Bug 1422326 - Use fewer layers in HACL* docker image r=franziskus

Summary: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=2fc53af42652ac888f87516a4f681cab56135f6a Reviewers: franziskus Reviewed By: franziskus Differential Revision: https://phabricator.services.mozilla.com/D308
author: Tim Taubert <ttaubert@mozilla.com> 2017-12-01 16:17:06 +0100
committer: Tim Taubert <ttaubert@mozilla.com> 2017-12-01 16:17:06 +0100
commit: c00df3870876ac841b890f328da112c80c04f12e (patch)
tree: db9e1ada2b693536604d341e70d77bf705b51508
parent: 07ec5f898074ac09b24ec124a33d717d1ef01ab0 (diff)
download: nss-hg-c00df3870876ac841b890f328da112c80c04f12e.tar.gz
4 files changed, 63 insertions, 44 deletions
diff --git a/automation/taskcluster/docker-hacl/Dockerfile b/automation/taskcluster/docker-hacl/Dockerfile
index 12a798101..399513143 100644
--- a/automation/taskcluster/docker-hacl/Dockerfile
+++ b/automation/taskcluster/docker-hacl/Dockerfile
@@ -12,56 +12,18 @@ ENV opamv 4.04.2
 ENV haclversion 122e47dee739029f7dd8e7b9dd8e9d77e8646652
 
 # Install required packages and set versions
-RUN apt-get -qq update
-RUN apt-get install --yes sudo libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget
-RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
-RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
+ADD setup.sh /tmp/setup.sh
+RUN bash /tmp/setup.sh
 
-# Create user
+# Create user, add scripts.
 RUN useradd -ms /bin/bash worker
-RUN echo "worker ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
 WORKDIR /home/worker
-
-# Add build and test scripts.
 ADD bin /home/worker/bin
 RUN chmod +x /home/worker/bin/*
 USER worker
 
-# Prepare build (OCaml packages)
+# Build F*, HACL*, verify. Install a few more dependencies.
 ENV OPAMYES true
-RUN opam init
-RUN echo ". /home/worker/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true" >> .bashrc
-RUN opam switch -v ${opamv}
-RUN opam install ocamlfind batteries sqlite3 fileutils yojson ppx_deriving_yojson zarith pprint menhir ulex process fix wasm stdint
-
-# Get the HACL* code
-RUN git clone ${haclrepo} hacl-star
-RUN git -C hacl-star checkout ${haclversion}
-
-# Prepare submodules, and build, verify, test, and extract c code
-# This caches the extracted c code (pins the HACL* version). All we need to do
-# on CI now is comparing the code in this docker image with the one in NSS.
-RUN opam config exec -- make -C hacl-star prepare -j$(nproc)
 ENV PATH "/home/worker/hacl-star/dependencies/z3/bin:$PATH"
-RUN make -C hacl-star verify-nss -j$(nproc)
-RUN make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc)
-RUN KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc)
-RUN make -C hacl-star/code/salsa-family test -j$(nproc)
-
-# Get clang-format-3.9
-RUN curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-RUN curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
-# Verify the signature.
-RUN gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-RUN gpg --verify *.tar.xz.sig
-# Install into /usr/local/.
-RUN sudo tar xJvf *.tar.xz -C /usr/local --strip-components=1
-# Cleanup.
-RUN rm *.tar.xz*
-
-# Cleanup
-RUN rm -rf ~/.ccache ~/.cache
-RUN rm -rf /home/worker/hacl-star/dependencies
-RUN sudo apt-get autoremove -y
-RUN sudo apt-get clean
-RUN sudo apt-get autoclean
+ADD setup-user.sh /tmp/setup-user.sh
+RUN bash /tmp/setup-user.sh
diff --git a/automation/taskcluster/docker-hacl/setup-user.sh b/automation/taskcluster/docker-hacl/setup-user.sh
new file mode 100644
index 000000000..ef341ec7d
--- /dev/null
+++ b/automation/taskcluster/docker-hacl/setup-user.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Prepare build (OCaml packages)
+opam init
+echo ". /home/worker/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true" >> .bashrc
+opam switch -v ${opamv}
+opam install ocamlfind batteries sqlite3 fileutils yojson ppx_deriving_yojson zarith pprint menhir ulex process fix wasm stdint
+
+# Get the HACL* code
+git clone ${haclrepo} hacl-star
+git -C hacl-star checkout ${haclversion}
+
+# Prepare submodules, and build, verify, test, and extract c code
+# This caches the extracted c code (pins the HACL* version). All we need to do
+# on CI now is comparing the code in this docker image with the one in NSS.
+opam config exec -- make -C hacl-star prepare -j$(nproc)
+make -C hacl-star verify-nss -j$(nproc)
+make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc)
+KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc)
+make -C hacl-star/code/salsa-family test -j$(nproc)
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
+rm -rf /home/worker/hacl-star/dependencies
diff --git a/automation/taskcluster/docker-hacl/setup.sh b/automation/taskcluster/docker-hacl/setup.sh
new file mode 100644
index 000000000..418150a4f
--- /dev/null
+++ b/automation/taskcluster/docker-hacl/setup.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Update packages.
+export DEBIAN_FRONTEND=noninteractive
+apt-get -qq update
+apt-get install --yes libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget locales
+update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
+update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
+
+# Get clang-format-3.9
+curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+# Verify the signature.
+gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
+gpg --verify *.tar.xz.sig
+# Install into /usr/local/.
+tar xJvf *.tar.xz -C /usr/local --strip-components=1
+# Cleanup.
+rm *.tar.xz*
+
+locale-gen en_US.UTF-8
+dpkg-reconfigure locales
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
+apt-get autoremove -y
+apt-get clean
+apt-get autoclean
diff --git a/automation/taskcluster/graph/src/image_builder.js b/automation/taskcluster/graph/src/image_builder.js
index 1346f43b2..b89b6980c 100644
--- a/automation/taskcluster/graph/src/image_builder.js
+++ b/automation/taskcluster/graph/src/image_builder.js
@@ -54,6 +54,7 @@ export async function buildTask({name, path}) {
     ],
     platform: "nss-decision",
     features: ["dind"],
+    maxRunTime: 7200,
     kind: "build",
     symbol: "I"
   };
author	Tim Taubert <ttaubert@mozilla.com>	2017-12-01 16:17:06 +0100
committer	Tim Taubert <ttaubert@mozilla.com>	2017-12-01 16:17:06 +0100
commit	c00df3870876ac841b890f328da112c80c04f12e (patch)
tree	db9e1ada2b693536604d341e70d77bf705b51508
parent	07ec5f898074ac09b24ec124a33d717d1ef01ab0 (diff)
download	nss-hg-c00df3870876ac841b890f328da112c80c04f12e.tar.gz