Run tests on arm64 as well (GoogleContainerTools#600)

* Make distroless/base:{latest,nonroot,debug,debug-nonroot} multi-arch images. * Run tests on arm64 as well * chanseok feedback
ebb-earl-co · Oct 1, 2020 · 34b23ec · 34b23ec
1 parent c80be94
commit 34b23ec
Show file tree

Hide file tree

Showing 21 changed files with 335 additions and 150 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,18 +1,30 @@
 dist: bionic
 # Not technically required but suppresses 'Ruby' in Job status message.
+# This also lets us leverage GOARCH below.
 language: go
+jobs:
+  include:
+   - arch: amd64
+     env: CPU=k8
+   - arch: arm64
+     env: CPU=aarch64
 
 install:
   - export PATH=$PATH:$HOME/bin && mkdir -p $HOME/bin
+  - eval $(go env)
   # install bazelisk as bazel to install the appropriate bazel version
-  - wget https://github.com/bazelbuild/bazelisk/releases/download/v1.6.1/bazelisk-linux-amd64 && chmod +x bazelisk-linux-amd64 && mv bazelisk-linux-amd64 $HOME/bin/bazel
+  - wget https://github.com/bazelbuild/bazelisk/releases/download/v1.6.1/bazelisk-linux-${GOARCH} && chmod +x bazelisk-linux-${GOARCH} && mv bazelisk-linux-${GOARCH} $HOME/bin/bazel
 
 script:
-  - |
-    bazel clean --curses=no
-    bazel build --curses=no //package_manager:dpkg_parser.par
-    bazel build --curses=no //...
-    bazel test --curses=no --test_output=errors --test_timeout=900 //...
+  - bazel clean --curses=no
+  - bazel build --cpu=${CPU} --curses=no //package_manager:dpkg_parser.par
+  - bazel build --cpu=${CPU} --curses=no //...
+  # Build all targets tagged with our architecture:
+  - bazel build --cpu=${CPU} --curses=no $(bazel query 'attr("tags", "'${GOARCH}'", "//...")')
+  # Run all tests not tagged as "manual":
+  - bazel test  --cpu=${CPU} --curses=no --test_output=errors --test_timeout=900 //...
+  # Run all tests tagged with our architecture:
+  - bazel test  --cpu=${CPU} --curses=no --test_output=errors --test_timeout=900 $(bazel query 'attr("tags", "'${GOARCH}'", "//...")')
 
 notifications:
   email: false
diff --git a/BUILD b/BUILD
@@ -5,18 +5,18 @@ load("@io_bazel_rules_docker//container:container.bzl", "container_bundle")
 container_bundle(
     name = "all",
     images = {
-        "gcr.io/{PROJECT_ID}/base:latest": "//base:base_debian9",
-        "gcr.io/{PROJECT_ID}/base:nonroot": "//base:base_nonroot_debian9",
-        "gcr.io/{PROJECT_ID}/base:debug": "//base:debug_debian9",
-        "gcr.io/{PROJECT_ID}/base:debug-nonroot": "//base:debug_nonroot_debian9",
-        "gcr.io/{PROJECT_ID}/base-debian9:latest": "//base:base_debian9",
-        "gcr.io/{PROJECT_ID}/base-debian9:nonroot": "//base:base_nonroot_debian9",
-        "gcr.io/{PROJECT_ID}/base-debian9:debug": "//base:debug_debian9",
-        "gcr.io/{PROJECT_ID}/base-debian9:debug-nonroot": "//base:debug_nonroot_debian9",
-        "gcr.io/{PROJECT_ID}/base-debian10:latest": "//base:base_debian10",
-        "gcr.io/{PROJECT_ID}/base-debian10:nonroot": "//base:base_nonroot_debian10",
-        "gcr.io/{PROJECT_ID}/base-debian10:debug": "//base:debug_debian10",
-        "gcr.io/{PROJECT_ID}/base-debian10:debug-nonroot": "//base:debug_nonroot_debian10",
+        "gcr.io/{PROJECT_ID}/base:latest": "//base:base_root_amd64_debian9",
+        "gcr.io/{PROJECT_ID}/base:nonroot": "//base:base_nonroot_amd64_debian9",
+        "gcr.io/{PROJECT_ID}/base:debug": "//base:debug_root_amd64_debian9",
+        "gcr.io/{PROJECT_ID}/base:debug-nonroot": "//base:debug_nonroot_amd64_debian9",
+        "gcr.io/{PROJECT_ID}/base-debian9:latest": "//base:base_root_amd64_debian9",
+        "gcr.io/{PROJECT_ID}/base-debian9:nonroot": "//base:base_nonroot_amd64_debian9",
+        "gcr.io/{PROJECT_ID}/base-debian9:debug": "//base:debug_root_amd64_debian9",
+        "gcr.io/{PROJECT_ID}/base-debian9:debug-nonroot": "//base:debug_nonroot_amd64_debian9",
+        "gcr.io/{PROJECT_ID}/base-debian10:latest": "//base:base_root_amd64_debian10",
+        "gcr.io/{PROJECT_ID}/base-debian10:nonroot": "//base:base_nonroot_amd64_debian10",
+        "gcr.io/{PROJECT_ID}/base-debian10:debug": "//base:debug_root_amd64_debian10",
+        "gcr.io/{PROJECT_ID}/base-debian10:debug-nonroot": "//base:debug_nonroot_amd64_debian10",
         "gcr.io/{PROJECT_ID}/static:latest": "//base:static_root_amd64_debian9",
         "gcr.io/{PROJECT_ID}/static:nonroot": "//base:static_nonroot_amd64_debian9",
         "gcr.io/{PROJECT_ID}/static-debian9:latest": "//base:static_root_amd64_debian9",

