ci: create a distroless for elixir builder and base

build-trust · Nov 21, 2023 · 6cd0a47 · 6cd0a47
1 parent ec51986
commit 6cd0a47
Show file tree

Hide file tree

Showing 5 changed files with 203 additions and 0 deletions.
diff --git a/tools/docker/wolfi/README.md b/tools/docker/wolfi/README.md
@@ -0,0 +1,36 @@
+
+This folder contains yaml files to build a distroless wolfi image, to build a distroless image, you need to create a secret key which will be used to sign packages, to create a secret key, in the wolfi directory, call the below command to create a keypair
+```bash
+docker run --rm -v "${PWD}":/work cgr.dev/chainguard/melange keygen
+```
+
+Note, it is crucial we call the above command before building our packages and images.
+
+After generating a keypair, we can now build our elixir and erlang packages which will be used in our docker wolfi images, elixir package has the erlang package as a dependency, so we need to build the erlang package first, to build the erlang package, from the wolfi directory, call
+```bash
+docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build erlang_package.yaml --arch amd64 -k melange.rsa.pub --signing-key melange.rsa
+```
+
+To build the elixir package
+```bash
+docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build elixir_package.yaml --arch amd64 -k melange.rsa.pub --signing-key melange.rsa
+```
+
+After building the packages, we can now build our builder and base image, to build the builder image
+```bash
+docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build builder_image.yaml -k melange.rsa.pub ghcr.io/build-trust/ockam-elixir-builder:latest builder_image.tar
+```
+
+the command above builds the builder image and sets the image name as `ghcr.io/build-trust/ockam-elixir-builder:latest` and creates a `.tar` file which can be loaded as a docker image with the below command
+```bash
+docker load < builder_image.tar
+```
+
+To build the base image
+```bash
+docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build base_image.yaml -k melange.rsa.pub ghcr.io/build-trust/ockam-elixir-base:latest base_image.tar
+```
+to load the base image
+```bash
+docker load < base_image.tar
+```
diff --git a/tools/docker/wolfi/base_image.yaml b/tools/docker/wolfi/base_image.yaml
@@ -0,0 +1,23 @@
+# docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build base_image.yaml -k melange.rsa.pub ghcr.io/build-trust/ockam-elixir-base:latest base_image.tar
+# Builds the base image which comprises of tools to host elixir binaries and perform remote connection
+contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
+  packages:
+    - ca-certificates-bundle
+    - glibc
+    - bash
+    - ncurses
+    - ncurses-dev
+    - ncurses-terminfo-base
+    - glibc-dev
+    - openssl
+    - gcc
+    - py3.12-pip
+    - python-3.12
+    - postgresql-16-client
+
+archs:
+  - x86_64
diff --git a/tools/docker/wolfi/builder_image.yaml b/tools/docker/wolfi/builder_image.yaml
@@ -0,0 +1,32 @@
+# docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build builder_image.yaml -k melange.rsa.pub ghcr.io/build-trust/ockam-elixir-builder:latest builder_image.tar
+# Builds the builder image which comprises of tools to build elixir and rust binaries
+contents:
+  keyring:
+    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+  repositories:
+    - https://packages.wolfi.dev/os
+    - /work/packages
+  packages:
+    - ca-certificates-bundle
+    - build-base
+    - curl
+    - xz
+    - git
+    - bash
+    - ncurses
+    - ncurses-dev
+    - ncurses-terminfo-base
+    - libstdc++
+    - glibc
+    - glibc-dev
+    - gcc
+    - rustup
+    - zlib
+    - zlib-dev
+    - elixir-1_15
+    - erlang-24
+    - erlang-24-dev
+    - openssl
+
+archs:
+  - x86_64
diff --git a/tools/docker/wolfi/elixir_package.yaml b/tools/docker/wolfi/elixir_package.yaml
@@ -0,0 +1,45 @@
+# docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build elixir_package.yaml --arch amd64 -k melange.rsa.pub --signing-key melange.rsa
+# Builds a pinned version of the elixir package
+package:
+  name: elixir-1_14
+  version: 1.14.5
+  epoch: 0
+  description: General-purpose programming language and runtime environment
+  copyright:
+    - license: Apache-2.0
+  dependencies:
+    runtime:
+      - erlang-24
+
+environment:
+  contents:
+    keyring:
+      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+    repositories:
+      - https://packages.wolfi.dev/os
+      - /work/packages
+    packages:
+      - glibc
+      - glib
+      - erlang-24
+      - erlang-24-dev
+      - ca-certificates-bundle
+      - build-base
+      - glibc-dev
+      - busybox
+      - gcc
+      - llvm-libcxx-16
+      - make
+      - sed
+
+pipeline:
+  - uses: fetch
+    with:
+      expected-sha256: 2ea249566c67e57f8365ecdcd0efd9b6c375f57609b3ac2de326488ac37c8ebd
+      uri: https://github.com/elixir-lang/elixir/archive/refs/tags/v${{package.version}}.tar.gz
+  - runs: |
+      # This is a hack to get elixir to compile on Alpine https://git.alpinelinux.org/aports/tree/community/elixir/APKBUILD?h=3.18-stable
+      sed -i 's/^.NOTPARALLEL: compile/.NOTPARALLEL:/' Makefile
+  - uses: autoconf/make
+  - uses: autoconf/make-install
+  - uses: strip
diff --git a/tools/docker/wolfi/erlang_package.yaml b/tools/docker/wolfi/erlang_package.yaml
@@ -0,0 +1,67 @@
+# docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build erlang_package.yaml --arch amd64 -k melange.rsa.pub --signing-key melange.rsa
+# Builds a pinned version of the erlang package
+package:
+  name: erlang-24
+  version: 24.3.4.11
+  epoch: 0
+  description: General-purpose programming language and runtime environment
+  copyright:
+    - license: Apache-2.0
+  dependencies:
+    runtime:
+      # mnesia depends on the ca-certificates bundle
+      - ca-certificates-bundle
+
+environment:
+  contents:
+    keyring:
+      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+    repositories:
+      - https://packages.wolfi.dev/os
+    packages:
+      - busybox
+      - ca-certificates-bundle
+      - build-base
+      - automake
+      - autoconf
+      - perl-dev
+      - openssl-dev
+      - ncurses-dev
+      - zlib-dev
+
+pipeline:
+  - uses: fetch
+    with:
+      expected-sha256: 0e63cd975f126ae9f17c36062d63e8629bb984e013b18a8a13ad634035dc414f
+      uri: https://github.com/erlang/otp/releases/download/OTP-${{package.version}}/otp_src_${{package.version}}.tar.gz
+
+  - runs: |
+      export CPPFLAGS="-D_BSD_SOURCE $CPPFLAGS"
+
+      ./otp_build autoconf
+      ./configure \
+        --prefix=/usr \
+        --sysconfdir=/etc \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info \
+        --host="$CHOST" \
+        --build="$CBUILD" \
+        --enable-threads \
+        --enable-shared-zlib \
+        --enable-ssl=dynamic-ssl-lib \
+        --enable-jit
+
+  - uses: autoconf/make
+
+  - uses: autoconf/make-install
+
+  - uses: strip
+
+subpackages:
+  - name: "erlang-24-dev"
+    description: "headers for erlang"
+    pipeline:
+      - uses: split/dev
+    dependencies:
+      runtime:
+        - erlang-24