#################################################################################################
# Stage "build-deps"
# - Toolchain image: compilers/interpreters, build tools and OS packages on debian buster-slim
#################################################################################################
# NOTE(review): the base is referenced by tag only, so the image it resolves to can change
# between builds; pin it by digest if this stage has to be reproducible.
FROM debian:buster-slim AS build-deps

# --- Toolchain versions (all overridable with --build-arg) ---
# OCaml compiler: OCAML_VERSION names the opam switch, OCAML_REVISION is appended to it to
# form the ocaml-base-compiler package version.
ARG OCAML_VERSION=4.07
ARG OCAML_REVISION=.1
# opam release whose binary is downloaded from GitHub
ARG OPAM_VERSION=2.0.7
# Go release; interpolated into the name of the tarball that gets downloaded
ARG GO_VERSION=1.13.10
# Rust toolchain handed to rustup-init ("stable", "nightly" or similar are also accepted)
ARG RUST_VERSION=1.43.0
# RocksDB tag or branch to clone
ARG ROCKSDB_VERSION=v5.17.2

# --- OS packages ---
# DEBIAN_FRONTEND is set with ENV, so it stays in the environment of every stage built from
# this one, not only for the apt run below.
ENV DEBIAN_FRONTEND=noninteractive
# apt first gets https transport and pkg-config, then the full dependency list in a second
# install. Recommended packages are installed too (no --no-install-recommends) and no package
# version is pinned, so the exact package set depends on the archive state at build time.
RUN apt-get update && \
    apt-get install -y apt-transport-https pkg-config && \
    apt-get install -y \
      build-essential \
      cmake \
      curl \
      file \
      git \
      libboost-dev \
      libboost-program-options-dev \
      libbz2-dev \
      libcap-dev \
      libffi-dev \
      libgmp-dev \
      libgmp3-dev \
      libjemalloc-dev \
      libpq-dev \
      libprocps-dev \
      libsodium-dev \
      libssl-dev \
      m4 \
      rsync \
      sudo \
      unzip \
      zlib1g-dev
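# Create the "opam" user (uid 1000, no password, account locked) that later steps run as,
# and give it sudo "to make opam happy".
# - The sudoers drop-in is root-owned with mode 0440, as sudo requires.
# - NOTE(review): NOPASSWD:ALL makes anything that runs as opam in this image root-equivalent,
#   including package build scripts (opam is initialised with sandboxing disabled further
#   down). Narrow the rule to the commands opam really needs if that list is known.
# - /tmp is set to 1777 rather than 777: the leading 1 keeps the sticky bit, so a user can
#   only delete or rename their own files in the shared temp directory.
RUN adduser --uid 1000 --disabled-password --gecos '' opam && \
    passwd -l opam && \
    chown -R opam:opam /home/opam && \
    echo 'opam ALL=(ALL:ALL) NOPASSWD:ALL' > /etc/sudoers.d/opam && \
    chmod 440 /etc/sudoers.d/opam && \
    chown root:root /etc/sudoers.d/opam && \
    chmod 1777 /tmp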
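# Install the opam binary for OPAM_VERSION from the GitHub release page.
# - --fail makes curl exit non-zero on an HTTP error instead of saving the error page as
#   /usr/bin/opam and marking it executable.
# - --proto/--proto-redir restrict the download and its redirects to https.
# - OPAM_SHA256 is optional: when a digest is passed (--build-arg OPAM_SHA256=<sha256 of the
#   release binary>) the download is verified before it is made executable. It defaults to
#   empty, which keeps the previous unverified behaviour; set it wherever hashed and validated
#   downloads are required.
ARG OPAM_SHA256=""
RUN curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL \
      "https://github.com/ocaml/opam/releases/download/${OPAM_VERSION}/opam-${OPAM_VERSION}-x86_64-linux" \
      -o /usr/bin/opam && \
    if [ -n "${OPAM_SHA256}" ]; then \
      echo "${OPAM_SHA256}  /usr/bin/opam" | sha256sum -c -; \
    fi && \
    chmod +x /usr/bin/opam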
# bubblewrap was disabled in other builds via the dockerfile-toolchain images, and in the default opam2 image.
# Importantly, this also allows the entire container to be built with a permissionless builder, avoiding docker-in-docker
# Keeping the exact install steps from the official opam image in case we want to re-enable in the future.
#RUN curl -fL https://github.com/projectatomic/bubblewrap/releases/download/v0.4.1/bubblewrap-0.4.1.tar.xz | \
# tar -xJ && \
# cd bubblewrap-0.4.1 && ./configure --prefix=/usr/local && make && sudo make install && \
# cd - && rm -rf bubblewrap-0.4.1
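# Install the Go distribution for GO_VERSION under /usr/lib/go
# (add -v to tar for a listing of every file from the go dist).
# TODO: rosetta requires binary file downloads of this sort to be hashed + validated
# - The tarball is saved to a file first instead of being piped into tar: with the default
#   shell a pipeline reports only the status of its last command, so a failed or truncated
#   download was judged solely by how tar reacted to it.
# - --fail turns HTTP errors into a failed build step; --proto limits the transfer to https.
# - GO_SHA256 is optional: pass --build-arg GO_SHA256=<sha256 of the tarball> to verify the
#   archive before it is unpacked. The empty default keeps the previous unverified behaviour.
ARG GO_SHA256=""
RUN curl --proto '=https' --tlsv1.2 -fsS \
      -o /tmp/go.tar.gz \
      "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" && \
    if [ -n "${GO_SHA256}" ]; then \
      echo "${GO_SHA256}  /tmp/go.tar.gz" | sha256sum -c -; \
    fi && \
    tar -xzf /tmp/go.tar.gz -C /usr/lib/ && \
    rm /tmp/go.tar.gz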
# Install Rust RUST_VERSION (minimal profile) with rustup-init.
# Rather than adding the rustup shell script, which mostly just detects the platform, the
# rustup-init binary for the only platform this image targets is downloaded directly.
# See https://github.com/rust-lang/rustup/blob/master/README.md for more on rustup-init.
# TODO: rosetta requires binary file downloads of this sort to be hashed + validated
# - The URL carries no rustup version, so the binary that is executed is whatever upstream
#   publishes at build time; RUST_VERSION pins the toolchain only, not the installer.
# - NOTE(review): this runs before "USER opam", so rustup presumably installs under root's
#   home, while the PATH set later points at the opam user's ~/.cargo/bin. Confirm that the
#   toolchain is reachable from the later build steps.
RUN curl --proto '=https' --tlsv1.2 \
      --silent --show-error --fail \
      --output /tmp/rustup-init \
      https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init && \
    chmod +x /tmp/rustup-init && \
    /tmp/rustup-init -y --profile minimal --default-toolchain "${RUST_VERSION}" && \
    rm /tmp/rustup-init
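# Build only the RocksDB static library, install it as librocksdb_coda.a, and remove the
# source tree again within the same layer.
# - ROCKSDB_VERSION is a tag or branch name resolved at clone time, not a commit id, so the
#   code that is built follows wherever upstream points that ref.
# - strip is called directly: this step runs before "USER opam", i.e. already as root, so the
#   sudo wrapper added nothing.
RUN git clone https://github.com/facebook/rocksdb \
      --depth 1 --shallow-submodules \
      -b "${ROCKSDB_VERSION}" /rocksdb && \
    make -C /rocksdb static_lib PORTABLE=1 -j"$(nproc)" && \
    cp /rocksdb/librocksdb.a /usr/local/lib/librocksdb_coda.a && \
    rm -rf /rocksdb && \
    strip -S /usr/local/lib/librocksdb_coda.a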
###########################################################################################
# Minimal opam initialisation
###########################################################################################
# Everything below runs as the opam user, from its home directory
WORKDIR /home/opam
USER opam
ENV HOME=/home/opam

# Per-user configuration written as opam:
#  - ~/.gnupg is created with mode 700 and dirmngr is told to disable IPv6
#  - ~/.bashrc puts go and cargo on the PATH and lifts the stack limit for future shells
#    (those that might use spacetime)
RUN mkdir -m 700 ~/.gnupg && \
    printf '%s\n' \
      'export PATH="$PATH:/usr/lib/go/bin:$HOME/.cargo/bin"' \
      'ulimit -s unlimited' >> ~/.bashrc && \
    printf '%s\n' 'disable-ipv6' >> ~/.gnupg/dirmngr.conf

# The same PATH additions for non-interactive build steps; $HOME here is /home/opam
ENV PATH="$PATH:/usr/lib/go/bin:$HOME/.cargo/bin"

# Lets opam assume "yes" without -y on every call (the commands still pass it where it is easy)
ENV OPAMYES=1
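# Install OCaml OCAML_VERSION through an opam switch.
# opam is initialised from a local clone of opam-repository with sandboxing disabled, because
# bubblewrap was not installed above.
# - The repository is cloned over https. The previous git:// URL used the unauthenticated,
#   unencrypted git protocol, so the package metadata opam trusts could be altered in
#   transit; GitHub has also stopped serving git://.
# - --depth 1 takes the default branch as it is at build time; the repository state is not
#   pinned to a commit.
# - NOTE(review): with sandboxing off, package build scripts run unconfined as the opam user,
#   which holds passwordless sudo in this image.
RUN git clone https://github.com/ocaml/opam-repository \
      --depth 1 \
      /home/opam/opam-repository && \
    opam init --disable-sandboxing -k git -a ~/opam-repository --bare && \
    opam switch create "${OCAML_VERSION}" "ocaml-base-compiler.${OCAML_VERSION}${OCAML_REVISION}" && \
    opam switch "${OCAML_VERSION}"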
# Alternate variants for 4.07 that are included in the official opam image
# opam switch create 4.07+afl ocaml-variants.4.07.1+afl && \
# opam switch create 4.07+flambda ocaml-variants.4.07.1+flambda && \
# opam switch create 4.07+default-unsafe-string ocaml-variants.4.07.1+default-unsafe-string && \
# opam switch create 4.07+force-safe-string ocaml-variants.4.07.1+force-safe-string && \
#################################################################################################
# Stage "opam-deps"
# - Builds on the build-deps image
# - Installs all opam dependencies and pins from coda's github
# - Holds the whole coda codebase and its submodules in "${CODA_DIR}" (must be writable by
#   the opam user)
# - Largely mirrors/replaces ./scripts/setup-opam.sh
#################################################################################################
FROM build-deps AS opam-deps

# Directory (relative to $HOME) of the checkout used for pins and external package commits
ARG CODA_DIR=coda
# Branch or tagged release to check out; it is the only ref available inside the container.
# The default is a branch, so the sources that get built are whatever it points to when the
# image is built.
ARG CODA_BRANCH=develop
# Location of the external packages inside the checkout
ARG EXTERNAL_PKG_DIR=$CODA_DIR/src/external

# Do not keep or reuse opam build dirs: pinned packages are then reinstalled from the Coda
# sources and the image stays a reasonable size
ENV OPAMKEEPBUILDDIR=false \
    OPAMREUSEBUILDDIR=false

# Shallow clone including submodules. git clones into an empty dir, and doing it here also
# lets the workdir be set in advance.
RUN git clone \
      --branch "${CODA_BRANCH}" \
      --recurse-submodules \
      --shallow-submodules \
      --depth 1 \
      https://github.com/CodaProtocol/coda ${HOME}/${CODA_DIR}
WORKDIR $HOME/$CODA_DIR
# TODO: handle this opam work without cloning the full repository (directly pull src/opam.export)
# Install every OCaml package listed in src/opam.export (strict import), then drop unused
# repositories, logs and caches in the same layer.
RUN opam switch import src/opam.export --strict && \
    opam clean --unused-repositories --logs -cs

# Pin the packages vendored under src/external, in this order; the step stops at the first
# pin that fails.
RUN eval $(opam config env) && \
    for pin in \
      ocaml-extlib \
      ocaml-sodium \
      rpc_parallel \
      digestif \
      async_kernel \
      coda_base58 \
      graphql_ppx; \
    do \
      opam pin add "src/external/${pin}" || exit 1; \
    done && \
    opam clean --unused-repositories --logs -cs
#&& \
#rm -rf src/external
#################################################################################################
# Stage "builder"
# - Builds coda and the other binaries required to run a node
# - Must hold only the node software, no data tied to joining a specific network
#################################################################################################
FROM opam-deps AS builder

# dune build profile used for the binaries built in this stage
ARG DUNE_PROFILE=testnet_postake_medium_curves

# The user, HOME and workdir carry over from opam-deps; the explicit re-declaration below is
# left disabled.
#USER opam
#ENV HOME /home/opam
#WORKDIR ${HOME}/${CODA_DIR}

# Do not keep or reuse opam build dirs: pinned packages are then reinstalled from the Coda
# sources and the image stays a reasonable size
ENV OPAMKEEPBUILDDIR=false \
    OPAMREUSEBUILDDIR=false
# Build the Go helpers for libp2p into src/app/libp2p_helper/result/bin.
# The chain depends on the current directory at each step:
#  - start in src/app/libp2p_helper (relative to the stage's workdir) and recreate result/bin
#  - in src/, download the Go modules (fetched from the network at build time)
#  - build generate_methodidx from its own directory, then "cd -" returns to src/
#  - build libp2p_helper from its directory
#  - still inside that directory, clear the Go build, module and test caches so they do not
#    stay in the layer
# NOTE(review): module integrity presumably rests on a go.sum checked into the repository;
# confirm one is present next to the go.mod used here.
RUN cd src/app/libp2p_helper && \
rm -rf result && \
mkdir -p result/bin && \
cd src && \
go mod download && \
cd generate_methodidx && go build -o ../../result/bin/generate_methodidx && cd - && \
cd libp2p_helper && go build -o ../../result/bin/libp2p_helper && \
go clean --cache --modcache --testcache -r
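# Build the node binaries (key generator, coda CLI, archive node, rosetta) with the selected
# dune profile, then shrink the layer: trim the dune cache to zero, clean opam, empty /tmp
# and remove the opam root.
# - /tmp is emptied instead of removed. "rm -rf /tmp" deletes the directory itself, which
#   leaves the image without a temp directory for anything that runs in it afterwards;
#   as the non-root opam user the removal of /tmp itself is also likely to be refused.
# - $HOME and the profile are quoted so the values are passed as single words.
RUN eval $(opam config env) && \
    dune build --profile="${DUNE_PROFILE}" \
      src/app/generate_keypair/generate_keypair.exe \
      src/app/cli/src/coda.exe \
      src/app/archive/archive.exe \
      src/app/rosetta/rosetta.exe && \
    dune cache trim --size=0B && \
    opam clean --unused-repositories --logs -cs && \
    find /tmp -mindepth 1 -delete && \
    rm -rf "$HOME/.opam"
#RUN eval $(opam config env) && make deb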