xvfb, gtk, nss, xss) —
        # TODO confirm which consumers still need them.
        "libasound2",
        "libgbm-dev",
        "libgconf-2-4",
        "libgtk-3-0",
        "libgtk2.0-0",
        "libnotify-dev",
        "libnss3",
        "libxss1",
        "libxtst6",
        "make",
        "openjdk-11-jre-headless",
        # NOTE(review): on the Ubuntu releases that ship it, "python" is Python 2,
        # which is end-of-life; confirm it is still required alongside python3.
        "python",
        "python3",
        "rsync",
        "ruby",
        "xauth",
        "xvfb",
    ],
    tags = ["manual"],
)
163
# Installs the downloaded base packages into the @ubuntu image and removes the
# apt list cache afterwards so it does not end up in the layer.
install_pkgs(
    name = "install_base_pkgs",
    image_tar = "@ubuntu//image",
    installables_tar = "download_base_pkgs.tar",  # same-package label; equivalent to ":download_base_pkgs.tar"
    installation_cleanup_commands = "rm -rf /var/lib/apt/lists/*",
    output_image_name = "install_base_pkgs",
    tags = ["manual"],
)
172
173# now that we have ca-certificates, we can add keys for extra packages
174# and download them
175# add apt keys and specify installation of packages
# Adds the vendor repository signing keys to apt's trust store so the extra
# repositories in download_extra_pkgs can be verified. The keys are files
# checked into this package, not fetched at build time, so a build cannot be
# pointed at a substituted key.
# NOTE(review): keys added this way are presumably trusted for every apt
# source, not just the repo they belong to — confirm against the rule
# implementation and consider scoping them if the rule supports it.
add_apt_key(
    name = "add_apt_keys",
    image = ":install_base_pkgs.tar",
    keys = [
        "cloud.google.gpg",
        "nodesource.gpg",
    ],
    tags = ["manual"],
)
185
186# download extra packages
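# Downloads the Cloud SDK and Node.js packages from their vendor repositories.
# apt's signature check against the keys added in add_apt_keys is the
# integrity control; both repositories are additionally fetched over TLS so an
# on-path party can neither observe nor substitute the metadata stream.
# apt-transport-https and ca-certificates are already in the base package set.
download_pkgs(
    name = "download_extra_pkgs",
    # additional repos for the extra apt keys we added above
    additional_repos = [
        "deb https://packages.cloud.google.com/apt cloud-sdk main",
        "deb https://deb.nodesource.com/node_20.x nodistro main",
    ],
    image_tar = ":add_apt_keys.tar",
    packages = [
        "google-cloud-sdk",
        "nodejs",
    ],
    tags = ["manual"],
)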
201
202# install them
# Installs the downloaded extra packages from the installables tar. The base is
# install_base_pkgs, not add_apt_keys, so the final image carries neither the
# vendor keys nor their sources.list entries; the local .debs need no repo
# access to install.
# NOTE(review): presumably intentional (smaller trust store in the shipped
# image) — confirm nothing later runs `apt-get install` against those repos.
install_pkgs(
    name = "install_extra_pkgs",
    image_tar = ":install_base_pkgs.tar",
    installables_tar = ":download_extra_pkgs.tar",
    installation_cleanup_commands = "rm -rf /var/lib/apt/lists/*",
    output_image_name = "install_extra_pkgs",
    tags = ["manual"],
)
211
212################################################################################
213# CREATE INSTALLATION TARS FOR TOOLS WE WANT TO INSTALL FROM THIS REPO
214################################################################################
215
# Tools installed into /usr/local/bin (mode 755). Sources are a mix of binaries
# built from this repo and pre-built binaries fetched by external repository
# rules (the @*_linux targets).
# NOTE(review): the integrity of the @*_linux binaries is whatever their
# repository rules (defined outside this file) pin — confirm each one pins a
# sha256 rather than downloading by URL alone.
pkg_tar(
    name = "repo_tools",
    extension = "tgz",
    files = {
        "//cmd/tools/bzl-cache-rc-gen:bzl-cache-rc-gen_linux": "bzl-cache-rc-gen",  # used by setup-bazelrc below
        "//cmd/edge/edgeadmin:edge_linux": "edgeadmin",
        "//third_party/gopherage:gopherage_linux": "gopherage",
        "@kpt_linux//:file": "kpt",
        "@yq_linux//file": "yq",
        "@bazelisk_linux//file": "bazel",  # bazelisk is installed under the name `bazel`
        "@helm_linux//:file": "helm",
        "//cmd/tools/art:art_linux": "art",
        ":go-shim.sh": "go",  # shell shim installed as `go`; the toolchain itself comes from the go layer
        "//hack/tools/fmt-manifests:fmt-manifests_linux": "fmt-manifests",
        "@com_github_drone_envsubst_v2//cmd/envsubst": "envsubst",
        "@wss_unified_agent//file": "wss-unified-agent.jar",
    },
    mode = "755",
    package_dir = "/usr/local/bin",
    tags = ["manual"],
)
237
238# CI/build scripts
# CI helper scripts installed into /usr/local/bin (mode 755). Note that
# coverage-rpt.sh is installed without its extension while the others keep it.
# NOTE(review): `files` already maps each source to an explicit destination
# name, so strip_prefix presumably has no effect here — confirm before removing.
pkg_tar(
    name = "scripts",
    extension = "tgz",
    files = {
        "//hack/build/ci:github-actions-clone-repo.sh": "github-actions-clone-repo.sh",
        "//hack/build/ci:delete-repo.sh": "delete-repo.sh",
        "//hack/build/ci:collect-bazel-test-reports.sh": "collect-bazel-test-reports.sh",
        "//hack/build/ci:docker-build-push.sh": "docker-build-push.sh",
        "//hack/build/ci:coverage-rpt.sh": "coverage-rpt",
        "//hack/build/ci:container-registry-auth.sh": "container-registry-auth.sh",
        "//hack/build/ci:gcloud-activate.sh": "gcloud-activate.sh",
        "//hack/build/ci:update-manifests.sh": "update-manifests.sh",
    },
    mode = "755",
    package_dir = "/usr/local/bin",
    strip_prefix = "/hack/build/ci/",
    tags = ["manual"],
)
257
# Non-executable support files (mode 644). The repo's .bazelversion is shipped
# so the bazelisk shim installed as `bazel` can pick the expected Bazel release.
pkg_tar(
    name = "utility_files",
    extension = "tgz",
    files = {
        "//:.bazelversion": ".bazelversion",
    },
    mode = "644",
    package_dir = "/usr/local/lib/edge-infra",
    tags = ["manual"],
)
268
269################################################################################
270# CREATE IMAGE, TEST IT, AND PUSH IT
271################################################################################
272
# Assembles the tool image on top of the package-installed Ubuntu image:
# the Go toolchain layer plus the tool/script tarballs above. No entrypoint is
# set, so the runtime command is whatever the caller supplies.
# NOTE(review): @docker//:tar puts the docker CLI in the image. If the host's
# docker socket is mounted at runtime, that CLI is root-equivalent on the host
# regardless of the unprivileged `user` set on build-image — confirm how the
# image is run.
container_image(
    name = "build-image-base",
    base = ":install_extra_pkgs.tar",
    entrypoint = None,
    env = {
        # "$$" is the escaped "$", so PATH is extended at runtime rather than
        # at image build time.
        "PATH": "/usr/local/go/bin:$$PATH",
        "GOBIN": "/usr/local/go/bin",
    },
    layers = [
        "//hack/containers/layers:go",
    ],
    tags = ["manual"],
    tars = [
        "@just_linux//:tar",
        "@docker//:tar",
        ":scripts",
        ":repo_tools",
        ":utility_files",
    ],
)
293
# Runs bzl-cache-rc-gen (installed to /usr/local/bin by repo_tools) inside the
# base image and commits the result as a new layer; the output is the
# system-wide /etc/bazel.bazelrc. This runs before the passwd/group overlay and
# before `user` is set, i.e. as the base image's default user.
# NOTE(review): -upload-results=true is baked into the image. If the GitHub
# Actions variant below also runs fork/untrusted PR builds, those builds would
# write to the shared remote cache — confirm cache write access is gated by
# credentials rather than by this flag.
container_run_and_commit(
    name = "setup-bazelrc",
    # set up a system wide remote cache configuration for our remote CI cache
    commands = [
        "bzl-cache-rc-gen -enable-cache=true -upload-results=true > /etc/bazel.bazelrc",
    ],
    image = ":build-image-base.tar",
    tags = ["manual"],
)
303
# Final image: overlays the passwd/group files built above (replacing the
# base's) and switches the default user to the unprivileged `build` account.
# The overlay is applied last so the `user` lookup resolves against the passwd
# file declared in this package.
container_image(
    name = "build-image",
    base = ":setup-bazelrc_commit.tar",  # output of the setup-bazelrc commit above
    tags = ["manual"],
    tars = [
        ":passwd.tar",
        ":group_tar",
    ],
    user = "build",  # uid BUILD; root remains present but with /sbin/nologin
)
314
315# declare a test that ensures all of our build tools are where they should
316# be, and they have the correct permissions
# Structure test for the final image: runs the checks in test.yaml (this
# package) and the go layer's own test config against build-image using the
# docker driver.
container_test(
    name = "test",
    configs = [
        ":test.yaml",
        "//hack/containers/layers:go-test.yaml",
    ],
    driver = "docker",
    image = ":build-image",
    tags = ["manual"],
)
327
328# variant of our build image specialized for GitHub Actions
# GitHub Actions variant: identical to build-image except that the bazelisk and
# golangci-lint caches are pointed at paths under /__w, presumably the
# Actions runner's workspace mount — TODO confirm the runner mounts it there.
container_image(
    name = "actions",
    base = ":build-image",
    env = {
        "BAZELISK_HOME": "/__w/_tool/.cache/bazelisk",
        "GOLANGCI_LINT_CACHE": "/__w/_tool/.cache/golangci-lint",
    },
    tags = ["manual"],
)
338
# Pushes only the Actions variant; the destination registry/repository is read
# from the workloads-repo file rather than hard-coded here.
container_push(
    image = ":actions",
    image_name = "build-fractions",
    repository_file = "//hack/build/rules/container:workloads-repo",
    rules_docker = True,
    tags = ["manual"],
)