Updates to system image base management

This just a checkpoint along the way to, pushing a properly structured base image that we will pull and use in later work. * Tweak build-base.sh to output a normal `docker export` tarball. * Add bazel targets to help with pushing the base image. * Add a noci tag that can be used to skip rules. * Exclude noci-tagged targets in xtask bazel build and bazel test Change-Id: Ib91687dad80a9d179b730fd0c47d05a6d744c6ad
project-oak · Apr 10, 2024 · fe215a2 · fe215a2
1 parent 55e4fea
commit fe215a2
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 7 deletions.
diff --git a/oak_containers_system_image/BUILD b/oak_containers_system_image/BUILD
@@ -0,0 +1,53 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push")
+
+package(
+    licenses = ["notice"],
+)
+
+### Base Image Update Targets
+### These can't yet be run automatically. First, the build-base.sh script must be run.
+
+# This can be generated by running build-base.sh
+filegroup(
+    name = "base_image_tar",
+    srcs = [
+        "target/base-image.tar",
+    ],
+    # This rule will fail until build-base.sh has been run
+    tags = ["noci"],
+)
+
+oci_image(
+    name = "oak_containers_sysimage_base",
+    architecture = "amd64",
+    os = "linux",
+    # This rule will fail until build-base.sh has been run
+    tags = ["noci"],
+    tars = [":base_image_tar"],
+)
+
+# After running this target, you will need to update the hash for
+# oak_containers_sysimage_base in the WORKSPACE file to use it.
+oci_push(
+    name = "push_base",
+    image = ":oak_containers_sysimage_base",
+    remote_tags = ["latest"],
+    repository = "europe-west2-docker.pkg.dev/oak-ci/oak-containers-sysimage-base/oak-containers-sysimage-base",
+    # This rule will fail until build-base.sh has been run
+    tags = ["noci"],
+)
diff --git a/oak_containers_system_image/README.md b/oak_containers_system_image/README.md
@@ -15,7 +15,7 @@ the guest Linux distribution and the Orchestrator.
 
 ## Base System Image Tools
 
-`build-base.sh` and `base_iamge.Dockerfile`
+`build-base.sh` and `base_iamge.Dockerfile` and some `BUILD` targets
 
 This directory contains files needed to rebuild the base image used by the
 system container.
@@ -25,3 +25,8 @@ operating system, network configuration, and service enablements.
 
 This image is used to build the system container image with `oci_rules`,
 avoiding the need for Docker when rebuilding a system image container.
+
+To update the base image and push it:
+
+1. ./oak_containers_system_image/build-base.sh
+2. bazel run oak_containers_system_image:push_base
diff --git a/oak_containers_system_image/build-base.sh b/oak_containers_system_image/build-base.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
 
+### Build the base system image with Docker.
+### This script is expected to be run manually, and infrequently, for now.
+### It only needs to be run if base_image.Dockerfile changes.
+
 set -o xtrace
 set -o errexit
 set -o nounset
@@ -9,12 +13,30 @@ readonly SCRIPTS_DIR="$(dirname "$0")"
 
 cd "$SCRIPTS_DIR"
 
+mkdir --parent target
+
 # Fix the file permissions that will be loaded into the system image, as Git doesn't track them.
 # Unfortunately we can't do it in Dockerfile (with `COPY --chown`), as that requires BuildKit.
-chmod --recursive a+rX files/
+chmod --recursive a+rX files
 
 docker build . --tag=oak-containers-sysimage-base:latest --file base_image.Dockerfile
 
-readonly DOCKER_IMAGE_NAME='europe-west2-docker.pkg.dev/oak-ci/oak-containers-sysimage-base/oak-containers-sysimage-base:latest'
-docker tag oak-containers-sysimage-base:latest "${DOCKER_IMAGE_NAME}"
-docker push "${DOCKER_IMAGE_NAME}"
+# We need to actually create a container, otherwise we won't be able to use
+# `docker export` that gives us a filesystem image.
+# (`docker save` creates a tarball which has all the layers separate, which is
+# _not_ what we want.)
+readonly NEW_DOCKER_CONTAINER_ID="$(docker create oak-containers-sysimage-base:latest)"
+
+# We export a plain tarball.
+# The oak_containers_sysimage_base oci_image rule will use this tarball to
+# create an OCI image that it can then push to Google artifact registry.
+# There *might* be a better approach here, but this is working for now.
+docker export "$NEW_DOCKER_CONTAINER_ID" > target/base-image.tar
+
+docker rm "$NEW_DOCKER_CONTAINER_ID"
+
+set +o xtrace
+printf "\n\nIf you want to push this newly created base, run:\n"
+printf "\nbazel run oak_containers_system_image:push_base\n\n"
+printf "If you want to use the newly created base, update the hash for\n"
+printf "the oak_containers_sysimage_base oci_pull target in WORKSPACE\n\n"
diff --git a/xtask/src/main.rs b/xtask/src/main.rs
@@ -636,13 +636,19 @@ fn run_cargo_clean() -> Step {
 fn run_bazel_build() -> Step {
     Step::Single {
         name: "bazel build".to_string(),
-        command: Cmd::new("bazel", ["build", "--", "//...:all"]),
+        command: Cmd::new(
+            "bazel",
+            ["build", "--build_tag_filters=-noci", "--", "//java/...:all", "//cc/...:all"],
+        ),
     }
 }
 
 fn run_bazel_test() -> Step {
     Step::Single {
         name: "bazel test".to_string(),
-        command: Cmd::new("bazel", ["test", "--", "//...:all"]),
+        command: Cmd::new(
+            "bazel",
+            ["build", "--build_tag_filters=-noci", "--", "//java/...:all", "//cc/...:all"],
+        ),
     }
 }