working stagex builds

Makefile

@@ -7,23 +7,26 @@ default: \
 	out/qos_enclave.tar
 
 out/qos_enclave.tar: \
+	build-base \
 	$(shell git ls-files \
-		src/qos_enclave \
 		src/init \
+		src/qos_enclave \
 		src/qos_core \
 		src/qos_aws \
 		src/qos_system \
 	)
 	$(call build)
 
 out/qos_host.tar: \
+	build-base \
 	$(shell git ls-files \
 		src/qos_host \
 		src/qos_core \
 	)
 	$(call build)
 
 out/qos_client.tar: \
+	build-base \
 	$(shell git ls-files \
 		src/qos_client \
 		src/qos_p256 \
@@ -34,6 +37,19 @@ out/qos_client.tar: \
 	)
 	$(call build)
 
+.PHONY: build-base
+build-base: out/build-base/index.json
+out/build-base/index.json: src/images/Containerfile
+	docker build \
+		--output "\
+			type=oci,\
+			tar=false,\
+			name=build_base,\
+			dest=out/build-base" \
+		--tag qos-local/build-base \
+		$(NOCACHE_FLAG) \
+		-f src/images/Containerfile \
+		src/
 
 ifeq ($(NOCACHE), 1)
 NOCACHE_FLAG=--no-cache
@@ -45,6 +61,8 @@ define build
 	$(eval package := $(notdir $(basename $@)))
 	docker build \
 		--tag $(REGISTRY)/$(package) \
+		--progress=plain \
+		--build-context "qos-local/build-base=oci-layout://./out/build-base" \
 		--output "\
 			type=oci,\
 			rewrite-timestamp=true,\

src/.dockerignore

@@ -0,0 +1,2 @@
+**/target/*
+**/cache/*

src/images/Containerfile

@@ -0,0 +1,50 @@
+FROM stagex/rust@sha256:e7a7a152ddf91ba4f2d6e426867c54ab43b76eef3f2a97dd0c3d9234090f3ce8 as rust
+FROM stagex/bash@sha256:39c6d22701e58c79548cf0601e72f85bb07bf30608827540e74db30220802430 as bash
+FROM stagex/coreutils@sha256:85341b2055493ff8bf3d90c9d4e7a5993e4dd7a1d11a06854f23e0434bb4abaa as coreutils
+FROM stagex/findutils@sha256:d0d30ce5d176fe2e40e93f707220ae6f54788ff14972005d1a51961c17f5294b as findutils
+FROM stagex/grep@sha256:565d7cc8257d45f19326b3ecbbc2dd3096b4a228977c91f4ed07a265faeb8b05 as grep
+FROM stagex/musl@sha256:27ca6026619beae07a1e7096caa7ac41b1403f5c1839ed4ff79b5aee3c409cec as musl
+FROM stagex/libunwind@sha256:422fe0a108d9f1253dd9694ce432aa195d49a3b60b1d977aa4e94024c7ac52bf as libunwind
+FROM stagex/openssl@sha256:f4e218dba1167008456899c5f19d9e1a1be17d4fc6fb6bb84d41b8eb477fd402 as openssl
+FROM stagex/zlib@sha256:d5df909418ef436e3dd23af397ba2b202bd72f45c81b0e161b507adc9e3e9b9c as zlib
+FROM stagex/ca-certificates@sha256:70c5136051c748fff0d1399101d082ecc204c1eb29d93da094ccf0d25f341121 as ca-certificates
+FROM stagex/binutils@sha256:9cc26e56cdfce106108a0f4c416a27967060d8d07c4da0cbc0e14fa87f7b1dfa as binutils
+FROM stagex/pkgconf@sha256:36fc4ed10a6e044d068aa7316e72588dbd365be4eb0271a84cf632521dbd8a09 as pkgconf
+FROM stagex/git@sha256:3a2853fa2fa725f7f02565e24f508912b33223e49bed915e55a5d3f85548d190 as git
+FROM stagex/gen_initramfs@sha256:6d323df1291bfd26e3a1db33065cbec1c44d397dd6b0f23b2f25c0f8c9f7ce76 as gen_initramfs
+FROM stagex/eif_build@sha256:94a4dd467e6f5e7a9967a538179e40737b9b4ff8007219aebbc6e96089a545c7 as eif_build
+FROM stagex/llvm@sha256:9dfc53795c89295da52719959f96df9122e0b921da6283c7bd7a582749545b1d as llvm
+FROM stagex/pcsc-lite@sha256:818ee8367335a47109ec5464bfb8c4a313a25909c430176d543619b75a6c339a as pcsc-lite
+FROM stagex/file@sha256:8ce66c0574777bca83c8297b74372e0be7a6cc5d2b7e21061391726ad6d6d406 as file
+FROM stagex/gcc@sha256:bb550daddcf95acdce9999e359e3ffb1c497916aea41bdd0cae1d6a5a908b4b9 as gcc
+FROM stagex/linux-nitro@sha256:dd38b784ea9f8f0757e549194d078cccde9d6aed46915df2be9086880693fb17 as linux-nitro
+
+FROM scratch as base
+ENV TARGET=x86_64-unknown-linux-musl
+ENV RUSTFLAGS="-C target-feature=+crt-static"
+ENV CARGOFLAGS="--locked --no-default-features --release --target ${TARGET}"
+ENV OPENSSL_STATIC=true
+COPY --from=bash /bin/bash /bin/sh
+COPY --from=coreutils . /
+COPY --from=findutils . /
+COPY --from=grep . /
+COPY --from=musl . /
+COPY --from=libunwind . /
+COPY --from=openssl . /
+COPY --from=zlib . /
+COPY --from=ca-certificates . /
+COPY --from=binutils . /
+COPY --from=pkgconf . /
+COPY --from=git . /
+COPY --from=rust . /
+COPY --from=gen_initramfs . /
+COPY --from=eif_build . /
+COPY --from=llvm . /
+COPY --from=pcsc-lite . /
+COPY --from=file . /
+COPY --from=gcc . /
+COPY --from=gcc /usr/lib64/* /usr/lib/
+COPY --from=linux-nitro /bzImage .
+COPY --from=linux-nitro /nsm.ko .
+COPY --from=linux-nitro /linux.config .
+RUN mkdir /tmp

