Diffstat (limited to 'images')
-rw-r--r--images/BUILD10
-rw-r--r--images/Makefile107
-rw-r--r--images/README.md6
-rw-r--r--images/agent/Dockerfile12
-rw-r--r--images/agent/README.md7
-rw-r--r--images/basic/ping4test/Dockerfile7
-rw-r--r--images/basic/ping4test/ping4.sh25
-rw-r--r--images/basic/ping6test/Dockerfile7
-rw-r--r--images/basic/ping6test/ping6.sh32
-rw-r--r--images/benchmarks/absl/Dockerfile.x86_64 (renamed from images/benchmarks/absl/Dockerfile)1
-rw-r--r--images/benchmarks/hey/Dockerfile13
-rw-r--r--images/benchmarks/runsc/Dockerfile.x86_64 (renamed from images/benchmarks/runsc/Dockerfile)1
-rw-r--r--images/default/Dockerfile8
-rw-r--r--images/defs.bzl17
-rw-r--r--images/runtimes/go1.12/Dockerfile.x86_64 (renamed from images/runtimes/go1.12/Dockerfile)0
15 files changed, 118 insertions, 135 deletions
diff --git a/images/BUILD b/images/BUILD
index a50f388e9..34b950644 100644
--- a/images/BUILD
+++ b/images/BUILD
@@ -1,11 +1 @@
package(licenses = ["notice"])
-
-# The images filegroup is definitely not a hermetic target, and requires Make
-# to do anything meaningful with. However, this will be slurped up and used by
-# the tools/installer/images.sh installer, which will ensure that all required
-# images are available locally when running vm_tests.
-filegroup(
- name = "images",
- srcs = glob(["**"]),
- visibility = ["//tools/installers:__pkg__"],
-)
diff --git a/images/Makefile b/images/Makefile
deleted file mode 100644
index 12927c509..000000000
--- a/images/Makefile
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/usr/bin/make -f
-
-# Copyright 2018 The gVisor Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# ARCH is the architecture used for the build. This may be overriden at the
-# command line in order to perform a cross-build (in a limited capacity).
-ARCH := $(shell uname -m)
-
-# Note that the image prefixes used here must match the image mangling in
-# runsc/testutil.MangleImage. Names are mangled in this way to ensure that all
-# tests are using locally-defined images (that are consistent and idempotent).
-REMOTE_IMAGE_PREFIX ?= gcr.io/gvisor-presubmit
-LOCAL_IMAGE_PREFIX ?= gvisor.dev/images
-ALL_IMAGES := $(subst /,_,$(subst ./,,$(shell find . -name Dockerfile -o -name Dockerfile.$(ARCH) | xargs -n 1 dirname | uniq)))
-ifneq ($(ARCH),$(shell uname -m))
-DOCKER_PLATFORM_ARGS := --platform=$(ARCH)
-else
-DOCKER_PLATFORM_ARGS :=
-endif
-
-list-all-images:
- @for image in $(ALL_IMAGES); do echo $${image}; done
-.PHONY: list-build-images
-
-# Handy wrapper to allow load-all-images, push-all-images, etc.
-%-all-images:
- @$(MAKE) $(patsubst %,$*-%,$(ALL_IMAGES))
-load-all-images:
- @$(MAKE) $(patsubst %,load-%,$(ALL_IMAGES))
-
-# Handy wrapper to load specified "groups", e.g. load-basic-images, etc.
-load-%-images:
- @$(MAKE) $(patsubst %,load-%,$(subst /,_,$(subst ./,,$(shell find ./$* -name Dockerfile -exec dirname {} \;))))
-
-# tag is a function that returns the tag name, given an image.
-#
-# The tag constructed is used to memoize the image generated (see README.md).
-# This scheme is used to enable aggressive caching in a central repository, but
-# ensuring that images will always be sourced using the local files if there
-# are changes.
-path = $(subst _,/,$(1))
-dockerfile = $$(if [ -f "$(call path,$(1))/Dockerfile.$(ARCH)" ]; then echo Dockerfile.$(ARCH); else echo Dockerfile; fi)
-tag = $(shell find $(call path,$(1)) -type f -print | sort | xargs -n 1 sha256sum | sha256sum - | cut -c 1-16)
-remote_image = $(REMOTE_IMAGE_PREFIX)/$(subst _,/,$(1))_$(ARCH):$(call tag,$(1))
-local_image = $(LOCAL_IMAGE_PREFIX)/$(subst _,/,$(1))
-
-# rebuild builds the image locally. Only the "remote" tag will be applied. Note
-# we need to explicitly repull the base layer in order to ensure that the
-# architecture is correct. Note that we use the term "rebuild" here to avoid
-# conflicting with the bazel "build" terminology, which is used elsewhere.
-rebuild-%: FROM=$(shell grep FROM "$(call path,$*)/$(call dockerfile,$*)" | cut -d' ' -f2)
-rebuild-%: register-cross
- @if ! [ -f "$(call path,$*)/$(call dockerfile,$*)" ]; then \
- (echo "ERROR: Dockerfile for $* not found (is it available for $(ARCH)?)." >&2 && exit 1); \
- fi
- $(foreach IMAGE,$(FROM),docker pull $(DOCKER_PLATFORM_ARGS) $(IMAGE) &&) \
- T=$$(mktemp -d) && cp -a $(call path,$*)/* $$T && \
- docker build $(DOCKER_PLATFORM_ARGS) \
- -f "$$T/$(call dockerfile,$*)" \
- -t "$(call remote_image,$*)" \
- $$T && \
- rm -rf $$T
-
-# pull will check the "remote" image and pull if necessary. If the remote image
-# must be pulled, then it will tag with the latest local target. Note that pull
-# may fail if the remote image is not available.
-pull-%:
- docker pull $(DOCKER_PLATFORM_ARGS) $(call remote_image,$*)
-
-# load will either pull the "remote" or build it locally. This is the preferred
-# entrypoint, as it should never fail. The local tag should always be set after
-# this returns (either by the pull or the build).
-load-%:
- $(MAKE) pull-$* || $(MAKE) rebuild-$*
- docker tag $(call remote_image,$*) $(call local_image,$*)
-
-# push pushes the remote image, after either pulling (to validate that the tag
-# already exists) or building manually.
-push-%: load-%
- docker push $(call remote_image,$*)
-
-# register-cross registers the necessary qemu binaries for cross-compilation.
-# This may be used by any target that may execute containers that are not the
-# native format.
-register-cross:
-ifneq ($(ARCH),$(shell uname -m))
-ifeq (,$(wildcard /proc/sys/fs/binfmt_misc/qemu-*))
- docker run --rm --privileged multiarch/qemu-user-static --reset --persistent yes
-else
- @true # Already registered.
-endif
-else
- @true # No cross required.
-endif
-.PHONY: register-cross
diff --git a/images/README.md b/images/README.md
index 9880946a6..297c7c3f3 100644
--- a/images/README.md
+++ b/images/README.md
@@ -41,9 +41,9 @@ All images will be tagged and memoized using a hash of the directory contents.
As a result, every image should be made completely reproducible if possible.
This means using fixed tags and fixed versions whenever feasible.
-Notes that images should also be made architecture-independent if possible. The
-build scripts will handling loading the appropriate architecture onto the
-machine and tagging it with the single canonical tag.
+Note that images should also be made architecture-independent if possible. The
+build scripts will handle loading the appropriate architecture onto the machine
+and tagging it with the single canonical tag.
Add a `load-<image>` dependency in the Makefile if the image is required for a
particular set of tests. This target will pull the tag from the image repository
diff --git a/images/agent/Dockerfile b/images/agent/Dockerfile
new file mode 100644
index 000000000..1d8979390
--- /dev/null
+++ b/images/agent/Dockerfile
@@ -0,0 +1,12 @@
+FROM golang:1.15 as build-agent
+RUN git clone --depth=1 --branch=v3.25.0 https://github.com/buildkite/agent
+RUN cd agent && go build -i -o /buildkite-agent .
+
+FROM golang:1.15 as build-agent-metrics
+RUN git clone --depth=1 --branch=v5.2.0 https://github.com/buildkite/buildkite-agent-metrics
+RUN cd buildkite-agent-metrics && go build -i -o /buildkite-agent-metrics .
+
+FROM gcr.io/distroless/base-debian10
+COPY --from=build-agent /buildkite-agent /
+COPY --from=build-agent-metrics /buildkite-agent-metrics /
+CMD ["/buildkite-agent"]
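Review bot: Both build stages fetch their source by tag name only (`--branch=v3.25.0` and `--branch=v5.2.0`), and a Git tag can be moved upstream, so the binaries baked into the agent image are not tied to a reviewed commit. Since this image runs the CI agent, I would record the expected commit and fail the build on a mismatch, e.g. `RUN test "$(git -C agent rev-parse HEAD)" = "<expected-commit-sha>"` after each clone. The base images `golang:1.15` and `gcr.io/distroless/base-debian10` are likewise floating tags and could be pinned as `image@sha256:<digest>`. A one-line comment above each `FROM` saying what the stage produces would also help.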
diff --git a/images/agent/README.md b/images/agent/README.md
new file mode 100644
index 000000000..acb57bd2f
--- /dev/null
+++ b/images/agent/README.md
@@ -0,0 +1,7 @@
+# Build Agent
+
+This is the image used by the build agent. It is built and bundled via a
+separate packaging mechanism in order to provide local caching and to ensure
+that there is better build provenance. Note that continuous integration system
+will generally deploy new agents from the primary branch, and will only deploy
+as instances are recycled. Updates to this image should be made carefully.
diff --git a/images/basic/ping4test/Dockerfile b/images/basic/ping4test/Dockerfile
new file mode 100644
index 000000000..1536be376
--- /dev/null
+++ b/images/basic/ping4test/Dockerfile
@@ -0,0 +1,7 @@
+FROM ubuntu:bionic
+
+WORKDIR /root
+COPY ping4.sh .
+RUN chmod +x ping4.sh
+
+RUN apt-get update && apt-get install -y iputils-ping
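Review bot: `FROM ubuntu:bionic` and the unversioned `apt-get install -y iputils-ping` on the last line make the image contents depend on when it is built, while images/README.md says the tag is memoized from a hash of the directory contents only. Two builds of the same directory can therefore carry the same tag but different packages. Consider pinning the base by digest (`ubuntu:bionic@sha256:<digest>`) and trimming the layer with `apt-get install -y --no-install-recommends iputils-ping && rm -rf /var/lib/apt/lists/*`. images/basic/ping6test/Dockerfile has the same pattern.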
diff --git a/images/basic/ping4test/ping4.sh b/images/basic/ping4test/ping4.sh
new file mode 100644
index 000000000..2a343712a
--- /dev/null
+++ b/images/basic/ping4test/ping4.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Copyright 2020 The gVisor Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# The docker API doesn't provide for starting a container, running a command,
+# and getting the exit status of the command in one go. The most straightforward
+# way to do this is to verify the output of the command, so we output nothing on
+# success and an error message on failure.
+if ! out=$(ping -c 10 127.0.0.1); then
+ echo "$out"
+fi
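Review bot: The failure branch prints only what ping wrote to stdout, so a failure reported solely on stderr leaves `$out` empty and the script writes just a blank line before exiting 0. Whether the caller treats a lone newline as a failure is not visible here, so I would make the signal explicit: capture both streams with `out=$(ping -c 10 127.0.0.1 2>&1)` and print a fixed marker such as `echo "ping failed: $out"`. ping6.sh uses the same pattern for `/bin/ping6 -c 10 ::1`.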
diff --git a/images/basic/ping6test/Dockerfile b/images/basic/ping6test/Dockerfile
new file mode 100644
index 000000000..cb740bd60
--- /dev/null
+++ b/images/basic/ping6test/Dockerfile
@@ -0,0 +1,7 @@
+FROM ubuntu:bionic
+
+WORKDIR /root
+COPY ping6.sh .
+RUN chmod +x ping6.sh
+
+RUN apt-get update && apt-get install -y iputils-ping iproute2
diff --git a/images/basic/ping6test/ping6.sh b/images/basic/ping6test/ping6.sh
new file mode 100644
index 000000000..4268951d0
--- /dev/null
+++ b/images/basic/ping6test/ping6.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Copyright 2020 The gVisor Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# Enable ipv6 on loopback if it's not already enabled. Runsc doesn't enable ipv6
+# loopback unless an ipv6 address was assigned to the container, which docker
+# does not do by default.
+if ! [[ $(ip -6 addr show dev lo) ]]; then
+ ip addr add ::1 dev lo
+fi
+
+# The docker API doesn't provide for starting a container, running a command,
+# and getting the exit status of the command in one go. The most straightforward
+# way to do this is to verify the output of the command, so we output nothing on
+# success and an error message on failure.
+if ! out=$(/bin/ping6 -c 10 ::1); then
+ echo "$out"
+fi
diff --git a/images/benchmarks/absl/Dockerfile b/images/benchmarks/absl/Dockerfile.x86_64
index b0dd97695..810c9ef5e 100644
--- a/images/benchmarks/absl/Dockerfile
+++ b/images/benchmarks/absl/Dockerfile.x86_64
@@ -12,6 +12,7 @@ RUN set -x \
unzip \
python3 \
&& rm -rf /var/lib/apt/lists/*
+
RUN wget https://github.com/bazelbuild/bazel/releases/download/0.27.0/bazel-0.27.0-installer-linux-x86_64.sh
RUN chmod +x bazel-0.27.0-installer-linux-x86_64.sh
RUN ./bazel-0.27.0-installer-linux-x86_64.sh
diff --git a/images/benchmarks/hey/Dockerfile b/images/benchmarks/hey/Dockerfile
index f586978b6..4b6a0f849 100644
--- a/images/benchmarks/hey/Dockerfile
+++ b/images/benchmarks/hey/Dockerfile
@@ -1,12 +1,13 @@
-FROM ubuntu:18.04
+FROM golang:1.15 as build
+RUN go get github.com/rakyll/hey
+WORKDIR /go/src/github.com/rakyll/hey
+RUN go mod download
+RUN CGO_ENABLED=0 go build -o /hey hey.go
+FROM ubuntu:18.04
RUN set -x \
&& apt-get update \
&& apt-get install -y \
wget \
&& rm -rf /var/lib/apt/lists/*
-
-RUN wget https://storage.googleapis.com/hey-release/hey_linux_amd64 \
- && chmod 777 hey_linux_amd64 \
- && cp hey_linux_amd64 /bin/hey \
- && rm hey_linux_amd64
+COPY --from=build /hey /bin/hey
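Review bot: `RUN go get github.com/rakyll/hey` in the new build stage names no version, so it resolves to whatever upstream publishes at build time and the benchmark binary is neither reproducible nor tied to a reviewed revision. images/agent/Dockerfile in this same commit clones a fixed tag; doing the same here, e.g. `RUN git clone --depth=1 --branch=<release-tag> https://github.com/rakyll/hey /go/src/github.com/rakyll/hey`, would keep the two consistent. The final stage also still installs `wget`, which looks unused now that the binary is copied from the build stage; confirm and drop it if so.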
diff --git a/images/benchmarks/runsc/Dockerfile b/images/benchmarks/runsc/Dockerfile.x86_64
index 6c3aafa57..28ae64816 100644
--- a/images/benchmarks/runsc/Dockerfile
+++ b/images/benchmarks/runsc/Dockerfile.x86_64
@@ -14,6 +14,7 @@ RUN set -x \
python3 \
python3-pip \
&& rm -rf /var/lib/apt/lists/*
+
RUN wget https://github.com/bazelbuild/bazel/releases/download/3.4.1/bazel-3.4.1-installer-linux-x86_64.sh
RUN chmod +x bazel-3.4.1-installer-linux-x86_64.sh
RUN ./bazel-3.4.1-installer-linux-x86_64.sh
diff --git a/images/default/Dockerfile b/images/default/Dockerfile
index d058b83cb..224469267 100644
--- a/images/default/Dockerfile
+++ b/images/default/Dockerfile
@@ -1,16 +1,20 @@
FROM fedora:31
+
# Install bazel.
RUN dnf install -y dnf-plugins-core && dnf copr enable -y vbatts/bazel
RUN dnf install -y git gcc make golang gcc-c++ glibc-devel python3 which python3-pip python3-devel libffi-devel openssl-devel pkg-config glibc-static libstdc++-static patch diffutils
RUN pip install --no-cache-dir pycparser
RUN dnf install -y bazel3
-# Install gcloud.
+
+# Install gcloud. Note that while this is "x86_64", it doesn't actually matter.
RUN curl https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-289.0.0-linux-x86_64.tar.gz | \
- tar zxvf - google-cloud-sdk && \
+ tar zxf - google-cloud-sdk && \
google-cloud-sdk/install.sh && \
ln -s /google-cloud-sdk/bin/gcloud /usr/bin/gcloud
+
# Install Docker client for the website build.
RUN dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
RUN dnf install -y docker-ce-cli
+
WORKDIR /workspace
ENTRYPOINT ["/usr/bin/bazel"]
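Review bot: The gcloud step this hunk touches still pipes `curl` straight into `tar zxf -` and then runs `google-cloud-sdk/install.sh`, with no integrity check on the archive and no `-f` on curl. An HTTP error body or a truncated download is caught only if tar happens to reject it. I would download to a file with `curl -fsSL -o sdk.tgz <url>`, verify it with `echo "<expected-sha256>  sdk.tgz" | sha256sum -c -`, and only then extract and run the installer.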
diff --git a/images/defs.bzl b/images/defs.bzl
index 61d7bbf73..c1f96e312 100644
--- a/images/defs.bzl
+++ b/images/defs.bzl
@@ -2,30 +2,33 @@
def _docker_image_impl(ctx):
importer = ctx.actions.declare_file(ctx.label.name)
+
importer_content = [
"#!/bin/bash",
"set -euo pipefail",
+ "source_file='%s'" % ctx.file.data.path,
+ "if [[ ! -f \"$source_file\" ]]; then",
+ " source_file='%s'" % ctx.file.data.short_path,
+ "fi",
"exec docker import " + " ".join([
"-c '%s'" % attr
for attr in ctx.attr.statements
- ]) + " " + " ".join([
- "'%s'" % f.path
- for f in ctx.files.data
- ]) + " $1",
+ ]) + " \"$source_file\" $1",
"",
]
+
ctx.actions.write(importer, "\n".join(importer_content), is_executable = True)
return [DefaultInfo(
- runfiles = ctx.runfiles(ctx.files.data),
+ runfiles = ctx.runfiles([ctx.file.data]),
executable = importer,
)]
docker_image = rule(
implementation = _docker_image_impl,
- doc = "Tool to load a Docker image; takes a single parameter (image name).",
+ doc = "Tool to import a Docker image; takes a single parameter (image name).",
attrs = {
"statements": attr.string_list(doc = "Extra Dockerfile directives."),
- "data": attr.label_list(doc = "All image data."),
+ "data": attr.label(doc = "Image filesystem tarball", allow_single_file = [".tgz", ".tar.gz"]),
},
executable = True,
)
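Review bot: On the new `exec docker import` line the tarball path is quoted as `\"$source_file\"` but the image name is still a bare `$1`, so an argument containing whitespace or glob characters is word-split before docker sees it. Quote it as well: `]) + " \"$source_file\" \"$1\"",`. The paths and `statements` are also spliced into single-quoted shell strings via `'%s' %`, which breaks if a value ever contains a single quote; a comment stating that assumption would be enough. A docstring on `_docker_image_impl` explaining why the script falls back from `path` to `short_path` would help the next reader.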
diff --git a/images/runtimes/go1.12/Dockerfile b/images/runtimes/go1.12/Dockerfile.x86_64
index cb2944062..cb2944062 100644
--- a/images/runtimes/go1.12/Dockerfile
+++ b/images/runtimes/go1.12/Dockerfile.x86_64