brennen
/
blubber
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
121 Commits
2 Branches
713 KiB
Branch: zuultest
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'zuultest'
${ noResults }
blubber/config/variant.go

102 lines
2.7 KiB
Raw Permalink Normal View History

Support compilation to multi-stage Dockerfile Reorganized config type declarations. Added `RunConfig` for declaring working directory and unprivileged runtime user. A system for enforcing restrictions should probably be implemented for this. Implemented Dockerfile compiler, supporting multi-stage output in cases whether artifacts from other variants are configured.
7 years ago
Support `copies` config entry for multi-stage builds Summary: Support a `copies` variant config entry that will result in a multi-stage build, copying both shared library files and application directory from a previously defined variant. This is essentially a shorthand for two `artifacts` entries that are likely to be idiomatic to multi-stage build/prod configurations. Defined a new abstract `build.CopyFrom` instruction and corresponding `docker.DockerCopyFrom` instruction and refactored the writing of these Dockerfile lines to be accomplished using an `InstructionsForPhase` method on `config.ArtifactsConfig`. Implemented new support for `copies` configuration in `config.VariantConfig` and an `InstructionsForPhase` method that returns `build.CopyFrom` instructions for both the shared library and application directories. Fixes T174622 Depends on D759 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure the right `COPY --from` lines are included for the final stage. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174622 Differential Revision: https://phabricator.wikimedia.org/D768
7 years ago
Change import paths from Phabricator to Gerrit All import paths and other references to the previously Blubber repo in Phabricator have been changed to point to the new Gerrit project URL. Note that building or testing against this change will require you to move your working directory to `$GOPATH/src/gerrit.wikimedia.org/r/blubber`. Contribution documentation was updated to reflect the changes, and the `.arcvendor` submodule has been removed. Bug: T200452 Change-Id: I3ab23e420b2825e86e2bd7c9b3da9d4de23edaa1
6 years ago
Support `copies` config entry for multi-stage builds Summary: Support a `copies` variant config entry that will result in a multi-stage build, copying both shared library files and application directory from a previously defined variant. This is essentially a shorthand for two `artifacts` entries that are likely to be idiomatic to multi-stage build/prod configurations. Defined a new abstract `build.CopyFrom` instruction and corresponding `docker.DockerCopyFrom` instruction and refactored the writing of these Dockerfile lines to be accomplished using an `InstructionsForPhase` method on `config.ArtifactsConfig`. Implemented new support for `copies` configuration in `config.VariantConfig` and an `InstructionsForPhase` method that returns `build.CopyFrom` instructions for both the shared library and application directories. Fixes T174622 Depends on D759 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure the right `COPY --from` lines are included for the final stage. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174622 Differential Revision: https://phabricator.wikimedia.org/D768
7 years ago
Documented all exported types, functions, and interfaces Summary: Wrote inline documentation for all the things. Fixes T168000 Test Plan: Execute `godoc -http=:6060` and proofread all the things. Reviewers: thcipriani, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team, demon Tags: #release-engineering-team Maniphest Tasks: T168000 Differential Revision: https://phabricator.wikimedia.org/D841
7 years ago
Support compilation to multi-stage Dockerfile Reorganized config type declarations. Added `RunConfig` for declaring working directory and unprivileged runtime user. A system for enforcing restrictions should probably be implemented for this. Implemented Dockerfile compiler, supporting multi-stage output in cases whether artifacts from other variants are configured.
7 years ago
Unify `copies` and `artifacts` configuration Refactored `copies` configuration to allow for greater control over when and which both local build context files and variant artifacts are copied into the target image. The new configuration introduces a "local" keyword to signify when a `copies` entry should apply to the files from the local build context as opposed to files from another variant's image during a multi-stage build. variants: build: copies: - from: local source: ./src destination: . Note that with this change, the user must now explicitly define whether _any_ files should be copied in from the local build context. None will be copied in by default. To help keep configurations succinct, especially considering this new requirement, and to approximate the old `copies: variant`, a shorthand format and sane defaults for `source` and `destination` (depending whether `from` is "local" or a variant name) were implemented. variants: build: copies: [local] development: copies: - from: build - from: local source: ./config.dev.yaml destination: ./config.yaml The shorthand: copies: [ref, ...] # is equivalent to copies: [{ from: ref }, ...] And the following defaults are used when no `source` and `destination` are specified. copies: - from: local # defaults to - from: local source: . destination: . copies: - from: variant # defaults to two entries - from: variant source: /srv/app # the lives.in dir destination: /srv/app - from: variant source: /opt/local # the shared lib dir destination: /opt/local Bug: T211625 Change-Id: I4c4217905afc0762b6bd66ed594d43cc0486e3e2
