From 4a29600d5ff7b9105c427a7a7752b77fbedc3afb Mon Sep 17 00:00:00 2001
From: ryan
Date: Wed, 21 Feb 2024 15:24:03 -0500
Subject: [PATCH] initial commit

---
 Makefile | 69 +++++++++++++++++++++++++++++++
 README.md | 25 ++++++++++++
 packages/sui/Containerfile | 83 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 177 insertions(+)
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100644 packages/sui/Containerfile

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..87ca066
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,69 @@
+ifeq ($(NOCACHE), 1)
+CACHE_BUST=$(shell date)
+NOCACHE_FLAG=--no-cache
+else
+CACHE_BUST=0
+NOCACHE_FLAG=
+endif
+export CACHE_BUST
+export NOCACHE_FLAG
+
+# Build package with chosen $(BUILDER)
+# Supported BUILDERs: docker
+# Usage: $(call build,core/$(NAME),$(VERSION),$(TARGET),$(EXTRA_ARGS))
+# Notes:
+# - Packages are expected to use the following layer names in order:
+# - "fetch": [optional] obtain any artifacts from the internet.
+# - "build": [optional] do any required build work
+# - "package": [required] scratch layer exporting artifacts for distribution
+# - "test": [optional] define any tests
+# - Packages may prefix layer names with "text-" if more than one is desired
+# - VERSION will be set as a build-arg if defined, otherwise it is "latest"
+# - TARGET defaults to "package"
+# - EXTRA_ARGS will be blindly injected
+# - packages may also define a "test" layer
+# - the ulimit line is to workaround a bug in patch when the nofile limit is too large:
+# https://savannah.gnu.org/bugs/index.php?62958
+# TODO:
+# - try to disable networking on fetch layers with something like:
+# $(if $(filter fetch,$(lastword $(subst -, ,$(TARGET)))),,--network=none)
+# - actually output OCI files for each build (vs plain tar)
+# - output manifest.txt of all tar/digest hashes for an easy git diff
+# - support buildah and podman
+
+define build
+ $(eval NAME := $(1))
+ $(eval VERSION := $(if $(2),$(2),latest))
+ $(eval TARGET := $(if $(3),$(3),package))
+ $(eval TEMPFILE := out/.$(notdir $(basename $@)).tmp.tar)
+ $(eval BUILD_CMD := \
+ DOCKER_BUILDKIT=1 \
+ BUILDKIT_MULTI_PLATFORM=1 \
+ SOURCE_DATE_EPOCH=1 \
+ docker \
+ build \
+ --ulimit nofile=2048:16384 \
+ --tag sui \
+ --build-arg CACHE_BUST="$(CACHE_BUST)" \
+ --build-arg SOURCE_DATE_EPOCH=1 \
+ --build-arg CORES=$(shell nproc --all) \
+ --progress=plain \
+ $(if $(filter latest,$(VERSION)),,--build-arg VERSION=$(VERSION)) \
+ --output type=oci,rewrite-timestamp=true,force-compression=true,name=$(NAME),annotation.org.opencontainers.image.revision=$(REVISION),annotation.org.opencontainers.image.version=$(VERSION),tar=false,dest=out/$(NAME) \
+ --target $(TARGET) \
+ $(NOCACHE_FLAG) \
+ -f packages/$(NAME)/Containerfile \
+ packages/$(NAME) \
+ )
+ $(eval TIMESTAMP := $(shell TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ"))
+ mkdir -p out/ \
+ && echo $(TIMESTAMP) $(BUILD_CMD) start >> out/build.log \
+ && rm -rf out/$(NAME) \
+ && $(BUILD_CMD) \
+ && echo $(TIMESTAMP) $(BUILD_CMD) end >> out/build.log;
+endef
+
+.PHONY: sui
+sui: out/sui/index.json
+out/sui/index.json: packages/sui/Containerfile
+ $(call build,sui)
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8fee32f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,25 @@
+# Sui Reproducible Builds
+
+Uses the [StageX] software distribution for ensuring a reproducible toolchain.
+
+## Building
+
+```sh
+make sui
+```
+
+## Starting Sui
+
+The Sui container can be imported by running:
+
+```sh
+env -C out/sui tar -c . | docker load
+```
+
+To make sure Sui starts properly, run:
+
+```sh
+docker run sui
+```
+
+The version should be printed.
diff --git a/packages/sui/Containerfile b/packages/sui/Containerfile
new file mode 100644
index 0000000..72b6f1a
--- /dev/null
+++ b/packages/sui/Containerfile
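Review bot: The OCI revision annotation in the `--output` line expands `$(REVISION)`, but nothing in this Makefile defines `REVISION`, so unless the caller happens to export it the image is written with `annotation.org.opencontainers.image.revision=` empty — the field a consumer of a reproducible build would use to tie the artifact back to a source commit. Define it next to the cache variables, e.g. `REVISION ?= $(shell git rev-parse HEAD)`, and consider `MAKEFLAGS += --warn-undefined-variables` so the next such reference fails loudly instead of silently expanding to nothing. Two smaller inconsistencies in the same `define`: the usage comment promises `EXTRA_ARGS` (`$(4)`) will be injected but the recipe never references `$(4)`, and `--tag sui` is hard-coded where `--tag $(NAME)` is evidently meant, so a second package would overwrite the `sui` tag. `TEMPFILE` is computed and never used.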
@@ -0,0 +1,83 @@
+ARG RUST_VERSION=1.76.0
+
+FROM scratch AS base
+ENV NETWORK=mainnet
+ENV VERSION=1.17.3
+# https://codeload.github.com/MystenLabs/sui/zip/refs/tags/mainnet-v1.17.3
+ENV SRC_SITE=https://codeload.github.com/MystenLabs/sui/tar.gz/refs/tags
+ENV SRC_HASH=0ca2c1480c33b24849ee1fb95f70999aed2c68450c4f6ffac253eefaa91a82ed
+
+FROM base AS fetch
+ADD --checksum=sha256:${SRC_HASH} ${SRC_SITE}/${NETWORK}-v${VERSION} sui.tar.gz
+
+FROM stagex/rust:${RUST_VERSION} AS rust
+FROM fetch AS rust-fetch
+
+COPY --from=stagex/busybox . /
+COPY --from=stagex/musl . /
+COPY --from=rust . /
+
+COPY --from=stagex/gcc . /
+COPY --from=stagex/llvm . /
+COPY --from=stagex/libunwind . /
+COPY --from=stagex/openssl . /
+COPY --from=stagex/zlib . /
+
+# NOTE: Necessary for `cargo fetch`, but CA trust is not relied upon
+COPY --from=stagex/ca-certificates . /
+
+# HACK: gcc puts things in /usr/lib64
+COPY --from=stagex/gcc /usr/lib64/* /usr/lib/
+
+RUN --network=none <