getsentry · Dav1dde · Apr 29, 2024 · Mar 15, 2024 · Mar 15, 2024 · Mar 15, 2024
@@ -13,3 +13,6 @@
 
 !docker-entrypoint.sh
 !Makefile
+
+# CI files necessary for building the docker file
+!linux/
@@ -18,25 +18,25 @@ jobs:
         with:
           submodules: recursive
 
-      - name: Build in Docker
+      - name: Install Rust Toolchain
+        run: rustup toolchain install stable --profile minimal --no-self-update
+
+      - name: Build binary
         run: |
-          # Get the latest stable rust toolchain version available
-          TOOLCHAIN=$(curl -s 'https://static.rust-lang.org/dist/channel-rust-stable.toml' | awk '/\[pkg.rust\]/ {getline;print;}' | sed -r 's/^version = "([0-9.]+) .*/\1/')
-          scripts/docker-build-linux.sh "$TOOLCHAIN"
+          make build-linux-release
         env:
-          BUILD_ARCH: x86_64
           RELAY_FEATURES:
 
       - name: Bundle Debug File
         run: |
-          cd target/x86_64-unknown-linux-gnu/release/
+          cd target/release/
           zip relay-Linux-x86_64-debug.zip relay.debug
           mv relay relay-Linux-x86_64
 
       - uses: actions/upload-artifact@v3
         with:
           name: ${{ github.sha }}
-          path: target/x86_64-unknown-linux-gnu/release/relay-Linux-x86_64*
+          path: target/release/relay-Linux-x86_64*
 
   macos:
     name: macOS

@@ -183,100 +183,181 @@ jobs:
     timeout-minutes: 30
     strategy:
       matrix:
-        # the arm64 build takes too long, so disable for now
-        arch: [amd64]
         image_name: [relay, relay-pop]
+        target: [x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu]
 
-    name: Build Docker Image
+    name: Build Relay Binary
     runs-on: ubuntu-latest
 
-    # Skip redundant checks for library releases
     if: "!startsWith(github.ref, 'refs/heads/release-library/')"
 
     env:
-      IMG_BASE: ghcr.io/getsentry/${{ matrix.image_name }}
-      IMG_DEPS: ghcr.io/getsentry/${{ matrix.image_name }}-deps:${{ matrix.arch }}
-      # GITHUB_SHA in pull requests points to the merge commit
-      IMG_VERSIONED: ghcr.io/getsentry/${{ matrix.image_name }}:${{ github.event.pull_request.head.sha || github.sha }}
-      ARCH: ${{ matrix.arch }}
+      RELAY_BIN: "target/${{ matrix.target }}/release/relay"
+      FEATURES: |-
+        ${{fromJson('{ 
+          "relay": "processing,crash-handler", 
+          "relay-pop": "crash-handler"
+        }')[matrix.image_name] }}
+      DOCKER_PLATFORM: |-
+        ${{fromJson('{ 
+          "x86_64-unknown-linux-gnu": "linux/amd64",
+          "aarch64-unknown-linux-gnu": "linux/arm64" 
+        }')[matrix.target] }}
+      # Fix editor: '
 
     steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y llvm
+
       - uses: actions/checkout@v4
         with:
           submodules: recursive
 
+      - uses: dtolnay/rust-toolchain@stable
       - uses: swatinem/rust-cache@v2
         with:
-          key: ${{ github.job }}-${{ matrix.arch }}
+          key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}"
+
+      - name: Install Cross
+        # We need a nightly version of cross for `cross-util`.
+        run: cargo install cross --git https://github.com/cross-rs/cross --rev 085092c
+
+      - name: Compile
+        run: |
+          export PATH="/home/runner/.cargo/bin/:$PATH"
 
-      - run: docker run --rm --privileged tonistiigi/binfmt --install arm64
-        if: matrix.arch == 'arm64'
+          cross build --release --locked --features "${FEATURES}" --target "${{ matrix.target }}"
 