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
6 years ago
Support compilation to multi-stage Dockerfile Reorganized config type declarations. Added `RunConfig` for declaring working directory and unprivileged runtime user. A system for enforcing restrictions should probably be implemented for this. Implemented Dockerfile compiler, supporting multi-stage output in cases whether artifacts from other variants are configured.
7 years ago
Documented all exported types, functions, and interfaces Summary: Wrote inline documentation for all the things. Fixes T168000 Test Plan: Execute `godoc -http=:6060` and proofread all the things. Reviewers: thcipriani, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team, demon Tags: #release-engineering-team Maniphest Tasks: T168000 Differential Revision: https://phabricator.wikimedia.org/D841
7 years ago
Create directory for common unprivileged app dependencies Summary: Establish `/opt/lib` as the location for installing application dependencies that are installed via unprivileged execution and from untrusted sources. The directory is created during the privileged build phase and owned by the unprivileged runtime user. Depends on D741 Test Plan: Run `go test ./...` or `arc unit`. Reviewers: thcipriani, mobrovac, mmodell, #release-engineering-team Reviewed By: thcipriani, mobrovac, mmodell, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D756
7 years ago
Unify `copies` and `artifacts` configuration Refactored `copies` configuration to allow for greater control over when and which both local build context files and variant artifacts are copied into the target image. The new configuration introduces a "local" keyword to signify when a `copies` entry should apply to the files from the local build context as opposed to files from another variant's image during a multi-stage build. variants: build: copies: - from: local source: ./src destination: . Note that with this change, the user must now explicitly define whether _any_ files should be copied in from the local build context. None will be copied in by default. To help keep configurations succinct, especially considering this new requirement, and to approximate the old `copies: variant`, a shorthand format and sane defaults for `source` and `destination` (depending whether `from` is "local" or a variant name) were implemented. variants: build: copies: [local] development: copies: - from: build - from: local source: ./config.dev.yaml destination: ./config.yaml The shorthand: copies: [ref, ...] # is equivalent to copies: [{ from: ref }, ...] And the following defaults are used when no `source` and `destination` are specified. copies: - from: local # defaults to - from: local source: . destination: . copies: - from: variant # defaults to two entries - from: variant source: /srv/app # the lives.in dir destination: /srv/app - from: variant source: /opt/local # the shared lib dir destination: /opt/local Bug: T211625 Change-Id: I4c4217905afc0762b6bd66ed594d43cc0486e3e2
6 years ago
Create directory for common unprivileged app dependencies Summary: Establish `/opt/lib` as the location for installing application dependencies that are installed via unprivileged execution and from untrusted sources. The directory is created during the privileged build phase and owned by the unprivileged runtime user. Depends on D741 Test Plan: Run `go test ./...` or `arc unit`. Reviewers: thcipriani, mobrovac, mmodell, #release-engineering-team Reviewed By: thcipriani, mobrovac, mmodell, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D756
7 years ago
Support compilation to multi-stage Dockerfile Reorganized config type declarations. Added `RunConfig` for declaring working directory and unprivileged runtime user. A system for enforcing restrictions should probably be implemented for this. Implemented Dockerfile compiler, supporting multi-stage output in cases whether artifacts from other variants are configured.
7 years ago
Support `copies` config entry for multi-stage builds Summary: Support a `copies` variant config entry that will result in a multi-stage build, copying both shared library files and application directory from a previously defined variant. This is essentially a shorthand for two `artifacts` entries that are likely to be idiomatic to multi-stage build/prod configurations. Defined a new abstract `build.CopyFrom` instruction and corresponding `docker.DockerCopyFrom` instruction and refactored the writing of these Dockerfile lines to be accomplished using an `InstructionsForPhase` method on `config.ArtifactsConfig`. Implemented new support for `copies` configuration in `config.VariantConfig` and an `InstructionsForPhase` method that returns `build.CopyFrom` instructions for both the shared library and application directories. Fixes T174622 Depends on D759 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure the right `COPY --from` lines are included for the final stage. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174622 Differential Revision: https://phabricator.wikimedia.org/D768
7 years ago
