Build Wolfi images #47182
This means that even when building on an ARM mac, you'll build an x86_64 image
Codenotify: Notifying subscribers in CODENOTIFY files for diff 2228b36...b4e44bb.
Codenotify: Notifying subscribers in OWNERS files for diff 2228b36...b4e44bb.
It's great to finally see this land 😊
I've noticed that in some cases the bazel building process is not ported. I think that's fine, because we'll need to update those things anyway: wolfi isn't running musl, so we've got to tweak a few of them regardless.
And we haven't fully landed those either, so we can update them afterward. I don't think it would be wise to delay landing and testing this because of it.
```sh
export CGO_ENABLED=0

echo "--- go build"
pkg="github.com/sourcegraph/sourcegraph/cmd/frontend"
```
You didn't port the bazel build in that one?
I've just been tracking what the build.sh script on main does, and for this image it doesn't use bazel - https://github.com/sourcegraph/sourcegraph/blob/main/cmd/frontend/build.sh
Yeah, that's because in our branch, it's done in a build-bazel.sh
Images will be pinned to specific hashes when entering production
We have packages, we have base images, so let's build some actual runnable images!
This PR is my main branch for building Wolfi-based versions of our first-party docker images.
Progress tracked in https://github.com/sourcegraph/security/issues/447
Notes for reviewers
Reviewing does not need to be comprehensive (so don't worry about inspecting every single build script or dockerfile!), as I'll be doing a full verification of each image prior to merging. Helpful feedback would be on any patterns you think could be improved.
One area that could use improvement is duplication in the `wolfi-images/` directory - we could use some YAML templating here.

For each image there's a:

- `build-wolfi.sh` alongside the standard `build.sh` script. Changes are minimal, and in most cases just change `docker build -f Dockerfile [...]` to `Dockerfile.wolfi`. In a few cases they remove unneeded build scripts, such as `install-ctags.sh`.
- `Dockerfile.wolfi`, which contains the bulk of the changes.

The apko build definitions are in the `wolfi-images/` directory. Simple images without additional package requirements rely on `wolfi-images/sourcegraph.yaml`. Images that require packaged deps have their own `.yaml` file.

Test plan

`main-dry-run` prior to merging: https://buildkite.com/sourcegraph/sourcegraph/builds/214773#_
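To illustrate the shape of the apko definitions described above, here is a minimal Wolfi base-image definition as an added example; it is not the PR's own `wolfi-images/sourcegraph.yaml`, and the package list, user/group ids, environment and entrypoint are assumptions. It pins the output architecture to x86_64 (the behaviour the commit message above describes for ARM macs) and runs the container as a non-root user.

```yaml
# Illustrative apko definition (not the PR's sourcegraph.yaml).
# Packages, uid/gid values, environment and entrypoint are assumptions.
contents:
  repositories:
    - https://packages.wolfi.dev/os
  keyring:
    # Every package is signature-checked against this key at build time,
    # so a tampered or substituted package fails the build.
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  packages:
    - wolfi-base
    - ca-certificates-bundle
    - tzdata

# Pin the target architecture: the image is x86_64 even when built on an
# ARM host, so host and production artefacts do not silently diverge.
archs:
  - x86_64

accounts:
  groups:
    - groupname: sourcegraph
      gid: 101
  users:
    - username: sourcegraph
      uid: 100
      gid: 101
  # Processes in the container start as this unprivileged user, not root.
  run-as: sourcegraph

environment:
  PATH: /usr/sbin:/sbin:/usr/bin:/bin

entrypoint:
  command: /bin/sh -l

# Build with: apko build sourcegraph.yaml sourcegraph:dev sourcegraph.tar
```

Images that need extra packaged dependencies would carry their own definition with those packages added under `contents.packages`, which is the split between `sourcegraph.yaml` and the per-image `.yaml` files described above.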