From 78890ce0e537c54546c1a0fb0401c8afa6731620 Mon Sep 17 00:00:00 2001
From: Guillermo Perez
Date: Sat, 16 Sep 2023 03:34:41 -0400
Subject: [PATCH] inject sccache in the docker image
---
 ci/install-sccache-tarball.sh | 44 ++++++++++++++++++++++++++++++
 docker/centrifuge-chain/Dockerfile | 39 ++++++++++++++++----------
 2 files changed, 68 insertions(+), 15 deletions(-)
 create mode 100644 ci/install-sccache-tarball.sh
diff --git a/ci/install-sccache-tarball.sh b/ci/install-sccache-tarball.sh
new file mode 100644
index 0000000000..3230dea1ec
--- /dev/null
+++ b/ci/install-sccache-tarball.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -eux
+# Define URLs and file names
+URL="https://github.com/mozilla/sccache/releases/download/v0.5.4/"
+TARBALL_URL="${URL}/sccache-v0.5.4-aarch64-unknown-linux-musl.tar.gz"
+CHECKSUM_URL="${URL}/sccache-v0.5.4-aarch64-unknown-linux-musl.tar.gz.sha256"
+TARBALL_FILENAME="sccache.tar.gz"
+CHECKSUM_FILENAME="sccache.sha256"
+
+# Define the target directory where you want to extract the binary
+TARGET_DIR="/usr/local/cargo/bin"
+
+# Download the tarball and checksum
+echo "Downloading tarball..."
+curl -L "$TARBALL_URL" -o "$TARBALL_FILENAME"
+
+echo "Downloading checksum..."
+curl -L "$CHECKSUM_URL" -o "$CHECKSUM_FILENAME"
+
+# Verify the checksum
+echo "Verifying checksum..."
+EXPECTED_SHA256=$(cat "$CHECKSUM_FILENAME" | awk '{print $1}')
+ACTUAL_SHA256=$(sha256sum "$TARBALL_FILENAME" | awk '{print $1}')
+
+if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
+ echo "Checksum verification failed. Aborting."
+ rm "$TARBALL_FILENAME" "$CHECKSUM_FILENAME"
+ exit 1
+fi
+
+# Extract the tarball
+echo "Extracting tarball..."
+mkdir sccache
+tar -vxzf sccache.tar.gz -C ./sccache/ --strip-components 1
+
+# Copy the sccache binary to the target directory
+echo "Copying sccache binary to $TARGET_DIR"
+cp "sccache/sccache" "$TARGET_DIR/"
+
+# Clean up downloaded files and extracted folder
+rm "$TARBALL_FILENAME" "$CHECKSUM_FILENAME"
+rm -rf "sccache"
+
+echo "Installation completed successfully."
diff --git a/docker/centrifuge-chain/Dockerfile b/docker/centrifuge-chain/Dockerfile
index 8c604f6a08..d9a9709d3a 100644
--- a/docker/centrifuge-chain/Dockerfile
+++ b/docker/centrifuge-chain/Dockerfile
@@ -2,7 +2,7 @@ # https://github.com/paritytech/polkadot-sdk/blob/master/docker/dockerfiles/polkadot/polkadot_injected_release.Dockerfile # ToDo: create a CI/builder image with preloaded tools -FROM docker.io/library/ubuntu:22.04 as builder +FROM --platform=linux/amd64 docker.io/library/ubuntu:22.04 as builder # Defaults ENV RUST_BACKTRACE 1 
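Review bot: The digest this script compares against is downloaded from the same release URL as the tarball (`CHECKSUM_URL`), so the check catches a corrupted transfer but not a replaced release asset; pin the digest in the repository instead, e.g. `EXPECTED_SHA256="<sha256 of the reviewed sccache v0.5.4 tarball>"`, and drop the second download. Both `curl -L` calls should also fail on HTTP errors and stay on HTTPS across redirects: `curl --proto '=https' --tlsv1.2 -fsSL "$TARBALL_URL" -o "$TARBALL_FILENAME"`. Separately, the asset is the `aarch64-unknown-linux-musl` build while the Dockerfile in this patch pins `--platform=linux/amd64` and fetches the x86_64 `rustup-init`, so the copied `sccache` binary presumably cannot execute in that stage. `${URL}/…` also produces a double slash because `URL` already ends in `/`.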
@@ -21,26 +21,32 @@ FROM docker.io/library/ubuntu:22.04 as builder libclang-dev \ protobuf-compiler \ curl - - RUN curl https://sh.rustup.rs -sSf | sh -s -- -y - ENV PATH="${PATH}:/root/.cargo/bin" - + + ENV RUSTUP_HOME=/usr/local/rustup \ + CARGO_HOME=/usr/local/cargo \ + PATH=/usr/local/cargo/bin:$PATH +# install rustup, use minimum components + RUN curl -L "https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init" \ + -o rustup-init; \ + chmod +x rustup-init; \ + ./rustup-init -y --no-modify-path --profile minimal --default-toolchain stable; \ + rm rustup-init; +# install sccache + COPY ./ci/install-sccache-tarball.sh ./ + RUN chmod +x install-sccache-tarball.sh && \ + ./install-sccache-tarball.sh + # BUILD COPY . centrifuge-chain WORKDIR /centrifuge-chain - RUN echo $(ls -l /centrifuge-chain/) - RUN \ - rustup-init -y --profile minimal --default-toolchain stable; \ - cargo install sccache; - RUN rustup default $RUST_TOOLCHAIN && \ rustup target add wasm32-unknown-unknown --toolchain $RUST_TOOLCHAIN - # RUN cargo build "--release" --features=${FEATURES} + RUN cargo build "--release" --features=${FEATURES} # ===== SECOND STAGE ====== # ToDo: create a secure image as a base for the binary -FROM docker.io/library/ubuntu:22.04 +FROM --platform=linux/amd64 docker.io/library/ubuntu:22.04 LABEL io.centrifuge.image.authors="guillermo@k-f.co" \ io.centrifuge.image.vendor="Centrifuge" \ @@ -67,13 +73,16 @@ FROM docker.io/library/ubuntu:22.04 # RUN mv /usr/share/ca* /tmp && \ # rm -rf /usr/share/* && \ # mv /tmp/ca-certificates /usr/share/ + # minimize the attack surface - # rm -rf /usr/bin /usr/sbin /usr/lib/python* && \ + # RUN rm -rf /usr/bin /usr/sbin /usr/lib/python* + + RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ; RUN mkdir -p /root/.local/share/centrifuge-chain && \ ln -s /root/.local/share/centrifuge-chain /data - - + +ENV RUST_BACKTRACE 1 USER centrifuge EXPOSE 30333 9933 9944 VOLUME ["/data"]
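Review bot: `rustup-init` is fetched with `curl -L` and executed in the builder stage without any integrity check, and the steps are joined with `;`, so a failed or substituted download is not stopped at the step that caused it. Pin the SHA-256 of the reviewed binary in the Dockerfile, verify it with `sha256sum -c` before `chmod +x`, and chain the steps with `&&`; adding `--proto '=https' --tlsv1.2 -f` keeps redirects on HTTPS and turns an HTTP error into a failed build. The digest in the sketch below is a placeholder to be filled in from the release being pinned. The builder stage starts before this hunk, so the `apt-get` block it continues from is only partly visible here.

```dockerfile
# … unchanged: ENV RUSTUP_HOME / CARGO_HOME / PATH …
# install rustup, use minimum components; digest is pinned and checked before execution
ARG RUSTUP_INIT_SHA256="<sha256 of the reviewed rustup-init binary>"
RUN curl --proto '=https' --tlsv1.2 -fsSL \
      "https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init" \
      -o rustup-init && \
    echo "${RUSTUP_INIT_SHA256}  rustup-init" | sha256sum -c - && \
    chmod +x rustup-init && \
    ./rustup-init -y --no-modify-path --profile minimal --default-toolchain stable && \
    rm rustup-init
# … unchanged: sccache install, BUILD section, second-stage FROM …
```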
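Review bot: The added `RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ;` runs in its own layer, so anything written by earlier layers stays in the image and remains readable from those layers; the cleanup only has an effect when appended to the same `RUN` that performs the package install, which is presumably earlier in this stage and outside the hunk. The "minimize the attack surface" step is still commented out after this change (`# RUN rm -rf /usr/bin /usr/sbin /usr/lib/python*`), so the runtime image keeps the full Ubuntu userland. The new `ENV RUST_BACKTRACE 1` uses the legacy space-separated form and should read `ENV RUST_BACKTRACE=1`.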