initial commit

Makefile

@@ -0,0 +1,69 @@
+ifeq ($(NOCACHE), 1)
+CACHE_BUST=$(shell date)
+NOCACHE_FLAG=--no-cache
+else
+CACHE_BUST=0
+NOCACHE_FLAG=
+endif
+export CACHE_BUST
+export NOCACHE_FLAG
+
+# Build package with chosen $(BUILDER)
+# Supported BUILDERs: docker
+# Usage: $(call build,core/$(NAME),$(VERSION),$(TARGET),$(EXTRA_ARGS))
+# Notes:
+# - Packages are expected to use the following layer names in order:
+#   - "fetch": [optional] obtain any artifacts from the internet.
+#   - "build": [optional] do any required build work
+#   - "package": [required] scratch layer exporting artifacts for distribution
+#   - "test": [optional] define any tests
+# - Packages may prefix layer names with "text-" if more than one is desired
+# - VERSION will be set as a build-arg if defined, otherwise it is "latest"
+# - TARGET defaults to "package"
+# - EXTRA_ARGS will be blindly injected
+# - packages may also define a "test" layer
+# - the ulimit line is to workaround a bug in patch when the nofile limit is too large:
+#      https://savannah.gnu.org/bugs/index.php?62958
+#  TODO:
+# - try to disable networking on fetch layers with something like:
+#   $(if $(filter fetch,$(lastword $(subst -, ,$(TARGET)))),,--network=none)
+# - actually output OCI files for each build (vs plain tar)
+# - output manifest.txt of all tar/digest hashes for an easy git diff
+# - support buildah and podman
+
+define build
+	$(eval NAME := $(1))
+	$(eval VERSION := $(if $(2),$(2),latest))
+	$(eval TARGET := $(if $(3),$(3),package))
+	$(eval TEMPFILE := out/.$(notdir $(basename $@)).tmp.tar)
+	$(eval BUILD_CMD := \
+		DOCKER_BUILDKIT=1 \
+		BUILDKIT_MULTI_PLATFORM=1 \
+		SOURCE_DATE_EPOCH=1 \
+		docker \
+			build \
+			--ulimit nofile=2048:16384 \
+			--tag sui \
+			--build-arg CACHE_BUST="$(CACHE_BUST)" \
+			--build-arg SOURCE_DATE_EPOCH=1 \
+			--build-arg CORES=$(shell nproc --all) \
+			--progress=plain \
+			$(if $(filter latest,$(VERSION)),,--build-arg VERSION=$(VERSION)) \
+			--output type=oci,rewrite-timestamp=true,force-compression=true,name=$(NAME),annotation.org.opencontainers.image.revision=$(REVISION),annotation.org.opencontainers.image.version=$(VERSION),tar=false,dest=out/$(NAME) \
+			--target $(TARGET) \
+			$(NOCACHE_FLAG) \
+			-f packages/$(NAME)/Containerfile \
+			packages/$(NAME) \
+	)
+	$(eval TIMESTAMP := $(shell TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ"))
+	mkdir -p out/ \
+	&& echo $(TIMESTAMP) $(BUILD_CMD) start >> out/build.log \
+	&& rm -rf out/$(NAME) \
+	&& $(BUILD_CMD) \
+	&& echo $(TIMESTAMP) $(BUILD_CMD) end >> out/build.log;
+endef
+
+.PHONY: sui
+sui: out/sui/index.json
+out/sui/index.json: packages/sui/Containerfile
+	$(call build,sui)

README.md

@@ -0,0 +1,25 @@
+# Sui Reproducible Builds
+
+Uses the [StageX] software distribution for ensuring a reproducible toolchain.
+
+## Building
+
+```sh
+make sui
+```
+
+## Starting Sui
+
+The Sui container can be imported by running:
+
+```sh
+env -C out/sui tar -c . | docker load
+```
+
+To make sure Sui starts properly, run:
+
+```sh
+docker run sui
+```
+
+The version should be printed.

packages/sui/Containerfile

@@ -0,0 +1,83 @@
+ARG RUST_VERSION=1.76.0
+
+FROM scratch AS base
+ENV NETWORK=mainnet
+ENV VERSION=1.17.3
+# https://codeload.github.com/MystenLabs/sui/zip/refs/tags/mainnet-v1.17.3
+ENV SRC_SITE=https://codeload.github.com/MystenLabs/sui/tar.gz/refs/tags
+ENV SRC_HASH=0ca2c1480c33b24849ee1fb95f70999aed2c68450c4f6ffac253eefaa91a82ed
+
+FROM base AS fetch
+ADD --checksum=sha256:${SRC_HASH} ${SRC_SITE}/${NETWORK}-v${VERSION} sui.tar.gz
+
+FROM stagex/rust:${RUST_VERSION} AS rust
+FROM fetch AS rust-fetch
+
+COPY --from=stagex/busybox . /
+COPY --from=stagex/musl . /
+COPY --from=rust . /
+
+COPY --from=stagex/gcc . /
+COPY --from=stagex/llvm . /
+COPY --from=stagex/libunwind . /
+COPY --from=stagex/openssl . /
+COPY --from=stagex/zlib . /
+
+# NOTE: Necessary for `cargo fetch`, but CA trust is not relied upon
+COPY --from=stagex/ca-certificates . /
+
+# HACK: gcc puts things in /usr/lib64 
+COPY --from=stagex/gcc /usr/lib64/* /usr/lib/
+
+RUN --network=none <<EOF
+set -eux
+tar xf sui.tar.gz
+mv sui-${NETWORK}-v${VERSION} sui
+EOF
+
+WORKDIR sui
+
+RUN cargo fetch
+
+FROM rust-fetch AS build
+
+# Rust build deps
+
+COPY --from=stagex/binutils . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/llvm . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+
+# Sui build deps
+
+COPY --from=stagex/clang . /
+COPY --from=stagex/linux-headers . /
+
+ENV RUST_BACKTRACE=1
+ENV RUSTFLAGS='-C target-feature=-crt-static -C codegen-units=1'
+ENV GIT_REVISION=d338ed98cbb7dd1e9de9340ae9486880dfcb389a
+
+RUN --network=none cargo build --frozen --release --bin sui-node
+
+FROM scratch AS install
+
+COPY --from=stagex/busybox . /
+
+COPY --from=stagex/busybox . /rootfs
+COPY --from=stagex/libunwind . /rootfs
+COPY --from=stagex/gcc . /rootfs
+COPY --from=stagex/musl . /rootfs
+
+# HACK: gcc puts things in /usr/lib64 
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
+
+COPY --from=build sui/target/release/sui-node /rootfs/usr/bin/sui-node
+RUN --network=none find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch AS package
+
+COPY --from=install /rootfs /
+
+ENTRYPOINT ["/usr/bin/sui-node"]
+CMD ["--version"]