fix(dashboard): Use OCI images that have ca-certs and new glibc (#108)

BUILD.bazel

@@ -14,12 +14,16 @@ alias(
 alias(
     name = "poetry",
     actual = "@python_deps_poetry//:rules_python_wheel_entry_point_poetry",
+    tags = ["no-cache"],
 )
 
 py_binary(
     name = "mkdocs",
-    deps = ["@python_deps_mkdocs_material//:pkg"],
     srcs = ["@python_deps_mkdocs//:rules_python_wheel_entry_point_mkdocs"],
-    data = ["mkdocs.yml", "docs"],
+    data = [
+        "docs",
+        "mkdocs.yml",
+    ],
     main = "rules_python_wheel_entry_point_mkdocs.py",
+    deps = ["@python_deps_mkdocs_material//:pkg"],
 )

WORKSPACE.bazel

@@ -157,7 +157,7 @@ load("@rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")
 
 rules_oci_dependencies()
 
-load("@rules_oci//oci:repositories.bzl", "LATEST_CRANE_VERSION", "LATEST_ZOT_VERSION", "oci_register_toolchains")
+load("@rules_oci//oci:repositories.bzl", "LATEST_CRANE_VERSION", "oci_register_toolchains")
 
 oci_register_toolchains(
     name = "oci",
@@ -167,9 +167,13 @@ oci_register_toolchains(
 load("@rules_oci//oci:pull.bzl", "oci_pull")
 
 oci_pull(
-    name = "distroless_cc",
-    digest = "sha256:8aad707f96620ee89e27febef51b01c6ff244277a3560fcfcfbe68633ef09193",
-    image = "gcr.io/distroless/cc",
+    # Debian 12 image has a new glibc.
+    # https://console.cloud.google.com/gcr/images/distroless/global/cc-debian12
+    name = "distroless_cc_debian12",
+    # Note: this is a "debug" image, which means that it has busybox, so also a shell at /busybox/sh
+    # https://github.com/GoogleContainerTools/distroless/tree/9dc924b9fe812eec2fa0061824dcad39eb09d0d6?tab=readme-ov-file#debug-images
+    digest = "sha256:53895c8e3a37652d075d22dde58f40b310daa4a7a59d078b8a7f604d11b1adc6",
+    image = "gcr.io/distroless/cc-debian12",
     platforms = [
         "linux/amd64",
         "linux/arm64",

docs/bazel/tips-and-tricks.md

@@ -2,6 +2,76 @@
 ??? tip "Refresh Python dependencies in Bazel"
 
     Steps:
+
     1. `poetry add <dependency>`
     2. Run `./bin/poetry-export.sh`
     3. Use regular bazel operations, the new dependency should now be available
+
+??? tip "Local development and troubleshooting with OCI images"
+
+    Steps:
+    ```
+    # find available bazel build targets
+    bazel query ... | grep image
+
+    # build the image (target) of interest
+    bazel build //rs/slack-notifications:slack-notifications-image
+
+    # import the docker image generated by bazel into podman
+    IMAGE=$(find bazel-out/ -name slack-notifications-image)
+    podman load --input $IMAGE
+
+    # run and test:
+    podman run [<other-args>] localhost/bazel-out/k8-opt/bin/rs/slack-notifications/slack-notifications-image
+    ```
+
+??? tip "Add a deb package to an Ubuntu OCI image"
+
+    Example code to be added to WORKSPACE.bazel (adjustments are necessary for your package!):
+    ```
+    oci_pull(
+        # tag = 22.04
+        # https://hub.docker.com/layers/library/ubuntu/22.04/images/sha256-cb2af41f42b9c9bc9bcdc7cf1735e3c4b3d95b2137be86fd940373471a34c8b0
+        name = "ubuntu_22_04",
+        digest = "sha256:cb2af41f42b9c9bc9bcdc7cf1735e3c4b3d95b2137be86fd940373471a34c8b0",
+        image = "index.docker.io/library/ubuntu",
+    )
+
+    _DEB_TO_LAYER = """\
+    genrule(
+        name = "layer_tar",
+        srcs = ["@ubuntu22_ca_certificates//:data.tar.zst"],
+        outs = ["ca_certificates.tar"],
+        cmd = "cat $< | zstd -d - -c >| $@",
+        visibility = ["//visibility:public"],
+    )
+
+    alias(
+        name = "layer",
+        actual = ":data.tar.zst",
+        visibility = ["//visibility:public"],
+    )
+    """
+
+    http_archive(
+        name = "ubuntu22_ca_certificates",
+        build_file_content = _DEB_TO_LAYER,
+        sha256 = "8ddd3b5d72fa144e53974d6a5782d25a0a9e1eec006118ecf2b76d53a7530f6a",
+        urls = [
+            "http://mirrors.kernel.org/ubuntu/pool/main/c/ca-certificates/ca-certificates_20230311ubuntu0.22.04.1_all.deb",
+            "http://de.archive.ubuntu.com/ubuntu/pool/main/c/ca-certificates/ca-certificates_20230311ubuntu0.22.04.1_all.deb",
+            "http://ftp.osuosl.org/pub/ubuntu/pool/main/c/ca-certificates/ca-certificates_20230311ubuntu0.22.04.1_all.deb",
+        ],
+    )
+    ```
+
+    After that, once could add the additional layer to an image with something like:
+
+    ```
+    rust_binary_oci_image_rules(
+        name = "oci_image",
+        src = ":slack-notifications",
+        base_image = "@distroless_cc_debian12",
+        other_layers = ["@ubuntu22_ca_certificates//:layer_tar"],
+    )
+    ```

rs/ic-management-backend/BUILD.bazel

@@ -59,5 +59,5 @@ rust_test(
 rust_binary_oci_image_rules(
     name = "oci_image",
     src = ":ic-management-backend",
-    base_image = "@bitnami_git_docker_img"
+    base_image = "@distroless_cc_debian12",
 )

rs/oci_images.bzl

@@ -5,13 +5,14 @@ rules for creating oci images from rust binaries
 load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 
-def rust_binary_oci_image_rules(name, src, base_image = "@debian-slim"):
+def rust_binary_oci_image_rules(name, src, base_image = "@distroless_cc_debian12", other_layers = []):
     """macro for creating oci image from rust binary
 
     Args:
         name: not used
         src: label of rust binary to be put in the OCI image
         base_image: base image for building rust binaries
+        other_layers: optional of other layers to be added, e.g. deb packages
     """
     binary = native.package_relative_label(src)
     tar_rule_name = "{}_layer".format(binary.name)
@@ -26,7 +27,7 @@ def rust_binary_oci_image_rules(name, src, base_image = "@debian-slim"):
         # Consider using even more minimalistic docker image since we're using static compile
         base = base_image,
         entrypoint = ["/{}".format(binary.name)],
-        tars = [tar_rule_name],
+        tars = [tar_rule_name] + other_layers,
     )
 
     oci_push(

rs/slack-notifications/BUILD.bazel

@@ -37,4 +37,5 @@ rust_test(
 rust_binary_oci_image_rules(
     name = "oci_image",
     src = ":slack-notifications",
+    base_image = "@distroless_cc_debian12",
 )