Unify `copies` and `artifacts` configuration Refactored `copies` configuration to allow for greater control over when and which both local build context files and variant artifacts are copied into the target image. The new configuration introduces a "local" keyword to signify when a `copies` entry should apply to the files from the local build context as opposed to files from another variant's image during a multi-stage build. variants: build: copies: - from: local source: ./src destination: . Note that with this change, the user must now explicitly define whether _any_ files should be copied in from the local build context. None will be copied in by default. To help keep configurations succinct, especially considering this new requirement, and to approximate the old `copies: variant`, a shorthand format and sane defaults for `source` and `destination` (depending whether `from` is "local" or a variant name) were implemented. variants: build: copies: [local] development: copies: - from: build - from: local source: ./config.dev.yaml destination: ./config.yaml The shorthand: copies: [ref, ...] # is equivalent to copies: [{ from: ref }, ...] And the following defaults are used when no `source` and `destination` are specified. copies: - from: local # defaults to - from: local source: . destination: . copies: - from: variant # defaults to two entries - from: variant source: /srv/app # the lives.in dir destination: /srv/app - from: variant source: /opt/local # the shared lib dir destination: /opt/local Bug: T211625 Change-Id: I4c4217905afc0762b6bd66ed594d43cc0486e3e2
6 years ago
Documented all exported types, functions, and interfaces Summary: Wrote inline documentation for all the things. Fixes T168000 Test Plan: Execute `godoc -http=:6060` and proofread all the things. Reviewers: thcipriani, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team, demon Tags: #release-engineering-team Maniphest Tasks: T168000 Differential Revision: https://phabricator.wikimedia.org/D841
7 years ago
Unify `copies` and `artifacts` configuration Refactored `copies` configuration to allow for greater control over when and which both local build context files and variant artifacts are copied into the target image. The new configuration introduces a "local" keyword to signify when a `copies` entry should apply to the files from the local build context as opposed to files from another variant's image during a multi-stage build. variants: build: copies: - from: local source: ./src destination: . Note that with this change, the user must now explicitly define whether _any_ files should be copied in from the local build context. None will be copied in by default. To help keep configurations succinct, especially considering this new requirement, and to approximate the old `copies: variant`, a shorthand format and sane defaults for `source` and `destination` (depending whether `from` is "local" or a variant name) were implemented. variants: build: copies: [local] development: copies: - from: build - from: local source: ./config.dev.yaml destination: ./config.yaml The shorthand: copies: [ref, ...] # is equivalent to copies: [{ from: ref }, ...] And the following defaults are used when no `source` and `destination` are specified. copies: - from: local # defaults to - from: local source: . destination: . copies: - from: variant # defaults to two entries - from: variant source: /srv/app # the lives.in dir destination: /srv/app - from: variant source: /opt/local # the shared lib dir destination: /opt/local Bug: T211625 Change-Id: I4c4217905afc0762b6bd66ed594d43cc0486e3e2
6 years ago
Documented all exported types, functions, and interfaces Summary: Wrote inline documentation for all the things. Fixes T168000 Test Plan: Execute `godoc -http=:6060` and proofread all the things. Reviewers: thcipriani, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team, demon Tags: #release-engineering-team Maniphest Tasks: T168000 Differential Revision: https://phabricator.wikimedia.org/D841
7 years ago
Support `copies` config entry for multi-stage builds Summary: Support a `copies` variant config entry that will result in a multi-stage build, copying both shared library files and application directory from a previously defined variant. This is essentially a shorthand for two `artifacts` entries that are likely to be idiomatic to multi-stage build/prod configurations. Defined a new abstract `build.CopyFrom` instruction and corresponding `docker.DockerCopyFrom` instruction and refactored the writing of these Dockerfile lines to be accomplished using an `InstructionsForPhase` method on `config.ArtifactsConfig`. Implemented new support for `copies` configuration in `config.VariantConfig` and an `InstructionsForPhase` method that returns `build.CopyFrom` instructions for both the shared library and application directories. Fixes T174622 Depends on D759 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure the right `COPY --from` lines are included for the final stage. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174622 Differential Revision: https://phabricator.wikimedia.org/D768
7 years ago
Fix application files/runtime permissions scheme Summary: Introduces new `lives` configuration that provides the name/UID/GID of the user that will own application files and installed dependencies. This new configuration is distinct from `runs` in that the former determines application file location ownership and the latter now only determines runtime process ownership. Default configuration has also been introduced for both config sections. In addition to the new configuration, a new `build.CopyAs` instruction has been introduced that ensures correct UID/GID ownership of files copied into the container image, and all unqualified `build.Copy` instructions are wrapped by the new `build.CopyAs` instruction using the UID/GID appropriate for the current build phase. A new `build.User` instruction is also introduced and injected into the build at the start of certain phases to enforce ownership of `build.Run` processes. This effective process/file ownership model is: PhasePrivileged - "root" PhasePrivilegedDropped - lives.as PhasePreInstall - lives.as PhaseInstall - lives.as PhasePostInstall - runs.as Fixes T187372 Test Plan: Run `go test ./...`. Reviewers: thcipriani, hashar, demon, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Subscribers: mmodell Tags: #release-engineering-team Maniphest Tasks: T187372 Differential Revision: https://phabricator.wikimedia.org/D984
