diff --git a/.circleci/config.yml b/.circleci/config.yml index 76ef22cf09..b4b4eccfa5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -17,7 +17,7 @@ executors: IN_DEV_CONTAINER: true docker: # DOCKERFILE_REPO: see Dockerfile note about how this is built. - - image: darklang/dark-base:b1596ba + - image: darklang/dark-base:89294ed commands: show-large-files-and-directories: @@ -385,6 +385,7 @@ jobs: - run: integration-tests/_integration-test-results-to-honeycomb.sh - assert-clean-worktree - store_artifacts: { path: rundir } + - store_artifacts: { path: /var/log/nginx } - store_test_results: { path: rundir/test_results } - save_cache: name: "Save packagejson-specific cache" diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 7af224db7f..195b28b3d4 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -49,6 +49,7 @@ "8.8.8.8", "--dns", "8.8.4.4", + "--ulimit=nofile=65536:65536", "--hostname", "dark-dev", "--env-file", diff --git a/Dockerfile b/Dockerfile index 37976bf62c..42b15a338a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,6 @@ +# syntax=docker/dockerfile:1 +# ^^ The line above is to allow heredocs. It must be before any other content in the file ^^ + # This is an image used to compile and test Dark. Later, we will use this to # create another dockerfile to deploy. @@ -15,10 +18,14 @@ # as part of that build. Search for DOCKERFILE_REPO for where to make that # change. -FROM ubuntu:20.04@sha256:e722c7335fdd0ce77044ab5942cb1fbd2b5f60d1f5416acfcdb0814b2baf7898 as dark-base + +FROM ubuntu:22.04 as dark-base ENV FORCE_BUILD 3 +# Creates variables to allow builds to work on both amd64 and arm64 +ARG TARGETARCH + # These are reasonable defaults, and what the dark uid/gid would be if we didn't # specify values. By exposing them as build-args, we can set these values to # match the host user's uid/gid - allowing for dark-owned files in-container to 
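Review bot: The new `FROM ubuntu:22.04 as dark-base` line drops the `@sha256:` digest that the replaced 20.04 line carried, so the dev/CI base image is no longer reproducible and an upstream retag of `22.04` silently changes what gets built. The same commit pins `containers/base-service-Dockerfile` by digest, so the two files now disagree on policy; the line should read `FROM ubuntu:22.04@sha256:<jammy-digest> as dark-base` with the digest taken from the registry at bump time. A short comment next to it explaining that the digest is bumped together with the `DOCKERFILE_REPO` tag in `.circleci/config.yml` would keep the two in step.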
@@ -58,21 +65,18 @@ RUN curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - RUN curl -sSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - RUN curl -sSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - RUN curl -sSL https://nginx.org/keys/nginx_signing.key | apt-key add - -RUN curl -sSL https://baltocdn.com/helm/signing.asc | apt-key add - -# We want postgres 9.6, but it is not in ubuntu 20.04 +# We want postgres 9.6, but it is not in later ubuntus RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list -RUN echo "deb https://nginx.org/packages/ubuntu/ bionic nginx" > /etc/apt/sources.list.d/nginx.list +RUN echo "deb https://nginx.org/packages/ubuntu/ jammy nginx" > /etc/apt/sources.list.d/nginx.list -RUN echo "deb https://deb.nodesource.com/node_14.x focal main" > /etc/apt/sources.list.d/nodesource.list -RUN echo "deb-src https://deb.nodesource.com/node_14.x focal main" >> /etc/apt/sources.list.d/nodesource.list +RUN echo "deb https://deb.nodesource.com/node_14.x jammy main" > /etc/apt/sources.list.d/nodesource.list +RUN echo "deb-src https://deb.nodesource.com/node_14.x jammy main" >> /etc/apt/sources.list.d/nodesource.list RUN echo "deb http://packages.cloud.google.com/apt cloud-sdk main" > /etc/apt/sources.list.d/google-cloud-sdk.list -RUN echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list - -RUN echo "deb https://baltocdn.com/helm/stable/debian/ all main" > /etc/apt/sources.list.d/helm-stable-debian.list +RUN echo "deb [arch=${TARGETARCH}] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list # Mostly, we use the generic version. However, for things in production we want # to pin the exact package version so that we don't have any surprises. As a 
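Review bot: The new `jammy` entries for nginx and nodesource, and the `${TARGETARCH}` docker entry, still rely on the preceding `apt-key add` lines, which on Ubuntu 22.04 are deprecated and place every third-party key in the global trusted keyring, so any one of these vendor keys can validate packages from any configured repository. The usual fix is to store each key under `/usr/share/keyrings/` (for example `curl -sSL <key-url> | gpg --dearmor -o /usr/share/keyrings/nginx.gpg`) and scope it in the source line, e.g. `deb [signed-by=/usr/share/keyrings/nginx.gpg] https://nginx.org/packages/ubuntu/ jammy nginx`. Dropping the helm repo here while installing helm via the new checksummed script below is consistent, but a comment saying helm moved out of apt would save the next reader a search.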
@@ -116,7 +120,6 @@ RUN DEBIAN_FRONTEND=noninteractive \ docker-ce \ build-essential \ kubectl \ - helm \ python3-pip \ python3-setuptools \ python3-dev \ @@ -129,7 +132,7 @@ RUN DEBIAN_FRONTEND=noninteractive \ pv \ htop \ net-tools \ - nginx=1.16.1-1~bionic \ + nginx \ bash-completion \ openssh-server \ dnsutils \ @@ -137,8 +140,8 @@ RUN DEBIAN_FRONTEND=noninteractive \ libc6 \ libgcc1 \ libgssapi-krb5-2 \ - libicu66 \ - libssl1.1 \ + libicu70 \ + libssl3 \ libstdc++6 \ zlib1g \ lldb \ 
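Review bot: Replacing `nginx=1.16.1-1~bionic` with bare `nginx` removes the version pin that the comment earlier in this RUN says production-facing packages should keep, so the image now picks up whatever nginx.org publishes for jammy at build time. Since the same RUN still pins other production packages, this should become `nginx=<version>~jammy` (a placeholder; take the exact string from the nginx.org package index), with a one-line comment noting it is pinned for the same reason. The libicu70/libssl3 renames are the expected jammy ABI bumps and look right.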
@@ -209,19 +212,121 @@ RUN sudo rm /etc/nginx/conf.d/default.conf RUN sudo rm -r /etc/nginx/nginx.conf RUN sudo chown -R dark:dark /var/log/nginx +############################ +# Scripts to install files from the internet +############################ +COPY <<-"EOF" /home/dark/install-targz-file +#!/bin/bash + +# Script to install binary files, checking the sha + +set -euo pipefail + +for i in "$@" ; do + case "${i}" in + --arm64-sha256=*) + ARM64_SHA256=${1/--arm64-sha256=/''} + shift + ;; + --amd64-sha256=*) + AMD64_SHA256=${1/--amd64-sha256=/''} + shift + ;; + --url=*) + URL=${1/--url=/''} + shift + ;; + --extract-file=*) + EXTRACT_FILE=${1/--extract-file=/''} + shift + ;; + --target=*) + TARGET=${1/--target=/''} + shift + ;; + esac +done +DIR=$(echo $URL | sed 's/[^0-9A-Za-z]*//g') +FILENAME=$(basename $URL) +case $(dpkg --print-architecture) in + arm64) CHECKSUM=$ARM64_SHA256;; + amd64) CHECKSUM=$AMD64_SHA256;; + *) exit 1;; +esac +mkdir -p $DIR +wget -P $DIR $URL +echo "$CHECKSUM $DIR/$FILENAME" | sha256sum -c - +tar xvf $DIR/$FILENAME -C $DIR +ls $DIR +sudo cp $DIR/${EXTRACT_FILE} ${TARGET} +sudo chmod +x ${TARGET} +rm -Rf $DIR +EOF + +COPY <<-"EOF" /home/dark/install-exe-file +#!/bin/bash + +# Script to install single files from tar.gz files, checking the sha + +set -euo pipefail + +for i in "$@" ; do + case "${i}" in + --arm64-sha256=*) + ARM64_SHA256=${1/--arm64-sha256=/''} + shift + ;; + --amd64-sha256=*) + AMD64_SHA256=${1/--amd64-sha256=/''} + shift + ;; + --url=*) + URL=${1/--url=/''} + shift + ;; + --target=*) + TARGET=${1/--target=/''} + shift + ;; + esac +done +DIR=$(echo $URL | sed 's/[^0-9A-Za-z]*//g') +FILENAME=$(basename $URL) +case $(dpkg --print-architecture) in + arm64) CHECKSUM=$ARM64_SHA256;; + amd64) CHECKSUM=$AMD64_SHA256;; + *) exit 1;; +esac +sudo wget -O ${TARGET} $URL +echo "$CHECKSUM ${TARGET}" | sha256sum -c - +sudo chmod +x ${TARGET} +EOF + +RUN sudo chown dark:dark /home/dark/install-targz-file +RUN chmod +x 
/home/dark/install-targz-file +RUN sudo chown dark:dark /home/dark/install-exe-file +RUN chmod +x /home/dark/install-exe-file + ############################ # Kubernetes ############################ RUN sudo kubectl completion bash | sudo tee /etc/bash_completion.d/kubectl > /dev/null +RUN /home/dark/install-targz-file \ + --arm64-sha256=57fa17b6bb040a3788116557a72579f2180ea9620b4ee8a9b7244e5901df02e4 \ + --amd64-sha256=2315941a13291c277dac9f65e75ead56386440d3907e0540bf157ae70f188347 \ + --url=https://get.helm.sh/helm-v3.10.2-linux-${TARGETARCH}.tar.gz \ + --extract-file=linux-${TARGETARCH}/helm \ + --target=/usr/bin/helm ############################ # Google cloud ############################ -# New authentication for docker - not supported via apt -RUN sudo wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 \ - -O /usr/bin/cloud_sql_proxy \ - && sudo chmod +x /usr/bin/cloud_sql_proxy +RUN /home/dark/install-exe-file \ + --arm64-sha256=834ecd08f54960ee88121ab70b05002bcfb99cd08a63bcd7a1a952c53e30a3ca \ + --amd64-sha256=fb66afb1cb8ee730314088eb7b299398bda6c0434b9b383b27a26b8951e775c5 \ + --url=https://storage.googleapis.com/cloudsql-proxy/v1.33.1/cloud_sql_proxy.linux.${TARGETARCH} \ + --target=/usr/bin/cloud_sql_proxy # PubSub ENV PUBSUB_EMULATOR_HOST=0.0.0.0:8085 @@ -249,14 +354,9 @@ RUN sudo pip3 install -U --no-cache-dir -U crcmod \ ############################ # Pip packages ############################ -RUN sudo pip3 install --no-cache-dir yq yamllint +RUN sudo pip3 install --no-cache-dir yq yamllint watchfiles yapf==0.32.0 ENV PATH "$PATH:/home/dark/.local/bin" -RUN pip3 install git+https://github.com/pbiggar/watchgod.git@b74cd7ec064ebc7b4263dc532c7c97e046002bef - -# Formatting -RUN pip3 install yapf==0.32.0 - #################################### # CircleCI #################################### 
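Review bot: In `install-exe-file` the download is written straight to `${TARGET}` with `sudo wget -O ${TARGET} $URL` before the sha256 is checked, so a mismatch aborts the script but leaves an unverified, root-owned file sitting at the install path; inside `docker build` the failed layer is discarded, but the script is also shipped in `/home/dark` and usable from a running container. Downloading to a temp file, verifying, and then `install`-ing it keeps an unverified binary from ever landing in `/usr/bin`. Two smaller points in the same heredocs: the header comments are swapped (`install-targz-file` says "install binary files" while `install-exe-file` says "install single files from tar.gz files"), and the `for i in "$@"` loop reads `$1` and `shift`s only on a matched case, so an unrecognised argument silently desynchronises the later assignments; using `${i/...}` instead of `${1/...}` and adding a `*) echo "unknown arg: $i" >&2; exit 1;;` branch makes that fail loudly.
```dockerfile
# … unchanged: argument parsing and CHECKSUM selection …
TMPFILE=$(mktemp)
wget -O "${TMPFILE}" "${URL}"
echo "${CHECKSUM}  ${TMPFILE}" | sha256sum -c -
sudo install -m 0755 "${TMPFILE}" "${TARGET}"
rm -f "${TMPFILE}"
EOF
```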
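Review bot: The new `sudo pip3 install --no-cache-dir yq yamllint watchfiles yapf==0.32.0` pins only yapf, so `yq`, `yamllint` and the newly introduced `watchfiles` float to whatever PyPI serves at build time, which is the same reproducibility gap the rest of this Dockerfile works hard to close with sha256-checked downloads. Pin all four, e.g. `yq==<ver> yamllint==<ver> watchfiles==<ver> yapf==0.32.0` (placeholders, use the versions this commit was tested with), and consider a `--require-hashes` requirements file if the tooling is meant to be supply-chain hardened. Moving watchgod's git install to a released `watchfiles` package is an improvement over installing from a personal fork.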
@@ -266,36 +366,48 @@ RUN curl -fLSs https://raw.githubusercontent.com/CircleCI-Public/circleci-cli/ma # Shellcheck # Ubuntu has a very old version ############################ + RUN \ VERSION=v0.8.0 \ - && FILENAME=shellcheck-$VERSION.linux.x86_64.tar.xz \ - && wget -P tmp_install_folder/ https://github.com/koalaman/shellcheck/releases/download/$VERSION/$FILENAME \ - && tar xvf tmp_install_folder/$FILENAME -C tmp_install_folder \ - && sudo cp tmp_install_folder/shellcheck-$VERSION/shellcheck /usr/bin/shellcheck \ - && rm -Rf tmp_install_folder + && case ${TARGETARCH} in \ + arm64) FILENAME=shellcheck-$VERSION.linux.aarch64.tar.xz;; \ + amd64) FILENAME=shellcheck-$VERSION.linux.x86_64.tar.xz;; \ + *) exit 1;; \ + esac \ + && /home/dark/install-targz-file \ + --arm64-sha256=9f47bbff5624babfa712eb9d64ece14c6c46327122d0c54983f627ae3a30a4ac \ + --amd64-sha256=ab6ee1b178f014d1b86d1e24da20d1139656c8b0ed34d2867fbb834dad02bf0a \ + --url=https://github.com/koalaman/shellcheck/releases/download/$VERSION/$FILENAME \ + --extract-file=shellcheck-${VERSION}/shellcheck \ + --target=/usr/bin/shellcheck ############################ # Kubeconform - for linting k8s files ############################ + RUN \ VERSION=v0.4.14 \ - && wget -P tmp_install_folder/ https://github.com/yannh/kubeconform/releases/download/$VERSION/kubeconform-linux-amd64.tar.gz \ - && tar xvf tmp_install_folder/kubeconform-linux-amd64.tar.gz -C tmp_install_folder \ - && sudo cp tmp_install_folder/kubeconform /usr/bin/ \ - && rm -Rf tmp_install_folder + && /home/dark/install-targz-file \ + --arm64-sha256=0ff34c19b3b19905a9c87906c801d9d4325d0614ae48bc1b2543dc9ec908cf13 \ + --amd64-sha256=140044a5eb44a18e52d737ba15936f87b0e5fca3d34a02ae13b2d68025a449f3 \ + --url=https://github.com/yannh/kubeconform/releases/download/$VERSION/kubeconform-linux-${TARGETARCH}.tar.gz \ + --extract-file=kubeconform \ + --target=/usr/bin/kubeconform #################################### # Honeytail and honeymarker installs 
#################################### -RUN wget -q https://honeycomb.io/download/honeytail/v1.8.1/honeytail_1.8.1_amd64.deb && \ - echo '971ba06886c5436927a17f8494fe518084a385cb9b9b28e541296d658eb5cc8d honeytail_1.8.1_amd64.deb' | sha256sum -c && \ - sudo dpkg -i honeytail_1.8.1_amd64.deb && \ - rm honeytail_1.8.1_amd64.deb +RUN /home/dark/install-exe-file \ + --arm64-sha256=c5a57a729b0ccf4ca0f2287c862538812604f5fd67d102372e91215701afdbe1 \ + --amd64-sha256=d774112265ee8e98c6221232461cf36c35faf844005cc98b43b55bb375761766 \ + --url=https://github.com/honeycombio/honeytail/releases/download/v1.8.2/honeytail-linux-${TARGETARCH} \ + --target=/usr/bin/honeytail -RUN wget -q https://honeycomb.io/download/honeymarker/linux/honeymarker_1.9_amd64.deb && \ - echo '5aa10dd42f4f369c9463a8c8a361e46058339e6273055600ddad50e1bcdf2149 honeymarker_1.9_amd64.deb' | sha256sum -c && \ - sudo dpkg -i honeymarker_1.9_amd64.deb && \ - rm honeymarker_1.9_amd64.deb +RUN /home/dark/install-exe-file \ + --arm64-sha256=fef8c383419c86ceabb0bbffd3bcad2bf9223537fba9f848218480f873a96e8d \ + --amd64-sha256=6e08038f4587d515856076746ad3a69e67376eddd38d8657f449aad393b95cd8 \ + --url=https://github.com/honeycombio/honeymarker/releases/download/v0.2.10/honeymarker-linux-${TARGETARCH} \ + --target=/usr/bin/honeymarker #################################### 
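Review bot: The eight new `--arm64-sha256`/`--amd64-sha256` values for shellcheck, kubeconform, honeytail and honeymarker have no comment saying where they came from, so a future maintainer cannot tell whether they were copied from the upstream release's checksum file or simply computed from the first download, which would make the check only detect later tampering rather than a compromised first fetch. A one-line comment above each install such as `# sha256 values from the upstream release's SHA256SUMS / checksums.txt` (or "computed locally, not published upstream" where that is the case) documents the trust basis. Honeymarker also moves from the `1.9` deb to GitHub release `v0.2.10`; if these are different version lines rather than a downgrade, a comment saying so would pre-empt the obvious question.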
@@ -320,16 +432,30 @@ ENV DOTNET_SDK_VERSION=6.0.300 \ # Enable correct mode for dotnet watch (only mode supported in a container) DOTNET_USE_POLLING_FILE_WATCHER=true -RUN curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/$DOTNET_SDK_VERSION/dotnet-sdk-$DOTNET_SDK_VERSION-linux-x64.tar.gz \ - && dotnet_sha512='52d720e90cfb889a92d605d64e6d0e90b96209e1bd7eab00dab1d567017d7a5a4ff4adbc55aff4cffcea4b1bf92bb8d351859d00d8eb65059eec5e449886c938' \ - && echo "$dotnet_sha512 dotnet.tar.gz" | sha512sum -c - \ - && sudo mkdir -p /usr/share/dotnet \ - && sudo tar -C /usr/share/dotnet -oxzf dotnet.tar.gz . \ - && sudo rm dotnet.tar.gz \ - # Trigger first run experience by running arbitrary cmd - && sudo ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \ - && dotnet help - +RUN <= worker_connections (below) and <= `ulimit -n` ("nofile", +# number of files). We've set `ulimit -n` to match CI, where it is set to 65536, and +# cannot be changed. In production, it's set to 1048576 in the apiserver http-proxy +# container (and also in the nginx-ingress container, though this config isn't used +# there). +worker_rlimit_nofile 65536; events { # CHANGED FOR DARK diff --git a/containers/base-service-Dockerfile b/containers/base-service-Dockerfile index 2689b5d7c7..e4fb871265 100644 --- a/containers/base-service-Dockerfile +++ b/containers/base-service-Dockerfile @@ -1,6 +1,6 @@ # Base docker image for most services we run in production on GCP -FROM ubuntu:20.04 +FROM ubuntu:22.04@sha256:bace9fb0d5923a675c894d5c815da75ffe35e24970166a48a4460a48ae6e0d19 as dark-base # Our deploy runs this on CircleCI, and the default URLs can sometimes be slow to # download from. This switches to the closest mirror to CircleCI (recommended by diff --git a/containers/fsharp-service-Dockerfile b/containers/fsharp-service-Dockerfile index da4086effe..bcdded391a 100644 --- a/containers/fsharp-service-Dockerfile +++ b/containers/fsharp-service-Dockerfile 
@@ -2,11 +2,11 @@ # FSharp installer image # Copied from https://github.com/dotnet/dotnet-docker/blob/main/src/runtime/6.0/focal/amd64/Dockerfile -FROM amd64/buildpack-deps:focal-curl as installer +FROM amd64/buildpack-deps:jammy-curl as installer # Retrieve .NET -RUN curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/6.0.201/dotnet-sdk-6.0.201-linux-x64.tar.gz \ - && dotnet_sha512='a4d96b6ca2abb7d71cc2c64282f9bd07cedc52c03d8d6668346ae0cd33a9a670d7185ab0037c8f0ecd6c212141038ed9ea9b19a188d1df2aae10b2683ce818ce' \ +RUN curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/6.0.300/dotnet-sdk-6.0.300-linux-x64.tar.gz \ + && dotnet_sha512='52d720e90cfb889a92d605d64e6d0e90b96209e1bd7eab00dab1d567017d7a5a4ff4adbc55aff4cffcea4b1bf92bb8d351859d00d8eb65059eec5e449886c938' \ && echo "$dotnet_sha512 dotnet.tar.gz" | sha512sum -c - \ && mkdir -p /dotnet \ && tar -ozxf dotnet.tar.gz -C /dotnet \ @@ -23,14 +23,14 @@ RUN sudo apt-get update \ libc6 \ libgcc1 \ libgssapi-krb5-2 \ - libicu66 \ - libssl1.1 \ + libicu70 \ + libssl3 \ libstdc++6 \ zlib1g \ && sudo rm -rf /var/lib/apt/lists/* ENV \ - DOTNET_SDK_VERSION=6.0.201 \ + DOTNET_SDK_VERSION=6.0.300 \ DOTNET_RUNNING_IN_CONTAINER=true \ DOTNET_EnableDiagnostics=0 diff --git a/containers/tunnel2/tunnel2-daemon b/containers/tunnel2/tunnel2-daemon index f3181a3e8a..9fa82e5dbc 100755 --- a/containers/tunnel2/tunnel2-daemon +++ b/containers/tunnel2/tunnel2-daemon 
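Review bot: The header comment `# Copied from https://github.com/dotnet/dotnet-docker/blob/main/src/runtime/6.0/focal/amd64/Dockerfile` is now stale because the stage below it switched to `amd64/buildpack-deps:jammy-curl`; it should point at the jammy variant of that file if that is what the new lines were taken from, or say the focal file was adapted by hand. Unlike `containers/base-service-Dockerfile` in this same commit, `jammy-curl` here is not pinned by digest, so the installer stage can change underneath the pinned SDK tarball. The SDK sha512 matches the one the main Dockerfile used for 6.0.300, so the bump itself looks consistent.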
@@ -2,23 +2,16 @@ # DOC: what is this for? # -# We run this as its own k8s deployment (at time of writing, scale=1) and route -# all outgoing traffic through it by setting it as a SOCKS5 proxy in -# libhttpclient.ml's use of libcurl. (And and legacy.ml's.) +# We run this as its own k8s deployment (at time of writing, scale=1) and route all +# outgoing traffic through it by setting it as a SOCKS5 proxy in HttpClient (and +# LegacyHttpClient) # -# It currently restricts direct access to the ocaml server (you can't hit -# http://localhost:80/pkill to take out a pod; you have to send requests off-pod -# first, which forces incoming traffic to go through nginx, which 403s /pkill; -# thus, only k8s itself can hit /pkill), as well as to the GCE instance metadata -# (http://metadata, as observed in the security incident of 2020-04-27; we block -# this by disallowing egress to 169.* in a NetworkPolicy on the tunnel. This was -# the security incident of 2020-04-27.) -# -# The tunnel does not currently restrict traffic otherwise; it might be nice -# to block 10.* and thus disallow access to any cluster-internal routes, but at -# least for the moment we can't, as blocking 10.* would mean breaking DNS -# requests from the tunnel service. - +# It currently restricts direct access to the server (you can't hit the server +# directly; you have to send requests off-pod first, which forces incoming traffic to +# go through nginx), as well as to the GCE instance metadata (http://metadata, as +# observed in the security incident of 2020-04-27; we block this by disallowing +# egress to 169.* in a NetworkPolicy on the tunnel. This was the security incident of +# 2020-04-27.) set -euox pipefail diff --git a/fsharp-backend/.config/dotnet-tools.json b/fsharp-backend/.config/dotnet-tools.json index cea15f09d3..88efe9a122 100644 --- a/fsharp-backend/.config/dotnet-tools.json +++ b/fsharp-backend/.config/dotnet-tools.json 
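Review bot: The rewritten header drops the paragraph that documented a known gap, namely that the tunnel does not block `10.*` and therefore still allows egress to cluster-internal routes, and why it could not be blocked without breaking DNS; that is the kind of accepted-risk note a later reviewer needs to see, so it should survive the edit even as a single line such as `# Note: 10.* (cluster-internal) egress is NOT blocked; blocking it broke DNS from the tunnel.` The new text also repeats itself, ending with "This was the security incident of 2020-04-27" after already attributing the metadata block to that incident a few words earlier; one mention is enough. The script body continues outside the hunk.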
@@ -7,7 +7,7 @@ "commands": ["paket"] }, "dotnet-trace": { - "version": "6.0.257301", + "version": "6.0.351802", "commands": ["dotnet-trace"] } } diff --git a/fsharp-backend/src/ApiServer/ApiServer.fs b/fsharp-backend/src/ApiServer/ApiServer.fs index 70562f9229..07dd3f60ab 100644 --- a/fsharp-backend/src/ApiServer/ApiServer.fs +++ b/fsharp-backend/src/ApiServer/ApiServer.fs @@ -53,7 +53,10 @@ let addRoutes // This route is used so that we know that the http proxy is actually proxying the server let checkApiserver : HttpHandler = (fun (ctx : HttpContext) -> - task { return ctx.Response.WriteAsync("success: this is apiserver") }) + task { + ctx.Response.StatusCode <- 200 + return ctx.Response.WriteAsync("success: this is apiserver") + }) let addRoute (verb : string) diff --git a/scripts/build/_build-server b/scripts/build/_build-server index 25fd46b1d5..0db027d4b7 100755 --- a/scripts/build/_build-server +++ b/scripts/build/_build-server @@ -1,4 +1,4 @@ -#!/usr/bin/env python3.8 +#!/usr/bin/env python3.10 # This is used, in concert with scripts/builder, to run Dark inside the dev # container. There is a strong connection between these files and @@ -30,6 +30,7 @@ def getFlags(): # Make io unbuffered def flush(fn): + def newfn(x): fn(x) sys.stdout.flush() 
@@ -152,26 +153,14 @@ def main(): run_fsharp_server() if should_watch: - import watchgod - # watchgod scans the file system on a loop. This is extremely - # fast so long as we list directory trees we don't want to go - # into. We prefer this to notification based systems as we've - # struggled to get them to work with our fun docker-based - # setup. + import watchfiles ignored = [ - ".git", - "_build", - "_esy", - "node_modules", - "integration-tests/node_modules", - "backend/static", - "lib", - "fsharp-backend/Build", + ".git", "_build", "_esy", "node_modules", "integration-tests/node_modules", + "backend/static", "lib", "fsharp-backend/Build" ] ignored = set(["/home/dark/app/" + f for f in ignored]) - for changes in watchgod.watch("/home/dark/app/", - watcher_cls=watchgod.AllWatcher, - watcher_kwargs=dict(ignored_paths=ignored)): + filter = watchfiles.DefaultFilter(ignore_paths=ignored) + for changes in watchfiles.watch("/home/dark/app/", watch_filter=filter): changes = [f for (_, f) in changes] compile(changes) diff --git a/scripts/build/compile b/scripts/build/compile index 00a64c4830..41c5ca06fd 100755 --- a/scripts/build/compile +++ b/scripts/build/compile @@ -1,4 +1,4 @@ -#!/usr/bin/env python3.8 +#!/usr/bin/env python3.10 import sys import subprocess diff --git a/scripts/builder b/scripts/builder index 22f9ecaabc..5abb271022 100755 --- a/scripts/builder +++ b/scripts/builder 
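Review bot: The new `filter = watchfiles.DefaultFilter(ignore_paths=ignored)` shadows the builtin `filter` for the rest of `main`; naming it `watch_filter = ...` and passing `watch_filter=watch_filter` avoids that. The deleted comment explained why the old watcher polled the filesystem instead of using notifications ("we've struggled to get them to work with our fun docker-based setup"), and the replacement `watchfiles.watch(...)` call uses the library's default notification backend without saying whether that concern was re-tested; if it still applies, `force_polling=True` is the relevant option, and either way a one-line comment recording the decision should replace the removed one. `main` starts and ends outside the hunk.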
@@ -2,10 +2,11 @@ set -euo pipefail -# This is used, in concert with scripts/build/_build-server, to run Dark inside the -# devcontainer. There is a strong connection between these files and -# .circleci/config.yml, as well as devcontainer.yaml. Generally, if you add something -# to one of these files, there's an equivalent to be added in both .circleci/config.yml and devcontainer.yaml. +# This is used, in concert with scripts/build/_build-server, to run Dark inside +# the devcontainer. There is a strong connection between these files and +# .circleci/config.yml, as well as devcontainer.yaml. Generally, if you add +# something to one of these files, there's an equivalent to be added in both +# .circleci/config.yml and devcontainer.yaml. if [[ "${BASH_VERSINFO[0]}" -lt 4 ]]; then # Because we use `-v` @@ -33,7 +34,11 @@ gid=$((gid > 1000 ? gid : 1000)) # -------------- if [[ ! -v NEVER_REBUILD_DOCKER ]]; then echo "Building docker image" - # Always build for linux/amd64 (new OSX arm machines have emulation) + # Always build for linux/amd64 (new OSX arm machines have emulation). This is + # slow on MacOS but it gets there eventually. + # Most of the work is done to enable arm64 builds, but rescript 9.1.4 won't + # build on arm64 (10 supposedly does), and dotnet won't support building wasm + # until dotnet 8 at the earliest. docker buildx build --platform linux/amd64 -t dark --build-arg uid="$(id -u)" --build-arg gid="$gid" . echo "Removing running containers" @@ -119,6 +124,7 @@ echo "Run the build" # -p 9000:9000 to expose the F# api server # -p 11001:11001 to expose the F# bwd server # -cap-add & -security-opt to attach a gdb/strace to .net code +# --ulimit=nofile=65536:65536 to match CI docker run \ --init \ --rm \ @@ -144,6 +150,7 @@ docker run \ --user "$(id -u):$gid" \ --cap-add=ALL \ --security-opt seccomp=unconfined \ + --ulimit=nofile=65536:65536 \ $MOUNTS \ dark \ scripts/build/_build-server "${@}" 
diff --git a/scripts/deployment/_push-assets-to-cdn b/scripts/deployment/_push-assets-to-cdn index fcd65e2e55..5abf6eaa6c 100755 --- a/scripts/deployment/_push-assets-to-cdn +++ b/scripts/deployment/_push-assets-to-cdn @@ -1,4 +1,4 @@ -#!/usr/bin/env python3.8 +#!/usr/bin/env python3.10 import glob import os @@ -195,4 +195,4 @@ for mimetype in mimetypes_to_process: # Wrap up shutil.rmtree(temp_dir, ignore_errors=True) -print("Done!") \ No newline at end of file +print("Done!") diff --git a/scripts/deployment/shipit b/scripts/deployment/shipit index a4a79d186e..b295085d03 100755 --- a/scripts/deployment/shipit +++ b/scripts/deployment/shipit @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/usr/bin/env python3.10 # Script to manage deployment/release of kubernetes services @@ -54,6 +54,7 @@ def handle_error(msg: str) -> None: print(msg) if error is None: error = msg + sys.exit(-1) def debug(str: str, str2: Any = None, str3: Any = None) -> None: diff --git a/scripts/devcontainer/_start-background-services b/scripts/devcontainer/_start-background-services index 5a4dd7a3b0..c9e44bfe9d 100755 --- a/scripts/devcontainer/_start-background-services +++ b/scripts/devcontainer/_start-background-services 
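Review bot: The added `sys.exit(-1)` in `handle_error` exits with status 255 (negative codes wrap modulo 256), which shells and CI treat as an unusual code; `sys.exit(1)` is the conventional failure status. Because the function now exits immediately, the `if error is None: error = msg` bookkeeping just above it can no longer be observed by any later code path unless something reads `error` from an `atexit` hook, so either that global is dead or the exit should happen somewhere that still lets the accumulated error be reported; worth a comment stating which is intended. `handle_error` begins in the hunk header context, outside the visible lines.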
@@ -4,10 +4,27 @@ set -euo pipefail for name in "${@}"; do if [[ $name == postgresql ]]; then + + # When rebuilding the docker container (esp between ubuntu versions), the + # postgres user may have a different userid, so fix up the existing volume + sudo chown -R postgres:postgres /etc/postgresql + sudo chown -R postgres:postgres /var/log/postgresql + sudo chown -R postgres:postgres /var/lib/postgresql + # for some reason, uncommenting the equivalent line in the Dockerfile doesn't do the # job. don't have time right now to figure out why. LA="listen_addresses = '*'" echo "$LA" | sudo tee -a /etc/postgresql/9.6/main/postgresql.conf + + # Fix weird permission problem, see from https://github.com/puntonim/docker-postgresql93/issues/2 + sudo chmod 766 /etc/ssl/private + sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key + sudo mkdir /etc/ssl/private-copy + sudo mv /etc/ssl/private/* /etc/ssl/private-copy/ + sudo rm -r /etc/ssl/private + sudo mv /etc/ssl/private-copy /etc/ssl/private + sudo chmod -R 0700 /etc/ssl/private + sudo chown -R postgres /etc/ssl/private fi echo "--------------------------" diff --git a/scripts/devcontainer/_wait-until-apiserver-ready b/scripts/devcontainer/_wait-until-apiserver-ready index 5d661e0824..132e5dbd6d 100755 --- a/scripts/devcontainer/_wait-until-apiserver-ready +++ b/scripts/devcontainer/_wait-until-apiserver-ready 
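Review bot: `sudo chmod 766 /etc/ssl/private` makes the directory holding the snakeoil private key world-writable for the rest of the block, and nothing in the shown lines needs that since every later step runs under `sudo`; `sudo chmod 0700 /etc/ssl/private` achieves the same effect without the window. `sudo mkdir /etc/ssl/private-copy` (no `-p`) fails under `set -euo pipefail` if the script is run twice on the same container, so `sudo mkdir -p /etc/ssl/private-copy` or a guard on the directory's existence is needed to keep the start script idempotent; the unconditional `tee -a` of `listen_addresses` has the same repeat-run issue, though that line predates this change. A comment explaining why the copy-and-move dance is required instead of a plain `chown -R postgres /etc/ssl/private` would also help, since the linked issue is the only hint.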
@@ -4,14 +4,24 @@ set -euo pipefail function wait_for { - test_url="http://${DARK_CONFIG_APISERVER_STATIC_HOST}/$1" count=0 - until curl --output /dev/null --silent --show-error --head --fail "${test_url}"; do + until curl --output /dev/null --silent --show-error --fail "$1"; do ((count++)) && ((count==60)) && exit 1 - printf "waiting for %s at %s\n" "$1" "$test_url" + printf "waiting for %s\n" "$1" sleep 1 done } -wait_for app.js -wait_for app.css \ No newline at end of file +wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.js +wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.css +wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/blazor/dotnet.wasm + +# The static server is often ready before the ApiServer +wait_for http://${DARK_CONFIG_APISERVER_HOST}/check-apiserver + +# Don't let nginx say it's ready until blazor files can be reached - sometimes these +# timeout otherwise +for file in backend/static/blazor/*.dll ; do + filename=$(basename $file) + wait_for "http://${DARK_CONFIG_APISERVER_STATIC_HOST}/blazor/$(unknown)" +done \ No newline at end of file diff --git a/scripts/devcontainer/_wait-until-container-ready b/scripts/devcontainer/_wait-until-container-ready deleted file mode 100755 index eecaf32216..0000000000 --- a/scripts/devcontainer/_wait-until-container-ready +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -until [[ "$(docker ps --last 1 --filter "ancestor=dark" --filter status=running --quiet)" != "" ]]; do - printf 'd' - sleep 1 -done - - - diff --git a/scripts/devcontainer/_wait-until-server-ready b/scripts/devcontainer/_wait-until-server-ready deleted file mode 100755 index 91a274d5e2..0000000000 --- a/scripts/devcontainer/_wait-until-server-ready +++ /dev/null 
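Review bot: The new loop assigns `filename=$(basename $file)` but the URL on the next line uses `$(unknown)`, which as written runs a command named `unknown` and substitutes an empty string, so every iteration probes `/blazor/` rather than the individual DLL; if this is an extraction artifact for `${filename}` the page can't show that, so confirm the checked-in line reads `wait_for "http://${DARK_CONFIG_APISERVER_STATIC_HOST}/blazor/${filename}"`. Removing `--head` from the curl call in `wait_for` turns each readiness probe into a full GET of `dotnet.wasm` and every DLL, which is heavier than needed; if the static server answers HEAD correctly it should be restored, otherwise a comment stating why GET is required belongs there. With no `shopt -s nullglob`, an empty `backend/static/blazor/` makes the loop wait 60s on the literal `*.dll` and then fail, which may be intended but is worth a comment.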
@@ -1,17 +0,0 @@ -#!/usr/bin/env bash -. ./scripts/devcontainer/_assert-in-container "$0" "$@" - -set -euo pipefail - -function wait_for { - test_url="http://${DARK_CONFIG_STATIC_HOST}/$1" - count=0 - until curl --output /dev/null --silent --show-error --head --fail "${test_url}"; do - ((count++)) && ((count==60)) && exit 1 - printf "waiting for %s at %s\n" "$1" "$test_url" - sleep 1 - done -} - -wait_for app.js -wait_for app.css diff --git a/scripts/run-httptunnel b/scripts/run-httptunnel index 9cc8324230..5dd2befd27 100755 --- a/scripts/run-httptunnel +++ b/scripts/run-httptunnel @@ -18,5 +18,5 @@ sudo pkill -f sleep.infinity || true sudo mkdir -p /run/sshd echo "Starting tunnel" # shellcheck disable=SC2024 -sudo ./"${TUNNEL_DAEMON_EXE}" > rundir/logs/tunnel.log 2>&1 & +nohup sudo ./"${TUNNEL_DAEMON_EXE}" > rundir/logs/tunnel.log 2>&1 & echo "Started tunnel"