merge: #2900

2900: feat: deadpool docker implementation r=sprutton1 a=sprutton1

Super naive implementation of running cyclone in containers. Tons of refactoring work could happen here, but this is enough to get things working. Tests pass! Please crush me with feedback, this is still pretty new to me.

Co-authored-by: Scott Prutton <[email protected]>

Cargo.toml

@@ -51,6 +51,7 @@ async-trait = "0.1.68"
 axum = { version = "0.6.18", features = ["macros", "multipart", "ws"] }
 base64 = "0.21.0"
 blake3 = "1.3.3"
+bollard = "0.15.0"
 bytes = "1.4.0"
 chrono = { version = "0.4.24", features = ["serde"] }
 clap = { version = "4.2.7", features = ["derive", "color", "env", "wrap_help"] }

bin/cyclone/BUCK

@@ -1,4 +1,30 @@
-load("@prelude-si//:macros.bzl", "rust_binary")
+load(
+    "@prelude-si//:macros.bzl",
+    "docker_image",
+    "export_file",
+    "rust_binary",
+    "shellcheck",
+    "shfmt_check",
+    "test_suite",
+)
+
+test_suite(
+    name = "check-lint",
+    tests = [
+        ":check-lint-rust-bin",
+        ":check-lint-rust-unit",
+        ":check-lint-shell",
+    ],
+)
+
+test_suite(
+    name = "check-format",
+    tests = [
+        ":check-format-rust",
+        ":check-format-shell",
+    ],
+)
+
 
 rust_binary(
     name = "cyclone",
@@ -11,3 +37,28 @@ rust_binary(
     ],
     srcs = glob(["src/**/*.rs"]),
 )
+
+export_file(
+    name = "docker-entrypoint.sh",
+)
+
+shfmt_check(
+    name = "check-format-shell",
+    srcs = [":docker-entrypoint.sh"],
+)
+
+shellcheck(
+    name = "check-lint-shell",
+    srcs = [":docker-entrypoint.sh"],
+)
+
+docker_image(
+    name = "image",
+    image_name = "cyclone",
+    flake_lock = "//:flake.lock",
+    build_deps = [
+        "//bin/cyclone:docker-entrypoint.sh",
+        "//bin/cyclone:cyclone",
+        "//bin/lang-js:bin",
+    ]
+)

bin/cyclone/Dockerfile

@@ -0,0 +1,69 @@
+###########################################################################
+# Builder Stage: cyclone
+###########################################################################
+# hadolint ignore=DL3007
+FROM nixos/nix:latest AS builder-cyclone
+ARG BIN=cyclone
+
+COPY . /workdir
+WORKDIR /workdir
+
+RUN set -eux; \
+    nix \
+        --extra-experimental-features "nix-command flakes impure-derivations ca-derivations" \
+        --option filter-syscalls false \
+        build \
+        ".#$BIN";
+
+RUN mkdir -p /tmp/nix-store-closure /tmp/local-bin
+# hadolint ignore=SC2046
+RUN cp -R $(nix-store --query --requisites result/) /tmp/nix-store-closure
+# hadolint ignore=SC2046
+RUN ln -snf $(nix-store --query result/)/bin/* /tmp/local-bin/
+
+###########################################################################
+# Builder Stage: lang-js
+###########################################################################
+# hadolint ignore=DL3007
+FROM nixos/nix:latest AS builder-lang-js
+ARG BIN=lang-js
+
+COPY . /workdir
+WORKDIR /workdir
+
+RUN set -eux; \
+    nix \
+        --extra-experimental-features "nix-command flakes impure-derivations ca-derivations" \
+        --option filter-syscalls false \
+        build \
+        ".#$BIN";
+
+RUN mkdir -p /tmp/nix-store-closure /tmp/local-bin
+# hadolint ignore=SC2046
+RUN cp -R $(nix-store --query --requisites result/) /tmp/nix-store-closure
+# hadolint ignore=SC2046
+RUN ln -snf $(nix-store --query result/)/bin/* /tmp/local-bin/
+
+###########################################################################
+# Final Stage
+###########################################################################
+FROM alpine:3 AS final
+ARG BIN=cyclone
+
+# hadolint ignore=DL3018
+RUN set -eux; \
+    apk add --no-cache runuser; \
+    adduser -D app; \
+    for dir in /run /etc /usr/local/etc /home/app/.config; do \
+        mkdir -pv "$dir/$BIN"; \
+    done;
+
+WORKDIR /run/$BIN
+COPY --from=builder-cyclone /tmp/nix-store-closure /nix/store
+COPY --from=builder-cyclone /tmp/local-bin/* /usr/local/bin/
+COPY --from=builder-lang-js /tmp/nix-store-closure /nix/store
+COPY --from=builder-lang-js /tmp/local-bin/* /usr/local/bin/
+
+ENTRYPOINT [ \
+  "/sbin/runuser", "-u", "app", "--", "/usr/local/bin/cyclone" \
+]

bin/cyclone/docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+# shellcheck disable=SC3043
+set -eu
+
+main() {
+  exec /usr/local/bin/.cyclone "$@"
+}
+
+main "$@"

lib/deadpool-cyclone/BUCK

@@ -6,10 +6,12 @@ rust_library(
         "//lib/cyclone-client:cyclone-client",
         "//lib/cyclone-core:cyclone-core",
         "//third-party/rust:async-trait",
+        "//third-party/rust:bollard",
         "//third-party/rust:deadpool",
         "//third-party/rust:derive_builder",
         "//third-party/rust:futures",
         "//third-party/rust:nix",
+        "//third-party/rust:rand",
         "//third-party/rust:remain",
         "//third-party/rust:serde",
         "//third-party/rust:tempfile",

lib/deadpool-cyclone/Cargo.toml

@@ -7,12 +7,14 @@ publish = false
 
 [dependencies]
 async-trait = { workspace = true }
+bollard = { workspace = true }
 cyclone-client = { path = "../cyclone-client" }
 cyclone-core = { path = "../cyclone-core" }
 deadpool = { workspace = true }
 derive_builder = { workspace = true }
 futures = { workspace = true }
 nix = { workspace = true }
+rand = {workspace = true }
 remain = { workspace = true }
 serde = { workspace = true }
 tempfile = { workspace = true }

lib/deadpool-cyclone/src/instance/cyclone.rs

@@ -6,7 +6,7 @@ pub use local_http::{
 };
 pub use local_uds::{
     LocalUdsInstance, LocalUdsInstanceError, LocalUdsInstanceSpec, LocalUdsInstanceSpecBuilder,
-    LocalUdsSocketStrategy,
+    LocalUdsRuntimeStrategy, LocalUdsSocketStrategy,
 };
 
 mod local_http;