feat: NODE-1236 - Bazel base image target

Author: garym-dfinity

ic-os/bootloader/BUILD.bazel

@@ -14,6 +14,7 @@ genrule(
         "bootloader-tree.tar",
     ],
     cmd = "$(location build-bootloader-tree.sh) -o $@",
+    tags = ["manual"],
     target_compatible_with = [
         "@platforms//os:linux",
     ],
@@ -25,6 +26,7 @@ vfat_image(
     src = ":bootloader-tree.tar",
     partition_size = "100M",
     subdir = "boot/efi",
+    tags = ["manual"],
     target_compatible_with = [
         "@platforms//os:linux",
     ],

ic-os/defs.bzl

@@ -7,7 +7,7 @@ load("//bazel:defs.bzl", "gzip_compress", "sha256sum2url", "zstd_compress")
 load("//bazel:output_files.bzl", "output_files")
 load("//gitlab-ci/src/artifacts:upload.bzl", "upload_artifacts")
 load("//ic-os/bootloader:defs.bzl", "build_grub_partition")
-load("//toolchains/sysimage:toolchain.bzl", "build_container_filesystem", "disk_image", "ext4_image", "sha256sum", "tar_extract", "upgrade_image")
+load("//toolchains/sysimage:toolchain.bzl", "build_container_base_image", "build_container_filesystem", "disk_image", "ext4_image", "sha256sum", "tar_extract", "upgrade_image")
 
 def icos_build(
         name,
@@ -18,6 +18,7 @@ def icos_build(
         upgrades = True,
         vuln_scan = True,
         visibility = None,
+        build_local_base_image = False,
         ic_version = "//bazel:version.txt"):
     """
     Generic ICOS build tooling.
@@ -31,6 +32,7 @@ def icos_build(
       upgrades: if True, build upgrade images as well
       vuln_scan: if True, create targets for vulnerability scanning
       visibility: See Bazel documentation
+      build_local_base_image: if True, build the base images from scratch. Do not download the docker.io base image.
       ic_version: the label pointing to the target that returns IC version
     """
 
@@ -67,13 +69,39 @@ def icos_build(
 
     build_container_filesystem_config_file = Label(image_deps.get("build_container_filesystem_config_file"))
 
-    build_container_filesystem(
-        name = "rootfs-tree.tar",
-        context_files = [image_deps["container_context_files"]],
-        config_file = build_container_filesystem_config_file,
-        target_compatible_with = ["@platforms//os:linux"],
-        tags = ["manual"],
-    )
+    if build_local_base_image:
+        base_image_tag = "base-image-" + name  # Reuse for build_container_filesystem_tar
+        package_files_arg = "PACKAGE_FILES=packages.common"
+        if "dev" in mode:
+            package_files_arg += " packages.dev"
+
+        build_container_base_image(
+            name = "base_image.tar",
+            context_files = [image_deps["container_context_files"]],
+            image_tag = base_image_tag,
+            dockerfile = image_deps["base_dockerfile"],
+            build_args = [package_files_arg],
+            target_compatible_with = ["@platforms//os:linux"],
+            tags = ["manual"],
+        )
+
+        build_container_filesystem(
+            name = "rootfs-tree.tar",
+            context_files = [image_deps["container_context_files"]],
+            config_file = build_container_filesystem_config_file,
+            base_image_tar_file = ":base_image.tar",
+            base_image_tar_file_tag = base_image_tag,
+            target_compatible_with = ["@platforms//os:linux"],
+            tags = ["manual"],
+        )
+    else:
+        build_container_filesystem(
+            name = "rootfs-tree.tar",
+            context_files = [image_deps["container_context_files"]],
+            config_file = build_container_filesystem_config_file,
+            target_compatible_with = ["@platforms//os:linux"],
+            tags = ["manual"],
+        )
 
     tar_extract(
         name = "file_contexts",
@@ -566,6 +594,7 @@ EOF
             ":update-img-test.tar.gz",
         ] if upgrades else []),
         visibility = visibility,
+        tags = ["manual"] if build_local_base_image else [],
     )
 
 # end def icos_build

ic-os/guestos/BUILD.bazel

@@ -21,6 +21,7 @@ filegroup(
 ext4_image(
     name = "partition-config.tar",
     partition_size = "100M",
+    tags = ["manual"],
     target_compatible_with = [
         "@platforms//os:linux",
     ],

ic-os/guestos/defs.bzl

@@ -19,6 +19,8 @@ def image_deps(mode, malicious = False):
     """
 
     deps = {
+        "base_dockerfile": "//ic-os/guestos:rootfs/Dockerfile.base",
+
         # Define rootfs and bootfs
         "bootfs": {
             # base layer
@@ -75,9 +77,17 @@ def image_deps(mode, malicious = False):
         "dev": {
             "build_container_filesystem_config_file": "//ic-os/guestos/envs/dev:build_container_filesystem_config.txt",
         },
+        "local-base-dev": {
+            # Use the non-local-base file
+            "build_container_filesystem_config_file": "//ic-os/guestos/envs/dev:build_container_filesystem_config.txt",
+        },
         "dev-malicious": {
             "build_container_filesystem_config_file": "//ic-os/guestos/envs/dev-malicious:build_container_filesystem_config.txt",
         },
+        "local-base-prod": {
+            # Use the non-local-base file
+            "build_container_filesystem_config_file": "//ic-os/guestos/envs/prod:build_container_filesystem_config.txt",
+        },
         "prod": {
             "build_container_filesystem_config_file": "//ic-os/guestos/envs/prod:build_container_filesystem_config.txt",
         },
@@ -90,6 +100,9 @@ def image_deps(mode, malicious = False):
         "dev": {
             "//ic-os/guestos:rootfs/allow_console_root": "/etc/allow_console_root:0644",
         },
+        "local-base-dev": {
+            "//ic-os/guestos:rootfs/allow_console_root": "/etc/allow_console_root:0644",
+        },
     }
 