diff --git a/WORKSPACE b/WORKSPACE
@@ -370,18 +370,25 @@ http_archive(
 
 # For the debug image
 http_file(
-    name = "busybox",
+    name = "busybox_amd64",
     executable = True,
     sha256 = "51fcb60efbdf3e579550e9ab893730df56b33d0cc928a2a6467bd846cdfef7d8",
     urls = ["https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-x86_64"],
 )
 
+http_file(
+    name = "busybox_arm64",
+    executable = True,
+    sha256 = "141adb1b625a6f44c4b114f76b4387b4ea4f7ab802b88eb40e0d2f6adcccb1c3",
+    urls = ["https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv8l"],
+)
+
 # Docker rules.
 http_archive(
     name = "io_bazel_rules_docker",
-    sha256 = "4521794f0fba2e20f3bf15846ab5e01d5332e587e9ce81629c7f96c793bb7036",
-    strip_prefix = "rules_docker-0.14.4",
-    urls = ["https://github.com/bazelbuild/rules_docker/archive/v0.14.4.tar.gz"],
+    sha256 = "cf53839c398e464b10ec2fbeb11aedb446f078c28e3b4ce372461bb105ef435c",
+    strip_prefix = "rules_docker-f8478e57ab7457e403fda474f06ac0bb120d92a7",
+    urls = ["https://github.com/bazelbuild/rules_docker/archive/f8478e57ab7457e403fda474f06ac0bb120d92a7.tar.gz"],
 )
 
 load(

diff --git a/base/BUILD b/base/BUILD
@@ -6,7 +6,6 @@ load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar")
 load("@io_bazel_rules_docker//contrib:group.bzl", "group_entry", "group_file")
 load("@io_bazel_rules_docker//contrib:passwd.bzl", "passwd_entry", "passwd_tar")
 load("@io_bazel_rules_docker//contrib:test.bzl", "container_test")
-load("@io_bazel_rules_go//go:def.bzl", "go_binary")
 
 NOBODY = 65534
 
@@ -101,13 +100,4 @@ pkg_tar(
     package_dir = "etc",
 )
 
-go_binary(
-    name = "check_certs",
-    srcs = ["testdata/check_certs.go"],
-    goarch = "amd64",
-    # Test image is linux based
-    goos = "linux",
-    pure = "on",
-)
-
 [distro_components(suffix) for suffix in DISTRO_SUFFIXES]
diff --git a/base/base.bzl b/base/base.bzl
@@ -4,6 +4,7 @@ load("@io_bazel_rules_docker//contrib:test.bzl", "container_test")
 load(":distro.bzl", "DISTRO_PACKAGES", "DISTRO_REPOSITORY")
 load("//cacerts:cacerts.bzl", "cacerts")
 load("//:checksums.bzl", "ARCHITECTURES")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary")
 
 NONROOT = 65532
 
@@ -48,79 +49,107 @@ def distro_components(distro_suffix):
                 workdir = workdir,
             )
 
