Add the option to use docker containers #181
Conversation
Requires a gitian-builder version with devrandom/gitian-builder#181
| @@ -70,6 +71,10 @@ if [ $# != 0 ] ; then | |||
| VBOX=1 | |||
| shift 1 | |||
| ;; | |||
| --docker) | |||
| DOCKER=1 | |||
There was a problem hiding this comment.
Doesn't have a default value set on top of this script (like LXC and KVM). This later makes $DOCKER = "1" fail when not using docker.
bin/make-base-vm
Outdated
|
|
||
| ENV DEBIAN_FRONTEND=noninteractive | ||
| RUN apt-get update | ||
| RUN apt-get --no-install-recommends -y install $addpkg |
There was a problem hiding this comment.
This should be combined with the previous statement to avoid rare caching issues that would cause the install to fail.
C.f. https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
|
I like this in concept, but I have some concerns about trust. I worry that there is no way to validate that the pulled docker image (e.g. Debian) hasn't been tampered with. If everybody builds using docker, that will become a single point of potential compromise. Any thoughts on this? |
|
To clarify, I contrast this with distribution supplied CD/DVD images, which (I believe) have more eyes on them. |
The main information page for the Ubuntu docker images is at https://hub.docker.com/r/_/ubuntu/. This page has links to the repo which contains the stuff for building the ubuntu docker images, including the Ubuntu images from Canonical. So you can clone that repo, build the docker image yourself, and use The only problem with this is that the docker image used is from https://partner-images.canonical.com/core/ which is not where the normal official Ubuntu images are downloaded from. For debian, the main information page has a section that describes how the images are made deterministically so you can do the same process and then check that the build docker image matches the downloaded one.
That is certainly the case. I don't think these docker images have as many eyes on them as the normal distributions. You can also specify a specific image by its SHA256 hash, so you can verify that a particular image is legit, and then just use that one only by specifying its hash. |
|
That's very good to know, thank you. |
libexec/start-target
Outdated
| @@ -34,4 +36,7 @@ case $VMSW in | |||
| VBoxManage startvm "Gitian-${2}" --type headless | |||
| echo "Gitian-${2}" > var/target.vmname | |||
| ;; | |||
| DOCKER) | |||
| docker run -t -d -P --name gitian-target base-$SUFFIX:latest > /dev/null | |||
There was a problem hiding this comment.
Why -t - is the pty used somehow?
Why -P - we're not exposing any ports?
There was a problem hiding this comment.
-t is necessary for the container to stay up.
-P is not necessary, I have removed it.
bin/make-base-vm
Outdated
|
|
||
| RUN useradd -ms /bin/bash -U ubuntu | ||
| USER ubuntu:ubuntu | ||
| WORKDIR /home/ubuntu |
There was a problem hiding this comment.
Is that right, or should it be $DISTRO on these three lines instead of ubuntu?
There was a problem hiding this comment.
That should be $DISTRO, fixed.
achow101
force-pushed
the
docker
branch
2 times, most recently
from
f081e69 to
0b44462
Compare
| FROM $DISTRO:$SUITE | ||
|
|
||
| ENV DEBIAN_FRONTEND=noninteractive | ||
| RUN apt-get update && apt-get --no-install-recommends -y install $addpkg |
There was a problem hiding this comment.
Does it make sense to run a dist-upgrade here as well? This seems to be done later by gitian-builder nevertheless, but doing it here as well would speed up the later upgrade.
There was a problem hiding this comment.
I think we should keep the base vm image as close to what lxc and kvm modes would generate. AFAICT, they don't do dist-upgrade either.
bin/make-base-vm
Outdated
| CMD ["/bin/bash"] | ||
| EOF | ||
|
|
||
| docker build -f $OUT.Dockerfile -t $OUT . |
There was a problem hiding this comment.
Adding --pull here would also speed up later dist-upgrades.
Requires a gitian-builder version with devrandom/gitian-builder#181 This will also switch to use Docker by default.
* gitian-build.sh: fix signProg being recognized as two parameters * Support docker based Gitian builds Requires a gitian-builder version with devrandom/gitian-builder#181 This will also switch to use Docker by default. * Switch back to using lxc as default until upstream gitian-builder is ready
bin/make-base-vm
Outdated
| USER $DISTRO:$DISTRO | ||
| WORKDIR /home/$DISTRO | ||
|
|
||
| CMD ["/bin/bash"] |
There was a problem hiding this comment.
I assume this is why there is the -t flag. If you want it to just stay up, why not explicitly have a wait+sleep loop here? It seems cleaner.
There was a problem hiding this comment.
I don't think we can do that. The line is supposed to be of the form CMD [“executable”, “param1”, “param2”…]. I don't know how such a loop would be written in that form.
There was a problem hiding this comment.
CMD ["bash", "-c", "while true; do sleep 1; done"] should work
There was a problem hiding this comment.
Actually, you can do CMD ["sleep", "infinity"]
make-base-vm can be run with --docker to create a dockerfile and docker image for the specified arch and suite.
start-target creates and starts a docker container from the image created by make-base-vm stop-target stops and removes the docker container from start-target copy-from-target, copy-to-target, and on-target can execute commands and copy files to and from the docker container started by start-target. make-clean-vm does nothing because nothing needs to be done to make a clean docker container.
|
After reading I'll go ahead and merge this, but would be great if a PR could be submitted for that, and Bitcoin and other Gitian descriptors are updated to specify the digest. |
Well |
|
That may confuse the user, since it will stop working if they switch to another virtualization. Seems like it's virtualization specific, so maybe it should be something like |
|
To be more precise, the Gitian descriptors were meant to be virtualization tech independent. |
|
Ah, good point. I will open a PR for that later today or tomorrow. |
|
Great. |
* gitian-build.sh: fix signProg being recognized as two parameters * Support docker based Gitian builds Requires a gitian-builder version with devrandom/gitian-builder#181 This will also switch to use Docker by default. * Switch back to using lxc as default until upstream gitian-builder is ready
This PR adds another VM type: docker containers.
Since vmbuilder appears to be borked in recent versions (at least for how we are using it) and people have had issues with lxc in the past (including myself), I have added the option of using docker containers instead of LXC, KVM, or vbox. Setting up and using the docker containers is just as easy and seamless as the setup for lxc and kvm, except it should actually work since the docker people know what they are doing and have made it easy to actually setup and interact with docker containers.
make-base-vmnow has a--dockerswitch to enable docker containers. Like with lxc, aUSE_DOCKERenvironment variable needs to be set for the other scripts to use docker.I have tested this with a build of Bitcoin Core 0.16.1rc1. The host is Ubuntu 18.04 while the container uses Ubuntu 14.04 as specified by the Bitcoin Core gitian descriptors. The binaries built matched those built by others using lxc or kvm (I am currently unable to compare with my own lxc and kvm builds because neither work for me).
While this PR supports using debian instead of ubuntu, I have no idea whether it actually works and I don't have anything to test that with.