From 21912710b5d0cf48b2761f1ee63200357dae1a40 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 25 Mar 2020 09:57:04 +0100 Subject: [PATCH 1/7] Revert "Jenkinsfile: disable Ubuntu 20.04 "focal" on armhf (arm32), pending fix" This reverts commit e406392457681ae7fa7c88eaaff094ca3b42da4d. Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0da60746..e321589b 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -18,7 +18,7 @@ def images = [ [image: "docker.io/balenalib/rpi-raspbian:buster", arches: ["armhf"]], [image: "docker.io/library/ubuntu:xenial", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 16.04 LTS (End of support: April, 2021. EOL: April, 2024) [image: "docker.io/library/ubuntu:bionic", arches: ["amd64", "aarch64", "armhf", "s390x"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028) - [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) + [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) [image: "docker.io/library/ubuntu:groovy", arches: ["amd64", "aarch64"]], // Ubuntu 20.10 (EOL: July, 2021) ] From feb432eb3db8c34a2547f7b7aab920b76ba45c53 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 25 Mar 2020 10:01:16 +0100 Subject: [PATCH 2/7] DEBUGGING: remove all platforms except for Ubuntu 20.03/armhf Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 36 +----------------------------------- 1 file changed, 1 insertion(+), 35 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index e321589b..5fdce76d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -6,18 +6,6 @@ // This list is ordered by Distro (alphabetically), and release (chronologically). // When adding a distro here, also open a pull request in the release repository. def images = [ - [image: "docker.io/library/amazonlinux:2", arches: ["aarch64"]], - [image: "docker.io/library/centos:7", arches: ["amd64", "aarch64"]], - [image: "docker.io/dockereng/rhel:7-s390x", arches: ["s390x"]], - [image: "docker.io/library/centos:8", arches: ["amd64", "aarch64"]], - [image: "docker.io/library/debian:buster", arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024) - [image: "docker.io/library/fedora:32", arches: ["amd64", "aarch64"]], - [image: "docker.io/library/fedora:33", arches: ["amd64", "aarch64"]], - [image: "docker.io/library/fedora:rawhide", arches: ["amd64"]], // Rawhide is the name given to the current development version of Fedora - [image: "docker.io/opensuse/leap:15", arches: ["amd64"]], - [image: "docker.io/balenalib/rpi-raspbian:buster", arches: ["armhf"]], - [image: "docker.io/library/ubuntu:xenial", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 16.04 LTS (End of support: April, 2021. EOL: April, 2024) - [image: "docker.io/library/ubuntu:bionic", arches: ["amd64", "aarch64", "armhf", "s390x"]], // Ubuntu 18.04 LTS (End of support: April, 2023. EOL: April, 2028) [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) [image: "docker.io/library/ubuntu:groovy", arches: ["amd64", "aarch64"]], // Ubuntu 20.10 (EOL: July, 2021) ] 
@@ -52,35 +40,13 @@ def generatePackageSteps(opts) { } } -def packageBuildSteps = [ - "windows": { -> - node("windows-2019") { - stage("windows") { - try { - checkout scm - sh("make -f Makefile.win archive") - } finally { - deleteDir() - } - } - } - } -] +def packageBuildSteps = [:] packageBuildSteps << images.collectEntries { generatePackageSteps(it) } pipeline { agent none stages { - stage('Check file headers') { - agent { label 'linux&&amd64' } - steps{ - script{ - checkout scm - sh "make validate" - } - } - } stage('Build packages') { steps { script { From 5c9fe569bca12258cacdcc634ef7c12a430d28c6 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 8 Jul 2020 14:37:27 +0200 Subject: [PATCH 3/7] Use ubuntu-18.04 to force EC2 machines Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 5fdce76d..93752f8a 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -7,12 +7,11 @@ // When adding a distro here, also open a pull request in the release repository. def images = [ [image: "docker.io/library/ubuntu:focal", arches: ["amd64", "aarch64", "armhf"]], // Ubuntu 20.04 LTS (End of support: April, 2025. EOL: April, 2030) - [image: "docker.io/library/ubuntu:groovy", arches: ["amd64", "aarch64"]], // Ubuntu 20.10 (EOL: July, 2021) ] def generatePackageStep(opts, arch) { return { - wrappedNode(label: "linux&&${arch}") { + wrappedNode(label: "ubuntu-1804&&${arch}") { stage("${opts.image}-${arch}") { try { sh 'docker version' From 81253bd3de9c9bcd3db4db29f86b44f7769365a7 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 10 Jul 2020 11:26:03 +0200 Subject: [PATCH 4/7] Try building with --security=insecure Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 7 +++++++ dockerfiles/deb.dockerfile | 1 + 2 files changed, 8 insertions(+) diff --git a/Jenkinsfile b/Jenkinsfile index 93752f8a..7a32d917 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -14,6 +14,13 @@ def generatePackageStep(opts, arch) { wrappedNode(label: "ubuntu-1804&&${arch}") { stage("${opts.image}-${arch}") { try { + sh ''' + sudo mkdir -p /etc/docker + sudo sh -c \'echo {\\"builder\\":{\\"entitlements\\":{\\"security-insecure\\": true}}} > /etc/docker/daemon.json\' + cat /etc/docker/daemon.json + sudo systemctl restart docker + sudo journalctl -u docker + ''' sh 'docker version' sh 'docker info' sh ''' diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile index 00c0dc21..54930b6e 100644 --- a/dockerfiles/deb.dockerfile +++ b/dockerfiles/deb.dockerfile @@ -74,6 +74,7 @@ ARG CREATE_ARCHIVE # with CGO when building multiple distros on the same machine / build-cache RUN --mount=type=bind,from=golang,source=/usr/local/go/,target=/usr/local/go/ \ --mount=type=bind,source=/src,target=/go/src,rw \ + --security=insecure \ /root/build-deb ARG UID=0 ARG GID=0 From 9a324ff13a0925d230129c8c75fee750a9084658 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 10 Jul 2020 11:49:51 +0200 Subject: [PATCH 5/7] Remove --insecure from Dockerfile, try daemon config only Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 16 +++++++++------- dockerfiles/deb.dockerfile | 1 - 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 7a32d917..338282fd 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
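Review bot: Nothing in this hunk restores `/etc/docker/daemon.json` after the added `sh` block overwrites it with a config granting the `security-insecure` builder entitlement, so the CI node may keep accepting unsandboxed build steps for every later job scheduled on it. The block runs for every architecture and discards whatever daemon settings the node already had. The same block reappears in the `@@ -14,13 +14,15 @@` hunk of patch 5/7, gated on `arch == "armhf"` but still without a restore. Consider backing up the existing file and restoring it, followed by a daemon restart, in the cleanup path of this `try` (its end lies outside the hunk), or setting the entitlement when a dedicated node is provisioned rather than from the pipeline. `sudo journalctl -u docker` also prints the whole unit journal into the build log; `sudo journalctl -u docker --no-pager -n 50` would bound it.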
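Review bot: `--security=insecure` is attached to the one `RUN` that executes the whole `/root/build-deb` script, so every command that script starts runs outside the build sandbox, not just the step that needed it. The hunk gives no comment saying which operation fails under the default profile. If the flag is kept, a line such as `# NOTE: --security=insecure is a temporary armhf workaround; remove once the seccomp issue is fixed` above the `RUN` would record that, and narrowing the flag to a separate `RUN` for the failing step would limit the exposure. The surrounding stage starts and ends outside the hunk.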
@@ -14,13 +14,15 @@ def generatePackageStep(opts, arch) { wrappedNode(label: "ubuntu-1804&&${arch}") { stage("${opts.image}-${arch}") { try { - sh ''' - sudo mkdir -p /etc/docker - sudo sh -c \'echo {\\"builder\\":{\\"entitlements\\":{\\"security-insecure\\": true}}} > /etc/docker/daemon.json\' - cat /etc/docker/daemon.json - sudo systemctl restart docker - sudo journalctl -u docker - ''' + if (arch == "armhf") { + // TODO remove this: temporarily using "insecure" builds on armhf to disable seccomp + sh ''' + sudo mkdir -p /etc/docker + sudo sh -c \'echo {\\"builder\\":{\\"entitlements\\":{\\"security-insecure\\": true}}} > /etc/docker/daemon.json\' + cat /etc/docker/daemon.json + sudo systemctl restart docker + ''' + } sh 'docker version' sh 'docker info' sh ''' diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile index 54930b6e..00c0dc21 100644 --- a/dockerfiles/deb.dockerfile +++ b/dockerfiles/deb.dockerfile @@ -74,7 +74,6 @@ ARG CREATE_ARCHIVE # with CGO when building multiple distros on the same machine / build-cache RUN --mount=type=bind,from=golang,source=/usr/local/go/,target=/usr/local/go/ \ --mount=type=bind,source=/src,target=/go/src,rw \ - --security=insecure \ /root/build-deb ARG UID=0 ARG GID=0 From 12a3a0c0d85afef975af3563800b24f5c2d9b8cc Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 10 Jul 2020 12:49:59 +0200 Subject: [PATCH 6/7] Build without buildkit Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 9 --- Makefile | 24 +++++- dockerfiles/deb.dockerfile | 8 +- dockerfiles/deb.dockerfile.nobuildkit | 104 ++++++++++++++++++++++++++ 4 files changed, 128 insertions(+), 17 deletions(-) create mode 100644 dockerfiles/deb.dockerfile.nobuildkit diff --git a/Jenkinsfile b/Jenkinsfile index 338282fd..93752f8a 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -14,15 +14,6 @@ def generatePackageStep(opts, arch) { wrappedNode(label: "ubuntu-1804&&${arch}") { stage("${opts.image}-${arch}") { try { - if (arch == "armhf") { - // TODO remove this: temporarily using "insecure" builds on armhf to disable seccomp - sh ''' - sudo mkdir -p /etc/docker - sudo sh -c \'echo {\\"builder\\":{\\"entitlements\\":{\\"security-insecure\\": true}}} > /etc/docker/daemon.json\' - cat /etc/docker/daemon.json - sudo systemctl restart docker - ''' - } sh 'docker version' sh 'docker info' sh ''' diff --git a/Makefile b/Makefile index 3e546862..521cc3d5 100644 --- a/Makefile +++ b/Makefile @@ -94,7 +94,21 @@ build: @if [ -z "$(BUILD_BASE)" ]; then echo "Invalid build image $(BUILD_IMAGE) no build base found"; exit 1; fi @if [ -z "$(BUILD_TYPE)" ]; then echo "Invalid build image $(BUILD_IMAGE) no build type found"; exit 1; fi - @set -x; DOCKER_BUILDKIT=1 docker build \ +# @set -x; DOCKER_BUILDKIT=1 docker build \ +# --pull \ +# --build-arg GOLANG_IMAGE="$(GOLANG_IMAGE)" \ +# --build-arg BUILD_IMAGE="$(BUILD_IMAGE)" \ +# --build-arg BASE="$(BUILD_BASE)" \ +# --build-arg CREATE_ARCHIVE="$(CREATE_ARCHIVE)" \ +# --build-arg UID="$(shell id -u)" \ +# --build-arg GID="$(shell id -g)" \ +# --file="dockerfiles/$(BUILD_TYPE).dockerfile" \ +# --progress="$(PROGRESS)" \ +# --target="$(TARGET)" \ +# --output=. \ +# . +# + @set -x; DOCKER_BUILDKIT=0 docker build \ --pull \ --build-arg GOLANG_IMAGE="$(GOLANG_IMAGE)" \ --build-arg BUILD_IMAGE="$(BUILD_IMAGE)" \ 
@@ -102,11 +116,15 @@ build: --build-arg CREATE_ARCHIVE="$(CREATE_ARCHIVE)" \ --build-arg UID="$(shell id -u)" \ --build-arg GID="$(shell id -g)" \ - --file="dockerfiles/$(BUILD_TYPE).dockerfile" \ + --file="dockerfiles/$(BUILD_TYPE).dockerfile.nobuildkit" \ --progress="$(PROGRESS)" \ --target="$(TARGET)" \ - --output=. \ + --tag=containerd \ . + @set -x; export cid=$$(docker create containerd sh); \ + docker cp $$cid:/archive/ ./; \ + docker cp $$cid:/build/ ./; \ + docker rm -f $$cid .PHONY: validate validate: ## Validate files license header diff --git a/dockerfiles/deb.dockerfile b/dockerfiles/deb.dockerfile index 00c0dc21..36c9b018 100644 --- a/dockerfiles/deb.dockerfile +++ b/dockerfiles/deb.dockerfile @@ -70,11 +70,9 @@ FROM build-env AS build-packages RUN mkdir -p /archive /build COPY common/containerd.service common/containerd.toml /root/common/ ARG CREATE_ARCHIVE -# NOTE: not using a cache-mount for /root/.cache/go-build, to prevent issues -# with CGO when building multiple distros on the same machine / build-cache -RUN --mount=type=bind,from=golang,source=/usr/local/go/,target=/usr/local/go/ \ - --mount=type=bind,source=/src,target=/go/src,rw \ - /root/build-deb +COPY --from=golang /usr/local/go/ /usr/local/go/ +COPY /src /go/src +RUN /root/build-deb ARG UID=0 ARG GID=0 RUN chown -R ${UID}:${GID} /archive /build diff --git a/dockerfiles/deb.dockerfile.nobuildkit b/dockerfiles/deb.dockerfile.nobuildkit new file mode 100644 index 00000000..36c9b018 --- /dev/null +++ b/dockerfiles/deb.dockerfile.nobuildkit 
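Review bot: A failed `docker cp` does not fail the `build` target, because the added recipe chains `docker create`, both `docker cp` calls and `docker rm` with `;` under `set -x` only, so the job can continue with missing or stale `archive/` and `build/` directories. The fixed `--tag=containerd` is also shared by every build on the same daemon, so two builds running in parallel on one node could copy each other's output; the Dockerfile comments in this series mention building multiple distros on the same machine. Capturing the image ID with `--iidfile` and running the extraction under `set -e` avoids both (`.build-iid` below is a constructed file name). The `build` recipe starts outside this hunk.

```makefile
# … unchanged: docker build arguments up to --target …
		--iidfile=.build-iid \
		.
	@set -ex; cid=$$(docker create "$$(cat .build-iid)" sh); \
		trap 'docker rm -f "$$cid"' EXIT; \
		docker cp "$$cid":/archive/ ./; \
		docker cp "$$cid":/build/ ./
```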
@@ -0,0 +1,104 @@ +# syntax=docker/dockerfile:experimental + + +# Copyright 2018-2020 Docker Inc. + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG BUILD_IMAGE=ubuntu:bionic +ARG GOLANG_IMAGE=golang:latest + +# Install golang from the official image, since the package managed +# one probably is too old and ppa's don't cover all distros +FROM ${GOLANG_IMAGE} AS golang + +FROM golang AS go-md2man +ARG GOPROXY=direct +ARG GO111MODULE=on +ARG MD2MAN_VERSION=v2.0.0 +RUN go get github.com/cpuguy83/go-md2man/v2/@${MD2MAN_VERSION} + +FROM ${BUILD_IMAGE} AS distro-image + +FROM distro-image AS build-env +RUN mkdir -p /go +ENV GOPATH=/go +ENV PATH="${PATH}:/usr/local/go/bin:${GOPATH}/bin" +ENV IMPORT_PATH=github.com/containerd/containerd +ENV GO_SRC_PATH="/go/src/${IMPORT_PATH}" +ARG DEBIAN_FRONTEND=noninteractive +WORKDIR /root/containerd + +# Install some pre-reqs +# NOTE: not using a cache-mount for apt, to prevent issues when building multiple +# distros on the same machine / build-cache +RUN apt-get update -q && apt-get install -y --no-install-recommends \ + curl \ + devscripts \ + equivs \ + git \ + lsb-release \ + && apt-get clean \ + && rm -rf /var/cache/apt /var/lib/apt/lists/* + +# Install build dependencies and build scripts +COPY --from=go-md2man /go/bin/go-md2man /go/bin/go-md2man +COPY debian/ debian/ +# NOTE: not using a cache-mount for apt, to prevent issues when building multiple +# distros on the same machine / build-cache +RUN apt-get update -q \ + && 
mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" -i debian/control \ + && apt-get clean \ + && rm -rf /var/cache/apt /var/lib/apt/lists/* +COPY scripts/build-deb /root/ +COPY scripts/.helpers /root/ + +ARG PACKAGE +ENV PACKAGE=${PACKAGE:-containerd.io} + +FROM build-env AS build-packages +RUN mkdir -p /archive /build +COPY common/containerd.service common/containerd.toml /root/common/ +ARG CREATE_ARCHIVE +COPY --from=golang /usr/local/go/ /usr/local/go/ +COPY /src /go/src +RUN /root/build-deb +ARG UID=0 +ARG GID=0 +RUN chown -R ${UID}:${GID} /archive /build + +# Verify that installing the package succeeds succesfully, and if we're able +# to run both containerd and runc. This is just a rudimentary check to make +# sure that package dependencies are installed and that the binaries are not +# completely defunct. +FROM distro-image AS verify-packages +COPY --from=build-packages /build /build +# NOTE: not using a cache-mount for apt, to prevent issues when building multiple +# distros on the same machine / build-cache +RUN apt-get update -q \ + && dpkg --force-depends -i $(find /build -mindepth 3 -type f -name containerd.io_*.deb) || true; \ + apt-get -y install --no-install-recommends --fix-broken \ + && apt-get clean \ + && rm -rf /var/cache/apt /var/lib/apt/lists/* +RUN containerd --version +RUN ctr --version +RUN runc --version + +FROM scratch AS packages +COPY --from=build-packages /archive /archive +COPY --from=verify-packages /build /build + +# This stage is mainly for debugging (running the build interactively with mounted source) +FROM build-env AS runtime +COPY --from=golang /usr/local/go/ /usr/local/go/ +COPY common/containerd.service common/containerd.toml /root/common/ From 5ab13d562f93868eb2c4aa3742e3804c80d89322 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 10 Jul 2020 13:44:28 +0200 Subject: [PATCH 7/7] Use Ubuntu 20.04 nodes 
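Review bot: The new `deb.dockerfile.nobuildkit` has the same blob id as the patched `deb.dockerfile` (both index lines end in `36c9b018`), so the series now carries two identical 104-line files and the Makefile's `.nobuildkit` suffix selects nothing different. Keeping a single file, or leaving `deb.dockerfile` on the BuildKit mounts so the two actually differ, avoids later fixes landing in only one copy. The first line `# syntax=docker/dockerfile:experimental` is presumably left over, since the `COPY`-based steps no longer use `RUN --mount`; dropping it would avoid implying that the file needs the experimental frontend.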
Signed-off-by: Sebastiaan van Stijn --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 93752f8a..840433ee 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -11,7 +11,7 @@ def images = [ def generatePackageStep(opts, arch) { return { - wrappedNode(label: "ubuntu-1804&&${arch}") { + wrappedNode(label: "ubuntu-2004&&${arch}") { stage("${opts.image}-${arch}") { try { sh 'docker version'