Merge pull request #1465 from GoogleContainerTools/rules_distroless

refactor: start using rules_distroless

WORKSPACE

@@ -2,6 +2,24 @@ workspace(name = "distroless")
 
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
+# rules_distroless setup
+http_archive(
+    name = "rules_distroless",
+    sha256 = "08eeee56f857da3bb6f77d67f8246a1c4d50764debfbc8802a198f3997a3ae7c",
+    strip_prefix = "rules_distroless-0.1.6",
+    url = "https://github.com/GoogleContainerTools/rules_distroless/releases/download/v0.1.6/rules_distroless-v0.1.6.tar.gz",
+)
+
+load("@rules_distroless//distroless:dependencies.bzl", "rules_distroless_dependencies")
+
+rules_distroless_dependencies()
+
+load("@aspect_bazel_lib//lib:repositories.bzl", "register_expand_template_toolchains", "register_tar_toolchains")
+
+register_tar_toolchains()
+
+register_expand_template_toolchains()
+
 # rules_oci setup
 http_archive(
     name = "rules_oci",
@@ -146,11 +164,3 @@ load("@rules_rust//rust:repositories.bzl", "rust_register_toolchains", "rust_rep
 rust_repositories(edition = "2021")
 
 rust_register_toolchains()
-
-# rules_docker setup.
-# NOTE: this ruleset is almost unused and replaced by rules_oci completely expect a few helper macros that'll be hosted on distroless-tools.
-http_archive(
-    name = "io_bazel_rules_docker",
-    sha256 = "b1e80761a8a8243d03ebca8845e9cc1ba6c82ce7c5179ce2b295cd36f7e394bf",
-    urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.25.0/rules_docker-v0.25.0.tar.gz"],
-)

base/BUILD

@@ -1,102 +1,9 @@
-load(":base.bzl", "NONROOT", "distro_components")
+load(":base.bzl", "base_images")
 load(":distro.bzl", "DISTROS")
-load("@rules_pkg//:pkg.bzl", "pkg_tar")
-load("@io_bazel_rules_docker//contrib:group.bzl", "group_entry", "group_file")
-load("@io_bazel_rules_docker//contrib:passwd.bzl", "passwd_entry", "passwd_tar")
 
 package(default_visibility = ["//visibility:public"])
 
-NOBODY = 65534
-
-# Create /etc/passwd with the root user
-passwd_entry(
-    name = "root_user",
-    gid = 0,
-    home = "/root",
-    info = "root",
-    shell = "/sbin/nologin",
-    uid = 0,
-    username = "root",
-)
-
-passwd_entry(
-    name = "nobody_user",
-    create_home = False,
-    gid = NOBODY,
-    home = "/nonexistent",
-    info = "nobody",
-    shell = "/sbin/nologin",
-    uid = NOBODY,
-    username = "nobody",
-)
-
-passwd_entry(
-    name = "nonroot_user",
-    gid = NONROOT,
-    home = "/home/nonroot",
-    info = "nonroot",
-    shell = "/sbin/nologin",
-    uid = NONROOT,
-    username = "nonroot",
-)
-
-passwd_tar(
-    name = "passwd",
-    entries = [
-        ":root_user",
-        ":nobody_user",
-        ":nonroot_user",
-    ],
-    passwd_file_pkg_dir = "etc",
-)
-
-# Create /etc/group with the root, tty, and staff groups
-group_entry(
-    name = "root_group",
-    gid = 0,
-    groupname = "root",
-)
-
-group_entry(
-    name = "nobody_group",
-    gid = NOBODY,
-    groupname = "nobody",
-)
-
-group_entry(
-    name = "nonroot_group",
-    gid = NONROOT,
-    groupname = "nonroot",
-)
-
-group_entry(
-    name = "tty_group",
-    gid = 5,
-    groupname = "tty",
-)
-
-group_entry(
-    name = "staff_group",
-    gid = 50,
-    groupname = "staff",
-)
-
-group_file(
-    name = "group",
-    entries = [
-        ":root_group",
-        ":nobody_group",
-        ":tty_group",
-        ":staff_group",
-        ":nonroot_group",
-    ],
-)
-
-pkg_tar(
-    name = "group_tar",
-    srcs = [":group"],
-    mode = "0644",
-    package_dir = "etc",
-)
-
-[distro_components(distro) for distro in DISTROS]
+[
+    base_images(distro = distro)
+    for distro in DISTROS
+]