6 years ago
Fix ownership on artifact copies Summary: The implementation of D984 did not include enforcing ownership for `build.CopyFrom` instruction and so artifacts copied from one image to another via `copies:` were problematically owned as root. In order to fix this behavior: 1. `config.ArtifactConfig` `build.CopyFrom` instructions are now injected duration `build.PhaseInstall` 2. `config.VariantConfig` calls `build.ApplyUser` for these artifact instructions as well using the `runs.as` user 3. `build.CopyAs` was refactored to wrap any `build.Instruction` which should only really be used with `build.Copy` or `build.CopyFrom`. Test Plan: Run `go test ./...`. Run `blubber` against configuration with a variant that uses `copies` and verify that the `COPY --from` instructions also include a `--chown` flag. Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D1002
6 years ago
Smarter copies/sharedvolume/default behavior Summary: Defined new abstract `build.Volume` and corresponding `docker.DockerVolume` instructions. Refactored compilation of main `COPY` or `VOLUME` instruction for application files to use the new instructions and moved injection of these instructions out of the compiler and into `VariantConfig`. The latter can be smarter about the following cases: 1. When `copies` is set, simply depend on artifacts for the application files and do not copy anything from the build host. 2. When `sharedvolume` is `true`, inject a `build.Volume` instruction for the application working directory. 3. When neither of the above are set, copy application files from the host. Fixes T174623 Depends on D768 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure: 1. The `prep` stage has a `COPY . .` instruction. 2. The final stage has no `COPY . .` instruction, only `COPY --from=prep` instructions. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, mobrovac, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174623 Differential Revision: https://phabricator.wikimedia.org/D769
7 years ago
Fix application files/runtime permissions scheme Summary: Introduces new `lives` configuration that provides the name/UID/GID of the user that will own application files and installed dependencies. This new configuration is distinct from `runs` in that the former determines application file location ownership and the latter now only determines runtime process ownership. Default configuration has also been introduced for both config sections. In addition to the new configuration, a new `build.CopyAs` instruction has been introduced that ensures correct UID/GID ownership of files copied into the container image, and all unqualified `build.Copy` instructions are wrapped by the new `build.CopyAs` instruction using the UID/GID appropriate for the current build phase. A new `build.User` instruction is also introduced and injected into the build at the start of certain phases to enforce ownership of `build.Run` processes. This effective process/file ownership model is: PhasePrivileged - "root" PhasePrivilegedDropped - lives.as PhasePreInstall - lives.as PhaseInstall - lives.as PhasePostInstall - runs.as Fixes T187372 Test Plan: Run `go test ./...`. Reviewers: thcipriani, hashar, demon, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Subscribers: mmodell Tags: #release-engineering-team Maniphest Tasks: T187372 Differential Revision: https://phabricator.wikimedia.org/D984
6 years ago
Fix ownership on artifact copies Summary: The implementation of D984 did not include enforcing ownership for `build.CopyFrom` instruction and so artifacts copied from one image to another via `copies:` were problematically owned as root. In order to fix this behavior: 1. `config.ArtifactConfig` `build.CopyFrom` instructions are now injected duration `build.PhaseInstall` 2. `config.VariantConfig` calls `build.ApplyUser` for these artifact instructions as well using the `runs.as` user 3. `build.CopyAs` was refactored to wrap any `build.Instruction` which should only really be used with `build.Copy` or `build.CopyFrom`. Test Plan: Run `go test ./...`. Run `blubber` against configuration with a variant that uses `copies` and verify that the `COPY --from` instructions also include a `--chown` flag. Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D1002
6 years ago
Fix application files/runtime permissions scheme Summary: Introduces new `lives` configuration that provides the name/UID/GID of the user that will own application files and installed dependencies. This new configuration is distinct from `runs` in that the former determines application file location ownership and the latter now only determines runtime process ownership. Default configuration has also been introduced for both config sections. In addition to the new configuration, a new `build.CopyAs` instruction has been introduced that ensures correct UID/GID ownership of files copied into the container image, and all unqualified `build.Copy` instructions are wrapped by the new `build.CopyAs` instruction using the UID/GID appropriate for the current build phase. A new `build.User` instruction is also introduced and injected into the build at the start of certain phases to enforce ownership of `build.Run` processes. This effective process/file ownership model is: PhasePrivileged - "root" PhasePrivilegedDropped - lives.as PhasePreInstall - lives.as PhaseInstall - lives.as PhasePostInstall - runs.as Fixes T187372 Test Plan: Run `go test ./...`. Reviewers: thcipriani, hashar, demon, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Subscribers: mmodell Tags: #release-engineering-team Maniphest Tasks: T187372 Differential Revision: https://phabricator.wikimedia.org/D984
