Reintroduce boringcrypto images (#725)

* misc: build boringcrypto and cngcrypto images for Linux and Windows * docs: document boringcrypto images * Revert "docs: temporarily remove boringcrypto references (#97)" This reverts commit c9daa54. * Apply suggestions from code review Co-authored-by: Clayton Cornell <[email protected]> * docs: use BoringCrypto/CNGCrypto as proper spelling --------- Co-authored-by: Clayton Cornell <[email protected]>
grafana · May 1, 2024 · 22411f9 · 22411f9
1 parent 3dd7143
commit 22411f9
Show file tree

Hide file tree

Showing 8 changed files with 327 additions and 50 deletions.
diff --git a/.drone/drone.yml b/.drone/drone.yml
@@ -354,7 +354,7 @@ trigger:
 type: docker
 ---
 kind: pipeline
-name: Publish development Linux alloy container
+name: Publish Linux alloy-devel container
 platform:
   arch: amd64
   os: linux
@@ -371,10 +371,10 @@ steps:
   - mkdir -p $HOME/.docker
   - printenv GCR_CREDS > $HOME/.docker/config.json
   - docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
-  - docker buildx create --name multiarch-alloy-alloy-${DRONE_COMMIT_SHA} --driver
+  - docker buildx create --name multiarch-alloy-alloy-devel-${DRONE_COMMIT_SHA} --driver
     docker-container --use
   - ./tools/ci/docker-containers alloy-devel
-  - docker buildx rm multiarch-alloy-alloy-${DRONE_COMMIT_SHA}
+  - docker buildx rm multiarch-alloy-alloy-devel-${DRONE_COMMIT_SHA}
   environment:
     DOCKER_LOGIN:
       from_secret: docker_login
@@ -397,7 +397,50 @@ volumes:
   name: docker
 ---
 kind: pipeline
-name: Publish development Windows alloy container
+name: Publish Linux alloy-boringcrypto-devel container
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+  failure: ignore
+  image: grafana/alloy-build-image:v0.1.0
+  name: Configure QEMU
+  volumes:
+  - name: docker
+    path: /var/run/docker.sock
+- commands:
+  - mkdir -p $HOME/.docker
+  - printenv GCR_CREDS > $HOME/.docker/config.json
+  - docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
+  - docker buildx create --name multiarch-alloy-alloy-boringcrypto-devel-${DRONE_COMMIT_SHA}
+    --driver docker-container --use
+  - ./tools/ci/docker-containers alloy-boringcrypto-devel
+  - docker buildx rm multiarch-alloy-alloy-boringcrypto-devel-${DRONE_COMMIT_SHA}
+  environment:
+    DOCKER_LOGIN:
+      from_secret: docker_login
+    DOCKER_PASSWORD:
+      from_secret: docker_password
+    GCR_CREDS:
+      from_secret: gcr_admin
+  image: grafana/alloy-build-image:v0.1.0
+  name: Publish container
+  volumes:
+  - name: docker
+    path: /var/run/docker.sock
+trigger:
+  ref:
+  - refs/heads/main
+type: docker
+volumes:
+- host:
+    path: /var/run/docker.sock
+  name: docker
+---
+kind: pipeline
+name: Publish Windows alloy-devel container
 platform:
   arch: amd64
   os: windows
@@ -431,6 +474,40 @@ volumes:
   name: docker
 ---
 kind: pipeline
+name: Publish Windows alloy-cngcrypto-devel container
+platform:
+  arch: amd64
+  os: windows
+  version: "1809"
+steps:
+- commands:
+  - '& "C:/Program Files/git/bin/bash.exe" -c ''mkdir -p $HOME/.docker'''
+  - '& "C:/Program Files/git/bin/bash.exe" -c ''printenv GCR_CREDS > $HOME/.docker/config.json'''
+  - '& "C:/Program Files/git/bin/bash.exe" -c ''docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD'''
+  - '& "C:/Program Files/git/bin/bash.exe" -c ''./tools/ci/docker-containers-windows
+    alloy-cngcrypto-devel'''
+  environment:
+    DOCKER_LOGIN:
+      from_secret: docker_login
+    DOCKER_PASSWORD:
+      from_secret: docker_password
+    GCR_CREDS:
+      from_secret: gcr_admin
+  image: grafana/alloy-build-image:v0.1.0-windows
