docker: Simplify build/install; dedup cargo commands; enable gc.

Signed-off-by: Jason Volk <jason@zemos.net>
Jason Volk
2025-06-03 19:00:00 +00:00
parent 71748c3db9
commit 55c35fc840
17 changed files with 66 additions and 227 deletions


@@ -3,7 +3,7 @@
The release pipeline `Main` (main.yml) and its subroutines defined in the other yamls form a high-level The release pipeline `Main` (main.yml) and its subroutines defined in the other yamls form a high-level
description for the underlying self-hosted build system in `/docker`. In other words, this is a sort of description for the underlying self-hosted build system in `/docker`. In other words, this is a sort of
terminal, a "thin-client" with a display and a keyboard for our docker mainframe. We minimize terminal, a "thin-client" with a display and a keyboard for our docker mainframe. We minimize
vendor-lockin and duplication with other frameworks by limiting everything here to only what is vendor-lockin and duplication with other services by limiting everything here to only what is
essential for driving the docker builder. essential for driving the docker builder.
Though we slightly relax the above by specifying details of the actual CI pipeline, the Though we slightly relax the above by specifying details of the actual CI pipeline, the


@@ -121,7 +121,7 @@ jobs:
docker/bake.sh "${{matrix.bake_target}}" docker/bake.sh "${{matrix.bake_target}}"
# Optionally extract an inner artifact # Optionally extract an inner artifact
- name: Extract Artifact - name: Extract Inner Artifact
if: > if: >
!failure() && !cancelled() !failure() && !cancelled()
&& fromJSON(inputs.artifact)[matrix.bake_target].dst && fromJSON(inputs.artifact)[matrix.bake_target].dst
@@ -139,7 +139,7 @@ jobs:
docker cp "$cid:$src" "_artifact/$dst" docker cp "$cid:$src" "_artifact/$dst"
# Optionally extract the image itself as an artifact. # Optionally extract the image itself as an artifact.
- name: Extract Image - name: Extract Image Artifact
if: > if: >
!failure() && !cancelled() !failure() && !cancelled()
&& fromJSON(inputs.artifact)[matrix.bake_target].dst && fromJSON(inputs.artifact)[matrix.bake_target].dst


@@ -30,7 +30,8 @@ jobs:
[ [
{"cargo_profile": "release-debuginfo", "rust_toolchain": "nightly"}, {"cargo_profile": "release-debuginfo", "rust_toolchain": "nightly"},
{"cargo_profile": "release-max-perf", "rust_toolchain": "stable"}, {"cargo_profile": "release-max-perf", "rust_toolchain": "stable"},
{"cargo_profile": "release-max-perf", "feat_set": "none"} {"cargo_profile": "release-max-perf", "feat_set": "none"},
{"cargo_profile": "test", "rust_toolchain": "stable", "feat_set": "none"}
] ]
outputs: outputs:
@@ -56,12 +57,17 @@ jobs:
set -e set -e
cat <<EOF > ./buildkitd.toml cat <<EOF > ./buildkitd.toml
[system] [system]
platformsCacheMaxAge = "504h" platformsCacheMaxAge = "504h"
[worker.oci] [worker.oci]
enabled = true enabled = true
rootless = true rootless = true
gc = false gc = true
[[worker.oci.gcpolicy]]
reservedSpace = "384GB"
maxUsedSpace = "768GB"
keepDuration = "504h"
filters = ["label!=cache==pin"]
all = true
EOF EOF
docker buildx create \ docker buildx create \
@@ -160,7 +166,7 @@ jobs:
!failure() && !cancelled() !failure() && !cancelled()
name: Publish name: Publish
needs: [init, test, package] needs: [package, test]
uses: ./.github/workflows/publish.yml uses: ./.github/workflows/publish.yml
with: with:
docker_repo: ${{vars.DOCKER_REPO}} docker_repo: ${{vars.DOCKER_REPO}}
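Review bot: The gc policy written into buildkitd.toml exempts only records matching `label!=cache==pin`, but nothing in this commit applies a `cache=pin` label to the rustup/cargo cache mounts whose eviction the old docker/README text said had "massive repercussions"; unless those mounts are labelled somewhere not shown here, they are now prunable like everything else under the 768GB ceiling. I also could not confirm from this hunk that `label` is a recognised gcpolicy filter key — if BuildKit ignores it, the `all = true` policy covers every record — so the effective policy is worth checking on the running builder (`buildctl du -v`) before relying on it. A safer shape is a preceding, narrower `[[worker.oci.gcpolicy]]` with `filters = ["type==exec.cachemount"]` and a longer `keepDuration`, followed by the catch-all one. Either way a one-line comment above the heredoc stating the intended retention, e.g. `# GC: cap ~768GB; records labelled cache=pin are never pruned`, would document why GC is back on after the README previously disabled it.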


@@ -7,9 +7,6 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG cargo_profile ARG cargo_profile
ARG cargo_features ARG cargo_features
ARG cargo_spec_features ARG cargo_spec_features
@@ -27,11 +24,6 @@ RUN \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \


@@ -7,9 +7,6 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG cargo_profile ARG cargo_profile
ARG cargo_features ARG cargo_features
ARG cargo_spec_features ARG cargo_spec_features
@@ -24,12 +21,6 @@ RUN \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/debian,id=${cargo_tgt_dst}/debian,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
mkdir -p "${pkg_dir}" mkdir -p "${pkg_dir}"


@@ -7,9 +7,6 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG CARGO_BUILD_RUSTFLAGS ARG CARGO_BUILD_RUSTFLAGS
ARG CARGO_PROFILE_TEST_DEBUG ARG CARGO_PROFILE_TEST_DEBUG
ARG CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG ARG CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG
@@ -34,8 +31,6 @@ COPY --link --from=rocksdb . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
COPY --link --from=recipe recipe.json . COPY --link --from=recipe recipe.json .
ENV CARGO_TARGET_DIR="${CARGO_TARGET_DIR}"
ENV CARGO_BUILD_RUSTFLAGS="${CARGO_BUILD_RUSTFLAGS}"
ENV CARGO_PROFILE_TEST_DEBUG="${CARGO_PROFILE_TEST_DEBUG}" ENV CARGO_PROFILE_TEST_DEBUG="${CARGO_PROFILE_TEST_DEBUG}"
ENV CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG}" ENV CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_TEST_BUILD_OVERRIDE_DEBUG}"
ENV CARGO_PROFILE_TEST_INCREMENTAL="${CARGO_PROFILE_TEST_INCREMENTAL}" ENV CARGO_PROFILE_TEST_INCREMENTAL="${CARGO_PROFILE_TEST_INCREMENTAL}"
@@ -44,15 +39,12 @@ ENV CARGO_PROFILE_BENCH_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_BENCH_BUILD_OVERRI
ENV CARGO_PROFILE_BENCH_LTO="${CARGO_PROFILE_BENCH_LTO}" ENV CARGO_PROFILE_BENCH_LTO="${CARGO_PROFILE_BENCH_LTO}"
ENV CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG}" ENV CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG}"
ENV CARGO_PROFILE_RELEASE_LTO="${CARGO_PROFILE_RELEASE_LTO}" ENV CARGO_PROFILE_RELEASE_LTO="${CARGO_PROFILE_RELEASE_LTO}"
ENV CARGO_BUILD_RUSTFLAGS="${CARGO_BUILD_RUSTFLAGS}"
ENV CARGO_TARGET_DIR="${CARGO_TARGET_DIR}"
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \


@@ -1,81 +0,0 @@
# syntax = docker/dockerfile:1.11-labs
FROM input AS installer
ARG sys_target
ARG rust_toolchain
ARG RUSTUP_HOME
ARG CARGO_HOME
ARG CARGO_TARGET
ARG CARGO_TARGET_DIR
ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG cargo_profile
ARG cargo_features
ARG cargo_spec_features
ARG cargo_args=""
ARG crate_path="src/main"
ARG crate_ident=""
ARG install_temp="/usr/src/tuwunel/install"
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/lib/${sys_target}
COPY --link --from=rocksdb . .
WORKDIR /usr/src/tuwunel
RUN \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF
set -eux
case "$cargo_profile" in
"dev") profile_dir="debug";;
"test") profile_dir="debug";;
"release") profile_dir="release";;
"bench") profile_dir="release";;
*) profile_dir="$cargo_profile";;
esac
rustup run ${rust_toolchain} \
cargo install \
--frozen \
--no-track \
"${cargo_spec_features}" \
--features "${cargo_features}" \
--profile "${cargo_profile}" \
--target "${CARGO_TARGET}" \
--target-dir "${CARGO_TARGET_DIR}" \
--root "${install_temp}" \
--path "${crate_path}" \
${cargo_args} \
${crate_ident}
EOF
RUN [ -f "${install_temp}/bin/tuwunel" ]
FROM input AS install
ARG sys_target
ARG CARGO_INSTALL_ROOT
ARG install_temp="/usr/src/tuwunel/install"
RUN \
--mount=type=bind,from=output,src=${install_temp},dst=/mnt/install \
<<EOF
set -eux
cp -ndR --preserve=all -t ${CARGO_INSTALL_ROOT} /mnt/install/*
EOF
ENV bin_path="${CARGO_INSTALL_ROOT}/bin/tuwunel"
RUN <<EOF
set -eux
ldd -v ${bin_path} || echo "static"
du -h ${bin_path}
sha1sum ${bin_path}
EOF


@@ -2,14 +2,12 @@
FROM input AS rpm FROM input AS rpm
ARG sys_target ARG sys_target
ARG rust_target
ARG rust_toolchain ARG rust_toolchain
ARG RUSTUP_HOME ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG cargo_profile ARG cargo_profile
ARG cargo_features ARG cargo_features
ARG cargo_spec_features ARG cargo_spec_features
@@ -24,11 +22,6 @@ RUN \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
mkdir -p "${pkg_dir}" mkdir -p "${pkg_dir}"
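Review bot: `ARG rust_target` is removed from the rpm stage while `sys_target` and `CARGO_TARGET` are kept, and the RUN body that follows `mkdir -p "${pkg_dir}"` continues outside the hunk, so any surviving `${rust_target}` reference further down (an rpmbuild path, a `--target` flag) would no longer be populated from the bake args. With `set -eux` that shows up as an unbound-variable abort at stage run time rather than at parse time, so a grep of this stage before merging is cheaper than discovering it in CI. If the variable really is unused now, the hunk is fine as written.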


@@ -8,7 +8,6 @@ WORKDIR /
COPY --link --from=input . . COPY --link --from=input . .
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \
<<EOF <<EOF
@@ -157,7 +156,6 @@ ARG complement_run=".*"
WORKDIR / WORKDIR /
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \
--mount=type=cache,dst=/go/pkg/mod/cache,sharing=locked \ --mount=type=cache,dst=/go/pkg/mod/cache,sharing=locked \


@@ -13,9 +13,7 @@ COPY --link --from=input . .
ENV CARGO_TARGET="${rust_target}" ENV CARGO_TARGET="${rust_target}"
WORKDIR /opt WORKDIR /opt
RUN \ RUN <<EOF
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
<<EOF
set -eux set -eux
url="https://static.rust-lang.org/rustup/archive/${rustup_version}/${rust_target}/rustup-init" url="https://static.rust-lang.org/rustup/archive/${rustup_version}/${rust_target}/rustup-init"
@@ -26,7 +24,6 @@ EOF
ENV RUSTUP_HOME="${RUSTUP_HOME}" ENV RUSTUP_HOME="${RUSTUP_HOME}"
ENV CARGO_HOME="${CARGO_HOME}" ENV CARGO_HOME="${CARGO_HOME}"
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
@@ -59,7 +56,6 @@ WORKDIR /
COPY --link --from=input . . COPY --link --from=input . .
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
@@ -73,7 +69,6 @@ RUN \
EOF EOF
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
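Review bot: The rustup-init fetch starting at `url="https://static.rust-lang.org/rustup/archive/${rustup_version}/${rust_target}/rustup-init"` no longer serialises on the `/var/lock/uwu/local` mount, which is harmless for a download, but the RUN body runs past the hunk and whether the downloaded installer is verified against the `rustup-init.sha256` published next to it is not visible here. Since `rustup_version` is pinned, the digest is stable; if the step does not already do so, fetch `"${url}.sha256"` and run `sha256sum -c` on it before executing the installer, or carry the expected digest as a build ARG. The same question applies to the other RUN blocks in this file whose bodies are cut off at the hunk edge.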


@@ -16,7 +16,6 @@ COPY --link --from=input . .
ENV packages="ca-certificates ${packages}" ENV packages="ca-certificates ${packages}"
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \
<<EOF <<EOF
@@ -39,7 +38,6 @@ WORKDIR /
COPY --link --from=input . . COPY --link --from=input . .
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \
<<EOF <<EOF
@@ -56,7 +54,6 @@ WORKDIR /
COPY --link --from=input . . COPY --link --from=input . .
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \
<<EOF <<EOF


@@ -8,9 +8,7 @@ COPY --link --from=input . .
ADD --link --keep-git-dir . /usr/src/tuwunel ADD --link --keep-git-dir . /usr/src/tuwunel
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN <<EOF
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
<<EOF
set -eux set -eux
git reset \ git reset \
--hard \ --hard \
@@ -43,7 +41,6 @@ ENV JEMALLOC_OVERRIDE="${JEMALLOC_OVERRIDE}"
#ENV ZSTD_SYS_USE_PKG_CONFIG="${ZSTD_SYS_USE_PKG_CONFIG}" #ENV ZSTD_SYS_USE_PKG_CONFIG="${ZSTD_SYS_USE_PKG_CONFIG}"
ENV ROCKSDB_LIB_DIR="${ROCKSDB_LIB_DIR}" ENV ROCKSDB_LIB_DIR="${ROCKSDB_LIB_DIR}"
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
@@ -69,10 +66,11 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \

docker/Dockerfile.install Normal file

@@ -0,0 +1,21 @@
# syntax = docker/dockerfile:1.11-labs
FROM input AS install
ARG rust_target
ARG CARGO_TARGET_DIR
ARG cargo_target_profile
ARG install_prefix
WORKDIR /
COPY --link --from=input . .
WORKDIR ${install_prefix}
ENV src_path="${CARGO_TARGET_DIR}/${rust_target}/${cargo_target_profile}/tuwunel"
ENV dst_path="${install_prefix}/bin/tuwunel"
COPY --from=bins $src_path $dst_path
RUN <<EOF
set -eux
ldd -v ${dst_path} || true
du -h ${dst_path}
sha1sum ${dst_path}
EOF
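Review bot: `src_path` and `dst_path` are declared with `ENV`, so two build-only paths are baked into the runtime environment of every image derived from this `install` stage (the deleted Dockerfile.cargo.install had the same leak with `bin_path`); `COPY` expands build args, so `ARG src_path="${CARGO_TARGET_DIR}/${rust_target}/${cargo_target_profile}/tuwunel"` and `ARG dst_path="${install_prefix}/bin/tuwunel"` give identical behaviour without leaving them in the image. The digest logged at the end is `sha1sum`; `sha256sum` is what anyone verifying a published artifact will actually compare against and costs nothing here. Lastly `ldd -v ${dst_path} || true` hides a failed ldd entirely, whereas the removed stage printed `static` — `|| echo "static"` keeps the log self-explanatory. A header comment naming the contract, e.g. `# Copies the cargo-built binary from the bins stage into ${install_prefix}/bin; no compilation happens here`, would also help since this file replaces the old cargo-install path.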


@@ -25,7 +25,6 @@ ${packages} \
" "
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \
<<EOF <<EOF


@@ -8,10 +8,7 @@ COPY --link --from=input . .
WORKDIR /usr/src WORKDIR /usr/src
COPY --link --from=recipe rocksdb.url . COPY --link --from=recipe rocksdb.url .
RUN \ RUN <<EOF
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=/var/lock/uwu/rocksdb,sharing=locked \
<<EOF
set -eux set -eux
submodule="librocksdb-sys/rocksdb" submodule="librocksdb-sys/rocksdb"
url="$(cat rocksdb.url)" url="$(cat rocksdb.url)"
@@ -47,10 +44,7 @@ WORKDIR /usr/src/rocksdb/librocksdb-sys/rocksdb
ENV CC="clang" ENV CC="clang"
ENV CXX="clang++" ENV CXX="clang++"
ENV nprocs=${nprocs} ENV nprocs=${nprocs}
RUN \ RUN <<EOF
--mount=type=cache,dst=/var/lock/uwu/local,sharing=locked \
--mount=type=cache,dst=/var/lock/uwu/rocksdb,sharing=locked \
<<EOF
set -eux set -eux
cmake -H. -Bbuild \ cmake -H. -Bbuild \


@@ -36,21 +36,7 @@ this step.
2. You will need to create a builder. There are a few complications that must be explained here 2. You will need to create a builder. There are a few complications that must be explained here
so please be patient. so please be patient.
1. Caches are being evicted in ways that I didn't expect, for example, rust is installed in a - Some unsavory options are required for some targets. It might be possible to omit these if
cache mount which might have been a bad idea. I have disabled GC because an unlucky eviction
has massive repercussions. This is my buildkitd config in `~/.config/buildkit/buildkitd.toml`
```
[worker.oci]
enabled = true
rootless = true
gc = false
[system]
platformsCacheMaxAge = "504h"
```
2. Some unsavory options are required for some targets. It might be possible to omit these if
you're not building the full tree. Otherwise I've included them in the create command below. you're not building the full tree. Otherwise I've included them in the create command below.
- To run the complement compliance suite we need the `--allow-insecure-entitlement network.host`. - To run the complement compliance suite we need the `--allow-insecure-entitlement network.host`.
@@ -64,7 +50,6 @@ so please be patient.
--name owo \ --name owo \
--bootstrap \ --bootstrap \
--driver docker-container \ --driver docker-container \
--buildkitd-config ~/.config/buildkit/buildkitd.toml \
--buildkitd-flags "$BKD_FLAGS" --buildkitd-flags "$BKD_FLAGS"
``` ```
@@ -96,34 +81,3 @@ choose `actor/repo/branch` with the expectation of one build at a time under tho
constraints. Some external caching might need to be contrived between builders for constraints. Some external caching might need to be contrived between builders for
deduplication but with care such that malicious actors cannot poison data used deduplication but with care such that malicious actors cannot poison data used
by other actors, otherwise it defeats the purpose of builder isolation. by other actors, otherwise it defeats the purpose of builder isolation.
#### On Target Caches
The challenge here is to get all aspects of the target directory perfectly optimal
within the many constraints including cargo issues and our goals. This is highly complex
because we have to provide each image being built with a safe environment yet share as
much as possible between builds. This includes maximum reuse of prior builds but without
unnecessary dirtying or more serious unexpected conflicts.
We first create a hausdorff space based on builds which could never benefit from sharing
and would always be unsound (even silently) if they came into contact; so all cache id's
are prefixed by the matrix components:
`${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}`. This is
important because we can simplify the mount path inside the image which is important for
the absolute paths generated by fingerprints and dependency files. We need to keep those
the same if any builds expect to share them.
The top-level of target directory is immediately partitioned by cargo into different
profiles. Note that we already imposed separation based on profile but we still have to
deal with that subdirectory in the mount, which has special-cases for the dev, test, and
bench profiles. These directories at their top-level are the final artifact area which is
not concurrency safe and there are open issues in cargo for explicit artifact directories.
Within these unsafe directories are sub-directories which contain hash-sharded components
making them safe again for shared caching, so long as the path to them remains consistent
for all images mounting.
As you can see this is already getting very complicated. If this is done wrong lots of
different bad things can happen such as broken builds from bad conflicts, constant
rebuilds from modest conflicts, or over-use of resources from too much separation.
TODO


@@ -2,8 +2,10 @@ variable "CI" {}
variable "GITHUB_ACTOR" {} variable "GITHUB_ACTOR" {}
variable "GITHUB_REPOSITORY" {} variable "GITHUB_REPOSITORY" {}
variable "GITHUB_REF" {} variable "GITHUB_REF" {}
variable "GITHUB_REF_SHA" {}
variable "GITHUB_REF_NAME" {} variable "GITHUB_REF_NAME" {}
variable "GITHUB_REF_SHA" {
default = "HEAD"
}
variable "acct" { variable "acct" {
default = "${GITHUB_ACTOR}" default = "${GITHUB_ACTOR}"
@@ -41,7 +43,7 @@ variable "feat_sets" {
variable "cargo_profiles" { variable "cargo_profiles" {
default = "[\"test\", \"release\"]" default = "[\"test\", \"release\"]"
} }
variable "cargo_install_root" { variable "install_prefix" {
default = "/usr" default = "/usr"
} }
@@ -112,7 +114,7 @@ variable "image_compress_level" {
default = 11 default = 11
} }
variable "cache_compress_level" { variable "cache_compress_level" {
default = 6 default = 7
} }
# Use the cargo-chef layering strategy to separate and pre-build dependencies # Use the cargo-chef layering strategy to separate and pre-build dependencies
@@ -589,40 +591,23 @@ target "install" {
tags = [ tags = [
elem_tag("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"), elem_tag("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
] ]
target = "install"
labels = install_labels labels = install_labels
output = ["type=docker,compression=zstd,mode=min,compression-level=${image_compress_level}"] output = ["type=docker,compression=zstd,mode=min,compression-level=${cache_compress_level}"]
cache_to = ["type=local,compression=zstd,mode=min,compression-level=${cache_compress_level}"] cache_to = ["type=local,compression=zstd,mode=min,compression-level=${cache_compress_level}"]
dockerfile = "${docker_dir}/Dockerfile.install"
target = "install"
matrix = cargo_rust_feat_sys matrix = cargo_rust_feat_sys
inherits = [ inherits = [
elem("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]), elem("build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
] ]
contexts = { contexts = {
input = elem("target:diner", [feat_set, sys_name, sys_version, sys_target]) input = elem("target:diner", [feat_set, sys_name, sys_version, sys_target])
output = elem("target:installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]) bins = elem("target:build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
#docs = elem("target:docs", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]) #docs = elem("target:docs", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
#book = elem("target:book", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]) #book = elem("target:book", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
} }
}
target "installer" {
name = elem("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
tags = [
elem_tag("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
]
target = "installer"
dockerfile = "${docker_dir}/Dockerfile.cargo.install"
matrix = cargo_rust_feat_sys
inherits = [
elem("deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
elem("cargo", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
]
contexts = {
input = elem("target:deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
}
args = { args = {
cargo_args = "--bins" install_prefix = install_prefix
CARGO_INSTALL_ROOT = cargo_install_root
} }
} }
@@ -1120,10 +1105,14 @@ target "deps-base" {
cargo_profile = cargo_profile cargo_profile = cargo_profile
cook_args = "--all-targets --no-build" cook_args = "--all-targets --no-build"
# Base path
CARGO_TARGET_DIR = "${cargo_tgt_dir_base}" CARGO_TARGET_DIR = "${cargo_tgt_dir_base}"
cargo_tgt_cache = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/_shared_cache" # cache key for unique artifact area
cargo_tgt_dst = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/${feat_set}" cargo_target_artifact = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/${feat_set}/${git_ref_sha}"
cargo_tgt_sub = ( # cache key for hashed subdirs
cargo_target_share = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/_shared_cache"
# cased name of profile subdir within target complex
cargo_target_profile = (
(cargo_profile == "dev" || cargo_profile == "test")? "debug": (cargo_profile == "dev" || cargo_profile == "test")? "debug":
(cargo_profile == "release" || cargo_profile == "bench")? "release": (cargo_profile == "release" || cargo_profile == "bench")? "release":
cargo_profile cargo_profile
@@ -1313,6 +1302,7 @@ target "ingredients" {
] ]
target = "ingredients" target = "ingredients"
dockerfile = "${docker_dir}/Dockerfile.ingredients" dockerfile = "${docker_dir}/Dockerfile.ingredients"
cache_to = ["type=local,compression=zstd,mode=min,compression-level=${cache_compress_level}"]
matrix = rust_feat_sys matrix = rust_feat_sys
inherits = [ inherits = [
elem("source", [feat_set, sys_name, sys_version, sys_target]), elem("source", [feat_set, sys_name, sys_version, sys_target]),
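Review bot: The `install` target's `output` switches from `image_compress_level` (11) to `cache_compress_level` (7) while `cache_to` keeps `cache_compress_level`; the variable names say image outputs use the former, so if this is a deliberate speed trade-off a comment such as `# install image is intermediate; cache-level compression is enough` would stop the next reader from reverting it. Separately, `cargo_target_artifact` and `cargo_target_share` are added to the `deps-base` args with "cache key" comments, but none of the Dockerfiles touched in this commit declares an `ARG` for either name (the old `cargo_tgt_*` ARGs are removed and not replaced), so unless another target consumes them they are dead config and the comments describe a cache mount that no longer exists. Also `cargo_target_artifact` embeds `${git_ref_sha}` while `GITHUB_REF_SHA` now defaults to `"HEAD"`; if `git_ref_sha` derives from it, a local build's "unique artifact area" is keyed on the literal string HEAD rather than a commit, so resolving the real SHA (e.g. `git rev-parse HEAD`) in bake.sh before passing it in would preserve the intended uniqueness.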