docker: Fix target mount cache paths; relax locks on cargo home.

docker: Persist lychee cache.

Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
2025-06-01 11:40:09 +00:00
parent 8d8fcb588b
commit 9507ce9d03
17 changed files with 270 additions and 133 deletions


@@ -122,4 +122,4 @@ policy.
[cargo-audit]: https://github.com/RustSec/rustsec/tree/main/cargo-audit [cargo-audit]: https://github.com/RustSec/rustsec/tree/main/cargo-audit
[direnv]: https://direnv.net/ [direnv]: https://direnv.net/
[mdbook]: https://rust-lang.github.io/mdBook/ [mdbook]: https://rust-lang.github.io/mdBook/
[documentation.yml]: https://github.com/matrix-construct/tuwunel/blob/main/.github/workflows/documentation.yml [documentation.yml]: https://github.com/matrix-construct/tuwunel/blob/main/.github/workflows/docs.yml


@@ -7,7 +7,9 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG CARGO_TARGET_CACHE ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG cargo_profile ARG cargo_profile
ARG cargo_features ARG cargo_features
ARG cargo_spec_features ARG cargo_spec_features
@@ -22,13 +24,14 @@ COPY --link --from=rocksdb . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/deps,id=${CARGO_TARGET_CACHE}/deps,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst}/${cargo_tgt_sub},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/build,id=${CARGO_TARGET_CACHE}/build,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/incremental,id=${CARGO_TARGET_CACHE}/incremental,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/.fingerprint,id=${CARGO_TARGET_CACHE}/fingerprint,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \
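Review bot: The `${CARGO_HOME}/registry` and `${CARGO_HOME}/git` mounts are now `sharing=shared,ro`, so any cargo invocation in this RUN that tries to refresh the index or fetch a crate will hit a read-only filesystem under those paths instead of a cargo-level diagnostic. The install stage in this same commit pairs these mounts with `--frozen`; the cargo command here begins on the hunk's last line and continues outside it, so I cannot see whether it passes `--frozen` (or at least `--offline`) — if it does not, add it so a stale lockfile or an unpopulated cache fails fast with cargo's own message. The identical mount list is repeated in the deb, cook, rpm, audit, fmt and typos stages of this commit and the same remark applies to each.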


@@ -7,10 +7,14 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG audit_args="" ARG audit_args=""
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
<<EOF <<EOF
set -eux set -eux
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \
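Review bot: The added `WORKDIR /` and `COPY --link --from=input . .` pair deserves a comment explaining its purpose, because where the stage header is visible elsewhere in this commit (`FROM input AS key-gen-base`, `FROM input AS complement-testee`) the stage is itself built from `input`, so copying `input`'s whole rootfs onto `/` re-adds it as a second layer. The FROM of this stage is outside the hunk, so I am inferring the same here. If the intent is to obtain a `--link`ed layer that is independent of the base for cache reuse, say so once, e.g. `# re-add the input rootfs as a --link layer so it is cached independently of the base`; the same pair is added to roughly a dozen stages in this commit (deb, cook, fmt, install, rpm, typos, complement, diner, rocksdb) and one comment at the first occurrence would cover them.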


@@ -7,7 +7,9 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG CARGO_TARGET_CACHE ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG cargo_profile ARG cargo_profile
ARG cargo_features ARG cargo_features
ARG cargo_spec_features ARG cargo_spec_features
@@ -19,13 +21,15 @@ COPY --link --from=input . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/deps,id=${CARGO_TARGET_CACHE}/deps,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst}/${cargo_tgt_sub},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/build,id=${CARGO_TARGET_CACHE}/build,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/debian,id=${cargo_tgt_dst}/debian,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/incremental,id=${CARGO_TARGET_CACHE}/incremental,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/.fingerprint,id=${CARGO_TARGET_CACHE}/fingerprint,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
mkdir -p "${pkg_dir}" mkdir -p "${pkg_dir}"


@@ -7,38 +7,46 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG CARGO_TARGET_CACHE ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG CARGO_BUILD_RUSTFLAGS ARG CARGO_BUILD_RUSTFLAGS
ARG CARGO_PROFILE_test_DEBUG ARG CARGO_PROFILE_TEST_DEBUG
ARG CARGO_PROFILE_bench_DEBUG ARG CARGO_PROFILE_BENCH_DEBUG
ARG CARGO_PROFILE_bench_LTO ARG CARGO_PROFILE_BENCH_LTO
ARG CARGO_PROFILE_bench_CODEGEN_UNITS ARG CARGO_PROFILE_BENCH_CODEGEN_UNITS
ARG CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG
ARG cargo_profile ARG cargo_profile
ARG cargo_features ARG cargo_features
ARG cargo_spec_features ARG cargo_spec_features
ARG cook_args ARG cook_args
ARG git_checkout ARG git_checkout
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/lib/${sys_target} WORKDIR /usr/lib/${sys_target}
COPY --from=rocksdb . . COPY --link --from=rocksdb . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
COPY --from=recipe recipe.json . COPY --link --from=recipe recipe.json .
ENV CARGO_TARGET_DIR="${CARGO_TARGET_DIR}" ENV CARGO_TARGET_DIR="${CARGO_TARGET_DIR}"
ENV CARGO_BUILD_RUSTFLAGS="${CARGO_BUILD_RUSTFLAGS}" ENV CARGO_BUILD_RUSTFLAGS="${CARGO_BUILD_RUSTFLAGS}"
ENV CARGO_PROFILE_test_DEBUG="${CARGO_PROFILE_test_DEBUG}" ENV CARGO_PROFILE_TEST_DEBUG="${CARGO_PROFILE_TEST_DEBUG}"
ENV CARGO_PROFILE_bench_DEBUG="${CARGO_PROFILE_bench_DEBUG}" ENV CARGO_PROFILE_BENCH_DEBUG="${CARGO_PROFILE_BENCH_DEBUG}"
ENV CARGO_PROFILE_bench_LTO="${CARGO_PROFILE_bench_LTO}" ENV CARGO_PROFILE_BENCH_LTO="${CARGO_PROFILE_BENCH_LTO}"
ENV CARGO_PROFILE_bench_CODEGEN_UNITS="${CARGO_PROFILE_bench_CODEGEN_UNITS}" ENV CARGO_PROFILE_BENCH_CODEGEN_UNITS="${CARGO_PROFILE_BENCH_CODEGEN_UNITS}"
ENV CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG="${CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG}"
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/deps,id=${CARGO_TARGET_CACHE}/deps,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst}/${cargo_tgt_sub},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/build,id=${CARGO_TARGET_CACHE}/build,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/incremental,id=${CARGO_TARGET_CACHE}/incremental,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/.fingerprint,id=${CARGO_TARGET_CACHE}/fingerprint,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \


@@ -7,10 +7,14 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG fmt_args="" ARG fmt_args=""
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
<<EOF <<EOF
set -eux set -eux
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \


@@ -7,7 +7,9 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG CARGO_TARGET_CACHE ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG cargo_profile ARG cargo_profile
ARG cargo_features ARG cargo_features
ARG cargo_spec_features ARG cargo_spec_features
@@ -24,13 +26,14 @@ COPY --link --from=rocksdb . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/deps,id=${CARGO_TARGET_CACHE}/deps,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst}/${cargo_tgt_sub},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/build,id=${CARGO_TARGET_CACHE}/build,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/incremental,id=${CARGO_TARGET_CACHE}/incremental,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/.fingerprint,id=${CARGO_TARGET_CACHE}/fingerprint,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
case "$cargo_profile" in case "$cargo_profile" in
@@ -43,7 +46,7 @@ RUN \
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \
cargo install \ cargo install \
--locked \ --frozen \
--no-track \ --no-track \
"${cargo_spec_features}" \ "${cargo_spec_features}" \
--features "${cargo_features}" \ --features "${cargo_features}" \
@@ -63,9 +66,6 @@ ARG sys_target
ARG CARGO_INSTALL_ROOT ARG CARGO_INSTALL_ROOT
ARG install_temp="/usr/src/tuwunel/install" ARG install_temp="/usr/src/tuwunel/install"
WORKDIR /
COPY --link --from=input . .
RUN \ RUN \
--mount=type=bind,from=output,src=${install_temp},dst=/mnt/install \ --mount=type=bind,from=output,src=${install_temp},dst=/mnt/install \
<<EOF <<EOF


@@ -7,23 +7,31 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG lychee_cache_age="7d" ARG lychee_cache_age="7d"
ARG lychee_mode="color" ARG lychee_mode="color"
ARG lychee_args="docs *.md" # .lycheecache is hardcoded as path to reg file in the cwd so we execute lychee
# in cache directory itself. all paths here should be absolute paths
ARG lychee_args="/usr/src/tuwunel/docs /usr/src/tuwunel/*.md"
WORKDIR /usr/src/tuwunel WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src/
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=lychee,sharing=locked \
<<EOF <<EOF
set -eux set -eux
cd lychee
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \
lychee \ lychee \
--verbose \ --verbose \
--cache \ --no-progress \
--offline \ --offline \
--max-cache-age ${lychee_cache_age} \ --cache \
--mode ${lychee_mode} \ --max-cache-age "${lychee_cache_age}" \
--exclude development.md \ --mode "${lychee_mode}" \
--exclude contributing.md \ --exclude /usr/src/tuwunel/contributing.md \
--exclude testing.md \ --exclude /usr/src/tuwunel/development/testing.md \
${lychee_args} ${lychee_args}
EOF EOF
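Review bot: The new cache mount uses a relative destination, `--mount=type=cache,dst=lychee,sharing=locked`, which contradicts the comment added just above it that all paths here should be absolute; BuildKit resolves it against the current `WORKDIR /usr/src/`, but that makes the mount point depend on WORKDIR ordering and easy to break when lines move. Write it as `--mount=type=cache,dst=/usr/src/lychee,sharing=locked` and `cd /usr/src/lychee` so the mount, the `cd` and the comment agree. Since the mount has no explicit `id`, the cache key defaults to the destination path, so a later change to that path would also silently discard the persisted `.lycheecache`.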


@@ -7,7 +7,9 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TARGET
ARG CARGO_TARGET_DIR ARG CARGO_TARGET_DIR
ARG CARGO_TARGET_CACHE ARG cargo_tgt_dst
ARG cargo_tgt_sub
ARG cargo_tgt_cache
ARG cargo_profile ARG cargo_profile
ARG cargo_features ARG cargo_features
ARG cargo_spec_features ARG cargo_spec_features
@@ -19,13 +21,14 @@ COPY --link --from=input . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/deps,id=${CARGO_TARGET_CACHE}/deps,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR},id=${cargo_tgt_dst}/${cargo_tgt_sub},sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/build,id=${CARGO_TARGET_CACHE}/build,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/deps,id=${cargo_tgt_cache}/deps,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/incremental,id=${CARGO_TARGET_CACHE}/incremental,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/build,id=${cargo_tgt_cache}/build,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/.fingerprint,id=${CARGO_TARGET_CACHE}/fingerprint,sharing=shared \ --mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/incremental,id=${cargo_tgt_cache}/incremental,sharing=locked \
--mount=type=cache,dst=${CARGO_TARGET_DIR}/${cargo_tgt_sub}/.fingerprint,id=${cargo_tgt_cache}/fingerprint,sharing=locked \
<<EOF <<EOF
set -eux set -eux
mkdir -p "${pkg_dir}" mkdir -p "${pkg_dir}"
@@ -45,12 +48,15 @@ EOF
FROM scratch AS package FROM scratch AS package
ARG pkg_dir ARG pkg_dir
COPY --from=rpmbuild ${pkg_dir}/* . COPY --link --from=rpmbuild ${pkg_dir}/* .
FROM redhat/ubi9 AS package-install FROM redhat/ubi9 AS package-install
ARG pkg_dir ARG pkg_dir
WORKDIR /
COPY --link --from=input . .
WORKDIR ${pkg_dir} WORKDIR ${pkg_dir}
COPY --link --from=package . . COPY --link --from=package . .
RUN <<EOF RUN <<EOF


@@ -6,10 +6,14 @@ ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG typos_args="" ARG typos_args=""
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=shared,ro \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=shared,ro \
<<EOF <<EOF
set -eux set -eux
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \


@@ -4,6 +4,9 @@ FROM input AS key-gen-base
ARG var_cache ARG var_cache
ARG var_lib_apt ARG var_lib_apt
WORKDIR /
COPY --link --from=input . .
RUN \ RUN \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \
@@ -116,6 +119,9 @@ EOF
FROM input AS complement-testee FROM input AS complement-testee
WORKDIR /
COPY --link --from=input . .
EXPOSE 8008 8448 EXPOSE 8008 8448
RUN mkdir /database RUN mkdir /database
COPY --from=complement-config * /complement/ COPY --from=complement-config * /complement/
@@ -125,6 +131,9 @@ ENTRYPOINT tuwunel -Oserver_name=\""$SERVER_NAME\""
FROM input AS complement-testee-valgrind FROM input AS complement-testee-valgrind
WORKDIR /
COPY --link --from=input . .
EXPOSE 8008 8448 EXPOSE 8008 8448
RUN mkdir /database RUN mkdir /database
COPY --from=complement-config * /complement/ COPY --from=complement-config * /complement/
@@ -182,6 +191,10 @@ ARG complement_tags="conduwuit_blacklist"
ARG complement_tests="./tests/..." ARG complement_tests="./tests/..."
ARG complement_base_image ARG complement_base_image
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src/complement
ENV COMPLEMENT_DEBUG=$complement_debug ENV COMPLEMENT_DEBUG=$complement_debug
ENV complement_parallel="$complement_parallel" ENV complement_parallel="$complement_parallel"
ENV complement_shuffle="$complement_shuffle" ENV complement_shuffle="$complement_shuffle"
@@ -198,7 +211,6 @@ ENV COMPLEMENT_HOST_MOUNTS="/var/run/docker.sock:/var/run/docker.sock"
ENV jq_res='{Action: .Action, Test: .Test}' ENV jq_res='{Action: .Action, Test: .Test}'
ENV jq_sel='select((.Action == \"pass\" or .Action == \"fail\" or .Action == \"skip\") and .Test != null)' ENV jq_sel='select((.Action == \"pass\" or .Action == \"fail\" or .Action == \"skip\") and .Test != null)'
ENV jq_tab='[.Action, .Test] | @tsv' ENV jq_tab='[.Action, .Test] | @tsv'
WORKDIR /usr/src/complement
COPY --from=complement-config /complement/old_results.jsonl . COPY --from=complement-config /complement/old_results.jsonl .
COPY <<EOF uwu.sh COPY <<EOF uwu.sh
env; env;
@@ -240,6 +252,10 @@ ARG complement_tags="conduwuit_blacklist"
ARG complement_tests="./tests/..." ARG complement_tests="./tests/..."
ARG complement_base_image ARG complement_base_image
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src/complement
ENV COMPLEMENT_DEBUG=$complement_debug ENV COMPLEMENT_DEBUG=$complement_debug
ENV complement_parallel="$complement_parallel" ENV complement_parallel="$complement_parallel"
ENV complement_shuffle="$complement_shuffle" ENV complement_shuffle="$complement_shuffle"
@@ -252,7 +268,6 @@ ENV complement_run="$complement_run"
ENV complement_tests="$complement_tests" ENV complement_tests="$complement_tests"
ENV COMPLEMENT_HOSTNAME_RUNNING_COMPLEMENT="host.docker.internal" ENV COMPLEMENT_HOSTNAME_RUNNING_COMPLEMENT="host.docker.internal"
ENV COMPLEMENT_HOST_MOUNTS="/var/run/docker.sock:/var/run/docker.sock" ENV COMPLEMENT_HOST_MOUNTS="/var/run/docker.sock:/var/run/docker.sock"
WORKDIR /usr/src/complement
COPY <<EOF valgrind.sh COPY <<EOF valgrind.sh
env; env;
set -eux; set -eux;


@@ -2,74 +2,76 @@
FROM input AS cookware FROM input AS cookware
ARG rust_toolchain ARG rust_toolchain
ARG rust_target
ARG RUSTUP_HOME ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET
ARG CARGO_TERM_VERBOSE
ARG rustup_version="1.28.1" ARG rustup_version="1.28.1"
ARG rustup_components ARG rustup_profile="minimal"
WORKDIR / WORKDIR /
COPY --link --from=input . . COPY --link --from=input . .
ENV RUSTUP_HOME="${RUSTUP_HOME}" ENV CARGO_TARGET="${rust_target}"
ENV CARGO_HOME="${CARGO_HOME}"
ENV CARGO_TARGET="${CARGO_TARGET}"
ENV CARGO_TERM_VERBOSE="${CARGO_TERM_VERBOSE}"
WORKDIR /opt WORKDIR /opt
RUN \ RUN <<EOF
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
<<EOF
set -eux set -eux
url="https://static.rust-lang.org/rustup/archive/${rustup_version}/${CARGO_TARGET}/rustup-init" url="https://static.rust-lang.org/rustup/archive/${rustup_version}/${rust_target}/rustup-init"
curl -S -O -s "$url" curl -S -O -s "$url"
chmod o+x rustup-init chmod o+x rustup-init
EOF
ENV RUSTUP_HOME="${RUSTUP_HOME}"
ENV CARGO_HOME="${CARGO_HOME}"
RUN \
--mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
<<EOF
set -eux
./rustup-init -y \ ./rustup-init -y \
--verbose \ --quiet \
--profile minimal \ --profile "${rustup_profile}" \
--no-modify-path \ --default-host "${CARGO_TARGET}" \
--default-toolchain "${rust_toolchain}" \
--no-update-default-toolchain \ --no-update-default-toolchain \
--default-host ${CARGO_TARGET} \ --no-modify-path
--default-toolchain ${rust_toolchain}
chmod -R go+rw $CARGO_HOME $RUSTUP_HOME chmod -R go+rw $CARGO_HOME $RUSTUP_HOME
rm rustup-init rm rustup-init
EOF EOF
ENV PATH="${CARGO_HOME}/bin:$PATH" ENV PATH="${CARGO_HOME}/bin:$PATH"
RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
<<EOF
set -eux
rustup component add \
--toolchain ${rust_toolchain} \
--target ${CARGO_TARGET} \
${rustup_components} \
;
EOF
FROM input AS chef FROM input AS chef
ARG rust_toolchain ARG rust_toolchain
ARG rust_target
ARG RUSTUP_HOME ARG RUSTUP_HOME
ARG CARGO_HOME ARG CARGO_HOME
ARG CARGO_TARGET ARG CARGO_TERM_VERBOSE
ARG rustup_components
ARG cargo_installs ARG cargo_installs
WORKDIR / WORKDIR /
COPY --link --from=input . . COPY --link --from=input . .
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
<<EOF <<EOF
set -eux set -eux
rustup component add \
--toolchain ${rust_toolchain} \
--target ${rust_target} \
${rustup_components} \
;
rustup run --install ${rust_toolchain} \ rustup run --install ${rust_toolchain} \
cargo install \ cargo install \
--quiet \
--locked \ --locked \
--target ${CARGO_TARGET} \ --target ${rust_target} \
${cargo_installs} \ ${cargo_installs} \
; ;
EOF EOF
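Review bot: The rustup-init bootstrap in the cookware stage (`url="https://static.rust-lang.org/rustup/archive/${rustup_version}/${rust_target}/rustup-init"` followed by `curl -S -O -s "$url"`) is downloaded and later executed by `./rustup-init -y` without any integrity check, and `curl` is not given `-f`, so an HTTP error body would be written to `rustup-init` and run. rustup publishes a `rustup-init.sha256` beside each archived binary; fetching it and verifying before the `chmod` costs two lines, e.g. `curl -fsS -O "$url.sha256"` and `sha256sum -c rustup-init.sha256`, and makes the toolchain bootstrap tamper-evident. Separately, `chmod -R go+rw $CARGO_HOME $RUSTUP_HOME` leaves the installed toolchain world-writable for every downstream stage; if those stages only need to read it, `go+rX` is the least-privilege form.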


@@ -11,6 +11,9 @@ ARG var_cache
ARG var_lib_apt ARG var_lib_apt
ARG packages ARG packages
WORKDIR /
COPY --link --from=input . .
ENV packages="ca-certificates ${packages}" ENV packages="ca-certificates ${packages}"
RUN \ RUN \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
@@ -31,6 +34,9 @@ FROM input AS valgrind
ARG var_cache ARG var_cache
ARG var_lib_apt ARG var_lib_apt
WORKDIR /
COPY --link --from=input . .
RUN \ RUN \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \
@@ -44,6 +50,9 @@ FROM input AS perf
ARG var_cache ARG var_cache
ARG var_lib_apt ARG var_lib_apt
WORKDIR /
COPY --link --from=input . .
RUN \ RUN \
--mount=type=cache,dst=${var_cache},sharing=locked \ --mount=type=cache,dst=${var_cache},sharing=locked \
--mount=type=cache,dst=${var_lib_apt},sharing=locked \ --mount=type=cache,dst=${var_lib_apt},sharing=locked \


@@ -8,7 +8,9 @@ COPY --link --from=input . .
ADD --link --keep-git-dir . /usr/src/tuwunel ADD --link --keep-git-dir . /usr/src/tuwunel
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN <<EOF RUN \
--mount=type=cache,dst=/var/lock/uwu/source,sharing=locked \
<<EOF
set -eux set -eux
git reset \ git reset \
--hard \ --hard \
@@ -41,8 +43,9 @@ ENV JEMALLOC_OVERRIDE="${JEMALLOC_OVERRIDE}"
#ENV ZSTD_SYS_USE_PKG_CONFIG="${ZSTD_SYS_USE_PKG_CONFIG}" #ENV ZSTD_SYS_USE_PKG_CONFIG="${ZSTD_SYS_USE_PKG_CONFIG}"
ENV ROCKSDB_LIB_DIR="${ROCKSDB_LIB_DIR}" ENV ROCKSDB_LIB_DIR="${ROCKSDB_LIB_DIR}"
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
<<EOF <<EOF
set -eux set -eux
git submodule update \ git submodule update \
@@ -70,8 +73,9 @@ COPY --link --from=input . .
WORKDIR /usr/src/tuwunel WORKDIR /usr/src/tuwunel
RUN \ RUN \
--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \ --mount=type=cache,dst=${RUSTUP_HOME}/downloads,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME},sharing=locked \ --mount=type=cache,dst=${CARGO_HOME}/registry,sharing=locked \
--mount=type=cache,dst=${CARGO_HOME}/git,sharing=locked \
<<EOF <<EOF
set -euxo pipefail set -euxo pipefail
rustup run ${rust_toolchain} \ rustup run ${rust_toolchain} \
@@ -91,5 +95,5 @@ EOF
FROM scratch AS recipe FROM scratch AS recipe
WORKDIR / WORKDIR /
COPY --from=preparing /usr/src/tuwunel/recipe.json . COPY --link --from=preparing /usr/src/tuwunel/recipe.json .
COPY --from=preparing /usr/src/tuwunel/rocksdb.url . COPY --link --from=preparing /usr/src/tuwunel/rocksdb.url .
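Review bot: The new `--mount=type=cache,dst=/var/lock/uwu/source,sharing=locked` in the first hunk appears to store nothing — none of the visible commands write under it — and exists only so that `sharing=locked` serialises concurrent builds of this step, which a cache mount does not convey on its own. A comment above it would spare the next reader, e.g. `# cache mount used only as a cross-build mutex (sharing=locked); no data is kept here`. The same idiom is used for `/var/lock/uwu/rocksdb` in the rocksdb Dockerfile of this commit. The RUN heredoc this mount belongs to continues past the hunk.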


@@ -2,8 +2,12 @@
FROM input AS rocksdb-fetch FROM input AS rocksdb-fetch
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src WORKDIR /usr/src
COPY --link --from=recipe rocksdb.url . COPY --link --from=recipe rocksdb.url .
RUN <<EOF RUN <<EOF
set -eux set -eux
submodule="librocksdb-sys/rocksdb" submodule="librocksdb-sys/rocksdb"
@@ -33,12 +37,15 @@ ARG rocksdb_zlib=0
ARG rocksdb_snappy=0 ARG rocksdb_snappy=0
ARG nprocs ARG nprocs
WORKDIR /
COPY --link --from=input . .
WORKDIR /usr/src/rocksdb/librocksdb-sys/rocksdb
ENV CC="clang" ENV CC="clang"
ENV CXX="clang++" ENV CXX="clang++"
WORKDIR /usr/src/rocksdb/librocksdb-sys/rocksdb
ENV nprocs=${nprocs} ENV nprocs=${nprocs}
RUN \ RUN \
--mount=type=cache,dst=/var/lock/uwu/${rocksdb_jemalloc}/${rocksdb_iouring}/${rocksdb_portable},sharing=locked \ --mount=type=cache,dst=/var/lock/uwu/rocksdb,sharing=locked \
<<EOF <<EOF
set -eux set -eux
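Review bot: Replacing the per-variant lock `/var/lock/uwu/${rocksdb_jemalloc}/${rocksdb_iouring}/${rocksdb_portable}` with the single `/var/lock/uwu/rocksdb` serialises every rocksdb build variant behind one mutex, where previously variants with different flags could build concurrently. If the variants now share state that must not be built in parallel (the build body is outside the hunk, so I cannot tell), record that next to the mount, e.g. `# one lock for all variants: they build in the same tree under /usr/src/rocksdb`; otherwise the former per-variant id kept more parallelism for the same safety.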


@@ -55,7 +55,7 @@ so please be patient.
2. Some unsavory options are required for some targets. It might be possible to omit these if 2. Some unsavory options are required for some targets. It might be possible to omit these if
you're not building the full tree. Otherwise I've included them in the create command below. you're not building the full tree. Otherwise I've included them in the create command below.
- To run the complement compliance suite we need the `--allow-insecure-entitlement netwok.host`. - To run the complement compliance suite we need the `--allow-insecure-entitlement network.host`.
This requirement is probably a defect in Complement. This requirement is probably a defect in Complement.
Finally create Finally create
@@ -84,3 +84,48 @@ cues from the primary user of this system, the [GitHub CI](https://github.com/ma
building the targets for `complement-tester` and `complement-testee` using `bake.sh` and then building the targets for `complement-tester` and `complement-testee` using `bake.sh` and then
invoking `complement.sh`. You can take cues again from another user of this in the invoking `complement.sh`. You can take cues again from another user of this in the
[GitHub CI](https://github.com/matrix-construct/tuwunel/blob/main/.github/workflows/test.yml#L79). [GitHub CI](https://github.com/matrix-construct/tuwunel/blob/main/.github/workflows/test.yml#L79).
## Notes
- For CI our builders are more persistent rather than being created and destroyed for
each invocation. The builder is meant to be safely reused across operations, but
for concurrent operations this is tricky, see the next point.
- For CI our builders are isolated only by actor/user. This will probably change to
`actor/repo/branch` as it's easy to cause issues with concurrent builds right now.
However we can't accept destroying the builder after each use, so we'll likely
choose `actor/repo/branch` with the expectation of one build at a time under those
constraints. Some external caching might need to be contrived between builders for
deduplication but with care such that malicious actors cannot poison data used
by other actors, otherwise it defeats the purpose of builder isolation.
#### On Target Caches
The challenge here is to get all aspects of the target directory perfectly optimal
within the many constraints including cargo issues and our goals. This is highly complex
because we have to provide each image being built with a safe environment yet share as
much as possible between builds. This includes maximum reuse of prior builds but without
unnecessary dirtying or more serious unexpected conflicts.
We first create a hausdorff space based on builds which could never benefit from sharing
and would always be unsound (even silently) if they came into contact; so all cache id's
are prefixed by the matrix components:
`${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}`. This is
important because we can simplify the mount path inside the image which is important for
the absolute paths generated by fingerprints and dependency files. We need to keep those
the same if any builds expect to share them.
The top-level of target directory is immediately partitioned by cargo into different
profiles. Note that we already imposed separation based on profile but we still have to
deal with that subdirectory in the mount, which has special-cases for the dev, test, and
bench profiles. These directories at their top-level are the final artifact area which is
not concurrency safe and there are open issues in cargo for explicit artifact directories.
Within these unsafe directories are sub-directories which contain hash-sharded components
making them safe again for shared caching, so long as the path to them remains consistent
for all images mounting.
As you can see this is already getting very complicated. If this is done wrong lots of
different bad things can happen such as broken builds from bad conflicts, constant
rebuilds from modest conflicts, or over-use of resources from too much separation.
TODO


@@ -200,7 +200,6 @@ group "lints" {
"audit", "audit",
"check", "check",
"clippy", "clippy",
"docs",
"fmt", "fmt",
"lychee", "lychee",
] ]
@@ -305,7 +304,6 @@ target "tuwunel" {
target = "tuwunel" target = "tuwunel"
dockerfile-inline =<<EOF dockerfile-inline =<<EOF
FROM input AS tuwunel FROM input AS tuwunel
COPY --link --from=input . .
EXPOSE 8008 8448 EXPOSE 8008 8448
ENTRYPOINT ["${cargo_install_root}/bin/tuwunel"] ENTRYPOINT ["${cargo_install_root}/bin/tuwunel"]
EOF EOF
@@ -551,8 +549,6 @@ target "standalone" {
] ]
target = "standalone" target = "standalone"
labels = install_labels labels = install_labels
output = ["type=docker,compression=zstd,mode=min"]
cache_to = ["type=local,compression=zstd,mode=min"]
matrix = cargo_rust_feat_sys matrix = cargo_rust_feat_sys
inherits = [ inherits = [
elem("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]), elem("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
@@ -613,6 +609,8 @@ target "installer" {
group "pkg" { group "pkg" {
targets = [ targets = [
"pkg-deb",
"pkg-rpm",
"pkg-deb-install", "pkg-deb-install",
"pkg-rpm-install", "pkg-rpm-install",
] ]
@@ -1050,6 +1048,10 @@ target "deps-check" {
} }
} }
variable "cargo_tgt_dir_base" {
default = "/usr/src/tuwunel/target"
}
target "deps-base" { target "deps-base" {
name = elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]) name = elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
tags = [ tags = [
@@ -1071,12 +1073,22 @@ target "deps-base" {
args = { args = {
cargo_profile = cargo_profile cargo_profile = cargo_profile
cook_args = "--all-targets --no-build" cook_args = "--all-targets --no-build"
CARGO_TARGET_DIR = "/usr/src/tuwunel/target/${sys_name}/${sys_version}/${rust_toolchain}/${cargo_profile}/${feat_set}"
CARGO_TARGET_CACHE = "/usr/src/tuwunel/target/${sys_name}/${sys_version}/_shared_cache" CARGO_TARGET_DIR = "${cargo_tgt_dir_base}"
CARGO_PROFILE_test_DEBUG = "0" cargo_tgt_cache = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/_shared_cache"
CARGO_PROFILE_bench_DEBUG = "0" cargo_tgt_dst = "${cargo_tgt_dir_base}/${sys_name}/${sys_version}/${rust_target}/${rust_toolchain}/${cargo_profile}/${feat_set}"
CARGO_PROFILE_bench_LTO = "0" cargo_tgt_sub = (
CARGO_PROFILE_bench_CODEGEN_UNITS = "1" (cargo_profile == "dev" || cargo_profile == "test")? "debug":
(cargo_profile == "release" || cargo_profile == "bench")? "release":
cargo_profile
)
CARGO_PROFILE_TEST_DEBUG = "false"
CARGO_PROFILE_BENCH_DEBUG = "false"
CARGO_PROFILE_BENCH_LTO = "false"
CARGO_PROFILE_BENCH_CODEGEN_UNITS = "1"
CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG = "true"
CARGO_BUILD_RUSTFLAGS = ( CARGO_BUILD_RUSTFLAGS = (
cargo_profile == "release-max-perf"? cargo_profile == "release-max-perf"?
join(" ", [ join(" ", [
@@ -1345,6 +1357,11 @@ target "chef" {
contexts = { contexts = {
input = elem("target:cookware", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]) input = elem("target:cookware", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
} }
args = {
CARGO_TERM_VERBOSE = CARGO_TERM_VERBOSE
rustup_components = join(" ", rustup_components)
cargo_installs = join(" ", cargo_installs)
}
} }
target "cookware" { target "cookware" {
@@ -1363,12 +1380,9 @@ target "cookware" {
} }
args = { args = {
rust_toolchain = rust_toolchain rust_toolchain = rust_toolchain
RUSTUP_HOME = "/opt/rustup" rust_target = rust_target
CARGO_HOME = "/opt/${sys_name}/${sys_target}/cargo" RUSTUP_HOME = "/opt/rustup/${sys_name}"
CARGO_TARGET = rust_target CARGO_HOME = "/opt/cargo/${sys_name}/${sys_target}"
CARGO_TERM_VERBOSE = CARGO_TERM_VERBOSE
cargo_installs = join(" ", cargo_installs)
rustup_components = join(" ", rustup_components)
} }
} }
@@ -1506,7 +1520,7 @@ target "system" {
] ]
target = "system" target = "system"
output = ["type=cacheonly,compression=zstd,mode=min"] output = ["type=cacheonly,compression=zstd,mode=min"]
cache_to = ["type=local,compression=zstd,mode=max"] cache_to = ["type=local,compression=zstd,mode=min"]
cache_from = ["type=local"] cache_from = ["type=local"]
dockerfile = "${docker_dir}/Dockerfile.diner" dockerfile = "${docker_dir}/Dockerfile.diner"
matrix = sys matrix = sys
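Review bot: The `cargo_tgt_sub` conditional in `deps-base` encodes cargo's target-subdirectory rule without saying so; a comment above `cargo_tgt_sub = (` makes the coupling explicit and warns whoever adds a profile, e.g. `# cargo's output subdir: dev/test build into target/debug, release/bench into target/release, custom profiles into target/<name>`. The new `cargo_tgt_cache` id is keyed by `sys_name`, `sys_version`, `rust_target`, `rust_toolchain` and `cargo_profile` but not `feat_set`, so the hash-sharded `deps`/`build`/`incremental`/`.fingerprint` directories are shared across feature sets by design; a one-line note there pointing at the target-cache rationale in this commit's docs would keep that choice from looking like an omission.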