+  name: Build containers
+  volumes:
+  - name: docker
+    path: //./pipe/docker_engine/
+trigger:
+  ref:
+  - refs/heads/main
+type: docker
+volumes:
+- host:
+    path: //./pipe/docker_engine/
+  name: docker
+---
+kind: pipeline
 name: Publish Linux alloy container
 platform:
   arch: amd64
@@ -474,6 +551,49 @@ volumes:
   name: docker
 ---
 kind: pipeline
+name: Publish Linux alloy-boringcrypto container
+platform:
+  arch: amd64
+  os: linux
+steps:
+- commands:
+  - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+  failure: ignore
+  image: grafana/alloy-build-image:v0.1.0
+  name: Configure QEMU
+  volumes:
+  - name: docker
+    path: /var/run/docker.sock
+- commands:
+  - mkdir -p $HOME/.docker
+  - printenv GCR_CREDS > $HOME/.docker/config.json
+  - docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
+  - docker buildx create --name multiarch-alloy-alloy-boringcrypto-${DRONE_COMMIT_SHA}
+    --driver docker-container --use
+  - ./tools/ci/docker-containers alloy-boringcrypto
+  - docker buildx rm multiarch-alloy-alloy-boringcrypto-${DRONE_COMMIT_SHA}
+  environment:
+    DOCKER_LOGIN:
+      from_secret: docker_login
+    DOCKER_PASSWORD:
+      from_secret: docker_password
+    GCR_CREDS:
+      from_secret: gcr_admin
+  image: grafana/alloy-build-image:v0.1.0
+  name: Publish container
+  volumes:
+  - name: docker
+    path: /var/run/docker.sock
+trigger:
+  ref:
+  - refs/tags/v*
+type: docker
+volumes:
+- host:
+    path: /var/run/docker.sock
+  name: docker
+---
+kind: pipeline
 name: Publish Windows alloy container
 platform:
   arch: amd64
@@ -507,8 +627,43 @@ volumes:
     path: //./pipe/docker_engine/
   name: docker
 ---
+kind: pipeline
+name: Publish Windows alloy-cngcrypto container
+platform:
+  arch: amd64
+  os: windows
+  version: "1809"
+steps:
+- commands:
+  - '& "C:/Program Files/git/bin/bash.exe" -c ''mkdir -p $HOME/.docker'''
+  - '& "C:/Program Files/git/bin/bash.exe" -c ''printenv GCR_CREDS > $HOME/.docker/config.json'''
+  - '& "C:/Program Files/git/bin/bash.exe" -c ''docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD'''
+  - '& "C:/Program Files/git/bin/bash.exe" -c ''./tools/ci/docker-containers-windows
+    alloy-cngcrypto'''
+  environment:
+    DOCKER_LOGIN:
+      from_secret: docker_login
+    DOCKER_PASSWORD:
+      from_secret: docker_password
+    GCR_CREDS:
+      from_secret: gcr_admin
+  image: grafana/alloy-build-image:v0.1.0-windows
+  name: Build containers
+  volumes:
+  - name: docker
+    path: //./pipe/docker_engine/
+trigger:
+  ref:
+  - refs/tags/v*
+type: docker
+volumes:
+- host:
+    path: //./pipe/docker_engine/
+  name: docker
+---
 depends_on:
-- Publish development Linux alloy container
+- Publish Linux alloy-devel container
+- Publish Linux alloy-boringcrypto-devel container
 image_pull_secrets:
 - dockerconfigjson
 kind: pipeline
@@ -555,7 +710,9 @@ type: docker
 ---
 depends_on:
 - Publish Linux alloy container
+- Publish Linux alloy-boringcrypto container
 - Publish Windows alloy container
+- Publish Windows alloy-cngcrypto container
 image_pull_secrets:
 - dockerconfigjson
 kind: pipeline
@@ -713,6 +870,6 @@ kind: secret
 name: updater_private_key
 ---
 kind: signature
-hmac: eef3ddde1e027f6c8c113bf748036cb79961708262d651193c231096cda5260d
+hmac: 883a9a5afd22cd78dd7b0cbe53b2523ebc4afe148272c9d0df2754d036d17319
 
 ...
diff --git a/.drone/pipelines/publish.jsonnet b/.drone/pipelines/publish.jsonnet
@@ -6,11 +6,17 @@ local ghTokenFilename = '/drone/src/gh-token.txt';
 // job_names gets the list of job names for use in depends_on.
 local job_names = function(jobs) std.map(function(job) job.name, jobs);
 
