From b8274225fa6c1a61a04cac5c2f1be3a788f71f4d Mon Sep 17 00:00:00 2001 From: Pietro Abate Date: Tue, 3 Jun 2025 10:38:41 +0200 Subject: [PATCH 1/2] images: add scripts to download datadog-ci and sccache in debian packages images --- images/packages/debian-deps-build.Dockerfile | 23 ++++------ images/scripts/install_datadog_static.sh | 15 ++++-- images/scripts/install_sccache_static.sh | 48 ++++++++++++++++++++ 3 files changed, 67 insertions(+), 19 deletions(-) create mode 100755 images/scripts/install_sccache_static.sh diff --git a/images/packages/debian-deps-build.Dockerfile b/images/packages/debian-deps-build.Dockerfile index 9ca7093d8763..087736578d05 100644 --- a/images/packages/debian-deps-build.Dockerfile +++ b/images/packages/debian-deps-build.Dockerfile @@ -15,19 +15,17 @@ ENV BLST_PORTABLE=true ARG APT_PROXY ENV APT_PROXY=${APT_PROXY:-false} +COPY --chown=tezos:tezos \ + images/scripts/install_datadog_static.sh \ + images/scripts/install_sccache_static.sh \ + /tmp/ + # we trust sw distributors # We install sccache as a static binary because at the moment of writing # the package sccache is not available on ubuntu jammy #hadolint ignore=DL3008,DL3009 - RUN echo "Acquire::http::Proxy \"$APT_PROXY\";" > /etc/apt/apt.conf.d/01proxy && \ apt-get update && \ - ARCH=$(uname -m) && \ - case "$ARCH" in \ - x86_64) export PLATFORM="x64" ;; \ - aarch64) export PLATFORM="arm64" ;; \ - *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \ - esac && \ apt-get install --no-install-recommends -y bubblewrap \ rsync git m4 build-essential \ patch unzip curl wget ca-certificates \ @@ -40,13 +38,10 @@ RUN echo "Acquire::http::Proxy \"$APT_PROXY\";" > /etc/apt/apt.conf.d/01proxy && libsqlite3-dev libpq-dev \ lintian devscripts && \ apt-get clean && \ - rm -rf /var/lib/apt/lists/* && \ - curl -L --output sccache.tgz "https://github.com/mozilla/sccache/releases/download/v0.8.1/sccache-v0.8.1-$ARCH-unknown-linux-musl.tar.gz" && \ - tar zxvf sccache.tgz && \ - cp "sccache-v0.8.1-$ARCH-unknown-linux-musl/sccache" /usr/local/bin/sccache && \ - rm -Rf sccache* && \ - curl -L --fail "https://github.com/DataDog/datadog-ci/releases/download/v3.4.0/datadog-ci_linux-$PLATFORM" --output "/usr/local/bin/datadog-ci" && \ - chmod +x /usr/local/bin/datadog-ci + rm -rf /var/lib/apt/lists/* + +RUN /tmp/install_sccache_static.sh && \ + /tmp/install_datadog_static.sh COPY --link scripts/version.sh /root/tezos/scripts/ diff --git a/images/scripts/install_datadog_static.sh b/images/scripts/install_datadog_static.sh index 34b23aad6ddb..b184ae415933 100755 --- a/images/scripts/install_datadog_static.sh +++ b/images/scripts/install_datadog_static.sh @@ -4,17 +4,18 @@ set -euo pipefail -DATAGOG_RELEASE="${DATAGOG_RELEASE:-v3.4.0}" -EXPECTED_SHA256="${DATADOG_CI_SHA256:-94de024fe9826e7a4023cfa3ad60f3cf08310ffb2c061c2703a025bbb2532c5f}" +DATAGOG_RELEASE="v3.4.0" # Detect architecture ARCH=$(uname -m) case "$ARCH" in