6 years ago
Fix ownership on artifact copies Summary: The implementation of D984 did not include enforcing ownership for `build.CopyFrom` instruction and so artifacts copied from one image to another via `copies:` were problematically owned as root. In order to fix this behavior: 1. `config.ArtifactConfig` `build.CopyFrom` instructions are now injected duration `build.PhaseInstall` 2. `config.VariantConfig` calls `build.ApplyUser` for these artifact instructions as well using the `runs.as` user 3. `build.CopyAs` was refactored to wrap any `build.Instruction` which should only really be used with `build.Copy` or `build.CopyFrom`. Test Plan: Run `go test ./...`. Run `blubber` against configuration with a variant that uses `copies` and verify that the `COPY --from` instructions also include a `--chown` flag. Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D1002
6 years ago
Fix application files/runtime permissions scheme Summary: Introduces new `lives` configuration that provides the name/UID/GID of the user that will own application files and installed dependencies. This new configuration is distinct from `runs` in that the former determines application file location ownership and the latter now only determines runtime process ownership. Default configuration has also been introduced for both config sections. In addition to the new configuration, a new `build.CopyAs` instruction has been introduced that ensures correct UID/GID ownership of files copied into the container image, and all unqualified `build.Copy` instructions are wrapped by the new `build.CopyAs` instruction using the UID/GID appropriate for the current build phase. A new `build.User` instruction is also introduced and injected into the build at the start of certain phases to enforce ownership of `build.Run` processes. This effective process/file ownership model is: PhasePrivileged - "root" PhasePrivilegedDropped - lives.as PhasePreInstall - lives.as PhaseInstall - lives.as PhasePostInstall - runs.as Fixes T187372 Test Plan: Run `go test ./...`. Reviewers: thcipriani, hashar, demon, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Subscribers: mmodell Tags: #release-engineering-team Maniphest Tasks: T187372 Differential Revision: https://phabricator.wikimedia.org/D984
6 years ago
Smarter copies/sharedvolume/default behavior Summary: Defined new abstract `build.Volume` and corresponding `docker.DockerVolume` instructions. Refactored compilation of main `COPY` or `VOLUME` instruction for application files to use the new instructions and moved injection of these instructions out of the compiler and into `VariantConfig`. The latter can be smarter about the following cases: 1. When `copies` is set, simply depend on artifacts for the application files and do not copy anything from the build host. 2. When `sharedvolume` is `true`, inject a `build.Volume` instruction for the application working directory. 3. When neither of the above are set, copy application files from the host. Fixes T174623 Depends on D768 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure: 1. The `prep` stage has a `COPY . .` instruction. 2. The final stage has no `COPY . .` instruction, only `COPY --from=prep` instructions. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, mobrovac, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174623 Differential Revision: https://phabricator.wikimedia.org/D769
7 years ago
Fix ownership on artifact copies Summary: The implementation of D984 did not include enforcing ownership for `build.CopyFrom` instruction and so artifacts copied from one image to another via `copies:` were problematically owned as root. In order to fix this behavior: 1. `config.ArtifactConfig` `build.CopyFrom` instructions are now injected duration `build.PhaseInstall` 2. `config.VariantConfig` calls `build.ApplyUser` for these artifact instructions as well using the `runs.as` user 3. `build.CopyAs` was refactored to wrap any `build.Instruction` which should only really be used with `build.Copy` or `build.CopyFrom`. Test Plan: Run `go test ./...`. Run `blubber` against configuration with a variant that uses `copies` and verify that the `COPY --from` instructions also include a `--chown` flag. Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D1002
6 years ago
Fix application files/runtime permissions scheme Summary: Introduces new `lives` configuration that provides the name/UID/GID of the user that will own application files and installed dependencies. This new configuration is distinct from `runs` in that the former determines application file location ownership and the latter now only determines runtime process ownership. Default configuration has also been introduced for both config sections. In addition to the new configuration, a new `build.CopyAs` instruction has been introduced that ensures correct UID/GID ownership of files copied into the container image, and all unqualified `build.Copy` instructions are wrapped by the new `build.CopyAs` instruction using the UID/GID appropriate for the current build phase. A new `build.User` instruction is also introduced and injected into the build at the start of certain phases to enforce ownership of `build.Run` processes. This effective process/file ownership model is: PhasePrivileged - "root" PhasePrivilegedDropped - lives.as PhasePreInstall - lives.as PhaseInstall - lives.as PhasePostInstall - runs.as Fixes T187372 Test Plan: Run `go test ./...`. Reviewers: thcipriani, hashar, demon, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Subscribers: mmodell Tags: #release-engineering-team Maniphest Tasks: T187372 Differential Revision: https://phabricator.wikimedia.org/D984
