initial commit

This commit is contained in:
RyanSquared 2024-02-21 15:15:49 -05:00
commit a68b113768
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
3 changed files with 177 additions and 0 deletions

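--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,69 @@
+ifeq ($(NOCACHE), 1)
+CACHE_BUST=$(shell date)
+NOCACHE_FLAG=--no-cache
+else
+CACHE_BUST=0
+NOCACHE_FLAG=
+endif
+export CACHE_BUST
+export NOCACHE_FLAG
+# Build package with chosen $(BUILDER)
+# Supported BUILDERs: docker
+# Usage: $(call build,core/$(NAME),$(VERSION),$(TARGET),$(EXTRA_ARGS))
+# Notes:
+# - Packages are expected to use the following layer names in order:
+# - "fetch": [optional] obtain any artifacts from the internet.
+# - "build": [optional] do any required build work
+# - "package": [required] scratch layer exporting artifacts for distribution
+# - "test": [optional] define any tests
+# - Packages may prefix layer names with "text-" if more than one is desired
+# - VERSION will be set as a build-arg if defined, otherwise it is "latest"
+# - TARGET defaults to "package"
+# - EXTRA_ARGS will be blindly injected
+# - packages may also define a "test" layer
+# - the ulimit line is to workaround a bug in patch when the nofile limit is too large:
+# https://savannah.gnu.org/bugs/index.php?62958
+# TODO:
+# - try to disable networking on fetch layers with something like:
+# $(if $(filter fetch,$(lastword $(subst -, ,$(TARGET)))),,--network=none)
+# - actually output OCI files for each build (vs plain tar)
+# - output manifest.txt of all tar/digest hashes for an easy git diff
+# - support buildah and podman
+define build
+$(eval NAME := $(1))
+$(eval VERSION := $(if $(2),$(2),latest))
+$(eval TARGET := $(if $(3),$(3),package))
+$(eval TEMPFILE := out/.$(notdir $(basename $@)).tmp.tar)
+$(eval BUILD_CMD := \
+DOCKER_BUILDKIT=1 \
+BUILDKIT_MULTI_PLATFORM=1 \
+SOURCE_DATE_EPOCH=1 \
+docker \
+build \
+--ulimit nofile=2048:16384 \
+--tag sui \
+--build-arg CACHE_BUST="$(CACHE_BUST)" \
+--build-arg SOURCE_DATE_EPOCH=1 \
+--build-arg CORES=$(shell nproc --all) \
+--progress=plain \
+$(if $(filter latest,$(VERSION)),,--build-arg VERSION=$(VERSION)) \
+--output type=oci,rewrite-timestamp=true,force-compression=true,name=$(NAME),annotation.org.opencontainers.image.revision=$(REVISION),annotation.org.opencontainers.image.version=$(VERSION),tar=false,dest=out/$(NAME) \
+--target $(TARGET) \
+$(NOCACHE_FLAG) \
+-f packages/$(NAME)/Containerfile \
+packages/$(NAME) \
+)
+$(eval TIMESTAMP := $(shell TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ"))
+mkdir -p out/ \
+&& echo $(TIMESTAMP) $(BUILD_CMD) start >> out/build.log \
+&& rm -rf out/$(NAME) \
+&& $(BUILD_CMD) \
+&& echo $(TIMESTAMP) $(BUILD_CMD) end >> out/build.log;
+endef
+.PHONY: sui
+sui: out/sui/index.json
+out/sui/index.json: packages/sui/Containerfile
+$(call build,sui)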
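Review bot: `$(REVISION)` in the `annotation.org.opencontainers.image.revision=$(REVISION)` part of the `--output` argument is never assigned anywhere in this Makefile, so unless the caller happens to export it the revision annotation on every produced image is empty and the output carries no record of which source revision built it; a default such as `REVISION ?= $(shell git rev-parse HEAD)` next to the `CACHE_BUST` setup would close that gap while still allowing an override. `TEMPFILE` is assigned in the `define build` body but never referenced, so either the write-to-temp-then-rename it suggests should be implemented around the `docker build` call or the line should go, since as written `rm -rf out/$(NAME)` followed by a failed build leaves no output at all. `--tag sui` is hard-coded while the rest of the macro is parameterized by `$(NAME)`; `--tag $(NAME)` would keep the macro usable for the other packages the header comment describes. `CACHE_BUST=$(shell date)` uses recursive assignment, so `date` is re-run on each expansion and the exported value can differ from the one baked into `BUILD_CMD`; `CACHE_BUST:=$(shell date)` fixes it once. The recipe lines under `mkdir -p out/` and `$(call build,sui)` show no leading tab as rendered here, presumably lost in rendering rather than in the file.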

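--- a/README.md
+++ b/README.md
@@ -0,0 +1,25 @@
+# Sui Reproducible Builds
+Uses the [StageX] software distribution for ensuring a reproducible toolchain.
+## Building
+```sh
+make sui
+```
+## Starting Sui
+The Sui container can be imported by running:
+```sh
+env -C out/sui tar -c . | docker load
+```
+To make sure Sui starts properly, run:
+```sh
+docker run sui
+```
+The version should be printed.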


@ -0,0 +1,83 @@
ARG RUST_VERSION=1.76.0
FROM scratch AS base
ENV NETWORK=mainnet
ENV VERSION=1.17.3
# https://codeload.github.com/MystenLabs/sui/zip/refs/tags/mainnet-v1.17.3
ENV SRC_SITE=https://codeload.github.com/MystenLabs/sui/tar.gz/refs/tags
ENV SRC_HASH=0ca2c1480c33b24849ee1fb95f70999aed2c68450c4f6ffac253eefaa91a82ed
FROM base AS fetch
ADD --checksum=sha256:${SRC_HASH} ${SRC_SITE}/${NETWORK}-v${VERSION} sui.tar.gz
FROM stagex/rust:${RUST_VERSION} AS rust
FROM fetch AS rust-fetch
COPY --from=stagex/busybox . /
COPY --from=stagex/musl . /
COPY --from=rust . /
COPY --from=stagex/gcc . /
COPY --from=stagex/llvm . /
COPY --from=stagex/libunwind . /
COPY --from=stagex/openssl . /
COPY --from=stagex/zlib . /
# NOTE: Necessary for `cargo fetch`, but CA trust is not relied upon
COPY --from=stagex/ca-certificates . /
# HACK: gcc puts things in /usr/lib64
COPY --from=stagex/gcc /usr/lib64/* /usr/lib/
RUN --network=none <<EOF
set -eux
tar xf sui.tar.gz
mv sui-${NETWORK}-v${VERSION} sui
EOF
WORKDIR sui
RUN cargo fetch
FROM rust-fetch AS build
# Rust build deps
COPY --from=stagex/binutils . /
COPY --from=stagex/gcc . /
COPY --from=stagex/llvm . /
COPY --from=stagex/make . /
COPY --from=stagex/musl . /
# Sui build deps
COPY --from=stagex/clang . /
COPY --from=stagex/linux-headers . /
ENV RUST_BACKTRACE=1
ENV RUSTFLAGS='-C target-feature=-crt-static -C codegen-units=1'
ENV GIT_REVISION=d338ed98cbb7dd1e9de9340ae9486880dfcb389a
RUN --network=none cargo build --frozen --release --bin sui-node
FROM scratch AS install
COPY --from=stagex/busybox . /
COPY --from=stagex/busybox . /rootfs
COPY --from=stagex/libunwind . /rootfs
COPY --from=stagex/gcc . /rootfs
COPY --from=stagex/musl . /rootfs
# HACK: gcc puts things in /usr/lib64
COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
COPY --from=build sui/target/release/sui-node /rootfs/usr/bin/sui-node
RUN --network=none find /rootfs -exec touch -hcd "@0" "{}" +
FROM scratch AS package
COPY --from=install /rootfs /
ENTRYPOINT ["/usr/bin/sui-node"]
CMD ["--version"]
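Review bot: Every toolchain image is pulled by mutable reference — `FROM stagex/rust:${RUST_VERSION}` by tag, and each `COPY --from=stagex/busybox . /`, `stagex/musl`, `stagex/gcc`, `stagex/llvm`, `stagex/openssl` and the rest with no tag or digest at all — so the build's inputs are whatever the registry serves on the day, and the reproducibility the README claims rests on the `ADD --checksum=sha256:${SRC_HASH}` of the source tarball alone; pinning each reference by digest (`stagex/busybox@sha256:<digest-placeholder>`) makes the toolchain an explicit, verifiable input and turns any upstream change into a visible diff. The `install` stage copies the whole `stagex/gcc` image into `/rootfs` (plus the `/usr/lib64/*` hack), which ships a compiler in the runtime image; if that is only to provide `libgcc_s` for the `-C target-feature=-crt-static` build, copying just the needed shared libraries would cut the runtime attack surface — confirm what `sui-node` actually links. The `# NOTE: Necessary for cargo fetch, but CA trust is not relied upon` comment would read more precisely as `# NOTE: needed so cargo fetch can establish TLS; crate integrity presumably comes from the Cargo.lock checksums enforced by --frozen, not from CA trust` — worth confirming that is the intended argument. `ENV GIT_REVISION=d338ed98...` is set by hand and must be kept in step with `ENV VERSION=1.17.3` and `SRC_HASH`; a comment tying the three together would prevent a future bump from silently embedding the wrong revision string.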