src/images/qos_client/Containerfile

@@ -0,0 +1,20 @@
+FROM qos-local/build-base as base
+ADD . /src
+
+FROM base as build
+ENV PCSC_LIB_NAME=static=pcsclite
+RUN --mount=type=cache,target=/src/qos_client/cache/cargo <<-EOF
+	set -eux
+	env -C /src/qos_client cargo build --features smartcard ${CARGOFLAGS}
+    cp /src/target/${TARGET}/release/qos_client /
+    file /qos_client | grep "static-pie"
+EOF
+
+FROM base as install
+WORKDIR /rootfs
+COPY --from=build /qos_client .
+RUN find . -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs .
+ENTRYPOINT ["/qos_client"]

src/images/qos_enclave/Containerfile

@@ -1,89 +1,57 @@
-FROM scratch as base
-ENV TARGET=x86_64-unknown-linux-musl
-ENV RUSTFLAGS="-C target-feature=+crt-static"
-ENV CARGOFLAGS="--locked --no-default-features --release --target ${TARGET}"
-ENV OPENSSL_STATIC=true
+FROM qos-local/build-base as base
+ADD . /src
 
-FROM base as fetch
-ADD qos_enclave qos_enclave
+FROM base as build-qos_enclave
+RUN --mount=type=cache,target=/src/qos_enclave/cache/cargo <<-EOF
+	set -eux
+	env -C /src/qos_enclave cargo build ${CARGOFLAGS}
+	cp /src/qos_enclave/target/${TARGET}/release/qos_enclave /
+    file /qos_enclave | grep "static-pie"
+EOF
+
+FROM base as build-init
+RUN --mount=type=cache,target=/src/init/cache/cargo <<-EOF
+	set -eux
+	env -C /src/init cargo build ${CARGOFLAGS}
+	cp /src/init/target/${TARGET}/release/init /
+    file /init | grep "static-pie"
+EOF
 