-      - name: Build
+      - name: Split debug info
         run: |
-          # Get the latest stable rust toolchain version available
-          TOOLCHAIN=$(curl -s 'https://static.rust-lang.org/dist/channel-rust-stable.toml' | awk '/\[pkg.rust\]/ {getline;print;}' | sed -r 's/^version = "([0-9.]+) .*/\1/')
-          ./scripts/build-docker-image.sh "$ARCH" "$TOOLCHAIN" ${{ matrix.image_name }}
+          llvm-objcopy --only-keep-debug "${RELAY_BIN}"{,.debug}
+          llvm-objcopy --strip-debug --strip-unneeded "${RELAY_BIN}"
+          llvm-objcopy --add-gnu-debuglink "${RELAY_BIN}"{.debug,}
+
+          cross-util run --target "${{ matrix.target }}" -- "sentry-cli difutil bundle-sources ${RELAY_BIN}.debug"
+          zip "${RELAY_BIN}.debug.zip" "${RELAY_BIN}.debug"
 
-      - name: Export Docker Image
-        run: docker save -o ${{ matrix.image_name }}-docker-image.tgz $IMG_VERSIONED
+      - name: Prepare Artifacts
+        run: |
+          mkdir -p "artifacts/${DOCKER_PLATFORM}"
+          cp "${RELAY_BIN}"{,.debug.zip,.src.zip} "artifacts/${DOCKER_PLATFORM}"
 
-      - name: Upload Docker Image to Artifact
-        uses: actions/upload-artifact@v3
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v4
         with:
           retention-days: 1
-          name: ${{ matrix.image_name }}-docker-image
-          path: ${{ matrix.image_name }}-docker-image.tgz
+          name: ${{ matrix.image_name }}@${{ matrix.target }}
+          path: "./artifacts/*"
+
+  build-docker:
+    timeout-minutes: 5
+    needs: build
+
+    name: Build Docker Image
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        image_name: [relay, relay-pop]
+
+    env:
+      PLATFORMS: "linux/amd64,linux/arm64"
+      DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
+      REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: "${{ matrix.image_name }}@*"
+          merge-multiple: true
 
-      - name: Push to ghcr.io
-        # Do not run this on forks as they do not have access to secrets
+      - name: Build and push to ghcr.io
         if: "!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'"
         run: |
-          set -euxo pipefail
           docker login --username '${{ github.actor }}' --password '${{ secrets.GITHUB_TOKEN }}' ghcr.io
-          docker push $IMG_DEPS
-          docker push $IMG_VERSIONED
 
-      - name: Push nightly to ghcr.io
-        if: github.ref == 'refs/heads/master'
+          docker buildx build \
+            --platform "${PLATFORMS}" \
+            --tag "${DOCKER_IMAGE}:${REVISION}" \
+            $( [[ "${GITHUB_REF}" == "refs/heads/master" ]] && printf %s "--tag ${DOCKER_IMAGE}:nightly" ) \
+            --file Dockerfile.release \
+            --push .
+
+  publish-to-dockerhub:
+    needs: build-docker
+
+    runs-on: ubuntu-20.04
+    name: Publish Relay to DockerHub
+
+    strategy:
+      matrix:
+        image_name: [relay] # Don't publish relay-pop (for now)
+
+    if: ${{ (github.ref_name == 'master') }}
+
+    env:
+      GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
+      DH_DOCKER_IMAGE: "getsentry/${{ matrix.image_name }}"
+      REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
+
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.5.0
+
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@2dac4eff5925ed07edbfe12d2d11af6304df29a6
+
+      - name: Login to DockerHub
+        run: docker login --username=sentrybuilder --password ${{ secrets.DOCKER_HUB_RW_TOKEN }}
+
+      - name: Copy Image from GHCR to DockerHub
         run: |
-          set -euxo pipefail
-          docker tag "$IMG_VERSIONED" "$IMG_BASE:nightly"
-          docker push "$IMG_BASE:nightly"
+          # We push 3 tags to Dockerhub:
+          # 1) the full sha of the commit
+          regctl image copy "${GHCR_DOCKER_IMAGE}:${REVISION}" "${DH_DOCKER_IMAGE}:${REVISION}"
 
