Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(docker): multi-platform docker builds #54

Merged
merged 8 commits into from Oct 30, 2023
Merged

feat(docker): multi-platform docker builds #54

merged 8 commits into from Oct 30, 2023

Conversation

miki725
Copy link
Contributor

@miki725 miki725 commented Oct 12, 2023
edited

pending TODOs for PR:

  • docs/script how to setup builti-build env locally as it requires a few steps, especially if you want to allow insecure registry
  • tests
  • configure CI to support insecure registry which will be required for tests
  • docker push has different config than buildx. when using buildx, we should always --push with buildx will need separate ticket as thats not trivial to handle all cases
  • check impact of cosign on this. does the list manifest gets signed?

Issue

https://github.com/crashappsec/chalk-internal/issues/826

Description

This is a pretty crude approach which:

  • detects if docker build --push --platform=X,Y is used
  • if so breaks it into:
  • docker build --load for each platform
  • docker push for each platform
  • docker buildx imagetools create

In addition this:

  • ensures CHALK_ID is the same for all platform builds
  • ensures METADATA_ID is different for each platform
    by forcing DOCKER_PLATFORM to be part of the chalk
  • falls-back to docker build on docker push failures
    when buildx is being used (see code comment for context)

Testing

While tests are being worked on I used:

➜ make tests args="test_docker.py::test_docker_heartbeat --slow --logs --pdb"

@miki725 miki725 force-pushed the ms/multiplatform branch 2 times, most recently from 38ca65b to 31758fb Compare October 16, 2023 16:05
@miki725 miki725 marked this pull request as ready for review October 16, 2023 16:06
@miki725 miki725 requested a review from viega as a code owner October 16, 2023 16:06
@miki725 miki725 force-pushed the ms/multiplatform branch 7 times, most recently from c7ec0af to 25f9c5b Compare October 18, 2023 16:47
@miki725
feat(report): adding SIGNATURE keys to terminal report
b7d5706
@miki725
feat(docker): multi-platform docker builds
3d749b2 
This is a pretty crude approach which:

* detects if docker build --push --platform=X,Y is used
* if so breaks it into:
* docker build --load for each platform
* docker push for each platform
* docker manifest create
* docker manifest push

As docker manifest is an experimental feature it is guarded so that
if anything fails, docker fallback is used

And it is truly an experimental feature. For example it does not
honor any of the buildx/docker daemon configs for things like insecure
registries so we do our best to fallback in those cases by passing
--insecure flag which is not ideal but does not seem to be any way
around it.

In addition this:

* ensures `CHALK_ID` is the same for all platform builds
* ensures `METADATA_ID` is different for each platform
  by forcing `DOCKER_PLATFORM` to be part of the chalk
* falls-back to docker build on docker push failures
  when buildx is being used (see code comment for context)
@miki725
tests(docker): adding multiplatform tests
cd3defc 
* updating tests/README.md how to setup docker locally
* adding tests entrypoint to configure buildx for tests
miki725 and others added 5 commits October 20, 2023 12:50
@miki725
fixing misc typos [ci skip]
1ed18f3
@indecisivedragon
ip find fix
fbb2457
@miki725
refactor(docker): switching to buildx imagetools create command
08b6cea 
docker manifest create seems to be experimental command
and it has quirks related to insecure registry whereas
imagetools seems work much better out of the box so
switching to it instead
@miki725
docs(tests): adding section in tests/README about QEMU
6b6ac7c
@miki725
fixing tests_bash container cleanup with --rm [ci skip]
98c5c7f
viega
viega approved these changes Oct 30, 2023
View reviewed changes
Copy link
Contributor

@viega viega left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's all clean and straightforward.

Very nicely done.

src/commands/cmd_docker.nim
@@ -500,7 +500,7 @@ proc addBuildCmdMetadataToMark(ctx: DockerInvocation) =
dict.setIfNeeded("DOCKER_CHALK_ADDED_TO_DOCKERFILE",
ctx.addedInstructions.join("\n"))

proc prepareToBuild*(state: DockerInvocation) =
proc prepareToBuild(state: DockerInvocation) =
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the Nim visibility rules; I tend to err on the side of making everything visible, because the errors can be obtuse sometimes when you actually need cross module visibility. So I wouldn't change these, but 🤷

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they werent used anywhere but I think we can keep things private just to avoid potential naming conflicts

@miki725 miki725 merged commit 794f610 into main Oct 30, 2023
@miki725 miki725 deleted the ms/multiplatform branch October 30, 2023 15:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@viega viega viega approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@miki725 @viega @indecisivedragon