diff --git a/oak_containers_system_image/BUILD b/oak_containers_system_image/BUILD
new file mode 100644
index 00000000000..10d0ea6f32c
--- /dev/null
+++ b/oak_containers_system_image/BUILD
@@ -0,0 +1,53 @@
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push")
+package(
+ licenses = ["notice"],
+)
+### Base Image Update Targets
+### These can't yet be run automatically. First, the build-base.sh script must be run.
+# This can be generated by running build-base.sh
+filegroup(
+ name = "base_image_tar",
+ srcs = [
+ "target/base-image.tar",
+ ],
+ # This rule will fail until build-base.sh has been run
+ tags = ["noci"],
+)
+oci_image(
+ name = "oak_containers_sysimage_base",
+ architecture = "amd64",
+ os = "linux",
+ # This rule will fail until build-base.sh has been run
+ tags = ["noci"],
+ tars = [":base_image_tar"],
+)
+# After running this target, you will need to update the hash for
+# oak_containers_sysimage_base in the WORKSPACE file to use it.
+oci_push(
+ name = "push_base",
+ image = ":oak_containers_sysimage_base",
+ remote_tags = ["latest"],
+ repository = "europe-west2-docker.pkg.dev/oak-ci/oak-containers-sysimage-base/oak-containers-sysimage-base",
+ # This rule will fail until build-base.sh has been run
+ tags = ["noci"],
+)
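Review bot: `push_base` publishes only under the mutable tag `latest` (`remote_tags = ["latest"]`), so nothing on the registry side ties consumers to the image built from this tarball; the only pin is the value the comment above `oci_push` asks the developer to update in WORKSPACE, and "update the hash" could be read as bumping a tag. I would reword that comment to `# After pushing, set the digest attribute of the oak_containers_sysimage_base oci_pull in WORKSPACE to the sha256 of the pushed image; the "latest" tag is mutable and must never be used as the pin.` The `base_image_tar` filegroup wraps a local, unversioned `target/base-image.tar` produced by `docker export` on the developer's machine, so the `oci_image` content is whatever that daemon produced; a one-line comment on the filegroup stating that the tar is not reproducible and is trusted only through the digest pinned downstream would make the provenance model explicit.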
diff --git a/oak_containers_system_image/README.md b/oak_containers_system_image/README.md index e9e8c84f176..279620921cd 100644 --- a/oak_containers_system_image/README.md +++ b/oak_containers_system_image/README.md @@ -15,7 +15,7 @@ the guest Linux distribution and the Orchestrator. ## Base System Image Tools -`build-base.sh` and `base_iamge.Dockerfile` +`build-base.sh` and `base_iamge.Dockerfile` and some `BUILD` targets This directory contains files needed to rebuild the base image used by the system container. @@ -25,3 +25,8 @@ operating system, network configuration, and service enablements. This image is used to build the system container image with `oci_rules`, avoiding the need for Docker when rebuilding a system image container. + +To update the base image and push it: + +1. ./oak_containers_system_image/build-base.sh +2. bazel run oak_containers_system_image:push_base diff --git a/oak_containers_system_image/build-base.sh b/oak_containers_system_image/build-base.sh index 2c6e8211d72..f452fa6bbbc 100755 --- a/oak_containers_system_image/build-base.sh +++ b/oak_containers_system_image/build-base.sh @@ -1,5 +1,9 @@ #!/bin/bash +### Build the base system image with Docker. +### This script is expected to be run manually, and infrequently, for now. +### It only needs to be run if base_image.Dockerfile changes. + set -o xtrace set -o errexit set -o nounset 
@@ -9,12 +13,30 @@ readonly SCRIPTS_DIR="$(dirname "$0")" cd "$SCRIPTS_DIR" +mkdir --parent target + # Fix the file permissions that will be loaded into the system image, as Git doesn't track them. # Unfortunately we can't do it in Dockerfile (with `COPY --chown`), as that requires BuildKit. -chmod --recursive a+rX files/ +chmod --recursive a+rX files docker build . --tag=oak-containers-sysimage-base:latest --file base_image.Dockerfile -readonly DOCKER_IMAGE_NAME='europe-west2-docker.pkg.dev/oak-ci/oak-containers-sysimage-base/oak-containers-sysimage-base:latest' -docker tag oak-containers-sysimage-base:latest "${DOCKER_IMAGE_NAME}" -docker push "${DOCKER_IMAGE_NAME}" +# We need to actually create a container, otherwise we won't be able to use +# `docker export` that gives us a filesystem image. +# (`docker save` creates a tarball which has all the layers separate, which is +# _not_ what we want.) +readonly NEW_DOCKER_CONTAINER_ID="$(docker create oak-containers-sysimage-base:latest)" + +# We export a plain tarball. +# The oak_containers_sysimage_base oci_image rule will use this tarball to +# create an OCI image that it can then push to Google artifact registry. +# There *might* be a better approach here, but this is working for now. +docker export "$NEW_DOCKER_CONTAINER_ID" > target/base-image.tar + +docker rm "$NEW_DOCKER_CONTAINER_ID" + +set +o xtrace +printf "\n\nIf you want to push this newly created base, run:\n" +printf "\nbazel run oak_containers_system_image:push_base\n\n" +printf "If you want to use the newly created base, update the hash for\n" +printf "the oak_containers_sysimage_base oci_pull target in WORKSPACE\n\n" diff --git a/xtask/src/main.rs b/xtask/src/main.rs index 7f81135b69d..7047fa1bfd9 100644 --- a/xtask/src/main.rs +++ b/xtask/src/main.rs 
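Review bot: If `docker export` (or the redirect into `target/base-image.tar`) fails, `errexit` aborts the script before the `docker rm` line, so the container created by `docker create` is leaked on every failed run; register the cleanup right after creation instead: `trap 'docker rm "$NEW_DOCKER_CONTAINER_ID"' EXIT`. A failed export also leaves a truncated `target/base-image.tar` behind, which the `base_image_tar` filegroup would consume on the next `bazel run`; exporting to a temporary name and `mv`-ing into place only on success avoids that. Separately, `readonly NEW_DOCKER_CONTAINER_ID="$(docker create ...)"` returns the status of `readonly`, not of `docker create`, so `errexit` does not catch a failed create; split it into `NEW_DOCKER_CONTAINER_ID="$(docker create oak-containers-sysimage-base:latest)"` followed by `readonly NEW_DOCKER_CONTAINER_ID`.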
@@ -636,13 +636,19 @@ fn run_cargo_clean() -> Step { fn run_bazel_build() -> Step { Step::Single { name: "bazel build".to_string(), - command: Cmd::new("bazel", ["build", "--", "//...:all"]), + command: Cmd::new( + "bazel", + ["build", "--build_tag_filters=-noci", "--", "//java/...:all", "//cc/...:all"], + ), } } fn run_bazel_test() -> Step { Step::Single { name: "bazel test".to_string(), - command: Cmd::new("bazel", ["test", "--", "//...:all"]), + command: Cmd::new( + "bazel", + ["build", "--build_tag_filters=-noci", "--", "//java/...:all", "//cc/...:all"], + ), } }
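Review bot: `run_bazel_test` now invokes `bazel build` rather than `bazel test` — the new argument list on its `Cmd::new` line is a copy of the one in `run_bazel_build` — so the step named "bazel test" builds the targets but executes no tests, and xtask would report success with failing Bazel tests. The first element should be `"test"`, and because `--build_tag_filters` does not govern which tests run, `--test_tag_filters` should accompany it: `["test", "--build_tag_filters=-noci", "--test_tag_filters=-noci", "--", "//java/...:all", "//cc/...:all"]`. Both functions also narrow the pattern from `//...:all` to `//java/...` and `//cc/...`, which drops the rest of the workspace from the xtask build and test steps entirely rather than only the `noci`-tagged targets; if that is intended, a comment on each function saying why would stop the next reader from reverting it.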