From a34cd6ec9486bf9c1f80867bc5dc2c1888d67cb7 Mon Sep 17 00:00:00 2001
From: Rin Kuryloski
Date: Wed, 20 Jul 2022 19:24:22 +0200
Subject: Backport of updates to OCI workflows from master branch
---
.github/workflows/oci-base.yaml | 58 ++++++++++++++++++++++++
.github/workflows/oci.yaml | 42 ++++++-----------
packaging/base-image/Dockerfile | 18 ++++++++
packaging/docker-image/Dockerfile | 16 ++-----
packaging/docker-image/otp-versions/otp-max.yaml | 9 ----
packaging/docker-image/otp-versions/otp-min.yaml | 7 ---
6 files changed, 93 insertions(+), 57 deletions(-)
create mode 100644 .github/workflows/oci-base.yaml
create mode 100644 packaging/base-image/Dockerfile
delete mode 100644 packaging/docker-image/otp-versions/otp-max.yaml
delete mode 100644 packaging/docker-image/otp-versions/otp-min.yaml
diff --git a/.github/workflows/oci-base.yaml b/.github/workflows/oci-base.yaml
new file mode 100644
index 0000000000..93f3576f7c
--- /dev/null
+++ b/.github/workflows/oci-base.yaml
@@ -0,0 +1,58 @@
+# https://github.com/marketplace/actions/build-and-push-docker-images
+name: OCI Base Image
+on:
+ schedule:
+ - cron: '0 3 * * *'
+ workflow_dispatch:
+jobs:
+ build-publish:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Cache Docker layers
+ uses: actions/cache@v3.0.5
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-${{ matrix.image_tag_suffix }}-buildx-${{ github.event.pull_request.head.sha || github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-${{ matrix.image_tag_suffix }}-buildx-
+
+ - name: Check for Push Credentials
+ id: authorized
+ run: |
+ if [ -n "${{ secrets.DOCKERHUB_USERNAME }}" ]; then
+ echo "::set-output name=PUSH::true"
+ else
+ echo "::set-output name=PUSH::false"
+ fi
+
+ - name: Login to DockerHub
+ if: steps.authorized.outputs.PUSH == 'true'
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v2
+ with:
+ context: packaging/base-image
+ pull: true
+ push: ${{ steps.authorized.outputs.PUSH }}
+ tags: |
+ pivotalrabbitmq/ubuntu:20.04
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new
+
+ # Temp fix
+ # https://github.com/docker/build-push-action/issues/252
+ # https://github.com/moby/buildkit/issues/1896
+ - name: Move cache
+ run: |
+ rm -rf /tmp/.buildx-cache
+ mv /tmp/.buildx-cache-new /tmp/.buildx-cache
diff --git a/.github/workflows/oci.yaml b/.github/workflows/oci.yaml
index 39107ce920..5da1bc4441 100644
--- a/.github/workflows/oci.yaml
+++ b/.github/workflows/oci.yaml
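Review bot: The `key` and `restore-keys` of the "Cache Docker layers" step in oci-base.yaml interpolate `matrix.image_tag_suffix`, but the `build-publish` job defines no `strategy.matrix`, so that expression evaluates to an empty string; it looks carried over from oci.yaml and could be replaced with a fixed label, for example `key: ${{ runner.os }}-base-buildx-${{ github.sha }}`. The job also hands `DOCKERHUB_PASSWORD` to `docker/login-action@v1` while every third-party action is referenced by a mutable tag; pinning each `uses:` to a full commit SHA and declaring a top-level `permissions:` block with `contents: read` would narrow what a moved tag could do with the push credentials. In "Check for Push Credentials" the secret is expanded into the script text; passing it through `env:` and testing `[ -n "$DOCKERHUB_USERNAME" ]` keeps it out of the generated shell source.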
@@ -27,23 +27,15 @@ jobs: matrix: # Build image for every supported Erlang major version. # Source of truth for OTP versions (min & max): https://www.rabbitmq.com/which-erlang.html - image_tag_suffix: - - otp-min - - otp-max + include: + - image_tag_suffix: otp-min + otp_major: 24 + - image_tag_suffix: otp-max + otp_major: 25 steps: - name: Checkout uses: actions/checkout@v3 - - name: Load version info - id: load-info - run: | - # TODO: de-duplicate the info these files and MODULE.bazel - FILE=packaging/docker-image/otp-versions/${{ matrix.image_tag_suffix }}.yaml - echo "::set-output name=otp::$(yq eval '.otp' $FILE)" - echo "::set-output name=otp_major::$(yq eval '.otp_major' $FILE)" - echo "::set-output name=otp_sha256::$(yq eval '.otp_sha256' $FILE)" - echo "::set-output name=elixir::$(yq eval '.elixir' $FILE)" - - name: Mount Bazel Cache uses: actions/cache@v3.0.5 with: 
@@ -67,26 +59,17 @@ jobs: build:buildbuddy --remote_download_toplevel EOF - - name: Check for otp & elixir version exact match + - name: Load version info + id: load-info run: | - bazelisk build :otp_version --config=rbe-${{ steps.load-info.outputs.otp_major }} - if [ ! "$(cat bazel-bin/otp_version.txt)" == "${{ steps.load-info.outputs.otp }}" ]; then - echo "The version of erlang specified via bazel is $(cat bazel-bin/otp_version.txt), - echo "but ${{ steps.load-info.outputs.otp }} is expected." - exit 1 - fi - bazelisk build :elixir_version --config=rbe-${{ steps.load-info.outputs.otp_major }} - if [ ! "$(cat bazel-bin/elixir_version.txt)" == "${{ steps.load-info.outputs.elixir }}" ]; then - echo "The version of elixir specified via bazel is $(cat bazel-bin/elixir_version.txt), - echo "but ${{ steps.load-info.outputs.elixir }} is expected." - exit 1 - fi + bazelisk build :otp_version --config=rbe-${{ matrix.otp_major }} + echo "::set-output name=otp::$(cat bazel-bin/otp_version.txt)" - name: Build generic unix package run: | sed -i"_orig" -E '/APP_VERSION/ s/3\.[0-9]+\.[0-9]+/${{ github.event.pull_request.head.sha || github.sha }}/' rabbitmq.bzl bazelisk build :package-generic-unix \ - --config=rbe-${{ steps.load-info.outputs.otp_major }} + --config=rbe-${{ matrix.otp_major }} - name: Resolve generic unix package path run: | @@ -120,7 +103,7 @@ jobs: fi - name: Login to DockerHub - if: steps.authorized.outputs.PUSH + if: steps.authorized.outputs.PUSH == 'true' uses: docker/login-action@v1 with: username: ${{ secrets.DOCKERHUB_USERNAME }} @@ -141,6 +124,7 @@ jobs: uses: docker/build-push-action@v2 with: context: packaging/docker-image + pull: true push: ${{ steps.authorized.outputs.PUSH }} tags: | pivotalrabbitmq/rabbitmq:${{ steps.compute-tags.outputs.TAG_1 }} 
@@ -149,7 +133,7 @@ jobs: SKIP_PGP_VERIFY=true PGP_KEYSERVER=pgpkeys.eu OTP_VERSION=${{ steps.load-info.outputs.otp }} - OTP_SHA256=${{ steps.load-info.outputs.otp_sha256 }} + SKIP_OTP_VERIFY=true RABBITMQ_BUILD=rabbitmq_server-${{ github.event.pull_request.head.sha || github.sha }} cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache-new diff --git a/packaging/base-image/Dockerfile b/packaging/base-image/Dockerfile new file mode 100644 index 0000000000..74257bad8d --- /dev/null +++ b/packaging/base-image/Dockerfile @@ -0,0 +1,18 @@ +# The official Canonical Ubuntu Bionic image is ideal from a security perspective, +# especially for the enterprises that we, the RabbitMQ team, have to deal with +FROM ubuntu:20.04 + +RUN set -eux; \ + apt-get update; \ + apt-get install -y lsb-release ubuntu-dbgsym-keyring; \ + echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse" > /etc/apt/sources.list.d/ddebs.list; \ + echo "deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse" >> /etc/apt/sources.list.d/ddebs.list; \ + echo "deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" >> /etc/apt/sources.list.d/ddebs.list; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + # grab gosu for easy step-down from root + libc6-dbg \ + libgcc-s1-dbgsym \ + libstdc++6-dbgsym \ + libtinfo6-dbgsym \ + zlib1g-dbgsym diff --git a/packaging/docker-image/Dockerfile b/packaging/docker-image/Dockerfile index 4e0b8671ba..ced2a49e76 100644 --- a/packaging/docker-image/Dockerfile +++ b/packaging/docker-image/Dockerfile 
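Review bot: Replacing `OTP_SHA256` with `SKIP_OTP_VERIFY=true` in the `build-args` block removes the only check of the downloaded Erlang/OTP tarball that this diff shows, in a build that already sets `SKIP_PGP_VERIFY=true` and pushes to `pivotalrabbitmq/rabbitmq` when credentials are present. The matching hunk in packaging/docker-image/Dockerfile (`test "$SKIP_OTP_VERIFY" = "true" || … sha256sum --check --strict -`) makes the skip silent, so the build log does not record that verification was bypassed. I would keep a digest for pushed images and leave `SKIP_OTP_VERIFY` at its `false` default here. One option is to emit the digest next to `bazel-bin/otp_version.txt` and pass it as `OTP_SHA256`, assuming the Bazel rules already pin a checksum for the OTP archive, which is not visible in this diff.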
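Review bot: Two comments copied into packaging/base-image/Dockerfile are wrong for this file: the header names Ubuntu Bionic although the base is `ubuntu:20.04`, and `# grab gosu for easy step-down from root` sits above a package list that no longer installs gosu. I would reword them to something like `# Ubuntu 20.04 plus the debug-symbol packages shared by the RabbitMQ images` and `# debug symbols for the runtime libraries`. Since this image is published as `pivotalrabbitmq/ubuntu:20.04` and rebuilt nightly, a one-line comment on why the `-proposed` ddebs pocket is enabled would also help whoever audits the base later.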
@@ -1,22 +1,13 @@ # The official Canonical Ubuntu Bionic image is ideal from a security perspective, # especially for the enterprises that we, the RabbitMQ team, have to deal with -FROM ubuntu:20.04 +ARG BASE=ubuntu +FROM ${BASE}:20.04 RUN set -eux; \ - apt-get update; \ - apt-get install -y lsb-release ubuntu-dbgsym-keyring; \ - echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse" > /etc/apt/sources.list.d/ddebs.list; \ - echo "deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse" >> /etc/apt/sources.list.d/ddebs.list; \ - echo "deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" >> /etc/apt/sources.list.d/ddebs.list; \ apt-get update; \ apt-get install -y --no-install-recommends \ # grab gosu for easy step-down from root gosu \ - libc6-dbg \ - libgcc-s1-dbgsym \ - libstdc++6-dbgsym \ - libtinfo6-dbgsym \ - zlib1g-dbgsym \ ; \ rm -rf /var/lib/apt/lists/*; \ # verify that the "gosu" binary works @@ -44,6 +35,7 @@ ENV OTP_VERSION ${OTP_VERSION} # http://erlang.org/pipermail/erlang-questions/2019-January/097067.html ARG OTP_SHA256 ENV OTP_SOURCE_SHA256=${OTP_SHA256} +ARG SKIP_OTP_VERIFY=false # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -116,7 +108,7 @@ RUN set -eux; \ # Download, verify & extract OTP_SOURCE mkdir -p "$OTP_PATH"; \ wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \ - echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \ + test "$SKIP_OTP_VERIFY" = "true" || echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \ tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \ \ # Configure Erlang/OTP for compilation, disable unused features & applications 
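Review bot: `FROM ${BASE}:20.04` in the first hunk makes the base repository a build argument, but the comment directly above still describes it as the official Canonical image (and as Bionic, while the tag is 20.04). I would update it, e.g. `# BASE defaults to the official Ubuntu image; CI may substitute a prebuilt base that carries the debug-symbol packages`. None of the oci.yaml hunks in this patch adds a `BASE` build-arg, so either it is set in lines outside the diff or the published image silently loses the dbgsym packages removed here; that is worth confirming. If `BASE` is meant to point at the nightly `pivotalrabbitmq/ubuntu` image, the base's provenance then rests on that mutable tag, and the comment should say so.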
diff --git a/packaging/docker-image/otp-versions/otp-max.yaml b/packaging/docker-image/otp-versions/otp-max.yaml
deleted file mode 100644
index 0380682781..0000000000
--- a/packaging/docker-image/otp-versions/otp-max.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-otp: '25.0'
-otp_major: '25'
-# make -C packaging/docker-image find-otp-sha256 OTP_VERSION_MATCH=24.0
-otp_sha256: 5988e3bca208486494446e885ca2149fe487ee115cbc3770535fd22a795af5d2
-# Which is the max supported Elixir?
-# https://github.com/rabbitmq/rabbitmq-server/blob/master/deps/rabbitmq_cli/mix.exs#L14
-# Which is the latest Elixir release?
-# https://github.com/elixir-lang/elixir/tags
-elixir: '1.12.2'
\ No newline at end of file
diff --git a/packaging/docker-image/otp-versions/otp-min.yaml b/packaging/docker-image/otp-versions/otp-min.yaml
deleted file mode 100644
index acfec5d561..0000000000
--- a/packaging/docker-image/otp-versions/otp-min.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-otp: '24.3.4'
-otp_major: '24'
-# make -C packaging/docker-image find-otp-sha256 OTP_VERSION_MATCH=24.0
-otp_sha256: e59bedbb871af52244ca5284fd0a572d52128abd4decf4347fe2aef047b65c58
-# Which is the max supported Elixir?
-# https://github.com/rabbitmq/rabbitmq-server/blob/master/deps/rabbitmq_cli/mix.exs#L14
-elixir: '1.12.3'
--
cgit v1.2.1