-  push-prod-image:
+          # 2) the short sha
+          SHORT_SHA=$(echo ${GITHUB_SHA} | cut -c1-8)
+          regctl image copy "${GHCR_DOCKER_IMAGE}:${REVISION}" "${DH_DOCKER_IMAGE}:${SHORT_SHA}"
+
+          # 3) nightly
+          regctl image copy "${GHCR_DOCKER_IMAGE}:nightly" "${DH_DOCKER_IMAGE}:nightly"
+
+  publish-to-gcr:
     timeout-minutes: 5
-    needs: build
+    needs: build-docker
+
+    name: Publish Relay to GCR
+    runs-on: ubuntu-latest
 
     strategy:
       matrix:
         image_name: [relay, relay-pop]
 
-    name: Push GCR Docker Image
-    runs-on: ubuntu-latest
-
     # required for google auth
     permissions:
       contents: "read"
       id-token: "write"
 
+    env:
+      GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
+      GCR_DOCKER_IMAGE: "us.gcr.io/sentryio/${{ matrix.image_name }}"
+      REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
+
     # Skip redundant checks for library releases
     # Skip for dependabot and if run on a fork
     if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'"
 
-    env:
-      # GITHUB_SHA in pull requests points to the merge commit
-      REVISION: ${{ github.event.pull_request.head.sha || github.sha }}
-      IMG_VERSIONED: ghcr.io/getsentry/${{ matrix.image_name }}:${{ github.event.pull_request.head.sha || github.sha }}
-
     steps:
-      - name: Download Docker Image
-        uses: actions/download-artifact@v3
-        with:
-          name: ${{ matrix.image_name }}-docker-image
-
-      - name: Import Docker Image
-        run: docker load -i ${{ matrix.image_name }}-docker-image.tgz
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.5.0
 
       - name: Google Auth
         id: auth
@@ -296,28 +377,62 @@ jobs:
         run: |
           gcloud auth configure-docker us.gcr.io
 
-      - name: Push to us.gcr.io
-        run: |
-          set -euxo pipefail
-          docker tag "$IMG_VERSIONED" "us.gcr.io/sentryio/${{ matrix.image_name }}:$REVISION"
-          docker push "us.gcr.io/sentryio/${{ matrix.image_name }}:$REVISION"
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@2dac4eff5925ed07edbfe12d2d11af6304df29a6
+
+      - name: Copy Image from GHCR to GCR
+        run: regctl image copy "${GHCR_DOCKER_IMAGE}:${REVISION}" "${GCR_DOCKER_IMAGE}:${REVISION}"
 
-      - name: Push nightly to us.gcr.io
+      - name: Copy Nightly from GHCR to GCR
         if: github.ref == 'refs/heads/master'
-        run: |
-          set -euxo pipefail
-          docker tag "$IMG_VERSIONED" "us.gcr.io/sentryio/${{ matrix.image_name }}:nightly"
-          docker push "us.gcr.io/sentryio/${{ matrix.image_name }}:nightly"
+        run: regctl image copy "${GHCR_DOCKER_IMAGE}:nightly" "${GCR_DOCKER_IMAGE}:nightly"
+
+  gocd-artifacts:
+    timeout-minutes: 5
+    needs: build-docker
+
+    name: Upload build artifacts to gocd
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        image_name: [relay, relay-pop]
+
+    # required for google auth
+    permissions:
+      contents: "read"
+      id-token: "write"
+
+    env:
+      GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
+      REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
+
+    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'"
+
+    steps:
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
+          service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com
+
+      - name: "Set up Cloud SDK"
+        uses: "google-github-actions/setup-gcloud@v2"
+        with:
+          # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation
+          # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools.
+          version: ">= 390.0.0"
 
       - name: Upload gocd deployment assets
         run: |
           set -euxo pipefail
-          VERSION="$(docker run --rm "$IMG_VERSIONED" --version | cut -d" " -f2)"
-          echo "relay@$VERSION+$REVISION" > release-name
+          VERSION="$(docker run --rm "${GHCR_DOCKER_IMAGE}:${REVISION}" --version | cut -d" " -f2)"
+          echo "${{ matrix.image_name }}@${VERSION}+${REVISION}" > release-name
 