6 years ago
Provide a `runs.insecurely` to be used with test variants Summary: Use cases involving running of test suites and doc generation require more liberal ownership and read/write permission to application files. When `runs.insecurely` is set to `true`, the effective runtime user will be `lives.as`, the same user that owns the application files and installed dependencies. D999 is a complement to this change to allow restrictions on this and other potentially sensitive configuration. Depends on D999, D1002 Test Plan: Run `go test ./...`. Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D1003
6 years ago
Generalize instructions for entrypoint and working directory Summary: Introduce new `build.EntryPoint` and `build.WorkingDirectory` instructions to allow configuration to inject them instead of hard coding their generation in the Docker compiler. Simplified the Docker compiler to simply iterate over build phases as returned by a new function `build.Phases()`. Depends on D990 Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D991
6 years ago
Fix application files/runtime permissions scheme Summary: Introduces new `lives` configuration that provides the name/UID/GID of the user that will own application files and installed dependencies. This new configuration is distinct from `runs` in that the former determines application file location ownership and the latter now only determines runtime process ownership. Default configuration has also been introduced for both config sections. In addition to the new configuration, a new `build.CopyAs` instruction has been introduced that ensures correct UID/GID ownership of files copied into the container image, and all unqualified `build.Copy` instructions are wrapped by the new `build.CopyAs` instruction using the UID/GID appropriate for the current build phase. A new `build.User` instruction is also introduced and injected into the build at the start of certain phases to enforce ownership of `build.Run` processes. This effective process/file ownership model is: PhasePrivileged - "root" PhasePrivilegedDropped - lives.as PhasePreInstall - lives.as PhaseInstall - lives.as PhasePostInstall - runs.as Fixes T187372 Test Plan: Run `go test ./...`. Reviewers: thcipriani, hashar, demon, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Subscribers: mmodell Tags: #release-engineering-team Maniphest Tasks: T187372 Differential Revision: https://phabricator.wikimedia.org/D984
6 years ago
Comment about copies config expansion inefficiency Change-Id: Ife4de5ec0e150e54e9d69d3741fddb77691c61b2
5 years ago
Unify `copies` and `artifacts` configuration Refactored `copies` configuration to allow for greater control over when and which both local build context files and variant artifacts are copied into the target image. The new configuration introduces a "local" keyword to signify when a `copies` entry should apply to the files from the local build context as opposed to files from another variant's image during a multi-stage build. variants: build: copies: - from: local source: ./src destination: . Note that with this change, the user must now explicitly define whether _any_ files should be copied in from the local build context. None will be copied in by default. To help keep configurations succinct, especially considering this new requirement, and to approximate the old `copies: variant`, a shorthand format and sane defaults for `source` and `destination` (depending whether `from` is "local" or a variant name) were implemented. variants: build: copies: [local] development: copies: - from: build - from: local source: ./config.dev.yaml destination: ./config.yaml The shorthand: copies: [ref, ...] # is equivalent to copies: [{ from: ref }, ...] And the following defaults are used when no `source` and `destination` are specified. copies: - from: local # defaults to - from: local source: . destination: . copies: - from: variant # defaults to two entries - from: variant source: /srv/app # the lives.in dir destination: /srv/app - from: variant source: /opt/local # the shared lib dir destination: /opt/local Bug: T211625 Change-Id: I4c4217905afc0762b6bd66ed594d43cc0486e3e2
6 years ago
Fix ownership on artifact copies Summary: The implementation of D984 did not include enforcing ownership for `build.CopyFrom` instruction and so artifacts copied from one image to another via `copies:` were problematically owned as root. In order to fix this behavior: 1. `config.ArtifactConfig` `build.CopyFrom` instructions are now injected duration `build.PhaseInstall` 2. `config.VariantConfig` calls `build.ApplyUser` for these artifact instructions as well using the `runs.as` user 3. `build.CopyAs` was refactored to wrap any `build.Instruction` which should only really be used with `build.Copy` or `build.CopyFrom`. Test Plan: Run `go test ./...`. Run `blubber` against configuration with a variant that uses `copies` and verify that the `COPY --from` instructions also include a `--chown` flag. Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D1002
6 years ago
