wip

lukedirtwalker · Dec 30, 2024 · 3a197a8 · 3a197a8
1 parent 05dfe81
commit 3a197a8
Show file tree

Hide file tree

Showing 8 changed files with 4,335 additions and 1,998 deletions.
diff --git a/WORKSPACE b/WORKSPACE
@@ -185,28 +185,27 @@ oci_pull(
 
 # Debian packaging
 http_archive(
-    name = "rules_debian_packages",
-    sha256 = "0ae3b332f9d894e57693ce900769d2bd1b693e1f5ea1d9cdd82fa4479c93bcc8",
-    strip_prefix = "rules_debian_packages-0.2.0",
-    url = "https://github.com/bazel-contrib/rules_debian_packages/releases/download/v0.2.0/rules_debian_packages-v0.2.0.tar.gz",
+    name = "rules_distroless",
+    sha256 = "6d1d739617e48fc3579781e694d3fabb08fc6c9300510982c01882732c775b8e",
+    strip_prefix = "rules_distroless-0.3.8",
+    url = "https://github.com/GoogleContainerTools/rules_distroless/releases/download/v0.3.8/rules_distroless-v0.3.8.tar.gz",
 )
 
-load("@rules_debian_packages//debian_packages:repositories.bzl", "rules_debian_packages_dependencies")
+load("@rules_distroless//distroless:dependencies.bzl", "distroless_dependencies")
 
-rules_debian_packages_dependencies(python_interpreter_target = python_interpreter)
+distroless_dependencies()
 
-load("@rules_debian_packages//debian_packages:defs.bzl", "debian_packages_repository")
+load("@rules_distroless//distroless:toolchains.bzl", "distroless_register_toolchains")
 
-debian_packages_repository(
-    name = "tester_debian10_packages",
-    default_arch = "amd64",
-    default_distro = "debian10",
-    lock_file = "//docker:tester_packages.lock",
-)
+distroless_register_toolchains()
+
+load("//docker:tester.bzl", "declare_tester_deb")
+
+declare_tester_deb()
 
-load("@tester_debian10_packages//:packages.bzl", tester_debian_packages_install_deps = "install_deps")
+load("@tester_deb//:packages.bzl", "tester_deb_packages")
 
-tester_debian_packages_install_deps()
+tester_deb_packages()
 
 # RPM packaging
 load("@rules_pkg//toolchains/rpm:rpmbuild_configure.bzl", "find_system_rpmbuild")

diff --git a/docker/BUILD.bazel b/docker/BUILD.bazel
@@ -77,20 +77,4 @@ scion_app_image(
     entrypoint = ["/app/gateway"],
 )
 
-### Tester image with more tools for scripting in integration tests
-# This is a debian image with additional packages installed. The
-# packages are added to the image as layers created with
-# rules_debian_packages.
-#
-# Generate lockfile with:
-# bazel run //docker:tester_debian_packages.generate
-# Update snapshots with:
-# bazel run //docker:tester_debian_packages.update
-debian_packages_lockfile(
-    name = "tester_debian10_packages",
-    lock_file = "tester_packages.lock",
-    packages_file = "tester_packages.yaml",
-    snapshots_file = "tester_snapshots.yaml",
-)
-
 scion_tester_image()
diff --git a/docker/tester.bzl b/docker/tester.bzl
@@ -1,25 +1,47 @@
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
+load("@rules_distroless//apt:index.bzl", "deb_index")
 load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball")
 load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
-load("@tester_debian10_packages//:packages.bzl", "debian_package_layer")
+
+# NOTE: This list needs to be in-sync with tester_deb.yaml
+# We could potentially generate this with a buildozer rule if it becomes
+# too cumbersome to maintain.
+PACKAGES = [
+    "@tester_deb//bridge-utils",
+    "@tester_deb//iperf3",
+    "@tester_deb//iptables",
+    "@tester_deb//netcat-openbsd",
+    "@tester_deb//openssh-server",
+    "@tester_deb//openssh-client",
+    "@tester_deb//procps",
+    "@tester_deb//telnet",
+    "@tester_deb//tshark",
+    "@tester_deb//wget",
+]
+
+def declare_tester_deb():
+    deb_index(
+        name = "tester_deb",
+        lock = "//docker:tester_deb.lock.json",
+        manifest = "//docker:tester_deb.yaml",
+    )
 
 def scion_tester_image():
+    # Required to avoid https://github.com/GoogleContainerTools/rules_distroless/issues/36
     pkg_tar(
-        name = "tester_layer_packages",
+        name = "tester_layer_deb",
         deps = [
-            debian_package_layer("bridge-utils"),
-            debian_package_layer("iperf3"),
-            debian_package_layer("iptables"),
-            debian_package_layer("netcat-openbsd"),
-            debian_package_layer("openssh-server"),
-            debian_package_layer("openssh-client"),
-            debian_package_layer("procps"),
-            debian_package_layer("telnet"),
-            debian_package_layer("tshark"),
-            debian_package_layer("wget"),
+            "%s/amd64" % package
+            for package in PACKAGES
         ],
     )
 
+    remap_deb_tars(
+        name = "tester_layer_deb_remapped",
+        src = "tester_layer_deb",
+        out = "tester_layer_deb_remapped.tar",
+    )
+
     pkg_tar(
         name = "tester_layer_bin",
         srcs = [
@@ -54,7 +76,7 @@ def scion_tester_image():
         workdir = "/share",
         cmd = ["tail", "-f", "/dev/null"],
         tars = [
-            ":tester_layer_packages",
+            ":tester_layer_deb_remapped",
             ":tester_layer_share",
             ":tester_layer_tools_integration",
             ":tester_layer_bin",
@@ -76,3 +98,33 @@ def scion_tester_image():
         out = "tester.tar",
         visibility = ["//visibility:public"],
     )
+
+def remap_deb_tars(name, src, out):
+    # The tars created by rules_distroless have proper directories instead of symlinks
+    # which overwrite the symlinks in the base image. This will result in a broken image.
+    # To counter this, we move the contents of the supposedly symlinke sources to the
+    # symlink target directories, remove the source directories and create symlinks to the
+    # target directories.
+    #
+    # See: https://github.com/GoogleContainerTools/rules_distroless/issues/53
+    native.genrule(
+        name = name,
+        srcs = [src],
+        outs = [out],
+        cmd = " ; ".join([
+            "SCRATCH=$$(mktemp -d )",
+            "REALOUT=$$(realpath $@)",
+            "mkdir -p $$SCRATCH/bundle",
+            "echo $$SCRATCH/bundle",
+            "tar -xf $(location " + src + ") -C $$SCRATCH/bundle",
+            "cd $$SCRATCH/bundle",
+            "[ -e bin ] && rsync -av bin/ usr/bin/ && rm -rf bin && ln -s /usr/bin bin || true",
+            "[ -e sbin ] && rsync -av sbin/ usr/sbin/ && rm -rf sbin && ln -s /usr/sbin sbin || true",
+            "[ -e lib ] && rsync -av lib/ usr/lib/ && rm -rf lib && ln -s /usr/lib lib || true",
+            "[ -e lib64 ] && rsync -av lib64/ usr/lib64/ && rm -rf lib64 && ln -s /usr/lib64 lib64 || true",
+            "[ -e var/run ] && rsync -av var/run/ run/ && rm -rf var/run && ln -s /run var/run || true",
+            "[ -e var/lock ] && rsync -av var/lock/ run/lock/ && rm -rf var/lock && ln -s /run/lock var/lock || true",
+            "tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01' -cf $$REALOUT .",
+            "rm -rf $$SCRATCH",
+        ]),
+    )