     deps["rootfs"].update(extra_rootfs_deps.get(mode, {}))

ic-os/guestos/envs/local-base-dev/BUILD.bazel

@@ -0,0 +1,17 @@
+load("//ic-os:defs.bzl", "icos_build")
+load("//ic-os/guestos:defs.bzl", "image_deps")
+
+exports_files(["build_container_filesystem_config.txt"])
+
+# The macro contains several targets.
+# Check
+#       //ic-os/guestos/BUILD.bazel for examples
+#    or //ic-os/defs.bzl for the full list of targets.
+icos_build(
+    name = "local-base-dev",
+    build_local_base_image = True,
+    ic_version = "//bazel:rc_only_version.txt",
+    image_deps_func = image_deps,
+    upload_prefix = None,  # Do not upload locally built base images
+    visibility = ["//visibility:public"],
+)

ic-os/guestos/envs/local-base-prod/BUILD.bazel

@@ -0,0 +1,16 @@
+load("//ic-os:defs.bzl", "icos_build")
+load("//ic-os/guestos:defs.bzl", "image_deps")
+
+exports_files(["build_container_filesystem_config.txt"])
+
+# The macro contains several targets.
+# Check
+#       //ic-os/guestos/BUILD.bazel for examples
+#    or //ic-os/defs.bzl for the full list of targets.
+icos_build(
+    name = "local-base-prod",
+    build_local_base_image = True,
+    image_deps_func = image_deps,
+    upload_prefix = None,  # Do not upload locally built base images
+    visibility = ["//visibility:public"],
+)

ic-os/hostos/BUILD.bazel

@@ -19,6 +19,7 @@ filegroup(
 ext4_image(
     name = "partition-config.tar",
     partition_size = "100M",
+    tags = ["manual"],
     target_compatible_with = [
         "@platforms//os:linux",
     ],

ic-os/hostos/defs.bzl

@@ -21,6 +21,8 @@ def image_deps(mode, _malicious = False):
     """
 
     deps = {
+        "base_dockerfile": "//ic-os/hostos:rootfs/Dockerfile.base",
+
         # Define rootfs and bootfs
         "bootfs": {
             # base layer
@@ -57,6 +59,14 @@ def image_deps(mode, _malicious = False):
         "dev": {
             "build_container_filesystem_config_file": "//ic-os/hostos/envs/dev:build_container_filesystem_config.txt",
         },
+        "local-base-dev": {
+            # Use the non-local-base file
+            "build_container_filesystem_config_file": "//ic-os/hostos/envs/dev:build_container_filesystem_config.txt",
+        },
+        "local-base-prod": {
+            # Use the non-local-base file
+            "build_container_filesystem_config_file": "//ic-os/hostos/envs/prod:build_container_filesystem_config.txt",
+        },
         "prod": {
             "build_container_filesystem_config_file": "//ic-os/hostos/envs/prod:build_container_filesystem_config.txt",
         },
@@ -82,7 +92,7 @@ def _custom_partitions():
         pv_uuid = "eu0VQE-HlTi-EyRc-GceP-xZtn-3j6t-iqEwyv",
         # The image is pretty big, therefore it is usually much faster to just rebuild it instead of fetching from the cache.
         # TODO(IDX-2221): remove this when CI jobs and bazel infrastructure will run in the same clusters.
-        tags = ["no-remote-cache"],
+        tags = ["no-remote-cache", "manual"],
         target_compatible_with = [
             "@platforms//os:linux",
         ],

ic-os/hostos/envs/local-base-dev/BUILD.bazel

@@ -0,0 +1,18 @@
+load("//ic-os:defs.bzl", "icos_build")
+load("//ic-os/hostos:defs.bzl", "image_deps")
+
+exports_files(["build_container_filesystem_config.txt"])
+
+# The macro contains several targets.
+# Check
+#       //ic-os/hostos/BUILD.bazel for examples
+#    or //ic-os/defs.bzl for the full list of targets.
+icos_build(
+    name = "local-base-dev",
+    build_local_base_image = True,
+    ic_version = "//bazel:rc_only_version.txt",
+    image_deps_func = image_deps,
+    upload_prefix = None,  # Do not upload locally built base images
+    visibility = ["//visibility:public"],
+    vuln_scan = False,
+)

ic-os/hostos/envs/local-base-prod/BUILD.bazel

@@ -0,0 +1,17 @@
+load("//ic-os:defs.bzl", "icos_build")
+load("//ic-os/hostos:defs.bzl", "image_deps")
+
+exports_files(["build_container_filesystem_config.txt"])
+
+# The macro contains several targets.
+# Check
+#       //ic-os/hostos/BUILD.bazel for examples
+#    or //ic-os/defs.bzl for the full list of targets.
+icos_build(
+    name = "local-base-prod",
+    build_local_base_image = True,
+    image_deps_func = image_deps,
+    upload_prefix = None,  # Do not upload locally built base images
+    visibility = ["//visibility:public"],
+    vuln_scan = False,
+)