Fix application files/runtime permissions scheme Summary: Introduces new `lives` configuration that provides the name/UID/GID of the user that will own application files and installed dependencies. This new configuration is distinct from `runs` in that the former determines application file location ownership and the latter now only determines runtime process ownership. Default configuration has also been introduced for both config sections. In addition to the new configuration, a new `build.CopyAs` instruction has been introduced that ensures correct UID/GID ownership of files copied into the container image, and all unqualified `build.Copy` instructions are wrapped by the new `build.CopyAs` instruction using the UID/GID appropriate for the current build phase. A new `build.User` instruction is also introduced and injected into the build at the start of certain phases to enforce ownership of `build.Run` processes. This effective process/file ownership model is: PhasePrivileged - "root" PhasePrivilegedDropped - lives.as PhasePreInstall - lives.as PhaseInstall - lives.as PhasePostInstall - runs.as Fixes T187372 Test Plan: Run `go test ./...`. Reviewers: thcipriani, hashar, demon, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Subscribers: mmodell Tags: #release-engineering-team Maniphest Tasks: T187372 Differential Revision: https://phabricator.wikimedia.org/D984
6 years ago
Smarter copies/sharedvolume/default behavior Summary: Defined new abstract `build.Volume` and corresponding `docker.DockerVolume` instructions. Refactored compilation of main `COPY` or `VOLUME` instruction for application files to use the new instructions and moved injection of these instructions out of the compiler and into `VariantConfig`. The latter can be smarter about the following cases: 1. When `copies` is set, simply depend on artifacts for the application files and do not copy anything from the build host. 2. When `sharedvolume` is `true`, inject a `build.Volume` instruction for the application working directory. 3. When neither of the above are set, copy application files from the host. Fixes T174623 Depends on D768 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure: 1. The `prep` stage has a `COPY . .` instruction. 2. The final stage has no `COPY . .` instruction, only `COPY --from=prep` instructions. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, mobrovac, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174623 Differential Revision: https://phabricator.wikimedia.org/D769
7 years ago
Fix ownership on artifact copies Summary: The implementation of D984 did not include enforcing ownership for `build.CopyFrom` instruction and so artifacts copied from one image to another via `copies:` were problematically owned as root. In order to fix this behavior: 1. `config.ArtifactConfig` `build.CopyFrom` instructions are now injected duration `build.PhaseInstall` 2. `config.VariantConfig` calls `build.ApplyUser` for these artifact instructions as well using the `runs.as` user 3. `build.CopyAs` was refactored to wrap any `build.Instruction` which should only really be used with `build.Copy` or `build.CopyFrom`. Test Plan: Run `go test ./...`. Run `blubber` against configuration with a variant that uses `copies` and verify that the `COPY --from` instructions also include a `--chown` flag. Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D1002
6 years ago
Smarter copies/sharedvolume/default behavior Summary: Defined new abstract `build.Volume` and corresponding `docker.DockerVolume` instructions. Refactored compilation of main `COPY` or `VOLUME` instruction for application files to use the new instructions and moved injection of these instructions out of the compiler and into `VariantConfig`. The latter can be smarter about the following cases: 1. When `copies` is set, simply depend on artifacts for the application files and do not copy anything from the build host. 2. When `sharedvolume` is `true`, inject a `build.Volume` instruction for the application working directory. 3. When neither of the above are set, copy application files from the host. Fixes T174623 Depends on D768 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure: 1. The `prep` stage has a `COPY . .` instruction. 2. The final stage has no `COPY . .` instruction, only `COPY --from=prep` instructions. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, mobrovac, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174623 Differential Revision: https://phabricator.wikimedia.org/D769
7 years ago
Support `copies` config entry for multi-stage builds Summary: Support a `copies` variant config entry that will result in a multi-stage build, copying both shared library files and application directory from a previously defined variant. This is essentially a shorthand for two `artifacts` entries that are likely to be idiomatic to multi-stage build/prod configurations. Defined a new abstract `build.CopyFrom` instruction and corresponding `docker.DockerCopyFrom` instruction and refactored the writing of these Dockerfile lines to be accomplished using an `InstructionsForPhase` method on `config.ArtifactsConfig`. Implemented new support for `copies` configuration in `config.VariantConfig` and an `InstructionsForPhase` method that returns `build.CopyFrom` instructions for both the shared library and application directories. Fixes T174622 Depends on D759 Test Plan: Run `go test ./...`. Run `blubber blubber.example.yaml production` and ensure the right `COPY --from` lines are included for the final stage. Reviewers: thcipriani, mobrovac, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Maniphest Tasks: T174622 Differential Revision: https://phabricator.wikimedia.org/D768
7 years ago
 
