
Commit a8a3436

committed
Add some explanatory comments around the various docker images we use.
Change-Id: I33867840df49ac3146f8bfac6fd5001635bf73a4
1 parent 827f73a commit a8a3436


6 files changed

+41
-2
lines changed


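--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,5 @@
+# Docker image we use to run CI. Build with scripts/docker_build.
+# Open a shell to this image with scripts/docker_sh.
 # Use a fixed snapshot of the base image to create a deterministic environment.
 # Snapshot tags can be found at https://hub.docker.com/_/debian/tags
 ARG image_digest=sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33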

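--- a/WORKSPACE
+++ b/WORKSPACE
@@ -252,21 +252,35 @@ oci_register_toolchains(
 
 load("@rules_oci//oci:pull.bzl", "oci_pull")
 
+# This is the base docker image we use to bundle example apps like hello world
+# trusted apps. We don't build these, we pull them from the existing repo.
+#
+# E.g.: //oak_containers/examples/hello_world/trusted_app:bundle . You can find
+# these images at: gcr.io/distroless/cc-debian12 . We do not need root access
+# so you can search with ":nonroot" (gcr.io/distroless/cc-debian12:nonroot) or
+# "latest" (gcr.io/distroless/cc-debian12:latest). Note files tagged as ".sig"
+# or ".att" do not contain images. You can find a given digest (like the one
+# below) at http://gcr.io/distroless/cc-debian12@{digest} where {digest}
+# includes the "sha256:" bit.
 oci_pull(
 name = "distroless_cc_debian12",
 digest = "sha256:6714977f9f02632c31377650c15d89a7efaebf43bab0f37c712c30fc01edb973",
 image = "gcr.io/distroless/cc-debian12",
 platforms = ["linux/amd64"],
 )
 
+# System image for Oak Containers
+# We build these (see oak_containers/system_image) and push them to the repo below before
+# this snippet can pull them.
 # This image is based on debian:stable-20240612
 oci_pull(
 name = "oak_containers_sysimage_base",
 digest = "sha256:4844b899dcb44420d368bfe24dca856d01a8483d6976fbee292227f601d69940",
 image = "europe-west2-docker.pkg.dev/oak-ci/oak-containers-sysimage-base/oak-containers-sysimage-base",
 )
 
-# This image is based on debian:stable-20240612
+# Same as previous, for Nvidia GPU support (see
+# oak_containers/system_image/README.md). Based on debian:stable-20240612 .
 oci_pull(
 name = "oak_containers_nvidia_sysimage_base",
 digest = "sha256:9e69576783ad3c0a420bcb978dec53da5de6fd1a304b9b0f9d6c6bc6f188e894",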
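Review bot: The lookup URL in the new comment above `distroless_cc_debian12` is written with `http://`; since it is the documented way to look up the pinned digest, it should read `https://gcr.io/distroless/cc-debian12@{digest}`. The comment also points readers at the mutable `:nonroot` and `:latest` tags without recording which tag the pinned digest was taken from, unlike the sysimage entries that state `based on debian:stable-20240612`; a line such as `# Digest below was taken from :<tag> on <date>.` (placeholders to fill in) would make the next bump auditable. The `.sig` and `.att` entries are presumably the signature and attestation artifacts for the images, and if so the comment could say that they are what a new digest gets verified against, rather than only that they do not contain images. The third `oci_pull` call continues past the end of the hunk.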

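--- a/oak_containers/system_image/Dockerfile
+++ b/oak_containers/system_image/Dockerfile
@@ -1,3 +1,4 @@
+# Deprecated - use base_image.Dockerfile or nvidia version, see README.md.
 # debian:stable-20240612
 ARG debian_snapshot=sha256:26878d0d3aa5e1980d6f8060b4af32fc48b8edeb1fc4d2d074a13a04b17c95f2
 FROM debian@${debian_snapshot}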

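--- a/oak_containers/system_image/README.md
+++ b/oak_containers/system_image/README.md
@@ -6,6 +6,8 @@
 
 # System Image Build Tools
 
+We use this Docker image to build the base system image for Oak Containers.
+
 ## Full System Image Tools
 
 `build-old.sh` and `Dockerfile`
@@ -56,6 +58,13 @@ How this works:
 
 5. `oci_runtime_bundle` exports the bundle to a tarball that we can use.
 
+## Sysroot
+
+We use this to get a full, consistent set of libraries, tools and compilers, and
+extract them to make a sysroot. The plan is to plug this sysroot into Bazel to
+get a consistent toolchain. This image is not used to run anything at the
+moment.
+
 # Current Issues/Improvements
 
 - The bazel version should eventually be full bazel, and not require running any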

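--- a/oak_containers/system_image/base_image.Dockerfile
+++ b/oak_containers/system_image/base_image.Dockerfile
@@ -1,4 +1,6 @@
-# debian:stable-20240612
+# System Image for Oak Containers. Contains base Debian plus binaries and
+# configs to run Oak. This MUST be based on a stable Debian image.
+# debian:stable-20240612 - https://hub.docker.com/_/debian/tags
 ARG debian_snapshot=sha256:26878d0d3aa5e1980d6f8060b4af32fc48b8edeb1fc4d2d074a13a04b17c95f2
 FROM debian@${debian_snapshot}
 
@@ -8,10 +10,14 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # This takes advantage of the fact that the base image contains the snapshot
 # URL as a comment in /etc/apt/sources.list.d/debian.sources, with a switch
 # to snapshot-cloudflare in case it has higher availability.
+# NOTE: Using snapshot-cloudflare may cause issues in future image bases.
+# If you get errors like b/365523488#comment60, remove the following block.
+# Tracking: b/369706690.
 RUN sed -i -e '/^URIs/d' \
 -e '/^# http:\/\/snapshot/{s/#/URIs:/;s/snapshot/snapshot-cloudflare/}' \
 -e '/^Signed-By/a\Check-Valid-Until: no' \
 /etc/apt/sources.list.d/debian.sources
+
 RUN apt-get --yes update \
 && apt-get install --yes --no-install-recommends \
 systemd systemd-sysv dbus udev runc \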
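Review bot: The new NOTE says to "remove the following block" without saying how much of the `RUN sed` command that covers, and the same command also installs the snapshot `URIs:` line and adds `Check-Valid-Until: no`. Deleting the whole `RUN` would appear to leave apt on the image's default `URIs` entry instead of the pinned snapshot, which silently gives up the deterministic package set; the comment should name the minimal change, e.g. `# ... drop only the s/snapshot/snapshot-cloudflare/ substitution.`. A one-line why-comment for `Check-Valid-Until: no` would also help (it turns off apt's Release-file expiry check, presumably because snapshot metadata has already expired), together with a note that the rewritten URI is plain `http://`, so package integrity rests on the `Signed-By` key. `b/365523488` and `b/369706690` look like internal tracker ids, so a short description of the error would serve readers who cannot open them. The `RUN apt-get` command continues past the end of the hunk.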

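--- a/oak_containers/system_image/sysroot.Dockerfile
+++ b/oak_containers/system_image/sysroot.Dockerfile
@@ -1,3 +1,10 @@
+# Builds a Docker image from which we can extract a sysroot.
+
+# At the moment we don't use this image to run anything - only to copy out
+# the sysroot (essesntially, C libraries and tools). The goal is to plug this
+# sysroot into Bazel C toolchains so as to align compiler and library versions
+# at build time (Bazel) and at runtime (e.g. containers system image).
+
 # The expectation is that we build `base_image.Dockerfile` before this one.
 # hadolint ignore=DL3007
 FROM oak-containers-sysimage-base:latest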
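Review bot: `essesntially` in the new header comment is a typo for `essentially`. Since the stated goal is to align compiler and library versions between build time and runtime, the comment could also say that `oak-containers-sysimage-base:latest` is whatever image was last built locally under that tag (which seems to be why DL3007 is ignored), so the sysroot contents are only as reproducible as that local build. A line such as `# NOTE: :latest here is the locally built base image, not a registry tag; rebuild it first.` would make that explicit. The rest of the Dockerfile lies outside the hunk.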