-FROM fetch as build
-COPY --from=stagex/bash /bin/bash /bin/sh
-COPY --from=stagex/coreutils . /
-COPY --from=stagex/findutils . /
-COPY --from=stagex/musl . /
-COPY --from=stagex/libunwind . /
-COPY --from=stagex/openssl . /
-COPY --from=stagex/zlib . /
-COPY --from=stagex/ca-certificates . /
-COPY --from=stagex/binutils . /
-COPY --from=stagex/pkgconf . /
-COPY --from=stagex/git . /
-COPY --from=stagex/rust . /
-COPY --from=stagex/cpio . /
-COPY --from=stagex/gen_initramfs . /
-COPY --from=stagex/eif_build . /
-COPY --from=stagex/llvm . /
-COPY --from=stagex/gcc . /
-COPY --from=stagex/gcc /usr/lib64/* /usr/lib/
-RUN mkdir /tmp
-WORKDIR qos_enclave
-RUN cargo build ${CARGOFLAGS}
-WORKDIR init
-RUN cargo build ${CARGOFLAGS}
+FROM base as build-eif
 WORKDIR /build_cpio
-COPY /init/target/${TARGET}/release/init .
-COPY --from=stagex/linux-nitro nsm.ko .
+COPY --from=build-init /init .
 COPY <<-EOF initramfs.list
-dir  /dev                          0755 0 0
-dir  /dev/shm                      0755 0 0
-dir  /dev/pts                      0755 0 0
-nod  /dev/console                  0600 0 0 c 5 1
-dir  /sys                          0755 0 0
-dir  /usr                          0755 0 0
-dir  /run                          0755 0 0
-dir  /tmp                          0755 0 0
-dir  /etc                          0755 0 0
-dir  /proc                         0755 0 0
-dir  /bin                          0755 0 0
-dir  /sbin                         0755 0 0
-dir  /usr/bin                      0755 0 0
-dir  /usr/sbin                     0755 0 0
-file /init     /build_cpio/init    0755 0 0
-file /nsm.ko   /build_cpio/nsm.ko  0755 0 0
-EOF
-RUN <<-EOF
-	mkdir usr
-	cp /usr/bin/gen_init_cpio usr/
-	gen_initramfs -o rootfs.cpio initramfs.list
-	cpio -itv < rootfs.cpio
+	file /init     init    0755 0 0
+	file /nsm.ko   /nsm.ko 0755 0 0
+	dir  /run              0755 0 0
+	dir  /tmp              0755 0 0
+	dir  /etc              0755 0 0
+	dir  /bin              0755 0 0
+	dir  /sbin             0755 0 0
+	dir  /proc             0755 0 0
+	dir  /sys              0755 0 0
+	dir  /usr              0755 0 0
+	dir  /usr/bin          0755 0 0
+	dir  /usr/sbin         0755 0 0
+	dir  /dev              0755 0 0
+	dir  /dev/shm          0755 0 0
+	dir  /dev/pts          0755 0 0
+	nod  /dev/console      0600 0 0 c 5 1
 EOF
+RUN gen_initramfs -o rootfs.cpio initramfs.list
 WORKDIR /build_eif
-COPY --from=stagex/linux-nitro /bzImage .
-COPY --from=stagex/linux-nitro /linux.config .
 RUN eif_build \
-		--kernel bzImage \
-		--kernel_config linux.config \
-		--ramdisk /build_cpio/rootfs.cpio \
-		--pcrs_output nitro.pcrs \
-		--output nitro.eif \
-		--cmdline '\
-			reboot=k \
-			initrd=0x2000000,3228672 \
-			root=/dev/ram0 \
-			panic=1 \
-			pci=off \
-			nomodules \
-			console=ttyS0 \
-			i8042.noaux \
-			i8042.nomux \
-			i8042.nopnp \
-			i8042.dumbkbd'
+	--kernel /bzImage \
+	--kernel_config /linux.config \
+	--ramdisk /build_cpio/rootfs.cpio \
+	--pcrs_output nitro.pcrs \
+	--output /nitro.eif \
+	--cmdline 'reboot=k initrd=0x2000000,3228672 root=/dev/ram0 panic=1 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd'
 
-FROM build as install
+FROM base as install
 WORKDIR /rootfs
-COPY --from=build /qos_enclave/target/${TARGET}/release/qos_enclave .
-COPY --from=build /build_eif/nitro.eif .
+COPY --from=build-eif /nitro.eif .
+COPY --from=build-qos_enclave /qos_enclave .
 RUN find . -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/images/qos_host/Containerfile

@@ -0,0 +1,19 @@
+FROM qos-local/build-base as base
+ADD . /src
+
+FROM base as build
+RUN --mount=type=cache,target=/src/qos_host/cache/cargo <<-EOF
+	set -eux
+	env -C /src/qos_host cargo build --features vm ${CARGOFLAGS}
+    cp /src/target/${TARGET}/release/qos_host /
+    file /qos_host | grep "static-pie"
+EOF
+
+FROM base as install
+WORKDIR /rootfs
+COPY --from=build /qos_host .
+RUN find . -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs .
+ENTRYPOINT ["/qos_host"]