From 3fd4b36c5b474342dc076af3c4a7b3f0fe37e50d Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Tue, 7 Jun 2022 22:14:44 +0000 Subject: [PATCH 01/27] Fail when building container fails --- Dockerfile | 18 +++++++++--------- containers/base-service-Dockerfile | 2 +- scripts/deployment/shipit | 1 + 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 37976bf62c..f220620c0c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ # as part of that build. Search for DOCKERFILE_REPO for where to make that # change. -FROM ubuntu:20.04@sha256:e722c7335fdd0ce77044ab5942cb1fbd2b5f60d1f5416acfcdb0814b2baf7898 as dark-base +FROM ubuntu:22.04@sha256:bace9fb0d5923a675c894d5c815da75ffe35e24970166a48a4460a48ae6e0d19 as dark-base ENV FORCE_BUILD 3 
@@ -58,21 +58,21 @@ RUN curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - RUN curl -sSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - RUN curl -sSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - RUN curl -sSL https://nginx.org/keys/nginx_signing.key | apt-key add - -RUN curl -sSL https://baltocdn.com/helm/signing.asc | apt-key add - +RUN curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null # We want postgres 9.6, but it is not in ubuntu 20.04 RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list -RUN echo "deb https://nginx.org/packages/ubuntu/ bionic nginx" > /etc/apt/sources.list.d/nginx.list +RUN echo "deb https://nginx.org/packages/ubuntu/ jammy nginx" > /etc/apt/sources.list.d/nginx.list -RUN echo "deb https://deb.nodesource.com/node_14.x focal main" > /etc/apt/sources.list.d/nodesource.list -RUN echo "deb-src https://deb.nodesource.com/node_14.x focal main" >> /etc/apt/sources.list.d/nodesource.list +RUN echo "deb https://deb.nodesource.com/node_14.x jammy main" > /etc/apt/sources.list.d/nodesource.list +RUN echo "deb-src https://deb.nodesource.com/node_14.x jammy main" >> /etc/apt/sources.list.d/nodesource.list RUN echo "deb http://packages.cloud.google.com/apt cloud-sdk main" > /etc/apt/sources.list.d/google-cloud-sdk.list RUN echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list -RUN echo "deb https://baltocdn.com/helm/stable/debian/ all main" > /etc/apt/sources.list.d/helm-stable-debian.list +RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list # Mostly, we use the generic version. 
However, for things in production we want # to pin the exact package version so that we don't have any surprises. As a @@ -129,7 +129,7 @@ RUN DEBIAN_FRONTEND=noninteractive \ pv \ htop \ net-tools \ - nginx=1.16.1-1~bionic \ + nginx \ bash-completion \ openssh-server \ dnsutils \ @@ -137,8 +137,8 @@ RUN DEBIAN_FRONTEND=noninteractive \ libc6 \ libgcc1 \ libgssapi-krb5-2 \ - libicu66 \ - libssl1.1 \ + libicu70 \ + libssl3 \ libstdc++6 \ zlib1g \ lldb \ diff --git a/containers/base-service-Dockerfile b/containers/base-service-Dockerfile index 2689b5d7c7..e4fb871265 100644 --- a/containers/base-service-Dockerfile +++ b/containers/base-service-Dockerfile @@ -1,6 +1,6 @@ # Base docker image for most services we run in production on GCP -FROM ubuntu:20.04 +FROM ubuntu:22.04@sha256:bace9fb0d5923a675c894d5c815da75ffe35e24970166a48a4460a48ae6e0d19 as dark-base # Our deploy runs this on CircleCI, and the default URLs can sometimes be slow to # download from. This switches to the closest mirror to CircleCI (recommended by diff --git a/scripts/deployment/shipit b/scripts/deployment/shipit index a4a79d186e..c9d6531a08 100755 --- a/scripts/deployment/shipit +++ b/scripts/deployment/shipit @@ -54,6 +54,7 @@ def handle_error(msg: str) -> None: print(msg) if error is None: error = msg + sys.exit(-1) def debug(str: str, str2: Any = None, str3: Any = None) -> None: From d32d3af87ee09898b54632709b9991eae3855c48 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Tue, 7 Jun 2022 22:16:01 +0000 Subject: [PATCH 02/27] Move to latest python --- scripts/build/_build-server | 2 +- scripts/build/compile | 2 +- scripts/deployment/_push-assets-to-cdn | 4 ++-- scripts/deployment/shipit | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/build/_build-server b/scripts/build/_build-server index 25fd46b1d5..7500ff19fa 100755 --- a/scripts/build/_build-server +++ b/scripts/build/_build-server 
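Review bot: The new helm key line at the top of the hunk runs `curl` without `-f`/`-sSL`, and under the default `/bin/sh -c` there is no pipefail, so an HTTP error page or an empty response is dearmored into /usr/share/keyrings/helm.gpg and the build carries on with a broken keyring instead of failing. Prefer `RUN curl -fsSL https://baltocdn.com/helm/signing.asc | gpg --dearmor -o /usr/share/keyrings/helm.gpg`, and consider a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` earlier in the file so a failed fetch in any of these pipes stops the build. The other four key lines still go through `apt-key add`, which 22.04 deprecates; since this commit is the move to 22.04, the same signed-by pattern would fit them too.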
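Review bot: The nginx entry drops its exact version pin (`nginx=1.16.1-1~bionic` becomes `nginx`) while the comment earlier in this same file says production packages are pinned so that there are no surprises. If the bionic pin had to go because that build is not published for jammy, pin to the jammy build instead, e.g. `nginx=<JAMMY_NGINX_VERSION>~jammy`, or update the comment to record that nginx is now intentionally unpinned in this image.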
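Review bot: `sys.exit(-1)` in handle_error exits with status 255 (the value is reduced modulo 256), and because the process now exits immediately the `error = msg` bookkeeping on the line above is dead. Use `sys.exit(1)`, and check that `sys` is imported in shipit and that no caller relied on handle_error recording the message and continuing. The def line is only in the hunk header, so the function starts outside the hunk.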
@@ -1,4 +1,4 @@ -#!/usr/bin/env python3.8 +#!/usr/bin/env python3.10 # This is used, in concert with scripts/builder, to run Dark inside the dev # container. There is a strong connection between these files and diff --git a/scripts/build/compile b/scripts/build/compile index 00a64c4830..41c5ca06fd 100755 --- a/scripts/build/compile +++ b/scripts/build/compile @@ -1,4 +1,4 @@ -#!/usr/bin/env python3.8 +#!/usr/bin/env python3.10 import sys import subprocess diff --git a/scripts/deployment/_push-assets-to-cdn b/scripts/deployment/_push-assets-to-cdn index fcd65e2e55..5abf6eaa6c 100755 --- a/scripts/deployment/_push-assets-to-cdn +++ b/scripts/deployment/_push-assets-to-cdn @@ -1,4 +1,4 @@ -#!/usr/bin/env python3.8 +#!/usr/bin/env python3.10 import glob import os @@ -195,4 +195,4 @@ for mimetype in mimetypes_to_process: # Wrap up shutil.rmtree(temp_dir, ignore_errors=True) -print("Done!") \ No newline at end of file +print("Done!") diff --git a/scripts/deployment/shipit b/scripts/deployment/shipit index c9d6531a08..b295085d03 100755 --- a/scripts/deployment/shipit +++ b/scripts/deployment/shipit @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/usr/bin/env python3.10 # Script to manage deployment/release of kubernetes services From 90f329123838665d32a6489739308f5e62a25366 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 8 Jun 2022 12:24:57 +0000 Subject: [PATCH 03/27] Fix the comment --- containers/tunnel2/tunnel2-daemon | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/containers/tunnel2/tunnel2-daemon b/containers/tunnel2/tunnel2-daemon index f3181a3e8a..9fa82e5dbc 100755 --- a/containers/tunnel2/tunnel2-daemon +++ b/containers/tunnel2/tunnel2-daemon 
@@ -2,23 +2,16 @@ # DOC: what is this for? # -# We run this as its own k8s deployment (at time of writing, scale=1) and route -# all outgoing traffic through it by setting it as a SOCKS5 proxy in -# libhttpclient.ml's use of libcurl. (And and legacy.ml's.) +# We run this as its own k8s deployment (at time of writing, scale=1) and route all +# outgoing traffic through it by setting it as a SOCKS5 proxy in HttpClient (and +# LegacyHttpClient) # -# It currently restricts direct access to the ocaml server (you can't hit -# http://localhost:80/pkill to take out a pod; you have to send requests off-pod -# first, which forces incoming traffic to go through nginx, which 403s /pkill; -# thus, only k8s itself can hit /pkill), as well as to the GCE instance metadata -# (http://metadata, as observed in the security incident of 2020-04-27; we block -# this by disallowing egress to 169.* in a NetworkPolicy on the tunnel. This was -# the security incident of 2020-04-27.) -# -# The tunnel does not currently restrict traffic otherwise; it might be nice -# to block 10.* and thus disallow access to any cluster-internal routes, but at -# least for the moment we can't, as blocking 10.* would mean breaking DNS -# requests from the tunnel service. - +# It currently restricts direct access to the server (you can't hit the server +# directly; you have to send requests off-pod first, which forces incoming traffic to +# go through nginx), as well as to the GCE instance metadata (http://metadata, as +# observed in the security incident of 2020-04-27; we block this by disallowing +# egress to 169.* in a NetworkPolicy on the tunnel. This was the security incident of +# 2020-04-27.) set -euox pipefail From 715061cc00a940db5f52f1d687055ef6204fb370 Mon Sep 17 00:00:00 2001 
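Review bot: The rewritten header drops the paragraph stating that the tunnel does not otherwise restrict egress (cluster-internal 10.* routes stay reachable because blocking them broke DNS from the tunnel), so a reader now sees only what is blocked and may assume internal addresses are covered as well. Keep a one-line statement of that limitation, e.g. `# Note: egress to 10.* (cluster-internal) is NOT blocked; blocking it broke DNS from the tunnel.`, or if the policy has since changed, say what now applies.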
From: Paul Biggar Date: Wed, 8 Jun 2022 18:47:48 +0000 Subject: [PATCH 04/27] Switch to watchfiles --- Dockerfile | 7 +------ scripts/build/_build-server | 23 ++++++----------------- 2 files changed, 7 insertions(+), 23 deletions(-) diff --git a/Dockerfile b/Dockerfile index f220620c0c..f44cb37f48 100644 --- a/Dockerfile +++ b/Dockerfile @@ -249,14 +249,9 @@ RUN sudo pip3 install -U --no-cache-dir -U crcmod \ ############################ # Pip packages ############################ -RUN sudo pip3 install --no-cache-dir yq yamllint +RUN sudo pip3 install --no-cache-dir yq yamllint watchfiles yapf==0.32.0 ENV PATH "$PATH:/home/dark/.local/bin" -RUN pip3 install git+https://github.com/pbiggar/watchgod.git@b74cd7ec064ebc7b4263dc532c7c97e046002bef - -# Formatting -RUN pip3 install yapf==0.32.0 - #################################### # CircleCI #################################### diff --git a/scripts/build/_build-server b/scripts/build/_build-server index 7500ff19fa..0db027d4b7 100755 --- a/scripts/build/_build-server +++ b/scripts/build/_build-server @@ -30,6 +30,7 @@ def getFlags(): # Make io unbuffered def flush(fn): + def newfn(x): fn(x) sys.stdout.flush() 
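Review bot: `watchfiles` is added to the pip install line without a version while `yapf==0.32.0` on the same line is pinned, so a later rebuild can pull a different watchfiles release and change the behaviour of the watch loop that this same commit rewrites against its API. Pin it, e.g. `RUN sudo pip3 install --no-cache-dir yq yamllint watchfiles==<WATCHFILES_VERSION> yapf==0.32.0`; `yq` and `yamllint` were already unpinned before this change.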
@@ -152,26 +153,14 @@ def main(): run_fsharp_server() if should_watch: - import watchgod - # watchgod scans the file system on a loop. This is extremely - # fast so long as we list directory trees we don't want to go - # into. We prefer this to notification based systems as we've - # struggled to get them to work with our fun docker-based - # setup. + import watchfiles ignored = [ - ".git", - "_build", - "_esy", - "node_modules", - "integration-tests/node_modules", - "backend/static", - "lib", - "fsharp-backend/Build", + ".git", "_build", "_esy", "node_modules", "integration-tests/node_modules", + "backend/static", "lib", "fsharp-backend/Build" ] ignored = set(["/home/dark/app/" + f for f in ignored]) - for changes in watchgod.watch("/home/dark/app/", - watcher_cls=watchgod.AllWatcher, - watcher_kwargs=dict(ignored_paths=ignored)): + filter = watchfiles.DefaultFilter(ignore_paths=ignored) + for changes in watchfiles.watch("/home/dark/app/", watch_filter=filter): changes = [f for (_, f) in changes] compile(changes) From 1acd1b5d3b1d21e07d1836100dc0efbf053f3df9 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 8 Jun 2022 18:49:04 +0000 Subject: [PATCH 05/27] Don't mess up the terminal when running --- scripts/run-httptunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/run-httptunnel b/scripts/run-httptunnel index 9cc8324230..5dd2befd27 100755 --- a/scripts/run-httptunnel +++ b/scripts/run-httptunnel @@ -18,5 +18,5 @@ sudo pkill -f sleep.infinity || true sudo mkdir -p /run/sshd echo "Starting tunnel" # shellcheck disable=SC2024 -sudo ./"${TUNNEL_DAEMON_EXE}" > rundir/logs/tunnel.log 2>&1 & +nohup sudo ./"${TUNNEL_DAEMON_EXE}" > rundir/logs/tunnel.log 2>&1 & echo "Started tunnel" From 5f2da4959a3142ec12151c4d532ffe90a46e3451 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Thu, 9 Jun 2022 03:05:26 +0000 Subject: [PATCH 06/27] Prevent output from being messed up --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) 
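Review bot: The new `filter = watchfiles.DefaultFilter(ignore_paths=ignored)` shadows the builtin `filter` for the rest of main(); rename it, e.g. `watch_filter = watchfiles.DefaultFilter(ignore_paths=ignored)` and `for changes in watchfiles.watch("/home/dark/app/", watch_filter=watch_filter):`. `ignored` is a set at this point; confirm DefaultFilter accepts a set for ignore_paths rather than a sequence, or pass `sorted(ignored)`. main() begins and ends outside this hunk.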
diff --git a/Dockerfile b/Dockerfile index f44cb37f48..36bbb7e03e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -335,6 +335,8 @@ ENV PATH "$PATH:/home/dark/bin:/home/dark/.dotnet/tools" # tunnel user ############# RUN sudo adduser --disabled-password --gecos '' --gid ${gid} tunnel +# Remove use_pty as it messes up `su tunnel` commands +RUN sudo sed -i 's!Defaults\s\+use_pty!!' /etc/sudoers ############################ # Environment From 747739796e2882a4aee19fd5b4bc16cc9d7d2265 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 01:38:51 +0000 Subject: [PATCH 07/27] Latest ubuntu --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 36bbb7e03e..f4fdf70624 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ # as part of that build. Search for DOCKERFILE_REPO for where to make that # change. -FROM ubuntu:22.04@sha256:bace9fb0d5923a675c894d5c815da75ffe35e24970166a48a4460a48ae6e0d19 as dark-base +FROM ubuntu:22.04@sha256:817cfe4672284dcbfee885b1a66094fd907630d610cab329114d036716be49ba as dark-base ENV FORCE_BUILD 3 From b79b74182692dd327ff5403a23088d11e0e859cd Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 00:23:53 -0500 Subject: [PATCH 08/27] Add support for native amd64 to the dockerfile --- Dockerfile | 207 +++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 168 insertions(+), 39 deletions(-) diff --git a/Dockerfile b/Dockerfile index f4fdf70624..b19a92a0c2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,6 @@ +# syntax=docker/dockerfile:1 +# ^^ The line above is to allow heredocs. It must be before any other content in the file ^^ + # This is an image used to compile and test Dark. Later, we will use this to # create another dockerfile to deploy. 
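Review bot: `sed -i` rewrites /etc/sudoers in place with no validation, and a sudoers file that fails to parse disables sudo for every later RUN in this build and in the resulting devcontainer. Validate in the same step, `RUN sudo sed -i 's!Defaults\s\+use_pty!!' /etc/sudoers && sudo visudo -cf /etc/sudoers`, or leave the distro file alone and add a drop-in `Defaults !use_pty` under /etc/sudoers.d via `tee`. `use_pty` is a hardening default (it keeps a sudo-run command from driving the caller's terminal), so the comment should say this is a deliberate trade-off for the `su tunnel` workflow rather than only that it "messes up" commands.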
@@ -15,10 +18,14 @@ # as part of that build. Search for DOCKERFILE_REPO for where to make that # change. -FROM ubuntu:22.04@sha256:817cfe4672284dcbfee885b1a66094fd907630d610cab329114d036716be49ba as dark-base + +FROM ubuntu:22.04 as dark-base ENV FORCE_BUILD 3 +# Creates variables to allow builds to work on both amd64 and arm64 +ARG TARGETARCH + # These are reasonable defaults, and what the dark uid/gid would be if we didn't # specify values. By exposing them as build-args, we can set these values to # match the host user's uid/gid - allowing for dark-owned files in-container to @@ -58,10 +65,9 @@ RUN curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - RUN curl -sSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - RUN curl -sSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - RUN curl -sSL https://nginx.org/keys/nginx_signing.key | apt-key add - -RUN curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null -# We want postgres 9.6, but it is not in ubuntu 20.04 +# We want postgres 9.6, but it is not in later ubuntus RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list RUN echo "deb https://nginx.org/packages/ubuntu/ jammy nginx" > /etc/apt/sources.list.d/nginx.list 
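Review bot: `FROM ubuntu:22.04 as dark-base` drops the `@sha256:…` digest that the previous commit in this series had just pinned, presumably to let the image build for arm64, but a manifest-list digest resolves to the correct per-platform image, so the pin can stay: `FROM ubuntu:22.04@sha256:817cfe4672284dcbfee885b1a66094fd907630d610cab329114d036716be49ba as dark-base` (confirm that digest is the list digest and not the amd64 child image). Without it the base the dev image is built on can change silently between rebuilds.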
@@ -70,9 +76,7 @@ RUN echo "deb https://deb.nodesource.com/node_14.x jammy main" > /etc/apt/source RUN echo "deb-src https://deb.nodesource.com/node_14.x jammy main" >> /etc/apt/sources.list.d/nodesource.list RUN echo "deb http://packages.cloud.google.com/apt cloud-sdk main" > /etc/apt/sources.list.d/google-cloud-sdk.list -RUN echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list - -RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list +RUN echo "deb [arch=${TARGETARCH}] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list # Mostly, we use the generic version. However, for things in production we want # to pin the exact package version so that we don't have any surprises. As a @@ -116,7 +120,6 @@ RUN DEBIAN_FRONTEND=noninteractive \ docker-ce \ build-essential \ kubectl \ - helm \ python3-pip \ python3-setuptools \ python3-dev \ 
@@ -209,19 +212,121 @@ RUN sudo rm /etc/nginx/conf.d/default.conf RUN sudo rm -r /etc/nginx/nginx.conf RUN sudo chown -R dark:dark /var/log/nginx +############################ +# Scripts to install files from the internet +############################ +COPY <<-"EOF" /home/dark/install-targz-file +#!/bin/bash + +# Script to install binary files, checking the sha + +set -euo pipefail + +for i in "$@" ; do + case "${i}" in + --arm64-sha256=*) + ARM64_SHA256=${1/--arm64-sha256=/''} + shift + ;; + --amd64-sha256=*) + AMD64_SHA256=${1/--amd64-sha256=/''} + shift + ;; + --url=*) + URL=${1/--url=/''} + shift + ;; + --extract-file=*) + EXTRACT_FILE=${1/--extract-file=/''} + shift + ;; + --target=*) + TARGET=${1/--target=/''} + shift + ;; + esac +done +DIR=$(echo $URL | sed 's/[^0-9A-Za-z]*//g') +FILENAME=$(basename $URL) +case $(dpkg --print-architecture) in + arm64) CHECKSUM=$ARM64_SHA256;; + amd64) CHECKSUM=$AMD64_SHA256;; + *) exit 1;; +esac +mkdir -p $DIR +wget -P $DIR $URL +echo "$CHECKSUM $DIR/$FILENAME" | sha256sum -c - +tar xvf $DIR/$FILENAME -C $DIR +ls $DIR +sudo cp $DIR/${EXTRACT_FILE} ${TARGET} +sudo chmod +x ${TARGET} +rm -Rf $DIR +EOF + +COPY <<-"EOF" /home/dark/install-exe-file +#!/bin/bash + +# Script to install single files from tar.gz files, checking the sha + +set -euo pipefail + +for i in "$@" ; do + case "${i}" in + --arm64-sha256=*) + ARM64_SHA256=${1/--arm64-sha256=/''} + shift + ;; + --amd64-sha256=*) + AMD64_SHA256=${1/--amd64-sha256=/''} + shift + ;; + --url=*) + URL=${1/--url=/''} + shift + ;; + --target=*) + TARGET=${1/--target=/''} + shift + ;; + esac +done +DIR=$(echo $URL | sed 's/[^0-9A-Za-z]*//g') +FILENAME=$(basename $URL) +case $(dpkg --print-architecture) in + arm64) CHECKSUM=$ARM64_SHA256;; + amd64) CHECKSUM=$AMD64_SHA256;; + *) exit 1;; +esac +sudo wget -O ${TARGET} $URL +echo "$CHECKSUM ${TARGET}" | sha256sum -c - +sudo chmod +x ${TARGET} +EOF + +RUN sudo chown dark:dark /home/dark/install-targz-file +RUN chmod +x 
/home/dark/install-targz-file +RUN sudo chown dark:dark /home/dark/install-exe-file +RUN chmod +x /home/dark/install-exe-file + ############################ # Kubernetes ############################ RUN sudo kubectl completion bash | sudo tee /etc/bash_completion.d/kubectl > /dev/null +RUN /home/dark/install-targz-file \ + --arm64-sha256=57fa17b6bb040a3788116557a72579f2180ea9620b4ee8a9b7244e5901df02e4 \ + --amd64-sha256=2315941a13291c277dac9f65e75ead56386440d3907e0540bf157ae70f188347 \ + --url=https://get.helm.sh/helm-v3.10.2-linux-${TARGETARCH}.tar.gz \ + --extract-file=linux-${TARGETARCH}/helm \ + --target=/usr/bin/helm ############################ # Google cloud ############################ -# New authentication for docker - not supported via apt -RUN sudo wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 \ - -O /usr/bin/cloud_sql_proxy \ - && sudo chmod +x /usr/bin/cloud_sql_proxy +RUN /home/dark/install-exe-file \ + --arm64-sha256=834ecd08f54960ee88121ab70b05002bcfb99cd08a63bcd7a1a952c53e30a3ca \ + --amd64-sha256=fb66afb1cb8ee730314088eb7b299398bda6c0434b9b383b27a26b8951e775c5 \ + --url=https://storage.googleapis.com/cloudsql-proxy/v1.33.1/cloud_sql_proxy.linux.${TARGETARCH} \ + --target=/usr/bin/cloud_sql_proxy # PubSub ENV PUBSUB_EMULATOR_HOST=0.0.0.0:8085 
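Review bot: In install-exe-file the download is written straight to `${TARGET}` (e.g. /usr/bin/cloud_sql_proxy) and only then checksummed, so a mismatch aborts the build but leaves an unverified file sitting at the install path, unlike install-targz-file, which fetches into a scratch directory first. Download to a temp file, verify, then install it, as below. The two header comments are also swapped: install-targz-file says "install binary files" and install-exe-file says "install single files from tar.gz files". The option loops read `$1` and `shift` while iterating `for i in "$@"`, which only stays in sync while every argument matches a case; `URL=${i#--url=}` with no `shift` is the simpler form.
```dockerfile
COPY <<-"EOF" /home/dark/install-exe-file
#!/bin/bash

# Script to install a single binary from a URL, checking the sha

# … unchanged: set -euo pipefail, argument parsing, architecture/checksum selection …
TMPFILE=$(mktemp)
wget -O "$TMPFILE" "$URL"
echo "$CHECKSUM $TMPFILE" | sha256sum -c -
sudo install -m 0755 "$TMPFILE" "${TARGET}"
rm -f "$TMPFILE"
EOF
```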
@@ -261,36 +366,48 @@ RUN curl -fLSs https://raw.githubusercontent.com/CircleCI-Public/circleci-cli/ma # Shellcheck # Ubuntu has a very old version ############################ + RUN \ VERSION=v0.8.0 \ - && FILENAME=shellcheck-$VERSION.linux.x86_64.tar.xz \ - && wget -P tmp_install_folder/ https://github.com/koalaman/shellcheck/releases/download/$VERSION/$FILENAME \ - && tar xvf tmp_install_folder/$FILENAME -C tmp_install_folder \ - && sudo cp tmp_install_folder/shellcheck-$VERSION/shellcheck /usr/bin/shellcheck \ - && rm -Rf tmp_install_folder + && case ${TARGETARCH} in \ + arm64) FILENAME=shellcheck-$VERSION.linux.aarch64.tar.xz;; \ + amd64) FILENAME=shellcheck-$VERSION.linux.x86_64.tar.xz;; \ + *) exit 1;; \ + esac \ + && /home/dark/install-targz-file \ + --arm64-sha256=9f47bbff5624babfa712eb9d64ece14c6c46327122d0c54983f627ae3a30a4ac \ + --amd64-sha256=ab6ee1b178f014d1b86d1e24da20d1139656c8b0ed34d2867fbb834dad02bf0a \ + --url=https://github.com/koalaman/shellcheck/releases/download/$VERSION/$FILENAME \ + --extract-file=shellcheck-${VERSION}/shellcheck \ + --target=/usr/bin/shellcheck ############################ # Kubeconform - for linting k8s files ############################ + RUN \ VERSION=v0.4.14 \ - && wget -P tmp_install_folder/ https://github.com/yannh/kubeconform/releases/download/$VERSION/kubeconform-linux-amd64.tar.gz \ - && tar xvf tmp_install_folder/kubeconform-linux-amd64.tar.gz -C tmp_install_folder \ - && sudo cp tmp_install_folder/kubeconform /usr/bin/ \ - && rm -Rf tmp_install_folder + && /home/dark/install-targz-file \ + --arm64-sha256=0ff34c19b3b19905a9c87906c801d9d4325d0614ae48bc1b2543dc9ec908cf13 \ + --amd64-sha256=140044a5eb44a18e52d737ba15936f87b0e5fca3d34a02ae13b2d68025a449f3 \ + --url=https://github.com/yannh/kubeconform/releases/download/$VERSION/kubeconform-linux-${TARGETARCH}.tar.gz \ + --extract-file=kubeconform \ + --target=/usr/bin/kubeconform #################################### # Honeytail and honeymarker installs 
#################################### -RUN wget -q https://honeycomb.io/download/honeytail/v1.8.1/honeytail_1.8.1_amd64.deb && \ - echo '971ba06886c5436927a17f8494fe518084a385cb9b9b28e541296d658eb5cc8d honeytail_1.8.1_amd64.deb' | sha256sum -c && \ - sudo dpkg -i honeytail_1.8.1_amd64.deb && \ - rm honeytail_1.8.1_amd64.deb +RUN /home/dark/install-exe-file \ + --arm64-sha256=c5a57a729b0ccf4ca0f2287c862538812604f5fd67d102372e91215701afdbe1 \ + --amd64-sha256=d774112265ee8e98c6221232461cf36c35faf844005cc98b43b55bb375761766 \ + --url=https://github.com/honeycombio/honeytail/releases/download/v1.8.2/honeytail-linux-${TARGETARCH} \ + --target=/usr/bin/honeytail -RUN wget -q https://honeycomb.io/download/honeymarker/linux/honeymarker_1.9_amd64.deb && \ - echo '5aa10dd42f4f369c9463a8c8a361e46058339e6273055600ddad50e1bcdf2149 honeymarker_1.9_amd64.deb' | sha256sum -c && \ - sudo dpkg -i honeymarker_1.9_amd64.deb && \ - rm honeymarker_1.9_amd64.deb +RUN /home/dark/install-exe-file \ + --arm64-sha256=fef8c383419c86ceabb0bbffd3bcad2bf9223537fba9f848218480f873a96e8d \ + --amd64-sha256=6e08038f4587d515856076746ad3a69e67376eddd38d8657f449aad393b95cd8 \ + --url=https://github.com/honeycombio/honeymarker/releases/download/v0.2.10/honeymarker-linux-${TARGETARCH} \ + --target=/usr/bin/honeymarker #################################### 
@@ -315,17 +432,29 @@ ENV DOTNET_SDK_VERSION=6.0.300 \ # Enable correct mode for dotnet watch (only mode supported in a container) DOTNET_USE_POLLING_FILE_WATCHER=true -RUN curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/$DOTNET_SDK_VERSION/dotnet-sdk-$DOTNET_SDK_VERSION-linux-x64.tar.gz \ - && dotnet_sha512='52d720e90cfb889a92d605d64e6d0e90b96209e1bd7eab00dab1d567017d7a5a4ff4adbc55aff4cffcea4b1bf92bb8d351859d00d8eb65059eec5e449886c938' \ - && echo "$dotnet_sha512 dotnet.tar.gz" | sha512sum -c - \ - && sudo mkdir -p /usr/share/dotnet \ - && sudo tar -C /usr/share/dotnet -oxzf dotnet.tar.gz . \ - && sudo rm dotnet.tar.gz \ - # Trigger first run experience by running arbitrary cmd - && sudo ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \ - && dotnet help - -RUN sudo dotnet workload install wasm-tools +RUN \ + case ${TARGETARCH} in \ + arm64) \ + ARCH=arm64 \ + CHECKSUM=67eb088ccad197a39f104af60f3e6d12ea9b17560e059c0f7c8e956005d919d00bf0f3e487b06280be63ad57aa8895f16ebc8c92107c5019c9cf47bd620ea925 \ + ;; \ + amd64) \ + ARCH=x64 \ + CHECKSUM=52d720e90cfb889a92d605d64e6d0e90b96209e1bd7eab00dab1d567017d7a5a4ff4adbc55aff4cffcea4b1bf92bb8d351859d00d8eb65059eec5e449886c938 \ + ;; \ + *) exit 1;; \ + esac \ + && curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/$DOTNET_SDK_VERSION/dotnet-sdk-$DOTNET_SDK_VERSION-linux-${ARCH}.tar.gz \ + && echo "$CHECKSUM dotnet.tar.gz" | sha512sum -c - \ + && sudo mkdir -p /usr/share/dotnet \ + && sudo tar -C /usr/share/dotnet -oxzf dotnet.tar.gz . \ + && sudo rm dotnet.tar.gz \ + # Trigger first run experience by running arbitrary cmd + && sudo ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \ + && dotnet --help + +# Not supported on arm64 until maybe dotnet 8 - https://github.com/dotnet/runtime/issues/75613 +RUN if [[ ${TARGETARCH} == "amd64" ]]; then sudo dotnet workload install wasm-tools ; fi # formatting RUN dotnet tool install fantomas-tool --version 4.7.9 -g 
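Review bot: `RUN if [[ ${TARGETARCH} == "amd64" ]]; then …` runs under the default `/bin/sh -c` (no `SHELL` instruction is visible in this file), where `[[` is not available, so the step errors on every architecture instead of skipping wasm-tools on arm64. Use the POSIX test: `RUN if [ "${TARGETARCH}" = "amd64" ]; then sudo dotnet workload install wasm-tools; fi`. The `*) exit 1;;` fallback in the case and the sha512 check on the tarball are good to see.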
From 8fe5551c2dd354aa460a97291b05bc62242fd27c Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 00:24:26 -0500 Subject: [PATCH 09/27] Use native platform for docker --- scripts/builder | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/scripts/builder b/scripts/builder index 22f9ecaabc..ad809893f9 100755 --- a/scripts/builder +++ b/scripts/builder @@ -33,8 +33,7 @@ gid=$((gid > 1000 ? gid : 1000)) # -------------- if [[ ! -v NEVER_REBUILD_DOCKER ]]; then echo "Building docker image" - # Always build for linux/amd64 (new OSX arm machines have emulation) - docker buildx build --platform linux/amd64 -t dark --build-arg uid="$(id -u)" --build-arg gid="$gid" . + docker buildx build -t dark --build-arg uid="$(id -u)" --build-arg gid="$gid" . echo "Removing running containers" c=$(docker ps --filter "name=dark-builder" -q) @@ -123,7 +122,6 @@ docker run \ --init \ --rm \ -i \ - --platform linux/amd64 \ --dns 8.8.8.8 \ --dns 8.8.4.4 \ --name dark-builder \ From fbad9f3c0f4b26bbd1c9093864e0afd6f9727835 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 00:27:12 -0500 Subject: [PATCH 10/27] Fix postgres starting Co-authored-by: liweijian --- scripts/devcontainer/_start-background-services | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/scripts/devcontainer/_start-background-services b/scripts/devcontainer/_start-background-services index 5a4dd7a3b0..c9e44bfe9d 100755 --- a/scripts/devcontainer/_start-background-services +++ b/scripts/devcontainer/_start-background-services 
@@ -4,10 +4,27 @@ set -euo pipefail for name in "${@}"; do if [[ $name == postgresql ]]; then + + # When rebuilding the docker container (esp between ubuntu versions), the + # postgres user may have a different userid, so fix up the existing volume + sudo chown -R postgres:postgres /etc/postgresql + sudo chown -R postgres:postgres /var/log/postgresql + sudo chown -R postgres:postgres /var/lib/postgresql + # for some reason, uncommenting the equivalent line in the Dockerfile doesn't do the # job. don't have time right now to figure out why. LA="listen_addresses = '*'" echo "$LA" | sudo tee -a /etc/postgresql/9.6/main/postgresql.conf + + # Fix weird permission problem, see from https://github.com/puntonim/docker-postgresql93/issues/2 + sudo chmod 766 /etc/ssl/private + sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key + sudo mkdir /etc/ssl/private-copy + sudo mv /etc/ssl/private/* /etc/ssl/private-copy/ + sudo rm -r /etc/ssl/private + sudo mv /etc/ssl/private-copy /etc/ssl/private + sudo chmod -R 0700 /etc/ssl/private + sudo chown -R postgres /etc/ssl/private fi echo "--------------------------" From ebeb0d0113ba807624cec6ddc525ef5f6dab42df Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 00:35:31 -0500 Subject: [PATCH 11/27] Update dotnet-trace version --- fsharp-backend/.config/dotnet-tools.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fsharp-backend/.config/dotnet-tools.json b/fsharp-backend/.config/dotnet-tools.json index cea15f09d3..88efe9a122 100644 --- a/fsharp-backend/.config/dotnet-tools.json +++ b/fsharp-backend/.config/dotnet-tools.json @@ -7,7 +7,7 @@ "commands": ["paket"] }, "dotnet-trace": { - "version": "6.0.257301", + "version": "6.0.351802", "commands": ["dotnet-trace"] } } From 0375ddcb7e32eb56cdc2de5039effb9df5b0f666 Mon Sep 17 00:00:00 2001 
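Review bot: The SSL fix-up block is not re-runnable: `sudo mkdir /etc/ssl/private-copy` has no `-p`, so under `set -euo pipefail` the second start of postgresql in the same container aborts the script at that line. `sudo mkdir -p /etc/ssl/private-copy` makes the sequence idempotent. The intermediate `chmod 766` briefly makes /etc/ssl/private writable by group and others; since the directory is replaced and reset to 0700 a few lines later, that mode can likely be dropped or set to 0700 directly — confirm against the linked issue before changing it. The `for` loop enclosing this block starts and ends outside the hunk.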
From: Paul Biggar Date: Wed, 23 Nov 2022 00:47:42 -0500 Subject: [PATCH 12/27] Use architecture specific dockerfile --- Dockerfile | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index b19a92a0c2..d50adfe984 100644 --- a/Dockerfile +++ b/Dockerfile @@ -432,26 +432,27 @@ ENV DOTNET_SDK_VERSION=6.0.300 \ # Enable correct mode for dotnet watch (only mode supported in a container) DOTNET_USE_POLLING_FILE_WATCHER=true -RUN \ - case ${TARGETARCH} in \ - arm64) \ - ARCH=arm64 \ - CHECKSUM=67eb088ccad197a39f104af60f3e6d12ea9b17560e059c0f7c8e956005d919d00bf0f3e487b06280be63ad57aa8895f16ebc8c92107c5019c9cf47bd620ea925 \ - ;; \ - amd64) \ - ARCH=x64 \ - CHECKSUM=52d720e90cfb889a92d605d64e6d0e90b96209e1bd7eab00dab1d567017d7a5a4ff4adbc55aff4cffcea4b1bf92bb8d351859d00d8eb65059eec5e449886c938 \ - ;; \ - *) exit 1;; \ - esac \ - && curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/$DOTNET_SDK_VERSION/dotnet-sdk-$DOTNET_SDK_VERSION-linux-${ARCH}.tar.gz \ - && echo "$CHECKSUM dotnet.tar.gz" | sha512sum -c - \ - && sudo mkdir -p /usr/share/dotnet \ - && sudo tar -C /usr/share/dotnet -oxzf dotnet.tar.gz . \ - && sudo rm dotnet.tar.gz \ - # Trigger first run experience by running arbitrary cmd - && sudo ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \ - && dotnet --help +RUN < Date: Wed, 23 Nov 2022 01:01:35 -0500 Subject: [PATCH 13/27] add back the amd64 platform by default on arm --- scripts/builder | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/scripts/builder b/scripts/builder index ad809893f9..be666dc129 100755 --- a/scripts/builder +++ b/scripts/builder 
@@ -2,10 +2,11 @@ set -euo pipefail -# This is used, in concert with scripts/build/_build-server, to run Dark inside the -# devcontainer. There is a strong connection between these files and -# .circleci/config.yml, as well as devcontainer.yaml. Generally, if you add something -# to one of these files, there's an equivalent to be added in both .circleci/config.yml and devcontainer.yaml. +# This is used, in concert with scripts/build/_build-server, to run Dark inside +# the devcontainer. There is a strong connection between these files and +# .circleci/config.yml, as well as devcontainer.yaml. Generally, if you add +# something to one of these files, there's an equivalent to be added in both +# .circleci/config.yml and devcontainer.yaml. if [[ "${BASH_VERSINFO[0]}" -lt 4 ]]; then # Because we use `-v` @@ -33,7 +34,12 @@ gid=$((gid > 1000 ? gid : 1000)) # -------------- if [[ ! -v NEVER_REBUILD_DOCKER ]]; then echo "Building docker image" - docker buildx build -t dark --build-arg uid="$(id -u)" --build-arg gid="$gid" . + # Always build for linux/amd64 (new OSX arm machines have emulation). This is + # slow on MacOS but it gets there eventually. + # Most of the work is done to enable arm64 builds, but rescript 9.1.4 won't + # build on arm64 (10 supposedly does), and dotnet won't support building wasm + # until dotnet 8 at the earliest. + docker buildx build --platform linux/amd64 -t dark --build-arg uid="$(id -u)" --build-arg gid="$gid" . echo "Removing running containers" c=$(docker ps --filter "name=dark-builder" -q) @@ -122,6 +128,7 @@ docker run \ --init \ --rm \ -i \ + --platform linux/amd64 \ --dns 8.8.8.8 \ --dns 8.8.4.4 \ --name dark-builder \ From e749b4931832e779a912c547ac0188de7f484910 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 02:16:33 -0500 Subject: [PATCH 14/27] Fix syntax installing dotnet --- Dockerfile | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/Dockerfile b/Dockerfile index d50adfe984..8c2c710bb7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -443,15 +443,15 @@ case ${TARGETARCH} in CHECKSUM=52d720e90cfb889a92d605d64e6d0e90b96209e1bd7eab00dab1d567017d7a5a4ff4adbc55aff4cffcea4b1bf92bb8d351859d00d8eb65059eec5e449886c938 ;; *) exit 1;; -esac -&& curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/$DOTNET_SDK_VERSION/dotnet-sdk-$DOTNET_SDK_VERSION-linux-${ARCH}.tar.gz -&& echo "$CHECKSUM dotnet.tar.gz" | sha512sum -c - -&& sudo mkdir -p /usr/share/dotnet -&& sudo tar -C /usr/share/dotnet -oxzf dotnet.tar.gz . -&& sudo rm dotnet.tar.gz -# Trigger first run experience by running arbitrary cmd -&& sudo ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet -&& dotnet --help +esac +curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/$DOTNET_SDK_VERSION/dotnet-sdk-$DOTNET_SDK_VERSION-linux-${ARCH}.tar.gz +echo "$CHECKSUM dotnet.tar.gz" | sha512sum -c - +sudo mkdir -p /usr/share/dotnet +sudo tar -C /usr/share/dotnet -oxzf dotnet.tar.gz . +sudo rm dotnet.tar.gz +# Trigger first run experience by running arbitrary cmd \ +sudo ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet +dotnet --help EOF # Not supported on arm64 until maybe dotnet 8 - https://github.com/dotnet/runtime/issues/75613 From 72449834f01393b7b8c8cdd4e0f62d681dd548ad Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 09:37:20 -0500 Subject: [PATCH 15/27] remove not working conditional --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8c2c710bb7..5a8f1b7580 100644 --- a/Dockerfile +++ b/Dockerfile @@ -455,7 +455,7 @@ dotnet --help EOF # Not supported on arm64 until maybe dotnet 8 - https://github.com/dotnet/runtime/issues/75613 -RUN if [[ ${TARGETARCH} == "amd64" ]]; then sudo dotnet workload install wasm-tools ; fi +RUN sudo dotnet workload install wasm-tools # formatting RUN dotnet tool install fantomas-tool --version 4.7.9 -g 
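Review bot: The heredoc body shows no `set -e` (its opening lines are above this hunk), and lines in a heredoc RUN are not `&&`-chained, so if `sha512sum -c -` reports a mismatch the following lines still extract and symlink the unverified tarball — the check this step exists for would not stop the build. Add `set -euo pipefail` as the first line of the heredoc unless the lines outside the hunk already do; PATCH 16/27 in this series is titled "add error checking" but its hunk is not readable on this page. The trailing `\` on `# Trigger first run experience by running arbitrary cmd \` is inert inside a comment and should be dropped.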
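Review bot: Making `sudo dotnet workload install wasm-tools` unconditional leaves the comment directly above it ("Not supported on arm64 until maybe dotnet 8") contradicting the code and reintroduces a failing step on arm64 builds. The conditional it replaces was broken only because `[[` does not exist in the `/bin/sh` that shell-form RUN uses; the portable form keeps the skip: `RUN if [ "${TARGETARCH}" = "amd64" ]; then sudo dotnet workload install wasm-tools; fi`.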
From d7c93155124ddab570bf363684d4ab0141a9e202 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 15:41:17 +0000 Subject: [PATCH 16/27] Fix syntax, add error checking --- Dockerfile | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5a8f1b7580..42b15a338a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -433,24 +433,25 @@ ENV DOTNET_SDK_VERSION=6.0.300 \ DOTNET_USE_POLLING_FILE_WATCHER=true RUN < Date: Wed, 23 Nov 2022 16:21:19 +0000 Subject: [PATCH 17/27] Update CI image --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 76ef22cf09..b16d5bcfbf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -17,7 +17,7 @@ executors: IN_DEV_CONTAINER: true docker: # DOCKERFILE_REPO: see Dockerfile note about how this is built. - - image: darklang/dark-base:b1596ba + - image: darklang/dark-base:4cd3b01 commands: show-large-files-and-directories: From 3f9f950e7bfc162095e8928948d70a115df17dbe Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Wed, 23 Nov 2022 14:01:32 -0500 Subject: [PATCH 18/27] Match versions in production container to devcontainer --- containers/fsharp-service-Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/containers/fsharp-service-Dockerfile b/containers/fsharp-service-Dockerfile index da4086effe..bcdded391a 100644 --- a/containers/fsharp-service-Dockerfile +++ b/containers/fsharp-service-Dockerfile 
@@ -2,11 +2,11 @@ # FSharp installer image # Copied from https://github.com/dotnet/dotnet-docker/blob/main/src/runtime/6.0/focal/amd64/Dockerfile -FROM amd64/buildpack-deps:focal-curl as installer +FROM amd64/buildpack-deps:jammy-curl as installer # Retrieve .NET -RUN curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/6.0.201/dotnet-sdk-6.0.201-linux-x64.tar.gz \ - && dotnet_sha512='a4d96b6ca2abb7d71cc2c64282f9bd07cedc52c03d8d6668346ae0cd33a9a670d7185ab0037c8f0ecd6c212141038ed9ea9b19a188d1df2aae10b2683ce818ce' \ +RUN curl -SL --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Sdk/6.0.300/dotnet-sdk-6.0.300-linux-x64.tar.gz \ + && dotnet_sha512='52d720e90cfb889a92d605d64e6d0e90b96209e1bd7eab00dab1d567017d7a5a4ff4adbc55aff4cffcea4b1bf92bb8d351859d00d8eb65059eec5e449886c938' \ && echo "$dotnet_sha512 dotnet.tar.gz" | sha512sum -c - \ && mkdir -p /dotnet \ && tar -ozxf dotnet.tar.gz -C /dotnet \ @@ -23,14 +23,14 @@ RUN sudo apt-get update \ libc6 \ libgcc1 \ libgssapi-krb5-2 \ - libicu66 \ - libssl1.1 \ + libicu70 \ + libssl3 \ libstdc++6 \ zlib1g \ && sudo rm -rf /var/lib/apt/lists/* ENV \ - DOTNET_SDK_VERSION=6.0.201 \ + DOTNET_SDK_VERSION=6.0.300 \ DOTNET_RUNNING_IN_CONTAINER=true \ DOTNET_EnableDiagnostics=0 From 17ff1e5e1d69b8f2c7549fcdbe4943b1dc81757d Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Fri, 25 Nov 2022 02:18:21 +0000 Subject: [PATCH 19/27] Try to fix integration test by addressing warning --- containers/base-fsharp-nginx.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/containers/base-fsharp-nginx.conf b/containers/base-fsharp-nginx.conf index 1b943b16ca..d1fd52cf30 100644 --- a/containers/base-fsharp-nginx.conf +++ b/containers/base-fsharp-nginx.conf 
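Review bot: The SDK version `6.0.300` is now hard-coded twice in the `curl` URL and again in `ENV DOTNET_SDK_VERSION=6.0.300` in the second hunk, which is the same kind of drift between files this commit is fixing by hand. Declare it once, `ARG DOTNET_SDK_VERSION=6.0.300` before the first `FROM` (redeclared with a bare `ARG DOTNET_SDK_VERSION` in each stage that uses it), use `${DOTNET_SDK_VERSION}` in the URL and set the later `ENV` from it; the sha512 still has to be updated by hand, but with one version variable a stale checksum fails the `sha512sum -c` check instead of the image silently reporting a different SDK than it installs. `FROM amd64/buildpack-deps:jammy-curl` is pinned by tag only; pinning by digest would make the installer stage reproducible as well.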
@@ -7,6 +7,10 @@ worker_processes auto; error_log /var/log/nginx/error.log notice; pid /tmp/nginx.pid; +# CHANGED FOR DARK +# nginx complains if this setting isn't present +# ulimit -n is set to 1048576 in this container +worker_rlimit_nofile 1048576; events { # CHANGED FOR DARK From 01330295bdae36bb5b595515c5b66634cf61dc2e Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Fri, 25 Nov 2022 02:19:43 +0000 Subject: [PATCH 20/27] Improve comment --- containers/base-fsharp-nginx.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/containers/base-fsharp-nginx.conf b/containers/base-fsharp-nginx.conf index d1fd52cf30..a60ca043b9 100644 --- a/containers/base-fsharp-nginx.conf +++ b/containers/base-fsharp-nginx.conf @@ -9,7 +9,9 @@ pid /tmp/nginx.pid; # CHANGED FOR DARK # nginx complains if this setting isn't present -# ulimit -n is set to 1048576 in this container +# ulimit -n is set to 1048576 in the apiserver http-proxy container (also in the +# devcontainer, and also in the ngix-ingress container, though this config isn't used +# there) worker_rlimit_nofile 1048576; events { From d854709e2bd41dfcb4f40c0441fdb26fa1b2a43b Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Fri, 25 Nov 2022 22:52:51 +0000 Subject: [PATCH 21/27] Remove unused scripts --- .../devcontainer/_wait-until-container-ready | 11 ----------- scripts/devcontainer/_wait-until-server-ready | 17 ----------------- 2 files changed, 28 deletions(-) delete mode 100755 scripts/devcontainer/_wait-until-container-ready delete mode 100755 scripts/devcontainer/_wait-until-server-ready diff --git a/scripts/devcontainer/_wait-until-container-ready b/scripts/devcontainer/_wait-until-container-ready deleted file mode 100755 index eecaf32216..0000000000 --- a/scripts/devcontainer/_wait-until-container-ready +++ /dev/null 
@@ -1,11 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -until [[ "$(docker ps --last 1 --filter "ancestor=dark" --filter status=running --quiet)" != "" ]]; do - printf 'd' - sleep 1 -done - - - diff --git a/scripts/devcontainer/_wait-until-server-ready b/scripts/devcontainer/_wait-until-server-ready deleted file mode 100755 index 91a274d5e2..0000000000 --- a/scripts/devcontainer/_wait-until-server-ready +++ /dev/null @@ -1,17 +0,0 @@ -#!/usr/bin/env bash -. ./scripts/devcontainer/_assert-in-container "$0" "$@" - -set -euo pipefail - -function wait_for { - test_url="http://${DARK_CONFIG_STATIC_HOST}/$1" - count=0 - until curl --output /dev/null --silent --show-error --head --fail "${test_url}"; do - ((count++)) && ((count==60)) && exit 1 - printf "waiting for %s at %s\n" "$1" "$test_url" - sleep 1 - done -} - -wait_for app.js -wait_for app.css From 94eb00eb4fe0a9d7276cd068b177d69b8e096333 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Mon, 28 Nov 2022 21:43:06 +0000 Subject: [PATCH 22/27] Try a lower setting, since we can't see to increase it above this in CI --- containers/base-fsharp-nginx.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/containers/base-fsharp-nginx.conf b/containers/base-fsharp-nginx.conf index a60ca043b9..c9fa9bdc8b 100644 --- a/containers/base-fsharp-nginx.conf +++ b/containers/base-fsharp-nginx.conf @@ -10,9 +10,9 @@ pid /tmp/nginx.pid; # CHANGED FOR DARK # nginx complains if this setting isn't present # ulimit -n is set to 1048576 in the apiserver http-proxy container (also in the -# devcontainer, and also in the ngix-ingress container, though this config isn't used -# there) -worker_rlimit_nofile 1048576; +# devcontainer, and also in the nginx-ingress container, though this config isn't used +# there). However, it's limited to 65536 in CI. +worker_rlimit_nofile 65536; events { # CHANGED FOR DARK From 1784a70b45fcb0b313c79f5f745759aadbcf7255 Mon Sep 17 00:00:00 2001 
From: Paul Biggar Date: Mon, 28 Nov 2022 22:10:14 +0000 Subject: [PATCH 23/27] Make sure ApiServer has actually started --- fsharp-backend/src/ApiServer/ApiServer.fs | 5 ++++- scripts/devcontainer/_wait-until-apiserver-ready | 11 ++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/fsharp-backend/src/ApiServer/ApiServer.fs b/fsharp-backend/src/ApiServer/ApiServer.fs index 70562f9229..07dd3f60ab 100644 --- a/fsharp-backend/src/ApiServer/ApiServer.fs +++ b/fsharp-backend/src/ApiServer/ApiServer.fs @@ -53,7 +53,10 @@ let addRoutes // This route is used so that we know that the http proxy is actually proxying the server let checkApiserver : HttpHandler = (fun (ctx : HttpContext) -> - task { return ctx.Response.WriteAsync("success: this is apiserver") }) + task { + ctx.Response.StatusCode <- 200 + return ctx.Response.WriteAsync("success: this is apiserver") + }) let addRoute (verb : string) diff --git a/scripts/devcontainer/_wait-until-apiserver-ready b/scripts/devcontainer/_wait-until-apiserver-ready index 5d661e0824..df567faa6b 100755 --- a/scripts/devcontainer/_wait-until-apiserver-ready +++ b/scripts/devcontainer/_wait-until-apiserver-ready @@ -4,14 +4,15 @@ set -euo pipefail function wait_for { - test_url="http://${DARK_CONFIG_APISERVER_STATIC_HOST}/$1" count=0 - until curl --output /dev/null --silent --show-error --head --fail "${test_url}"; do + until curl --output /dev/null --silent --show-error --fail "$1"; do ((count++)) && ((count==60)) && exit 1 - printf "waiting for %s at %s\n" "$1" "$test_url" + printf "waiting for %s\n" "$1" sleep 1 done } -wait_for app.js -wait_for app.css \ No newline at end of file +# The static server is often ready before the ApiServer +wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.js +wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.css +wait_for http://${DARK_CONFIG_APISERVER_HOST}/check-apiserver \ No newline at end of file 
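Review bot: The handler still returns `ctx.Response.WriteAsync(...)` as a value rather than awaiting it, so the result is presumably a task wrapping an un-awaited write task, and the response can be considered complete before the body is flushed; that would fit the flakiness the readiness check is chasing. `return! ctx.Response.WriteAsync("success: this is apiserver")` (or `do! ctx.Response.WriteAsync(...)` then `return ()`) awaits the write — which form fits depends on the `HttpHandler` alias, which is outside this hunk. Setting `ctx.Response.StatusCode <- 200` is a no-op on a fresh `HttpResponse`, whose default status is already 200, unless something earlier in the pipeline changes it. `addRoutes` continues outside the hunk.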
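Review bot: The new `until curl --output /dev/null --silent --show-error --fail "$1"` loop has no per-attempt timeout, so a connection that is accepted but never answered can block a single iteration indefinitely and the `count==60` cap stops being a time bound; `curl --max-time 5 …` keeps each attempt bounded. The new `wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.js` lines pass the URL unquoted, which only works because the value contains no whitespace or glob characters; `wait_for "http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.js"` is the safer form, and the `check-apiserver` line should be quoted the same way.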
From 25853f2e268886e2be09dac93a3b3cb36095e1e0 Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Mon, 28 Nov 2022 23:12:29 +0000 Subject: [PATCH 24/27] Get nginx logs from circleci --- .circleci/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index b16d5bcfbf..7fb608b969 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -385,6 +385,7 @@ jobs: - run: integration-tests/_integration-test-results-to-honeycomb.sh - assert-clean-worktree - store_artifacts: { path: rundir } + - store_artifacts: { path: /var/log/nginx } - store_test_results: { path: rundir/test_results } - save_cache: name: "Save packagejson-specific cache" From b3856c897bd7534127c03ca3e16d621e3f2834fa Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Mon, 28 Nov 2022 23:43:06 +0000 Subject: [PATCH 25/27] Wait for blazor files to load --- scripts/devcontainer/_wait-until-apiserver-ready | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/devcontainer/_wait-until-apiserver-ready b/scripts/devcontainer/_wait-until-apiserver-ready index df567faa6b..63e33e720a 100755 --- a/scripts/devcontainer/_wait-until-apiserver-ready +++ b/scripts/devcontainer/_wait-until-apiserver-ready @@ -15,4 +15,10 @@ function wait_for { # The static server is often ready before the ApiServer wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.js wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.css -wait_for http://${DARK_CONFIG_APISERVER_HOST}/check-apiserver \ No newline at end of file +wait_for http://${DARK_CONFIG_APISERVER_HOST}/check-apiserver + +# Don't let nginx say it's ready until blazor files can be reached - sometimes these +# timeout otherwise +for file in backend/static/blazor/*.dll; do + wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/$file +done \ No newline at end of file From 9c78b7acf96fe25b19d103f5431860c601189461 Mon Sep 17 00:00:00 2001 
From: Paul Biggar Date: Mon, 28 Nov 2022 23:47:25 +0000 Subject: [PATCH 26/27] Wait for more files to be accessible --- scripts/devcontainer/_wait-until-apiserver-ready | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/devcontainer/_wait-until-apiserver-ready b/scripts/devcontainer/_wait-until-apiserver-ready index 63e33e720a..132e5dbd6d 100755 --- a/scripts/devcontainer/_wait-until-apiserver-ready +++ b/scripts/devcontainer/_wait-until-apiserver-ready @@ -12,13 +12,16 @@ function wait_for { done } -# The static server is often ready before the ApiServer wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.js wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/app.css +wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/blazor/dotnet.wasm + +# The static server is often ready before the ApiServer wait_for http://${DARK_CONFIG_APISERVER_HOST}/check-apiserver # Don't let nginx say it's ready until blazor files can be reached - sometimes these # timeout otherwise -for file in backend/static/blazor/*.dll; do - wait_for http://${DARK_CONFIG_APISERVER_STATIC_HOST}/$file +for file in backend/static/blazor/*.dll ; do + filename=$(basename $file) + wait_for "http://${DARK_CONFIG_APISERVER_STATIC_HOST}/blazor/$(unknown)" done \ No newline at end of file From 1b32f170f49b8b4e9942175d713257f52920ff9d Mon Sep 17 00:00:00 2001 From: Paul Biggar Date: Tue, 29 Nov 2022 00:30:01 +0000 Subject: [PATCH 27/27] Set ulimit -n properly --- .circleci/config.yml | 2 +- .devcontainer/devcontainer.json | 1 + containers/base-fsharp-nginx.conf | 8 +++++--- scripts/builder | 2 ++ 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7fb608b969..b4b4eccfa5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
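Review bot: In the new loop body `filename=$(basename $file)` is assigned but the URL appends `$(unknown)`, which as written runs a command named `unknown` and substitutes its (empty) output, so every iteration requests `/blazor/` rather than the DLL; if that token is an artifact of how this patch was captured, ignore this, otherwise the line should read `wait_for "http://${DARK_CONFIG_APISERVER_STATIC_HOST}/blazor/${filename}"`. Separately, when `backend/static/blazor/*.dll` matches nothing the pattern is passed through literally, so the script waits the full 60 iterations for a URL that can never exist and then exits 1 without saying why; `shopt -s nullglob` before the loop, or an explicit check that the directory is populated, makes that failure visible. `basename "$file"` should be quoted as well.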
@@ -17,7 +17,7 @@ executors: IN_DEV_CONTAINER: true docker: # DOCKERFILE_REPO: see Dockerfile note about how this is built. - - image: darklang/dark-base:4cd3b01 + - image: darklang/dark-base:89294ed commands: show-large-files-and-directories: diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 7af224db7f..195b28b3d4 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -49,6 +49,7 @@ "8.8.8.8", "--dns", "8.8.4.4", + "--ulimit=nofile=65536:65536", "--hostname", "dark-dev", "--env-file", diff --git a/containers/base-fsharp-nginx.conf b/containers/base-fsharp-nginx.conf index c9fa9bdc8b..cec05db25f 100644 --- a/containers/base-fsharp-nginx.conf +++ b/containers/base-fsharp-nginx.conf @@ -9,9 +9,11 @@ pid /tmp/nginx.pid; # CHANGED FOR DARK # nginx complains if this setting isn't present -# ulimit -n is set to 1048576 in the apiserver http-proxy container (also in the -# devcontainer, and also in the nginx-ingress container, though this config isn't used -# there). However, it's limited to 65536 in CI. +# This number must be >= worker_connections (below) and <= `ulimit -n` ("nofile", +# number of files). We've set `ulimit -n` to match CI, where it is set to 65536, and +# cannot be changed. In production, it's set to 1048576 in the apiserver http-proxy +# container (and also in the nginx-ingress container, though this config isn't used +# there). worker_rlimit_nofile 65536; events { diff --git a/scripts/builder b/scripts/builder index be666dc129..5abb271022 100755 --- a/scripts/builder +++ b/scripts/builder @@ -124,6 +124,7 @@ echo "Run the build" # -p 9000:9000 to expose the F# api server # -p 11001:11001 to expose the F# bwd server # -cap-add & -security-opt to attach a gdb/strace to .net code +# --ulimit=nofile=65536:65536 to match CI docker run \ --init \ --rm \ 
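Review bot: The added comment `# --ulimit=nofile=65536:65536 to match CI` explains the value, but 65536 now lives in this script, `.devcontainer/devcontainer.json` and `worker_rlimit_nofile` in `containers/base-fsharp-nginx.conf`, with only comments tying them together, and nginx will log a `setrlimit` alert if its value is ever raised above the container's hard limit. Naming the other two locations here, `# keep in sync with .devcontainer/devcontainer.json and worker_rlimit_nofile in containers/base-fsharp-nginx.conf`, gives the next person bumping the limit a checklist. The `docker run` command this comment documents continues in the next hunk.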
@@ -149,6 +150,7 @@ docker run \ --user "$(id -u):$gid" \ --cap-add=ALL \ --security-opt seccomp=unconfined \ + --ulimit=nofile=65536:65536 \ $MOUNTS \ dark \ scripts/build/_build-server "${@}"