-local linux_containers = ['alloy'];
-local windows_containers = ['alloy'];
+local linux_containers = [
+  { devel: 'alloy-devel', release: 'alloy' },
+  { devel: 'alloy-boringcrypto-devel', release: 'alloy-boringcrypto' },
+];
+local windows_containers = [
+  { devel: 'alloy-devel', release: 'alloy' },
+  { devel: 'alloy-cngcrypto-devel', release: 'alloy-cngcrypto' },
+];
 
 local linux_containers_dev_jobs = std.map(function(container) (
-  pipelines.linux('Publish development Linux %s container' % container) {
+  pipelines.linux('Publish Linux %s container' % container.devel) {
     trigger: {
       ref: ['refs/heads/main'],
     },
@@ -45,11 +51,11 @@ local linux_containers_dev_jobs = std.map(function(container) (
         'docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD',
 
         // Create a buildx worker for our cross platform builds.
-        'docker buildx create --name multiarch-alloy-%s-${DRONE_COMMIT_SHA} --driver docker-container --use' % container,
+        'docker buildx create --name multiarch-alloy-%s-${DRONE_COMMIT_SHA} --driver docker-container --use' % container.devel,
 
-        './tools/ci/docker-containers %s-devel' % container,
+        './tools/ci/docker-containers %s' % container.devel,
 
-        'docker buildx rm multiarch-alloy-%s-${DRONE_COMMIT_SHA}' % container,
+        'docker buildx rm multiarch-alloy-%s-${DRONE_COMMIT_SHA}' % container.devel,
       ],
     }],
     volumes: [{
@@ -60,7 +66,7 @@ local linux_containers_dev_jobs = std.map(function(container) (
 ), linux_containers);
 
 local windows_containers_dev_jobs = std.map(function(container) (
-  pipelines.windows('Publish development Windows %s container' % container) {
+  pipelines.windows('Publish Windows %s container' % container.devel) {
     trigger: {
       ref: ['refs/heads/main'],
     },
@@ -80,7 +86,7 @@ local windows_containers_dev_jobs = std.map(function(container) (
         pipelines.windows_command('mkdir -p $HOME/.docker'),
         pipelines.windows_command('printenv GCR_CREDS > $HOME/.docker/config.json'),
         pipelines.windows_command('docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD'),
-        pipelines.windows_command('./tools/ci/docker-containers-windows %s-devel' % container),
+        pipelines.windows_command('./tools/ci/docker-containers-windows %s' % container.devel),
       ],
     }],
     volumes: [{
@@ -91,7 +97,7 @@ local windows_containers_dev_jobs = std.map(function(container) (
 ), windows_containers);
 
 local linux_containers_jobs = std.map(function(container) (
-  pipelines.linux('Publish Linux %s container' % container) {
+  pipelines.linux('Publish Linux %s container' % container.release) {
     trigger: {
       ref: ['refs/tags/v*'],
     },
@@ -126,11 +132,11 @@ local linux_containers_jobs = std.map(function(container) (
         'docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD',
 
         // Create a buildx worker for our cross platform builds.
-        'docker buildx create --name multiarch-alloy-%s-${DRONE_COMMIT_SHA} --driver docker-container --use' % container,
+        'docker buildx create --name multiarch-alloy-%s-${DRONE_COMMIT_SHA} --driver docker-container --use' % container.release,
 
-        './tools/ci/docker-containers %s' % container,
+        './tools/ci/docker-containers %s' % container.release,
 
-        'docker buildx rm multiarch-alloy-%s-${DRONE_COMMIT_SHA}' % container,
+        'docker buildx rm multiarch-alloy-%s-${DRONE_COMMIT_SHA}' % container.release,
       ],
     }],
     volumes: [{
@@ -142,7 +148,7 @@ local linux_containers_jobs = std.map(function(container) (
 
 
 local windows_containers_jobs = std.map(function(container) (
-  pipelines.windows('Publish Windows %s container' % container) {
+  pipelines.windows('Publish Windows %s container' % container.release) {
     trigger: {
       ref: ['refs/tags/v*'],
     },
@@ -162,7 +168,7 @@ local windows_containers_jobs = std.map(function(container) (
         pipelines.windows_command('mkdir -p $HOME/.docker'),
         pipelines.windows_command('printenv GCR_CREDS > $HOME/.docker/config.json'),
         pipelines.windows_command('docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD'),
-        pipelines.windows_command('./tools/ci/docker-containers-windows %s' % container),
+        pipelines.windows_command('./tools/ci/docker-containers-windows %s' % container.release),
       ],
     }],
     volumes: [{