-    container_image(
-        name = "base" + distro_suffix,
-        base = ":static_root_amd64" + distro_suffix,
-        debs = [
-            DISTRO_PACKAGES["amd64"][distro_suffix]["libc6"],
-            DISTRO_PACKAGES["amd64"][distro_suffix]["libssl1.1"],
-            DISTRO_PACKAGES["amd64"][distro_suffix]["openssl"],
-        ],
-    )
+            container_image(
+                name = "base_" + user + "_" + arch + distro_suffix,
+                architecture = arch,
+                base = ":static_" + user + "_" + arch + distro_suffix,
+                debs = [
+                    DISTRO_PACKAGES[arch][distro_suffix]["libc6"],
+                    DISTRO_PACKAGES[arch][distro_suffix]["libssl1.1"],
+                    DISTRO_PACKAGES[arch][distro_suffix]["openssl"],
+                ],
+            )
 
-    # A debug image with busybox available.
-    container_image(
-        name = "debug" + distro_suffix,
-        base = ":base" + distro_suffix,
-        directory = "/",
-        entrypoint = ["/busybox/sh"],
-        env = {"PATH": "$$PATH:/busybox"},
-        tars = ["//experimental/busybox:busybox.tar"],
-    )
+            # A debug image with busybox available.
+            container_image(
+                name = "debug_" + user + "_" + arch + distro_suffix,
+                architecture = arch,
+                base = ":base_" + user + "_" + arch + distro_suffix,
+                directory = "/",
+                entrypoint = ["/busybox/sh"],
+                env = {"PATH": "$$PATH:/busybox"},
+                tars = ["//experimental/busybox:busybox_" + arch + ".tar"],
+            )
 
-    container_image(
-        name = "base_nonroot" + distro_suffix,
-        base = ":base" + distro_suffix,
-        user = "%d" % NONROOT,
-        workdir = "/home/nonroot",
-    )
+        ##########################################################################################
+        # Check that we can overlay a pure Go binary on a static base to check certificates
+        ##########################################################################################
+        go_binary(
+            name = "check_certs_" + arch + distro_suffix,
+            srcs = ["testdata/check_certs.go"],
+            goarch = arch,
+            # Test image is linux based
+            goos = "linux",
+            pure = "on",
+        )
 
-    container_image(
-        name = "debug_nonroot" + distro_suffix,
-        base = ":debug" + distro_suffix,
-        user = "%d" % NONROOT,
-        workdir = "/home/nonroot",
-    )
+        container_image(
+            name = "check_certs_image_" + arch + distro_suffix,
+            base = "//base:static_root_" + arch + distro_suffix,
+            files = [":check_certs_" + arch + distro_suffix],
+            symlinks = {
+                "/check_certs": "check_certs_" + arch + distro_suffix,
+            },
+            visibility = ["//visibility:private"],
+        )
 
-    container_test(
-        name = "debug" + distro_suffix + "_test",
-        configs = ["testdata/debug.yaml"],
-        image = ":debug" + distro_suffix,
-    )
+        container_test(
+            name = "static_" + arch + distro_suffix + "_test",
+            configs = ["testdata/static.yaml"],
+            image = ":check_certs_image_" + arch + distro_suffix,
+            tags = ["manual", arch],
+        )
 
-    container_test(
-        name = "base" + distro_suffix + "_test",
-        configs = ["testdata/base.yaml"],
-        image = ":base" + distro_suffix,
-    )
+        ##########################################################################################
+        # Check that we can invoke openssl in the base image to check certificates.
+        ##########################################################################################
+        container_test(
+            name = "openssl_" + arch + distro_suffix + "_test",
+            configs = ["testdata/certs.yaml"],
+            image = ":base_root_" + arch + distro_suffix,
+            tags = ["manual", arch],
+        )
 
-    container_image(
-        name = "check_certs_image" + distro_suffix,
-        base = "//base:base" + distro_suffix,
-        files = [":check_certs"],
-        visibility = ["//visibility:private"],
-    )
+        ##########################################################################################
+        # Check for common base files.
+        ##########################################################################################
+        container_test(
+            name = "base_" + arch + distro_suffix + "_test",
+            configs = ["testdata/base.yaml"],
+            image = ":base_root_" + arch + distro_suffix,
+            tags = ["manual", arch],
+        )
 