base/base.bzl

@@ -1,23 +1,21 @@
 "defines a function to replicate the container images for different distributions"
 
 load("@container_structure_test//:defs.bzl", "container_structure_test")
-load("@io_bazel_rules_go//go:def.bzl", "go_binary")
 load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//:checksums.bzl", "ARCHITECTURES", "VARIANTS")
-load("//cacerts:cacerts.bzl", "cacerts")
-
-NONROOT = 65532
+load("//common:variables.bzl", "NONROOT")
+load("//private/util:deb.bzl", "deb")
 
-def deb_file(arch, distro, package):
-    return "@{arch}_{distro}_{package}//:data".format(arch = arch, distro = distro, package = package)
+USER_VARIANTS = [("root", 0, "/"), ("nonroot", NONROOT, "/home/nonroot")]
 
-def deb_pkg(arch, distro, package):
-    return "@{arch}_{distro}_{package}".format(arch = arch, distro = distro, package = package)
+def base_images(distro):
+    """Replicate everything for all distroless suffixes
 
-# Replicate everything for all distroless suffixes
-def distro_components(distro):
-    USER_VARIANTS = [("root", 0, "/"), ("nonroot", NONROOT, "/home/nonroot")]
+    Args:
+        distro: name of the distribution
+    """
 
     # loop for multi-arch images
     for (user, _, _) in USER_VARIANTS:
@@ -70,11 +68,6 @@ def distro_components(distro):
         )
 
     for arch in ARCHITECTURES:
-        cacerts(
-            name = "cacerts_" + arch + "_" + distro,
-            deb = deb_file(arch, distro, "ca-certificates"),
-        )
-
         for (user, uid, workdir) in USER_VARIANTS:
             oci_image(
                 name = "static_" + user + "_" + arch + "_" + distro,
@@ -86,20 +79,20 @@ def distro_components(distro):
                     "SSL_CERT_FILE": "/etc/ssl/certs/ca-certificates.crt",
                 },
                 tars = [
-                    deb_pkg(arch, distro, "base-files"),
-                    deb_pkg(arch, distro, "netbase"),
-                    deb_pkg(arch, distro, "tzdata"),
-                    ":passwd",
-                    ":group_tar",
-
+                    deb.package(arch, distro, "base-files"),
+                    deb.package(arch, distro, "netbase"),
+                    deb.package(arch, distro, "tzdata"),
                     # Create /tmp, too many things assume it exists.
                     # tmp.tar has a /tmp with the correct permissions 01777
                     # A tar is needed because at the moment there is no way to create a
                     # directory with specific permissions.
                     ":tmp.tar",
                     ":nsswitch.tar",
-                    "//os_release:os_release_" + distro + ".tar",
-                    ":cacerts_" + arch + "_" + distro + ".tar",
+                    "//common:passwd",
+                    "//common:home",
+                    "//common:group",
+                    "//common:os_release_" + distro,
+                    "//common:cacerts_" + distro + "_" + arch,
                 ],
                 user = "%d" % uid,
                 workdir = workdir,
@@ -112,7 +105,7 @@ def distro_components(distro):
                 name = "base_nossl_" + user + "_" + arch + "_" + distro,
                 base = ":static_" + user + "_" + arch + "_" + distro,
                 tars = [
-                    deb_pkg(arch, distro, "libc6"),
+                    deb.package(arch, distro, "libc6"),
                 ],
             )
 
@@ -131,10 +124,10 @@ def distro_components(distro):
                 name = "base_" + user + "_" + arch + "_" + distro,
                 base = ":static_" + user + "_" + arch + "_" + distro,
                 tars = [
-                    deb_pkg(arch, distro, "libc6"),
+                    deb.package(arch, distro, "libc6"),
                 ] + [
-                    deb_pkg(arch, distro, deb)
-                    for deb in BASE_DISTRO_DEBS[distro]
+                    deb.package(arch, distro, pkg)
+                    for pkg in BASE_DISTRO_DEBS[distro]
                 ],
             )