example: add dockerfile build (#570)

.github/workflows/ci.yaml

@@ -141,6 +141,13 @@ jobs:
               ],
           )
           EOF
+
+      # the /examples/dockerfile uses buildx to build Dockerfile images which needs to use a docker-container
+      # builder to work, which does not exist by default. Create one here.
+      - name: Setup buildx
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: bazel run examples/dockerfile:buildx -- create --name container --driver=docker-container
+
       - name: bazel test //...
         working-directory: ${{ matrix.folder }}
         env:

WORKSPACE

@@ -80,3 +80,8 @@ new_local_repository(
 load(":fetch.bzl", "fetch_images")
 
 fetch_images()
+
+### Fetch buildx
+load("//examples/dockerfile:buildx.bzl", "fetch_buildx")
+
+fetch_buildx()

WORKSPACE.bzlmod

@@ -19,3 +19,8 @@ fetch_images()
 load("//cosign:repositories.bzl", "cosign_register_toolchains")
 
 cosign_register_toolchains(name = "oci_cosign")
+
+### Fetch buildx
+load("//examples/dockerfile:buildx.bzl", "fetch_buildx")
+
+fetch_buildx()

examples/dockerfile/BUILD.bazel

@@ -0,0 +1,50 @@
+load("@aspect_bazel_lib//lib:run_binary.bzl", "run_binary")
+load("@bazel_skylib//rules:native_binary.bzl", "native_binary")
+load("@container_structure_test//:defs.bzl", "container_structure_test")
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball")
+
+native_binary(
+    name = "buildx",
+    src = select({
+        "@bazel_tools//src/conditions:linux_x86_64": "@buildx_linux_amd64//file",
+        "@bazel_tools//src/conditions:darwin_arm64": "@buildx_darwin_arm64//file",
+        "@bazel_tools//src/conditions:darwin_x86_64": "@buildx_darwin_amd64//file",
+    }),
+    out = "buildx",
+)
+
+# docker buildx create --name container --driver=docker-container
+run_binary(
+    name = "base",
+    srcs = ["Dockerfile"] + glob(["src/*"]),
+    args = [
+        "build",
+        "./examples/dockerfile",
+        "--builder",
+        "container",
+        "--output=type=oci,tar=false,dest=$@",
+    ],
+    execution_requirements = {"local": "1"},
+    out_dirs = ["base"],
+    target_compatible_with = [
+        "@platforms//os:linux",
+    ],
+    tool = ":buildx",
+)
+
+oci_image(
+    name = "image",
+    base = ":base",
+)
+
+oci_tarball(
+    name = "tar",
+    image = ":image",
+    repo_tags = [],
+)
+
+container_structure_test(
+    name = "test",
+    configs = ["test.yaml"],
+    image = ":image",
+)

e2e/convert_docker_tarball/Dockerfile → examples/dockerfile/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:18.04
+FROM python:3.11.9-bullseye
 
 ARG DEBIAN_FRONTEND=noninteractive
 
@@ -10,3 +10,9 @@ RUN apt-get -y update \
     && apt-get -y install jq \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN pip install cowsay
+
+COPY src /app
+
+CMD ["/app/say.py"]

examples/dockerfile/README.md

@@ -0,0 +1,17 @@
+# Dockerfile + rules_oci
+
+STOP before committing this atrocity. Here's some good reasons why you should not do what we have done here.
+
+- Dockerfiles are fundamentally non-reproducible
+- Reproducible builds are important for Bazel, Dockerfiles will lead to poor cache hits.
+- `RUN` instruction is a perfect foot-gun for non-reprocubile builds, a simple command `RUN apt-get install curl` is non-hermetic by default.
+- Building the same Dockerfile one month apart will yield different results.
+- `FROM python:3.11.9-bullseye` is non-producible.
+
+# Resources
+
+https://reproducible-builds.org/
+https://github.com/bazel-contrib/rules_oci/issues/35#issuecomment-1285954483
+https://github.com/bazel-contrib/rules_oci/blob/main/docs/compare_dockerfile.md
+https://github.com/moby/moby/issues/43124
+https://medium.com/nttlabs/bit-for-bit-reproducible-builds-with-dockerfile-7cc2b9faed9f

examples/dockerfile/buildx.bzl

@@ -0,0 +1,31 @@
+"repos for buildx"
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file")
+
+def fetch_buildx():
+    http_file(
+        name = "buildx_linux_amd64",
+        urls = [
+            "https://github.com/docker/buildx/releases/download/v0.14.0/buildx-v0.14.0.linux-amd64",
+        ],
+        integrity = "sha256-Mvjxfso1vy7+bA5H9A5Gkqh280UxtCHvyYR5mltBIm4=",
+        executable = True,
+    )
+
+    http_file(
+        name = "buildx_darwin_arm64",
+        urls = [
+            "https://github.com/docker/buildx/releases/download/v0.14.0/buildx-v0.14.0.darwin-arm64",
+        ],
+        integrity = "sha256-3BdvI2ZgnMITKubwi7IZOjL5/ZNUv9Agz3+juNt0hA0=",
+        executable = True,
+    )
+
+    http_file(
+        name = "buildx_darwin_amd64",
+        urls = [
+            "https://github.com/docker/buildx/releases/download/v0.14.0/buildx-v0.14.0.darwin-amd64",
+        ],
+        integrity = "sha256-J6rZfENSvCzFBHDgnA8Oqq2FDXR+M9CTejhhg9DruPU=",
+        executable = True,
+    )

examples/dockerfile/src/say.py

@@ -0,0 +1,3 @@
+import cowsay
+
+cowsay.cow('moo!')

e2e/convert_docker_tarball/test.yaml → examples/dockerfile/test.yaml

@@ -9,13 +9,20 @@ metadataTest:
     - key: "LANGUAGE"
       value: "C.UTF-8"
   entrypoint: []
-  cmd: ["/bin/bash"]
+  cmd: ["/app/say.py"]
 
 commandTests:
   - name: "jq should be installed"
     command: "jq"
-    expectedError: ["jq - commandline JSON processor"]
-    exitCode: 2
+    args: ["--version"]
+    expectedOutput: ["jq\\-1\\.6"]
+    exitCode: 0
+
+  - name: "should say moo"
+    command: "python"
+    args: ["/app/say.py"]
+    expectedOutput: ["moo!"]
+    exitCode: 0
 
 fileExistenceTests:
   - name: "should not remove /var/lib/apt/lists"