Diffstat (limited to 'images')
-rw-r--r-- | images/BUILD | 10 | ||||
-rw-r--r-- | images/Makefile | 107 | ||||
-rw-r--r-- | images/agent/Dockerfile | 12 | ||||
-rw-r--r-- | images/agent/README.md | 7 | ||||
-rw-r--r-- | images/arm-qemu/Dockerfile.x86_64 | 12 | ||||
-rwxr-xr-x | images/arm-qemu/initramfs/init | 39 | ||||
-rwxr-xr-x | images/arm-qemu/test.sh | 28 | ||||
-rw-r--r-- | images/basic/ping4test/Dockerfile | 7 | ||||
-rw-r--r-- | images/basic/ping4test/ping4.sh | 25 | ||||
-rw-r--r-- | images/basic/ping6test/Dockerfile | 7 | ||||
-rw-r--r-- | images/basic/ping6test/ping6.sh | 32 | ||||
-rw-r--r-- | images/benchmarks/absl/Dockerfile.x86_64 (renamed from images/benchmarks/absl/Dockerfile) | 1 | ||||
-rw-r--r-- | images/benchmarks/hey/Dockerfile | 13 | ||||
-rw-r--r-- | images/benchmarks/runsc/Dockerfile.x86_64 (renamed from images/benchmarks/runsc/Dockerfile) | 1 | ||||
-rw-r--r-- | images/default/Dockerfile | 37 | ||||
-rw-r--r-- | images/runtimes/go1.12/Dockerfile.x86_64 (renamed from images/runtimes/go1.12/Dockerfile) | 0 |
16 files changed, 203 insertions, 135 deletions
diff --git a/images/BUILD b/images/BUILD
index a50f388e9..34b950644 100644
--- a/images/BUILD
+++ b/images/BUILD
@@ -1,11 +1 @@
 package(licenses = ["notice"])
-
-# The images filegroup is definitely not a hermetic target, and requires Make
-# to do anything meaningful with. However, this will be slurped up and used by
-# the tools/installer/images.sh installer, which will ensure that all required
-# images are available locally when running vm_tests.
-filegroup(
- name = "images",
- srcs = glob(["**"]),
- visibility = ["//tools/installers:__pkg__"],
-)
diff --git a/images/Makefile b/images/Makefile
deleted file mode 100644
index 12927c509..000000000
--- a/images/Makefile
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/usr/bin/make -f
-
-# Copyright 2018 The gVisor Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# ARCH is the architecture used for the build. This may be overriden at the
-# command line in order to perform a cross-build (in a limited capacity).
-ARCH := $(shell uname -m)
-
-# Note that the image prefixes used here must match the image mangling in
-# runsc/testutil.MangleImage. Names are mangled in this way to ensure that all
-# tests are using locally-defined images (that are consistent and idempotent).
-REMOTE_IMAGE_PREFIX ?= gcr.io/gvisor-presubmit
-LOCAL_IMAGE_PREFIX ?= gvisor.dev/images
-ALL_IMAGES := $(subst /,_,$(subst ./,,$(shell find . -name Dockerfile -o -name Dockerfile.$(ARCH) | xargs -n 1 dirname | uniq)))
-ifneq ($(ARCH),$(shell uname -m))
-DOCKER_PLATFORM_ARGS := --platform=$(ARCH)
-else
-DOCKER_PLATFORM_ARGS :=
-endif
-
-list-all-images:
- @for image in $(ALL_IMAGES); do echo $${image}; done
-.PHONY: list-build-images
-
-# Handy wrapper to allow load-all-images, push-all-images, etc.
-%-all-images:
- @$(MAKE) $(patsubst %,$*-%,$(ALL_IMAGES))
-load-all-images:
- @$(MAKE) $(patsubst %,load-%,$(ALL_IMAGES))
-
-# Handy wrapper to load specified "groups", e.g. load-basic-images, etc.
-load-%-images:
- @$(MAKE) $(patsubst %,load-%,$(subst /,_,$(subst ./,,$(shell find ./$* -name Dockerfile -exec dirname {} \;))))
-
-# tag is a function that returns the tag name, given an image.
-#
-# The tag constructed is used to memoize the image generated (see README.md).
-# This scheme is used to enable aggressive caching in a central repository, but
-# ensuring that images will always be sourced using the local files if there
-# are changes.
-path = $(subst _,/,$(1))
-dockerfile = $$(if [ -f "$(call path,$(1))/Dockerfile.$(ARCH)" ]; then echo Dockerfile.$(ARCH); else echo Dockerfile; fi)
-tag = $(shell find $(call path,$(1)) -type f -print | sort | xargs -n 1 sha256sum | sha256sum - | cut -c 1-16)
-remote_image = $(REMOTE_IMAGE_PREFIX)/$(subst _,/,$(1))_$(ARCH):$(call tag,$(1))
-local_image = $(LOCAL_IMAGE_PREFIX)/$(subst _,/,$(1))
-
-# rebuild builds the image locally. Only the "remote" tag will be applied. Note
-# we need to explicitly repull the base layer in order to ensure that the
-# architecture is correct. Note that we use the term "rebuild" here to avoid
-# conflicting with the bazel "build" terminology, which is used elsewhere.
-rebuild-%: FROM=$(shell grep FROM "$(call path,$*)/$(call dockerfile,$*)" | cut -d' ' -f2)
-rebuild-%: register-cross
- @if ! [ -f "$(call path,$*)/$(call dockerfile,$*)" ]; then \
- (echo "ERROR: Dockerfile for $* not found (is it available for $(ARCH)?)." >&2 && exit 1); \
- fi
- $(foreach IMAGE,$(FROM),docker pull $(DOCKER_PLATFORM_ARGS) $(IMAGE) &&) \
- T=$$(mktemp -d) && cp -a $(call path,$*)/* $$T && \
- docker build $(DOCKER_PLATFORM_ARGS) \
- -f "$$T/$(call dockerfile,$*)" \
- -t "$(call remote_image,$*)" \
- $$T && \
- rm -rf $$T
-
-# pull will check the "remote" image and pull if necessary. If the remote image
-# must be pulled, then it will tag with the latest local target. Note that pull
-# may fail if the remote image is not available.
-pull-%:
- docker pull $(DOCKER_PLATFORM_ARGS) $(call remote_image,$*)
-
-# load will either pull the "remote" or build it locally. This is the preferred
-# entrypoint, as it should never fail. The local tag should always be set after
-# this returns (either by the pull or the build).
-load-%:
- $(MAKE) pull-$* || $(MAKE) rebuild-$*
- docker tag $(call remote_image,$*) $(call local_image,$*)
-
-# push pushes the remote image, after either pulling (to validate that the tag
-# already exists) or building manually.
-push-%: load-%
- docker push $(call remote_image,$*)
-
-# register-cross registers the necessary qemu binaries for cross-compilation.
-# This may be used by any target that may execute containers that are not the
-# native format.
-register-cross:
-ifneq ($(ARCH),$(shell uname -m))
-ifeq (,$(wildcard /proc/sys/fs/binfmt_misc/qemu-*))
- docker run --rm --privileged multiarch/qemu-user-static --reset --persistent yes
-else
- @true # Already registered.
-endif
-else
- @true # No cross required.
-endif
-.PHONY: register-cross
diff --git a/images/agent/Dockerfile b/images/agent/Dockerfile
new file mode 100644
index 000000000..1d8979390
--- /dev/null
+++ b/images/agent/Dockerfile
@@ -0,0 +1,12 @@
+FROM golang:1.15 as build-agent
+RUN git clone --depth=1 --branch=v3.25.0 https://github.com/buildkite/agent
+RUN cd agent && go build -i -o /buildkite-agent .
+
+FROM golang:1.15 as build-agent-metrics
+RUN git clone --depth=1 --branch=v5.2.0 https://github.com/buildkite/buildkite-agent-metrics
+RUN cd buildkite-agent-metrics && go build -i -o /buildkite-agent-metrics .
+
+FROM gcr.io/distroless/base-debian10
+COPY --from=build-agent /buildkite-agent /
+COPY --from=build-agent-metrics /buildkite-agent-metrics /
+CMD ["/buildkite-agent"]
diff --git a/images/agent/README.md b/images/agent/README.md
new file mode 100644
index 000000000..acb57bd2f
--- /dev/null
+++ b/images/agent/README.md
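Review bot: In images/agent/Dockerfile, `git clone --depth=1 --branch=v3.25.0` and `--branch=v5.2.0` resolve a tag at image build time, and a tag can be moved upstream, so the agent binary that will later run CI jobs is not tied to fixed source. The README added alongside it names build provenance as the reason for this image, so check the resolved commit after each clone, e.g. `RUN cd agent && test "$(git rev-parse HEAD)" = "<expected-commit-sha>"`. The base images `golang:1.15` and `gcr.io/distroless/base-debian10` are also floating tags and could be pinned by digest. A one-line comment above each build stage saying which release is built and how to bump it would make later updates easier to review.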
@@ -0,0 +1,7 @@
+# Build Agent
+
+This is the image used by the build agent. It is built and bundled via a
+separate packaging mechanism in order to provide local caching and to ensure
+that there is better build provenance. Note that continuous integration system
+will generally deploy new agents from the primary branch, and will only deploy
+as instances are recycled. Updates to this image should be made carefully.
diff --git a/images/arm-qemu/Dockerfile.x86_64 b/images/arm-qemu/Dockerfile.x86_64
new file mode 100644
index 000000000..1a2ecaf42
--- /dev/null
+++ b/images/arm-qemu/Dockerfile.x86_64
@@ -0,0 +1,12 @@
+FROM fedora:33
+
+RUN dnf install -y qemu-system-aarch64 gzip cpio wget
+
+WORKDIR /workdir
+RUN wget -4 http://dl-cdn.alpinelinux.org/alpine/edge/releases/aarch64/netboot/vmlinuz-lts
+RUN wget -4 http://dl-cdn.alpinelinux.org/alpine/edge/releases/aarch64/netboot/initramfs-lts
+
+COPY initramfs /workdir/initramfs
+COPY test.sh /workdir/
+
+CMD ./test.sh
diff --git a/images/arm-qemu/initramfs/init b/images/arm-qemu/initramfs/init
new file mode 100755
index 000000000..b355daadd
--- /dev/null
+++ b/images/arm-qemu/initramfs/init
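Review bot: In images/arm-qemu/Dockerfile.x86_64, the two `RUN wget -4 http://dl-cdn.alpinelinux.org/alpine/edge/...` lines fetch the guest kernel and initramfs over plain HTTP from the rolling `edge` branch with no integrity check, so the files can differ between builds and can be altered in transit without the build noticing. Use `https://`, point at a numbered Alpine release instead of `edge`, and verify each download, e.g. `RUN echo "<expected-sha256>  vmlinuz-lts" | sha256sum -c -`. A comment above the downloads stating which kernel release the test expects would document the pin.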
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright 2020 The gVisor Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is started as the init process in a test virtual machine,
+# it does all required initialization steps and run a test command inside a
+# gVisor instance.
+
+set -x -e
+
+/bin/busybox mkdir -p /usr/bin /usr/sbin /proc /sys /dev /tmp
+
+/bin/busybox --install -s
+export PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+mount -t proc -o noexec,nosuid,nodev proc /proc
+mount -t sysfs -o noexec,nosuid,nodev sysfs /sys
+mount -t devtmpfs -o exec,nosuid,mode=0755,size=2M devtmpfs /dev
+
+uname -a
+/runsc --TESTONLY-unsafe-nonroot --rootless --network none --debug --alsologtostderr do uname -a
+echo "runsc exited with code $?"
+
+# Shutdown the VM. poweroff and halt doesn't work for unknown reasons.
+# qemu is started with the -no-reboot flag, so the VM will be terminated.
+reboot -f
+exit 1
diff --git a/images/arm-qemu/test.sh b/images/arm-qemu/test.sh
new file mode 100755
index 000000000..2c9336015
--- /dev/null
+++ b/images/arm-qemu/test.sh
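Review bot: In images/arm-qemu/initramfs/init, `set -x -e` is in effect when `/runsc ... do uname -a` runs, so a non-zero exit ends the script there and `echo "runsc exited with code $?"` can only ever print 0. On failure the exit code is lost and init exits without reaching `reboot -f`; the VM presumably then ends through a kernel panic, which the `panic=-1` and `-no-reboot` settings in test.sh appear to rely on. Capture the status explicitly instead: `rc=0; /runsc --TESTONLY-unsafe-nonroot --rootless --network none --debug --alsologtostderr do uname -a || rc=$?` followed by `echo "runsc exited with code $rc"`.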
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Copyright 2020 The gVisor Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xeuo pipefail -m
+
+cd initramfs
+find . | cpio -v -o -c -R root:root | gzip -9 >> ../initramfs-lts
+cd ..
+
+qemu-system-aarch64 -M virt -m 512M -cpu cortex-a57 \
+ -kernel vmlinuz-lts -initrd initramfs-lts \
+ -append "console=ttyAMA0 panic=-1" -nographic -no-reboot \
+ | tee /dev/stderr | grep "runsc exited with code 0"
+
+echo "PASS"
diff --git a/images/basic/ping4test/Dockerfile b/images/basic/ping4test/Dockerfile
new file mode 100644
index 000000000..1536be376
--- /dev/null
+++ b/images/basic/ping4test/Dockerfile
@@ -0,0 +1,7 @@
+FROM ubuntu:bionic
+
+WORKDIR /root
+COPY ping4.sh .
+RUN chmod +x ping4.sh
+
+RUN apt-get update && apt-get install -y iputils-ping
diff --git a/images/basic/ping4test/ping4.sh b/images/basic/ping4test/ping4.sh
new file mode 100644
index 000000000..2a343712a
--- /dev/null
+++ b/images/basic/ping4test/ping4.sh
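Review bot: In images/arm-qemu/test.sh, the `qemu-system-aarch64 ... | tee /dev/stderr | grep "runsc exited with code 0"` pipeline has no time limit, so a guest that hangs without panicking keeps the container running indefinitely. Running the emulator under coreutils `timeout` (for example `timeout <limit> qemu-system-aarch64 -M virt ...`) turns a hang into a failed pipeline under `pipefail`. The `gzip -9 >> ../initramfs-lts` line also needs a comment: if appending the archive to the downloaded initramfs is intentional, say so, because it reads like a typo for `>` and a second run in the same directory appends again.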
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Copyright 2020 The gVisor Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# The docker API doesn't provide for starting a container, running a command,
+# and getting the exit status of the command in one go. The most straightforward
+# way to do this is to verify the output of the command, so we output nothing on
+# success and an error message on failure.
+if ! out=$(ping -c 10 127.0.0.1); then
+ echo "$out"
+fi
diff --git a/images/basic/ping6test/Dockerfile b/images/basic/ping6test/Dockerfile
new file mode 100644
index 000000000..cb740bd60
--- /dev/null
+++ b/images/basic/ping6test/Dockerfile
@@ -0,0 +1,7 @@
+FROM ubuntu:bionic
+
+WORKDIR /root
+COPY ping6.sh .
+RUN chmod +x ping6.sh
+
+RUN apt-get update && apt-get install -y iputils-ping iproute2
diff --git a/images/basic/ping6test/ping6.sh b/images/basic/ping6test/ping6.sh
new file mode 100644
index 000000000..4268951d0
--- /dev/null
+++ b/images/basic/ping6test/ping6.sh
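Review bot: In images/basic/ping4test/ping4.sh, `out=$(ping -c 10 127.0.0.1)` captures only stdout, so a failure that reports on stderr (a socket permission error, for instance) leaves `$out` empty and `echo "$out"` prints just a blank line. Depending on how the caller reads the container output, that may be hard to tell apart from the "nothing on success" contract described in the comment. Capture both streams and always emit a non-empty marker: `if ! out=$(ping -c 10 127.0.0.1 2>&1); then echo "ping failed: $out"; fi`. The same pattern appears in images/basic/ping6test/ping6.sh around `/bin/ping6 -c 10 ::1`.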
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Copyright 2020 The gVisor Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# Enable ipv6 on loopback if it's not already enabled. Runsc doesn't enable ipv6
+# loopback unless an ipv6 address was assigned to the container, which docker
+# does not do by default.
+if ! [[ $(ip -6 addr show dev lo) ]]; then
+ ip addr add ::1 dev lo
+fi
+
+# The docker API doesn't provide for starting a container, running a command,
+# and getting the exit status of the command in one go. The most straightforward
+# way to do this is to verify the output of the command, so we output nothing on
+# success and an error message on failure.
+if ! out=$(/bin/ping6 -c 10 ::1); then
+ echo "$out"
+fi
diff --git a/images/benchmarks/absl/Dockerfile b/images/benchmarks/absl/Dockerfile.x86_64
index b0dd97695..810c9ef5e 100644
--- a/images/benchmarks/absl/Dockerfile
+++ b/images/benchmarks/absl/Dockerfile.x86_64
@@ -12,6 +12,7 @@ RUN set -x \
 unzip \
 python3 \
 && rm -rf /var/lib/apt/lists/*
+
 RUN wget https://github.com/bazelbuild/bazel/releases/download/0.27.0/bazel-0.27.0-installer-linux-x86_64.sh
 RUN chmod +x bazel-0.27.0-installer-linux-x86_64.sh
 RUN ./bazel-0.27.0-installer-linux-x86_64.sh
diff --git a/images/benchmarks/hey/Dockerfile b/images/benchmarks/hey/Dockerfile
index f586978b6..4b6a0f849 100644
--- a/images/benchmarks/hey/Dockerfile
+++ b/images/benchmarks/hey/Dockerfile
@@ -1,12 +1,13 @@ -FROM ubuntu:18.04 +FROM golang:1.15 as build +RUN go get github.com/rakyll/hey +WORKDIR /go/src/github.com/rakyll/hey +RUN go mod download +RUN CGO_ENABLED=0 go build -o /hey hey.go +FROM ubuntu:18.04 RUN set -x \ && apt-get update \ && apt-get install -y \ wget \ && rm -rf /var/lib/apt/lists/* - -RUN wget https://storage.googleapis.com/hey-release/hey_linux_amd64 \ - && chmod 777 hey_linux_amd64 \ - && cp hey_linux_amd64 /bin/hey \ - && rm hey_linux_amd64 +COPY --from=build /hey /bin/hey diff --git a/images/benchmarks/runsc/Dockerfile b/images/benchmarks/runsc/Dockerfile.x86_64 index 6c3aafa57..28ae64816 100644 --- a/images/benchmarks/runsc/Dockerfile +++ b/images/benchmarks/runsc/Dockerfile.x86_64 @@ -14,6 +14,7 @@ RUN set -x \ python3 \ python3-pip \ && rm -rf /var/lib/apt/lists/* + RUN wget https://github.com/bazelbuild/bazel/releases/download/3.4.1/bazel-3.4.1-installer-linux-x86_64.sh RUN chmod +x bazel-3.4.1-installer-linux-x86_64.sh RUN ./bazel-3.4.1-installer-linux-x86_64.sh diff --git a/images/default/Dockerfile b/images/default/Dockerfile index d058b83cb..19b340237 100644 --- a/images/default/Dockerfile +++ b/images/default/Dockerfile 
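Review bot: In images/benchmarks/hey/Dockerfile, `RUN go get github.com/rakyll/hey` builds whatever the upstream default branch holds when the image is built, so the benchmark binary is neither reproducible nor tied to a known revision. Pin the source, e.g. `RUN git clone --depth=1 --branch=<release-tag> https://github.com/rakyll/hey /go/src/github.com/rakyll/hey`, and compare `git rev-parse HEAD` with an expected commit before building. The second stage still installs `wget`, which nothing in the visible Dockerfile uses now that the binary arrives through `COPY --from=build /hey /bin/hey`; drop it unless something at runtime needs it.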
@@ -1,16 +1,29 @@
-FROM fedora:31
-# Install bazel.
-RUN dnf install -y dnf-plugins-core && dnf copr enable -y vbatts/bazel
-RUN dnf install -y git gcc make golang gcc-c++ glibc-devel python3 which python3-pip python3-devel libffi-devel openssl-devel pkg-config glibc-static libstdc++-static patch diffutils
-RUN pip install --no-cache-dir pycparser
-RUN dnf install -y bazel3
+FROM ubuntu:focal
+
+ENV DEBIAN_FRONTEND="noninteractive"
+RUN apt-get update && apt-get install -y curl gnupg2 git \
+ python python3 python3-distutils python3-pip \
+ build-essential crossbuild-essential-arm64 qemu-user-static \
+ openjdk-11-jdk-headless zip unzip \
+ apt-transport-https ca-certificates gnupg-agent \
+ software-properties-common \
+ pkg-config libffi-dev patch diffutils libssl-dev
+
+# Install Docker client for the website build.
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
+RUN add-apt-repository \
+ "deb https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"
+RUN apt-get install docker-ce-cli
+
 # Install gcloud.
 RUN curl https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-289.0.0-linux-x86_64.tar.gz | \
- tar zxvf - google-cloud-sdk && \
- google-cloud-sdk/install.sh && \
+ tar zxf - google-cloud-sdk && \
+ google-cloud-sdk/install.sh --quiet && \
 ln -s /google-cloud-sdk/bin/gcloud /usr/bin/gcloud
-# Install Docker client for the website build.
-RUN dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
-RUN dnf install -y docker-ce-cli
+
+# Download the official bazel binary. The APT repository isn't used because there is not packages for arm64.
+RUN sh -c 'curl -o /usr/local/bin/bazel https://releases.bazel.build/3.5.1/release/bazel-3.5.1-linux-$(uname -m | sed s/aarch64/arm64/) && chmod ugo+x /usr/local/bin/bazel'
 WORKDIR /workspace
-ENTRYPOINT ["/usr/bin/bazel"]
+ENTRYPOINT ["/usr/local/bin/bazel"]
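Review bot: In images/default/Dockerfile, the bazel download `curl -o /usr/local/bin/bazel https://releases.bazel.build/3.5.1/...` has neither `-f` nor a checksum, so an HTTP error body would be saved and marked executable, and the binary that becomes the image ENTRYPOINT is accepted on transport security alone. Use `curl -fsSL -o /usr/local/bin/bazel ...` and verify before the chmod, e.g. `echo "<expected-sha256>  /usr/local/bin/bazel" | sha256sum -c -`, with one expected value per architecture. The gcloud line has the same gap (`curl ... | tar zxf -` without `-f`) and hard-codes `linux-x86_64` even though the bazel line handles arm64. `RUN apt-get install docker-ce-cli` lacks `-y`, which can abort a non-interactive build if apt asks for confirmation. `apt-key add -` trusts the Docker key for every configured repository; a dedicated keyring referenced with `signed-by=` in the source entry limits it to that repository.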
diff --git a/images/runtimes/go1.12/Dockerfile b/images/runtimes/go1.12/Dockerfile.x86_64 index cb2944062..cb2944062 100644 --- a/images/runtimes/go1.12/Dockerfile +++ b/images/runtimes/go1.12/Dockerfile.x86_64 |