  1. package config
  2. 

  3. import (
  4. 	"gerrit.wikimedia.org/r/blubber/build"
  5. )
  6. 

  7. // VariantConfig holds configuration fields for each defined build variant.

  8. //

  9. type VariantConfig struct {
  10. 	Includes     []string     `json:"includes" validate:"dive,variantref"`
  11. 	Copies       CopiesConfig `json:"copies" validate:"omitempty,unique,dive"`
  12. 	CommonConfig `json:",inline"`
  13. }
  14. 

  15. // Merge takes another VariantConfig and overwrites this struct's fields.

  16. //

  17. func (vc *VariantConfig) Merge(vc2 VariantConfig) {
  18. 	vc.Copies.Merge(vc2.Copies)
  19. 	vc.CommonConfig.Merge(vc2.CommonConfig)
  20. }
  21. 

  22. // InstructionsForPhase injects build instructions related to dropping

  23. // priviledge and the application entrypoint, then it delegates to its common

  24. // and copies configurations. It also enforces the correct UID/GID on all copy

  25. // instructions returned from deeper config structs.

  26. //

  27. // PhasePrivileged

  28. //

  29. // Ensure the process and file owner is root.

  30. //

  31. // PhasePrivilegeDropped

  32. //

  33. // Ensure the process and file owner is the "lives.as" user.

  34. //

  35. // PhasePreInstall

  36. //

  37. // Ensure the process and file owner is the "lives.as" user.

  38. //

  39. // PhaseInstall

  40. //

  41. // Ensure the process and file owner is the "lives.as" user.

  42. //

  43. // PhasePostInstall

  44. //

  45. // Ensure the process and file owner is the "runs.as" user, unless configured

  46. // to run insecurely as the "lives.as" user. Finally, sets the application

  47. // entrypoint.

  48. //

  49. func (vc *VariantConfig) InstructionsForPhase(phase build.Phase) []build.Instruction {
  50. 	instructions := vc.CommonConfig.InstructionsForPhase(phase)
  51. 

  52. 	var switchUser string
  53. 	var uid, gid uint
  54. 

  55. 	switch phase {
  56. 	case build.PhasePrivileged:
  57. 		switchUser = "root"
  58. 

  59. 	case build.PhasePrivilegeDropped:
  60. 		switchUser = vc.Lives.As
  61. 		uid, gid = vc.Lives.UID, vc.Lives.GID
  62. 

  63. 	case build.PhasePreInstall:
  64. 		uid, gid = vc.Lives.UID, vc.Lives.GID
  65. 

  66. 	case build.PhaseInstall:
  67. 		uid, gid = vc.Lives.UID, vc.Lives.GID
  68. 

  69. 	case build.PhasePostInstall:
  70. 		if vc.Runs.Insecurely.True {
  71. 			uid, gid = vc.Lives.UID, vc.Lives.GID
  72. 		} else {
  73. 			switchUser = vc.Runs.As
  74. 			uid, gid = vc.Runs.UID, vc.Runs.GID
  75. 		}
  76. 

  77. 		if len(vc.EntryPoint) > 0 {
  78. 			instructions = append(instructions, build.EntryPoint{vc.EntryPoint})
  79. 		}
  80. 	}
  81. 

  82. 	// CopiesConfig may not implement InstructionsForPhase for all possible

  83. 	// phases, which makes the expansion of it here less than efficient, but to

  84. 	// assume which phases it does implement would result in gross coupling

  85. 	instructions = append(instructions, vc.Copies.Expand(vc.Lives.In).InstructionsForPhase(phase)...)
  86. 

  87. 	if switchUser != "" {
  88. 		instructions = append(
  89. 			[]build.Instruction{
  90. 				build.User{switchUser},
  91. 				build.Home(switchUser),
  92. 			},
  93. 			instructions...,
  94. 		)
  95. 	}
  96. 

  97. 	if uid != 0 {
  98. 		instructions = build.ApplyUser(uid, gid, instructions)
  99. 	}
  100. 

  101. 	return instructions
  102. }