-          docker run --rm --entrypoint cat "$IMG_VERSIONED" /opt/relay-debug.zip > relay-debug.zip
-          docker run --rm --entrypoint cat "$IMG_VERSIONED" /opt/relay.src.zip > relay.src.zip
-          docker run --rm --entrypoint tar "$IMG_VERSIONED" -cf - /lib/x86_64-linux-gnu > libs.tar
+          docker run --rm --entrypoint cat "${GHCR_DOCKER_IMAGE}:${REVISION}" /opt/relay.debug.zip > relay.debug.zip
+          docker run --rm --entrypoint cat "${GHCR_DOCKER_IMAGE}:${REVISION}" /opt/relay.src.zip > relay.src.zip
+          docker run --rm --entrypoint tar "${GHCR_DOCKER_IMAGE}:${REVISION}" -cf - /lib/x86_64-linux-gnu > libs.tar
 
           # debugging for mysterious "Couldn't write tracker file" issue:
           (env | grep runner) || true
@@ -329,7 +444,7 @@ jobs:
             /home/runner/.gsutil/tracker-files/upload_TRACKER_*.rc.zip__JSON.url \
           || true
           gsutil -m cp -L gsutil.log ./libs.tar ./relay-debug.zip ./relay.src.zip ./release-name \
-            "gs://dicd-team-devinfra-cd--relay/deployment-assets/$REVISION/${{ matrix.image_name }}/" || status=$? && status=$?
+            "gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${{ matrix.image_name }}/" || status=$? && status=$?
           cat gsutil.log
           exit "$status"
 
@@ -397,7 +512,7 @@ jobs:
     name: Sentry-Relay Integration Tests
     runs-on: ubuntu-latest
     timeout-minutes: 30
-    needs: build
+    needs: build-docker
 
     # Skip redundant checks for library releases
     if: "!startsWith(github.ref, 'refs/heads/release-library/')"
@@ -429,14 +544,6 @@ jobs:
           kafka: true
           symbolicator: true
 
-      - name: Download Docker Image
-        uses: actions/download-artifact@v3
-        with:
-          name: relay-docker-image
-
-      - name: Import Docker Image
-        run: docker load -i relay-docker-image.tgz
-
       - name: Run Sentry integration tests
         working-directory: sentry
         env:
@@ -445,28 +552,3 @@ jobs:
           echo "Testing against ${RELAY_TEST_IMAGE}"
           make test-relay-integration
 
-  publish-to-dockerhub:
-    name: Publish Relay to DockerHub
-    needs: build
-    runs-on: ubuntu-20.04
-    if: ${{ (github.ref_name == 'master') }}
-    steps:
-      - uses: actions/checkout@v4
-      - timeout-minutes: 20
-        run: until docker pull "ghcr.io/getsentry/relay:${{ github.sha }}" 2>/dev/null; do sleep 10; done
-      - name: Push built docker image
-        shell: bash
-        run: |
-          IMAGE_URL="ghcr.io/getsentry/relay:${{ github.sha }}"
-          docker login --username=sentrybuilder --password ${{ secrets.DOCKER_HUB_RW_TOKEN }}
-          # We push 3 tags to Dockerhub:
-          # first, the full sha of the commit
-          docker tag "$IMAGE_URL" getsentry/relay:${GITHUB_SHA}
-          docker push getsentry/relay:${GITHUB_SHA}
-          # second, the short sha of the commit
-          SHORT_SHA=$(git rev-parse --short "$GITHUB_SHA")
-          docker tag "$IMAGE_URL" getsentry/relay:${SHORT_SHA}
-          docker push getsentry/relay:${SHORT_SHA}
-          # finally, nightly
-          docker tag "$IMAGE_URL" getsentry/relay:nightly
-          docker push getsentry/relay:nightly
@@ -24,6 +24,7 @@
 
 - Emit gauges for total and self times for spans. ([#3448](https://github.com/getsentry/relay/pull/3448))
 - Collect exclusive_time_light metrics for `cache.*` spans. ([#3466](https://github.com/getsentry/relay/pull/3466))
+- Build and publish ARM docker images for Relay. ([#3272](https://github.com/getsentry/relay/pull/3272)).
 
