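# Bazel BUILD file for the CI/build container image.
#
# Pipeline, top to bottom:
#   1. users & groups        -> passwd / group tarballs
#   2. package management    -> apt packages layered onto @ubuntu//image
#   3. tool tarballs         -> binaries and scripts built or fetched by this repo
#   4. image assembly        -> build-image-base -> setup-bazelrc -> build-image -> actions
#   5. test and push
#
# Every target is tagged "manual" so it is only built when named explicitly.

load("@io_bazel_rules_docker//container:container.bzl", "container_image")
load("@io_bazel_rules_docker//contrib:group.bzl", "group_entry", "group_file")
load("@io_bazel_rules_docker//contrib:passwd.bzl", "passwd_entry", "passwd_tar")
load("@io_bazel_rules_docker//contrib:test.bzl", "container_test")
load("@io_bazel_rules_docker//docker/package_managers:apt_key.bzl", "add_apt_key")
load("@io_bazel_rules_docker//docker/package_managers:download_pkgs.bzl", "download_pkgs")
load("@io_bazel_rules_docker//docker/package_managers:install_pkgs.bzl", "install_pkgs")
load("@io_bazel_rules_docker//docker/util:run.bzl", "container_run_and_commit")
load("@rules_pkg//:pkg.bzl", "pkg_tar")
load("//hack/build/rules/container:index.bzl", "container_push")

package(default_visibility = ["//visibility:public"])

################################################################################
# USERS & GROUPS
################################################################################

# uid/gid of the unprivileged user the final image runs as (see `user = "build"` below)
BUILD = 21700

# conventional uid/gid for "nobody"
NOBODY = 65534

# inspired by distroless set up of root user: https://github.com/GoogleContainerTools/distroless/blob/9e2d716dbb86a5cee3ea2fffd90e3f5a036d95a9/base/BUILD#L12
# root keeps no interactive shell; only "build" gets /bin/bash.
passwd_entry(
    name = "root_user",
    gid = 0,
    home = "/root",
    info = "root",
    shell = "/sbin/nologin",
    tags = ["manual"],
    uid = 0,
    username = "root",
)

passwd_entry(
    name = "build_user",
    gid = BUILD,
    home = "/home/build",
    info = "build",
    shell = "/bin/bash",
    tags = ["manual"],
    uid = BUILD,
    username = "build",
)

passwd_entry(
    name = "nobody_user",
    create_home = False,
    gid = NOBODY,
    home = "/nonexistent",
    info = "nobody",
    shell = "/sbin/nologin",
    tags = ["manual"],
    uid = NOBODY,
    username = "nobody",
)

# /etc/passwd tarball, added to the final image as ":passwd.tar"
passwd_tar(
    name = "passwd",
    entries = [
        ":root_user",
        ":build_user",
        ":nobody_user",
    ],
    passwd_file_pkg_dir = "etc",
    tags = ["manual"],
)

# GROUPS
group_entry(
    name = "root_group",
    gid = 0,
    groupname = "root",
    tags = ["manual"],
)

group_entry(
    name = "build_group",
    gid = BUILD,
    groupname = "build",
    tags = ["manual"],
)

group_entry(
    name = "nobody_group",
    gid = NOBODY,
    groupname = "nobody",
    tags = ["manual"],
)

group_entry(
    name = "tty_group",
    gid = 5,
    groupname = "tty",
    tags = ["manual"],
)

group_entry(
    name = "staff_group",
    gid = 50,
    groupname = "staff",
    tags = ["manual"],
)

group_file(
    name = "group",
    entries = [
        ":root_group",
        ":nobody_group",
        ":tty_group",
        ":staff_group",
        ":build_group",
    ],
    tags = ["manual"],
)

# /etc/group tarball; world-readable, not writable
pkg_tar(
    name = "group_tar",
    srcs = [":group"],
    mode = "0644",
    package_dir = "etc",
    tags = ["manual"],
)

################################################################################
# PACKAGE MANAGEMENT
################################################################################

# this rule produces a tarball that can be used when building layers or images
# see below
download_pkgs(
    name = "download_base_pkgs",
    image_tar = "@ubuntu//image",
    packages = [
        "apt-transport-https",
        "bc",
        "build-essential",
        "ca-certificates",
        "curl",
        "git",
        "gnupg",
        "jq",
        "libasound2",
        "libgbm-dev",
        "libgconf-2-4",
        "libgtk-3-0",
        "libgtk2.0-0",
        "libnotify-dev",
        "libnss3",
        "libxss1",
        "libxtst6",
        "make",
        "openjdk-11-jre-headless",
        "python",
        "python3",
        "rsync",
        "ruby",
        "xauth",
        "xvfb",
    ],
    tags = ["manual"],
)

install_pkgs(
    name = "install_base_pkgs",
    image_tar = "@ubuntu//image",
    # same-package label; written with the leading ":" for consistency with install_extra_pkgs
    installables_tar = ":download_base_pkgs.tar",
    # drop the apt package lists that download_pkgs/install_pkgs leave behind
    installation_cleanup_commands = "rm -rf /var/lib/apt/lists/*",
    output_image_name = "install_base_pkgs",
    tags = ["manual"],
)

# now that we have ca-certificates, we can add keys for extra packages
# and download them

# add apt keys and specify installation of packages
add_apt_key(
    name = "add_apt_keys",
    image = ":install_base_pkgs.tar",
    keys = [
        "cloud.google.gpg",
        "nodesource.gpg",
    ],
    tags = ["manual"],
)

# download extra packages
download_pkgs(
    name = "download_extra_pkgs",
    # additional repos for the extra apt keys we added above.
    # Both repos are fetched over HTTPS: apt's signature check (via the keys
    # above) protects package integrity, but TLS also keeps the repo metadata
    # and the set of packages requested out of the clear.
    additional_repos = [
        "deb https://packages.cloud.google.com/apt cloud-sdk main",
        "deb https://deb.nodesource.com/node_20.x nodistro main",
    ],
    image_tar = ":add_apt_keys.tar",
    packages = [
        "google-cloud-sdk",
        "nodejs",
    ],
    tags = ["manual"],
)

# install them
# NOTE(review): the base here is install_base_pkgs.tar, not add_apt_keys.tar, so the
# extra apt keys are used only to fetch the .debs and do not end up in the final
# image -- presumably intentional; confirm before relying on `apt` inside the image.
install_pkgs(
    name = "install_extra_pkgs",
    image_tar = ":install_base_pkgs.tar",
    installables_tar = ":download_extra_pkgs.tar",
    installation_cleanup_commands = "rm -rf /var/lib/apt/lists/*",
    output_image_name = "install_extra_pkgs",
    tags = ["manual"],
)

################################################################################
# CREATE INSTALLATION TARS FOR TOOLS WE WANT TO INSTALL FROM THIS REPO
################################################################################

# Binaries built by this repo or fetched as external files, installed executable
# under /usr/local/bin. Keys are source labels, values are the installed names.
pkg_tar(
    name = "repo_tools",
    extension = "tgz",
    files = {
        "//cmd/tools/bzl-cache-rc-gen:bzl-cache-rc-gen_linux": "bzl-cache-rc-gen",
        "//cmd/edge/edgeadmin:edge_linux": "edgeadmin",
        "//third_party/gopherage:gopherage_linux": "gopherage",
        "@kpt_linux//:file": "kpt",
        "@yq_linux//file": "yq",
        "@bazelisk_linux//file": "bazel",
        "@helm_linux//:file": "helm",
        "//cmd/tools/art:art_linux": "art",
        ":go-shim.sh": "go",
        "//hack/tools/fmt-manifests:fmt-manifests_linux": "fmt-manifests",
        "@com_github_drone_envsubst_v2//cmd/envsubst": "envsubst",
        "@wss_unified_agent//file": "wss-unified-agent.jar",
    },
    mode = "755",
    package_dir = "/usr/local/bin",
    tags = ["manual"],
)

# CI/build scripts
pkg_tar(
    name = "scripts",
    extension = "tgz",
    files = {
        "//hack/build/ci:github-actions-clone-repo.sh": "github-actions-clone-repo.sh",
        "//hack/build/ci:delete-repo.sh": "delete-repo.sh",
        "//hack/build/ci:collect-bazel-test-reports.sh": "collect-bazel-test-reports.sh",
        "//hack/build/ci:docker-build-push.sh": "docker-build-push.sh",
        # installed without the .sh suffix, unlike the other scripts
        "//hack/build/ci:coverage-rpt.sh": "coverage-rpt",
        "//hack/build/ci:container-registry-auth.sh": "container-registry-auth.sh",
        "//hack/build/ci:gcloud-activate.sh": "gcloud-activate.sh",
        "//hack/build/ci:update-manifests.sh": "update-manifests.sh",
    },
    mode = "755",
    package_dir = "/usr/local/bin",
    strip_prefix = "/hack/build/ci/",
    tags = ["manual"],
)

# non-executable data files (pinned Bazel version) for tools that read them
pkg_tar(
    name = "utility_files",
    extension = "tgz",
    files = {
        "//:.bazelversion": ".bazelversion",
    },
    mode = "644",
    package_dir = "/usr/local/lib/edge-infra",
    tags = ["manual"],
)

################################################################################
# CREATE IMAGE, TEST IT, AND PUSH IT
################################################################################

# Base of the build image: packages + Go layer + the tool/script tarballs above.
# No entrypoint is set; callers supply the command.
container_image(
    name = "build-image-base",
    base = ":install_extra_pkgs.tar",
    entrypoint = None,
    env = {
        # "$$" is the escaped "$", so the image's existing PATH is kept -- presumably; verify in the built image
        "PATH": "/usr/local/go/bin:$$PATH",
        "GOBIN": "/usr/local/go/bin",
    },
    layers = [
        "//hack/containers/layers:go",
    ],
    tags = ["manual"],
    tars = [
        "@just_linux//:tar",
        "@docker//:tar",
        ":scripts",
        ":repo_tools",
        ":utility_files",
    ],
)

# Runs inside build-image-base and commits the result as ":setup-bazelrc_commit.tar".
container_run_and_commit(
    name = "setup-bazelrc",
    # set up a system wide remote cache configuration for our remote CI cache
    commands = [
        "bzl-cache-rc-gen -enable-cache=true -upload-results=true > /etc/bazel.bazelrc",
    ],
    image = ":build-image-base.tar",
    tags = ["manual"],
)

# Final build image: adds passwd/group and switches to the unprivileged "build" user.
container_image(
    name = "build-image",
    base = ":setup-bazelrc_commit.tar",
    tags = ["manual"],
    tars = [
        ":passwd.tar",
        ":group_tar",
    ],
    user = "build",
)

# declare a test that ensures all of our build tools are where they should
# be, and they have the correct permissions
container_test(
    name = "test",
    configs = [
        ":test.yaml",
        "//hack/containers/layers:go-test.yaml",
    ],
    driver = "docker",
    image = ":build-image",
    tags = ["manual"],
)

# variant of our build image specialized for GitHub Actions
container_image(
    name = "actions",
    base = ":build-image",
    env = {
        "BAZELISK_HOME": "/__w/_tool/.cache/bazelisk",
        "GOLANGCI_LINT_CACHE": "/__w/_tool/.cache/golangci-lint",
    },
    tags = ["manual"],
)

# Only the "actions" variant is pushed; the registry comes from repository_file.
container_push(
    image = ":actions",
    image_name = "build-fractions",
    repository_file = "//hack/build/rules/container:workloads-repo",
    rules_docker = True,
    tags = ["manual"],
)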