hack: update test dockerfiles to buildkit

[tonistiigi]

Signed-off-by: Tonis Tiigi [email protected]

[tonistiigi]

The main issue atm is that although the new dockerfile allows getting fast incremental builds, multi-platform releases of everything and integration test image very quickly there is no way to quickly run that image with privileges like the tests require. Only docker currently can do that, but docker does not have support for releasing the multi-arch release images needed in CI.

The options are:
a) load the integration test-integration image into Docker in CI. It is slow but ok for ci as it only happens once. For local development, we can use moby+buildkit by default.
b) Add more one-off execution features to buildkit. I think this is needed/useful for lots of things but don't have a specific plan yet.
c) Wait/carry #570 and execute in Dockerfile (or b)
d) Integrate with containerd in CI and try to use ctr. Probably complicated for local cases.
e) Build some stages twice in CI. Only release is done with buildctl.

Tend to think a is the best option atm.

@AkihiroSuda @tiborvass

[AkihiroSuda]

what's this?

[tonistiigi]

Its the rootless-base stage that built for all platforms so we can use cross-compilation on top of it. I can add a build arg to switch between this image and direct stage. eg. https://github.com/tonistiigi/copy/blob/master/Dockerfile#L3

[tonistiigi]

btw, rootlesskit multi-platform is currently blocked with moby/datakit#638

[AkihiroSuda]

wow, didn't notice rootlesskit was vendoring datakit

[AkihiroSuda]

why do we need the copy binary for rootless?

[tonistiigi]

Only if node can run apk an all platforms. What travis can't. The difference is that tonistiigi/buildkit:rootless-base is already multi-platform so any node can add the missing binaries on top of that.

Also, FROM --platform=$TARGETPLATFORM alpine AS rootless-base is the same as FROM alpine AS rootless-base.

 # docker run --rm mplatform/mquery tonistiigi/buildkit:rootless-base
Image: tonistiigi/buildkit:rootless-base
 * Manifest List: Yes
 * Supported platforms:
   - linux/amd64
   - linux/arm/v6
   - linux/arm/v7
   - linux/arm64/undefined
   - linux/ppc64le
   - linux/s390x

[AkihiroSuda]

What travis can't.

Doesn't qemu-user binfmt work on Travis?

[tonistiigi]

Emulation is not that stable that we could trust it in here. Especially on power/s390x. Also, I'd expect this script to run anywhere, without requiring special setup or a new kernel.

[tonistiigi]

(haven't really tested if emultaion works at all on travis)

[AkihiroSuda]

Could you add the following stuff to the comment lines of the Dockerfile:

• image digest for reproducibility
• how you built the image
• background (can be just a link to this GitHub issue thread)

[AkihiroSuda]

where's dockerfile for xx?

[tonistiigi]

https://github.com/tonistiigi/xx/blob/master/golang/Dockerfile

[AkihiroSuda]

d843aadf00d72082fd7a31572ef018d1e792535f

[AkihiroSuda]

Can we experiment ADD git:// source op?

[tonistiigi]

Maybe FROM git:// ?

[AkihiroSuda]

a) load the integration test-integration image into Docker in CI. It is slow but ok for ci as it only happens once. For local development, we can use moby+buildkit by default.

does nightly dind work?
https://hub.docker.com/r/tianon/docker-master/
https://github.com/tianon/dockerfiles/tree/master/docker-master

[tonistiigi]

@AkihiroSuda With option a we can use any version of Docker. We would use buildctl to build everything and Docker only for running the test-integration image. For the opposite case, no version of moby currently supports building multi-platform images and it probably will not land before the containerd storage is integrated.

[tonistiigi]

delete this stage (duplicate)

[tonistiigi]

@AkihiroSuda Something really strange going on with rootless worker here that maybe you can look into. The new integration test image is based on stretch and it seems impossible to get it to pass before a timeout is reached. The oci-rootless tests are ~20x slower than before and I can reproduce locally with single tests. As soon as I switch the test stage to alpine the problem goes away and tests are fast again. Added a separate commit that patches alpine, to test the slow version just remove that commit.

data in https://gist.github.com/tonistiigi/a6f95f2527c8f284c3efa61bc8b4a972

[AkihiroSuda]

This is because of

buildkit/util/testutil/integration/util.go

Line 55 in e87d816

case <-time.After(20 * time.Second):

, but not sure why SIGTERM does not work here..

[AkihiroSuda]

Could be some weird difference across Alpine sudo and Debian sudo

[AkihiroSuda]

LGTM

[AkihiroSuda]

Mergeable?

[tonistiigi]

@AkihiroSuda No, I'll still try to get rid of the alpine commit so we don't need to have two stacks of go.

[tonistiigi]

@AkihiroSuda @tiborvass Ready now

[tiborvass]

$progressFlag should also go to docker build

[tonistiigi]

CONTINUOUS_INTEGRATION is only set with buildctl

[tiborvass]

I don't understand this case $buildmode within the *) of a case $buildmode. Bad refactoring or am I missing something?

[tonistiigi]

the * case is longer than inner switch

[tiborvass]

duplicate

[AkihiroSuda]

indentation seems broken.

I'm not sure whether there is gofmt-equivalent for bash, but emacs can indent shell scripts with C-x h M-x indent.

[AkihiroSuda]

Probably, we can just lock the root with passwd -l root: https://github.com/genuinetools/img/blob/151b4506829bd7f52f5ba83aa99a3fd08709554a/Dockerfile#L53