 ## 24.4.1
 

@@ -0,0 +1,12 @@
+[build]
+pre-build = [
+    # Use azure mirrors for faster downloads.
+    "sed -i -e 's/archive.archive.ubuntu.com/azure.archive.ubuntu.com/' /etc/apt/sources.list",
+    "sed -i -e 's/security.archive.ubuntu.com/azure.archive.ubuntu.com/' /etc/apt/sources.list",
+    "apt-get update && apt-get --assume-yes install libclang-8-dev clang-8",
+    "curl -sL https://sentry.io/get-cli/ | sh",
+]
+
+[target.aarch64-unknown-linux-gnu]
+# We're using a nightly `cross`, let's still use a stable image.
+image = "ghcr.io/cross-rs/aarch64-unknown-linux-gnu:0.2.5"
@@ -1,5 +1,7 @@
 FROM debian:bookworm-slim
 
+ARG TARGETPLATFORM
+
 RUN apt-get update \
   && apt-get install -y ca-certificates gosu curl --no-install-recommends \
   && apt-get clean \
@@ -20,8 +22,10 @@ WORKDIR /work
 
 EXPOSE 3000
 
-COPY ./relay-bin /bin/relay
-COPY relay-debug.zip relay.src.zip /opt/
+COPY $TARGETPLATFORM/relay /bin/relay
+RUN chmod +x /bin/relay
+COPY $TARGETPLATFORM/relay.debug.zip /opt/relay.debug.zip
+COPY $TARGETPLATFORM/relay.src.zip /opt/relay.src.zip
 
 COPY ./docker-entrypoint.sh /
 ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]

@@ -24,15 +24,15 @@ release: setup-git ## build production binary of the relay with debug info
 .PHONY: release
 
 build-linux-release: setup-git ## build linux release of the relay
-	cd relay && cargo build --release --locked $(if ${RELAY_FEATURES}, --features ${RELAY_FEATURES}) --target=${TARGET}
+	cd relay && cargo build --release --locked $(if ${RELAY_FEATURES}, --features ${RELAY_FEATURES})
 	objcopy --only-keep-debug target/${TARGET}/release/relay{,.debug}
 	objcopy --strip-debug --strip-unneeded target/${TARGET}/release/relay
 	objcopy --add-gnu-debuglink target/${TARGET}/release/relay{.debug,}
 .PHONY: build-linux-release
 
 collect-source-bundle: setup-git ## copy the built relay binary to current folder and collects debug bundles
 	mv target/${TARGET}/release/relay ./relay-bin
-	zip relay-debug.zip target/${TARGET}/release/relay.debug
+	zip relay.debug.zip target/${TARGET}/release/relay.debug
 	sentry-cli --version
 	sentry-cli difutil bundle-sources target/${TARGET}/release/relay.debug
 	mv target/${TARGET}/release/relay.src.zip ./relay.src.zip

@@ -4,10 +4,6 @@
 
 **NOTE:** This applies only if you have an **ARM based Apple M1**!
 
-If you have another type of machine, please use
-[scripts/docker-build-linux.sh](scripts/docker-build-linux.sh) to compile
-`relay` for using it as an AWS Lambda extension.
-
 Follow these steps below on your Apple M1 machine to compile relay to be
 run in the AWS Lambda execution environment.
 

@@ -31,13 +31,13 @@ fi
 echo 'Downloading debug info, source bundle, system symbols...'
 gsutil cp \
   "gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${NAME}/release-name" \
-  "gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${NAME}/relay-debug.zip" \
+  "gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${NAME}/relay.debug.zip" \
   "gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${NAME}/relay.src.zip" \
   "gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${NAME}/libs.tar" \
   .
 
 echo 'Uploading debug information and source bundle...'
-sentry-cli upload-dif ./relay-debug.zip ./relay.src.zip
+sentry-cli upload-dif ./relay.debug.zip ./relay.src.zip
 
 echo 'Uploading system symbols...'
 tar xf libs.tar