-    container_test(
-        name = "certs" + distro_suffix + "_test",
-        configs = ["testdata/certs.yaml"],
-        image = ":check_certs_image" + distro_suffix,
-    )
+        ##########################################################################################
+        # Check for busybox
+        ##########################################################################################
+        container_test(
+            name = "debug_" + arch + distro_suffix + "_test",
+            configs = ["testdata/debug.yaml"],
+            image = ":debug_root_" + arch + distro_suffix,
+            tags = ["manual", arch],
+        )
 
-    container_test(
-        name = "base_release" + distro_suffix + "_test",
-        configs = ["testdata/" + distro_suffix[1:] + ".yaml"],
-        image = ":base" + distro_suffix,
-    )
+        ##########################################################################################
+        # Check the /etc/os-release contents.
+        ##########################################################################################
+        container_test(
+            name = "base_release_" + arch + distro_suffix + "_test",
+            configs = ["testdata/" + distro_suffix[1:] + ".yaml"],
+            image = ":base_root_" + arch + distro_suffix,
+            tags = ["manual", arch],
+        )
 
-    container_test(
-        name = "debug_release" + distro_suffix + "_test",
-        configs = ["testdata/" + distro_suffix[1:] + ".yaml"],
-        image = ":debug" + distro_suffix,
-    )
+        container_test(
+            name = "debug_release_" + arch + distro_suffix + "_test",
+            configs = ["testdata/" + distro_suffix[1:] + ".yaml"],
+            image = ":debug_root_" + arch + distro_suffix,
+            tags = ["manual", arch],
+        )
 
-    container_test(
-        name = "static_release" + distro_suffix + "_test",
-        configs = ["testdata/" + distro_suffix[1:] + ".yaml"],
-        image = ":static_root_amd64" + distro_suffix,
-    )
+        container_test(
+            name = "static_release_" + arch + distro_suffix + "_test",
+            configs = ["testdata/" + distro_suffix[1:] + ".yaml"],
+            image = ":static_root_" + arch + distro_suffix,
+            tags = ["manual", arch],
+        )
diff --git a/base/testdata/certs.yaml b/base/testdata/certs.yaml
@@ -1,9 +1,5 @@
 schemaVersion: "1.0.0"
 commandTests:
-# Check that Go programs can read the certificates
-- name: certs
-  command: ["/check_certs"]
-  exitCode: 0
 # Check that libssl finds the certificates
 - name: openssl verify google
   command: ["openssl", "s_client", "-strict", "-verify_return_error", "-connect", "www.google.com:443"]

diff --git a/base/testdata/static.yaml b/base/testdata/static.yaml
@@ -0,0 +1,6 @@
+schemaVersion: "1.0.0"
+commandTests:
+# Check that Go programs can read the certificates
+- name: certs
+  command: ["/check_certs"]
+  exitCode: 0
diff --git a/cc/BUILD b/cc/BUILD
@@ -4,15 +4,19 @@ load("//base:distro.bzl", "DISTRO_PACKAGES", "DISTRO_SUFFIXES")
 load("@io_bazel_rules_docker//container:container.bzl", "container_image")
 
 # An image for C/C++ programs
-[[container_image(
-    name = ("cc" if (not mode) else mode[1:]) + distro_suffix,
-    base = "//base" + (mode if mode else ":base") + distro_suffix,
-    debs = [
-        DISTRO_PACKAGES["amd64"][distro_suffix]["libgcc1"],
-        DISTRO_PACKAGES["amd64"][distro_suffix]["libgomp1"],
-        DISTRO_PACKAGES["amd64"][distro_suffix]["libstdc++6"],
-    ],
-) for mode in [
-    "",
-    ":debug",
-]] for distro_suffix in DISTRO_SUFFIXES]
+[
+    container_image(
+        name = ("cc" if (not mode) else mode[1:]) + distro_suffix,
+        base = "//base" + (mode if mode else ":base") + "_root_amd64" + distro_suffix,
+        debs = [
+            DISTRO_PACKAGES["amd64"][distro_suffix]["libgcc1"],
+            DISTRO_PACKAGES["amd64"][distro_suffix]["libgomp1"],
+            DISTRO_PACKAGES["amd64"][distro_suffix]["libstdc++6"],
+        ],
+    )
+    for mode in [
+        "",
+        ":debug",
+    ]
+    for distro_suffix in DISTRO_SUFFIXES
+]