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,12 @@ Main (unreleased)
 
 - (_Public preview_) Add support for setting GOMEMLIMIT based on cgroup setting. (@mattdurham)
 
+- (_Public preview_) Introduce `boringcrypto` and `cngcrypto` Docker images.
+  These Docker images are tagged with the `-boringcrypto` (for Linux) and
+  `-cngcrypto` (for Windows) suffixes. `boringcrypto` support is only available
+  on AMD64 and ARM64, while `cngcrypto` support is only available on AMD64.
+  (@rfratto, @mattdurham)
+
 ### Enhancements
 
 - Update `prometheus.exporter.kafka` with the following functionalities (@wildum):

diff --git a/Dockerfile.windows b/Dockerfile.windows
@@ -1,6 +1,7 @@
 FROM grafana/alloy-build-image:v0.1.0-windows as builder
 ARG VERSION
 ARG RELEASE_BUILD=1
+ARG GO_TAGS
 
 COPY . /src/alloy
 WORKDIR /src/alloy
@@ -11,7 +12,7 @@ SHELL ["cmd", "/S", "/C"]
 # we can before moving on to the next step.
 RUN ""C:\Program Files\git\bin\bash.exe" -c "RELEASE_BUILD=${RELEASE_BUILD} VERSION=${VERSION} make generate-ui && rm -rf web/ui/node_modules && yarn cache clean --all""
 
-RUN ""C:\Program Files\git\bin\bash.exe" -c "RELEASE_BUILD=${RELEASE_BUILD} VERSION=${VERSION} GO_TAGS='builtinassets' make alloy""
+RUN ""C:\Program Files\git\bin\bash.exe" -c "RELEASE_BUILD=${RELEASE_BUILD} VERSION=${VERSION} GO_TAGS="builtinassets ${GO_TAGS}" make alloy""
 # In this case, we're separating the clean command from make alloy to avoid an issue where access to some mod cache
 # files is denied immediately after make alloy, for example:
 # "go: remove C:\go\pkg\mod\golang.org\[email protected]\bin\go.exe: Access is denied."

diff --git a/docs/sources/get-started/install/docker.md b/docs/sources/get-started/install/docker.md
@@ -50,6 +50,20 @@ Make sure you pass `--server.http.listen-addr=0.0.0.0:12345` as an argument as s
 If you don't pass this argument, the [debugging UI][UI] won't be available outside of the Docker container.
 {{< /admonition >}}
 
+### BoringCrypto images
+
+{{< admonition type="note" >}}
+BoringCrypto support is in _Public preview_ and is only available on AMD64 and ARM64 platforms.
+{{< /admonition >}}
+
+BoringCrypto images are published with every release starting with version
+1.1:
+
+* The latest BoringCrypto image is published as `grafana/alloy:boringcrypto`.
+* A specific version of the BoringCrypto image is published as
+  `grafana/alloy:<VERSION>-boringcrypto`, such as
+  `grafana/alloy:v1.1.0-boringcrypto`.
+
 ## Run a Windows Docker container
 
 To run {{< param "PRODUCT_NAME" >}} as a Windows Docker container, run the following command in a terminal window:
@@ -75,6 +89,20 @@ Make sure you pass `--server.http.listen-addr=0.0.0.0:12345` as an argument as s
 If you don't pass this argument, the [debugging UI][UI] won't be available outside of the Docker container.
 {{< /admonition >}}
 
+### CNGCrypto images
+
+{{< admonition type="note" >}}
+CNGCrypto support is in _Public preview_ and is only available on AMD64 platforms.
+{{< /admonition >}}
+
+CNGCrypto images are published with every release starting with version
+1.1:
+
+* The latest CNGCrypto image is published as `grafana/alloy:nanoserver-1809-cngcrypto`.
+* A specific version of the CNGCrypto image is published as
+  `grafana/alloy:<VERSION>-nanoserver-1809-cngcrypto`, such as
+  `grafana/alloy:v1.1.0-nanoserver-1809-cngcrypto`.
+
 ## Verify
 
 To verify that {{< param "PRODUCT_NAME" >}} is running successfully, navigate to <http://localhost:12345> and make sure the {{< param "PRODUCT_NAME" >}} [UI][] loads without error.