diff --git a/flake.nix b/flake.nix
index c9f504d0d..61cca9bca 100644
--- a/flake.nix
+++ b/flake.nix
@@ -320,6 +320,18 @@
 os = "linux";
 };
 };
+ toolchain-buck2 = buildImage {
+ name = "toolchain-buck2";
+ # imageDigest and sha256 are generated by toolchain-buck2.sh for non-reproducible builds.
+ fromImage = pullImage {
+ imageName = "localhost:5001/toolchain-buck2";
+ imageDigest = ""; # DO NOT COMMIT BUCK2 IMAGE_DIGEST VALUE
+ sha256 = ""; # DO NOT COMMIT BUCK2 SHA256 VALUE
+ tlsVerify = false;
+ arch = "amd64";
+ os = "linux";
+ };
+ };
 in rec {
 _module.args.pkgs = let
 nixpkgs-patched = (import self.inputs.nixpkgs {inherit system;}).applyPatches {
@@ -370,6 +382,7 @@
 nativelink-worker-lre-java = createWorker lre-java;
 nativelink-worker-siso-chromium = createWorker siso-chromium;
 nativelink-worker-toolchain-drake = createWorker toolchain-drake;
+ nativelink-worker-toolchain-buck2 = createWorker toolchain-buck2;
 nativelink-worker-buck2-toolchain = buck2-toolchain;
 image = nativelink-image;
 }
diff --git a/tools/toolchain-buck2/Dockerfile b/tools/toolchain-buck2/Dockerfile
new file mode 100644
index 000000000..f4adad8bd
--- /dev/null
+++ b/tools/toolchain-buck2/Dockerfile
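Review bot: The comment above `fromImage` should tell a reader what the empty placeholders mean for anyone evaluating the flake: with `imageDigest = ""` and `sha256 = ""` this package cannot be fetched as committed (toolchain-buck2.sh in this same commit relies on that fetch failing to harvest the hash), and `tlsVerify = false` is acceptable only because the source is the local plaintext dev registry at `localhost:5001`, not a remote one. Suggested wording in place of the current one-liner: `# Placeholders: imageDigest/sha256 are filled in by tools/toolchain-buck2/toolchain-buck2.sh at publish time and must stay empty in git; the package does not build until then. tlsVerify is off only because the source is the local dev registry (localhost:5001).` The `createWorker toolchain-buck2` line in the second hunk is the only consumer, so the same caveat applies to `nativelink-worker-toolchain-buck2`. The enclosing `let` block begins outside the hunk.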
@@ -0,0 +1,40 @@
+# Copyright 2022-2024 The NativeLink Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ubuntu:jammy-20240212
+# https://hub.docker.com/layers/library/ubuntu/jammy-20240212/images/sha256-9089166d0211acd54441bb6a532f69e0038287edf625d62fda94784df7f07474
+FROM ubuntu:22.04@sha256:f9d633ff6640178c2d0525017174a688e2c1aef28f0a0130b26bd5554491f0da AS dependencies
+# hadolint ignore=DL3009,DL3015
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y \
+ git=1:2.34.1-1ubuntu1.11 \
+ ca-certificates=20230311ubuntu0.22.04.1 \
+ curl=7.81.0-1ubuntu1.17 \
+ xz-utils=5.2.5-2ubuntu1 \
+ python3=3.10.6-1~22.04.1 \
+ unzip=6.0-26ubuntu3.2 && \
+ update-ca-certificates
+
+RUN curl -L https://go.dev/dl/go1.23.0.linux-amd64.tar.gz -o go1.23.0.linux-amd64.tar.gz && \
+ rm -rf /usr/local/go && \
+ tar -C /usr/local -xzf go1.23.0.linux-amd64.tar.gz && \
+ rm go1.23.0.linux-amd64.tar.gz
+
+# hadolint ignore=SC1091,DL4006
+RUN curl -sL -o nix-installer https://install.determinate.systems/nix/nix-installer-x86_64-linux && \
+ chmod +x nix-installer && \
+ ./nix-installer install linux --init none --no-confirm && \
+ . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && \
+ nix develop github:facebook/buck2/d76c189ed6092d7b53506b9411241680923d593b && \
+ echo "export PATH=\"$(nix develop github:facebook/buck2/d76c189ed6092d7b53506b9411241680923d593b --command env | grep '^PATH=' | cut -d '=' -f 2-):/usr/local/go/bin\"" > /etc/profile.d/set_path.sh
diff --git a/tools/toolchain-buck2/toolchain-buck2.sh b/tools/toolchain-buck2/toolchain-buck2.sh
new file mode 100755
index 000000000..1f9b0cf85
--- /dev/null
+++ b/tools/toolchain-buck2/toolchain-buck2.sh
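Review bot: The Go tarball fetched on the `RUN curl -L https://go.dev/dl/go1.23.0.linux-amd64.tar.gz` line and the `nix-installer` fetched two RUNs later are extracted and executed without any checksum, so they are the only unpinned inputs in an image that otherwise pins everything (base image by digest, apt packages by version, buck2 by commit). Both `curl` calls also omit `-f`, so an HTTP error body would be saved under the archive or installer name and only fail later, with a less useful message. Verify each download against its published sha256 with `sha256sum -c` and fail the build on mismatch; the rewritten Go step is below and the installer step can follow the same shape. The expected hash is not on this page, so it appears as a placeholder to be filled from the Go release listing.
```dockerfile
# Verify the Go tarball against the sha256 published at https://go.dev/dl/ (placeholder below).
RUN curl -fsSL https://go.dev/dl/go1.23.0.linux-amd64.tar.gz -o go1.23.0.linux-amd64.tar.gz && \
    echo "<GO_TARBALL_SHA256_PLACEHOLDER>  go1.23.0.linux-amd64.tar.gz" | sha256sum -c - && \
    rm -rf /usr/local/go && \
    tar -C /usr/local -xzf go1.23.0.linux-amd64.tar.gz && \
    rm go1.23.0.linux-amd64.tar.gz
# … unchanged: nix-installer step (apply the same -fsSL plus sha256sum -c pattern) …
```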
@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+# Copyright 2022-2024 The NativeLink Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Creates a custom toolchain for building https://github.com/facebook/buck2
+# source tree and pushing it to Amazon Elastic Container Registry (ECR).
+
+set -xeuo pipefail
+
+ECR=${ECR:?Error: ECR is not set}
+ECR_PROFILE=${ECR_PROFILE:?Error: ECR_PROFILE is not set}
+ECR_USER=${ECR_USER:?Error: ECR_USER is not set}
+ECR_REGION=${ECR_REGION:?Error: ECR_REGION is not set}
+BUILDX_NO_CACHE=${BUILDX_NO_CACHE:-true}
+ECR_PUBLISH=${ECR_PUBLISH:-true}
+
+SRC_ROOT=$(git rev-parse --show-toplevel)
+FLAKE_NIX_FILE="${SRC_ROOT}/flake.nix"
+echo "WARNING: This script will modify and revert the flake.nix"
+sleep 3
+
+function ecr_login() {
+ aws ecr get-login-password --profile ${ECR_PROFILE} --region ${ECR_REGION} | \
+ docker login --username ${ECR_USER} --password-stdin ${ECR}
+}
+
+# Build a base image for buck2 actions.
+# Base image is published to the local docker engine
+# from the Dockerfile.
+docker buildx build --no-cache=${BUILDX_NO_CACHE} \
+ --platform linux/amd64 \
+ -t localhost:5001/toolchain-buck2:latest \
+ --push \
+ ${SRC_ROOT}/tools/toolchain-buck2
+
+# Parse out the repo digests sha hash to be used as image digest.
+FULL_IMAGE_PATH=$(docker inspect localhost:5001/toolchain-buck2:latest | jq '.[].RepoDigests[0]')
+IMAGE_DIGEST=$(echo $FULL_IMAGE_PATH | awk -F'[@"]' '{print $3}')
+if [ -z "$IMAGE_DIGEST" ]; then
+ echo "Unable to parse RepoDigests"
+ exit 1
+fi
+
+# Capture unpatched flake file for test.
+ORIGINAL_FLAKE_CONTENT=$(cat "${FLAKE_NIX_FILE}")
+
+# Patch flake.nix with image digest.
+sed -i -E "s|imageDigest = \"\"; # DO NOT COMMIT BUCK2 IMAGE_DIGEST VALUE|imageDigest = \"${IMAGE_DIGEST}\"; # DO NOT COMMIT BUCK2 IMAGE_DIGEST VALUE|" "${FLAKE_NIX_FILE}"
+
+# Bail if flake wasn't updated
+PATCHED_FLAKE_CONTENT=$(cat "${FLAKE_NIX_FILE}")
+if [ "$ORIGINAL_FLAKE_CONTENT" == "$PATCHED_FLAKE_CONTENT" ]; then
+ echo "No changes were made to ${FLAKE_NIX_FILE}"
+ exit 1
+else
+ echo "Changes made"
+ pushd $SRC_ROOT
+ git --no-pager diff "${FLAKE_NIX_FILE}"
+ sleep 3
+ popd
+fi
+
+# Get the sha256 value, this will fail due to empty string in the sha256 field.
+set +o pipefail
+SHA256_HASH=$(
+ nix run .#nativelink-worker-toolchain-buck2.copyTo \
+ docker://localhost:5001/nativelink-toolchain-buck2:latest \
+ -- --dest-tls-verify=false 2>&1 | \
+ grep "got:" | \
+ grep -o 'sha256-[^[:space:]]*'
+)
+set -o pipefail
+
+# Capture unpatched flake file for test.
+ORIGINAL_FLAKE_CONTENT=$(cat "${FLAKE_NIX_FILE}")
+
+# Patch flake.nix with sha256 value.
+sed -i -E "s|sha256 = \"\"; # DO NOT COMMIT BUCK2 SHA256 VALUE|sha256 = \"${SHA256_HASH}\"; # DO NOT COMMIT BUCK2 SHA256 VALUE|" "${FLAKE_NIX_FILE}"
+
+# Bail if flake wasn't updated.
+PATCHED_FLAKE_CONTENT=$(cat "${FLAKE_NIX_FILE}")
+if [ "$ORIGINAL_FLAKE_CONTENT" == "$PATCHED_FLAKE_CONTENT" ]; then
+ echo "No changes were made to ${FLAKE_NIX_FILE}"
+ exit 1
+else
+ echo "Changes made"
+ pushd $SRC_ROOT
+ git --no-pager diff "${FLAKE_NIX_FILE}"
+ sleep 3
+ popd
+fi
+
+# Add worker specific files and configurations.
+nix run .#nativelink-worker-toolchain-buck2.copyTo \
+ docker://localhost:5001/nativelink-toolchain-buck2:latest \
+ -- \
+ --dest-tls-verify=false
+
+# Publish image to ECR.
+if [ "$ECR_PUBLISH" = "true" ]; then
+ ecr_login
+ nix run .#nativelink-worker-toolchain-buck2.copyTo ${ECR}
+else
+ echo "Skipping ECR publishing"
+fi
+
+# Restore changes.
+git restore "${FLAKE_NIX_FILE}"
diff --git a/tools/toolchain-drake/toolchain-drake.sh b/tools/toolchain-drake/toolchain-drake.sh
index 7bc8fd4fd..d92b4c345 100755
--- a/tools/toolchain-drake/toolchain-drake.sh
+++ b/tools/toolchain-drake/toolchain-drake.sh
@@ -1,4 +1,20 @@
 #!/usr/bin/env bash
+# Copyright 2022-2024 The NativeLink Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Creates a custom toolchain for building https://github.com/RobotLocomotion/drake
+# source tree and pushing it to Amazon Elastic Container Registry (ECR).
 set -xeuo pipefail
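Review bot: The `git restore "${FLAKE_NIX_FILE}"` on the script's last line only runs on the success path, so under `set -e` any failure after the first `sed -i` (a `nix run` or `docker` error, a bad ECR login) leaves the real digest and sha256 sitting in the working-tree flake.nix, which is exactly what the "DO NOT COMMIT" markers warn against. The same restore also discards any uncommitted local edits to flake.nix, even though `ORIGINAL_FLAKE_CONTENT` is captured and never used for the rollback. Install the restore as an EXIT trap right after `FLAKE_NIX_FILE` is assigned and refuse to start on a modified flake.nix, as below; the trailing `git restore` then becomes redundant, and the two `pushd $SRC_ROOT … popd` blocks could be replaced by `git -C "${SRC_ROOT}" --no-pager diff "${FLAKE_NIX_FILE}"`.
```shell
FLAKE_NIX_FILE="${SRC_ROOT}/flake.nix"
# Refuse to run on a modified flake.nix: the rollback below would discard those edits.
if ! git -C "${SRC_ROOT}" diff --quiet -- "${FLAKE_NIX_FILE}"; then
  echo "${FLAKE_NIX_FILE} has uncommitted changes; commit or stash them first"
  exit 1
fi
# Roll back the digest/sha256 patches on every exit path, not only on success.
trap 'git -C "${SRC_ROOT}" restore "${FLAKE_NIX_FILE}"' EXIT
# … unchanged: warning, ecr_login, buildx, digest and sha256 patching, copyTo, publish …
```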