x86_64) PLATFORM="x64" + EXPECTED_SHA256="94de024fe9826e7a4023cfa3ad60f3cf08310ffb2c061c2703a025bbb2532c5f" ;; aarch64) PLATFORM="arm64" + EXPECTED_SHA256="b90082a9f0a363c17cb0945b4c26745c07d6756ff0239623b8074c5f35d65f45" ;; *) echo "Unsupported architecture: $ARCH" >&2 @@ -27,10 +28,12 @@ TARGET_PATH="/usr/local/bin/datadog-ci" TMP_FILE="$(mktemp)" # Download datadog-ci -echo "Downloading datadog-ci for $PLATFORM..." -curl -L -Ss --fail "https://github.com/DataDog/datadog-ci/releases/download/$DATAGOG_RELEASE/datadog-ci_linux-$PLATFORM" -o "$TMP_FILE" +URL="https://github.com/DataDog/datadog-ci/releases/download/$DATAGOG_RELEASE/datadog-ci_linux-$PLATFORM" +echo "Downloading datadog-ci for $PLATFORM $URL..." -DOWNLOADED_SHA256=$(sha256sum "$TMP_FILE" | awk '{print $1}') +curl -L -Ss --fail "$URL" -o "$TMP_FILE" + +DOWNLOADED_SHA256=$(sha256sum "$TMP_FILE" | cut -d ' ' -f1) if [[ "$DOWNLOADED_SHA256" != "$EXPECTED_SHA256" ]]; then echo "SHA256 mismatch!" echo "Expected: $EXPECTED_SHA256" @@ -43,3 +46,5 @@ mv "$TMP_FILE" "$TARGET_PATH" chmod +x "$TARGET_PATH" echo "datadog-ci installed successfully to $TARGET_PATH" + +/usr/local/bin/datadog-ci --version diff --git a/images/scripts/install_sccache_static.sh b/images/scripts/install_sccache_static.sh new file mode 100755 index 000000000000..87a55b62c493 --- /dev/null +++ b/images/scripts/install_sccache_static.sh @@ -0,0 +1,48 @@ +#!/bin/bash + +# Install the static glibc binary of sccache:$SCCACHE_RELEASE + +set -euo pipefail + +SCCACHE_RELEASE="${SCCACHE_RELEASE:-v0.8.1}" + +# Detect architecture +ARCH=$(uname -m) +case "$ARCH" in +x86_64) + PLATFORM="x86_64" + EXPECTED_SHA256="e0ee621fb16b6940666cd770b091c62cadafd3e062dd12e3a49d9caaff3b795f" + ;; +aarch64) + PLATFORM="aarch64" + EXPECTED_SHA256="452cef732b24415493a7c6bca6e13536eb9464593fa87c753b6b7cb4733e9c50" + ;; +*) + echo "Unsupported architecture: $ARCH" >&2 + exit 1 + ;; +esac + +# Define file path +TARGET_PATH="/usr/local/bin/sccache" +TMP_FILE="$(mktemp)" + +# Download sccache +echo "Downloading sccache-$SCCACHE_RELEASE for $PLATFORM..." +curl -L -o "$TMP_FILE" "https://github.com/mozilla/sccache/releases/download/$SCCACHE_RELEASE/sccache-$SCCACHE_RELEASE-$ARCH-unknown-linux-musl.tar.gz" + +DOWNLOADED_SHA256=$(sha256sum "$TMP_FILE" | cut -d ' ' -f1) +if [[ "$DOWNLOADED_SHA256" != "$EXPECTED_SHA256" ]]; then + echo "SHA256 mismatch!" + echo "Expected: $EXPECTED_SHA256" + echo "Got: $DOWNLOADED_SHA256" + rm -f "$TMP_FILE" + exit 1 +fi + +tar zxvf "$TMP_FILE" +cp "sccache-$SCCACHE_RELEASE-$ARCH-unknown-linux-musl/sccache" "$TARGET_PATH" +chmod +x "$TARGET_PATH" +rm -Rf "sccache-$SCCACHE_RELEASE-$ARCH-*" + +echo "sccache installed successfully to $TARGET_PATH" -- GitLab From 80cb864e04c11807d50fa879242d5039e340c05a Mon Sep 17 00:00:00 2001 From: Pietro Abate Date: Thu, 5 Jun 2025 12:45:28 +0200 Subject: [PATCH 2/2] packages: add kisscache to debian dependencies image --- images/packages/debian-deps-build.Dockerfile | 14 +++++- images/scripts/install_opam_static.sh | 47 ++++++++++++++++++++ scripts/install_build_deps.sh | 7 +++ 3 files changed, 66 insertions(+), 2 deletions(-) create mode 100755 images/scripts/install_opam_static.sh diff --git a/images/packages/debian-deps-build.Dockerfile b/images/packages/debian-deps-build.Dockerfile index 087736578d05..19dc6ed61602 100644 --- a/images/packages/debian-deps-build.Dockerfile +++ b/images/packages/debian-deps-build.Dockerfile @@ -18,6 +18,9 @@ ENV APT_PROXY=${APT_PROXY:-false} COPY --chown=tezos:tezos \ images/scripts/install_datadog_static.sh \ images/scripts/install_sccache_static.sh \ + images/scripts/install_opam_static.sh \ + scripts/kiss-fetch.sh \ + scripts/kiss-logs.sh \ /tmp/ # we trust sw distributors @@ -41,7 +44,8 @@ RUN echo "Acquire::http::Proxy \"$APT_PROXY\";" > /etc/apt/apt.conf.d/01proxy && rm -rf /var/lib/apt/lists/* RUN /tmp/install_sccache_static.sh && \ - /tmp/install_datadog_static.sh + /tmp/install_datadog_static.sh && \ + /tmp/install_opam_static.sh COPY --link scripts/version.sh /root/tezos/scripts/ @@ -66,8 +70,14 @@ COPY --link opam /root/tezos/ WORKDIR /root/tezos +ENV KISSCACHE="http://kisscache.kisscache.svc.cluster.local" +ENV OPAMFETCH="/tmp/kiss-fetch.sh" + #hadolint ignore=SC2154, SC1091 RUN . ./scripts/version.sh && \ eval $(opam env) && \ . "/root/.cargo/env" && \ - make build-deps + make build-deps && \ +# print kisscache stats + /tmp/kiss-logs.sh /tmp/kiss.log \ + && rm -f /tmp/kiss.log diff --git a/images/scripts/install_opam_static.sh b/images/scripts/install_opam_static.sh new file mode 100755 index 000000000000..14ffd1ba8852 --- /dev/null +++ b/images/scripts/install_opam_static.sh @@ -0,0 +1,47 @@ +#!/bin/sh + +# Install the static opam binary from the official release with SHA256 verification + +set -eu + +OPAM_VERSION="${OPAM_VERSION:-2.3.0}" + +# Architecture detection +ARCH=$(uname -m) +case "$ARCH" in +i386 | i686 | x86_64) + PLATFORM="i686" + BINARY_URL="https://github.com/ocaml/opam/releases/download/${OPAM_VERSION}/opam-${OPAM_VERSION}-i686-linux" + EXPECTED_SHA256="fa64561eb1b3128a825dd4b8a4a6143d77485d2ab373ca393e948d9a62668afa" + ;; +aarch64) + PLATFORM="arm64" + BINARY_URL="https://github.com/ocaml/opam/releases/download/${OPAM_VERSION}/opam-${OPAM_VERSION}-arm64-linux" + EXPECTED_SHA256="c363d070b1771b6830c6806eb9fd5ff1a54d0fe97bf389cd2dff20b6d203b2ad" + ;; +*) + echo "Unsupported architecture: $ARCH" >&2 + exit 1 + ;; +esac + +TARGET_PATH="/usr/bin/opam" +TMP_FILE="$(mktemp)" + +echo "Downloading opam ${OPAM_VERSION} for $PLATFORM..." +curl -L -o "$TMP_FILE" "$BINARY_URL" + +DOWNLOADED_SHA256=$(sha256sum "$TMP_FILE" | cut -d ' ' -f1) +if [ "$DOWNLOADED_SHA256" != "$EXPECTED_SHA256" ]; then + echo "SHA256 mismatch!" + echo "Expected: $EXPECTED_SHA256" + echo "Got: $DOWNLOADED_SHA256" + rm -f "$TMP_FILE" + exit 1 +fi + +cp "$TMP_FILE" "$TARGET_PATH" +chmod +x "$TARGET_PATH" +rm -f "$TMP_FILE" + +echo "opam ${OPAM_VERSION} installed successfully to $TARGET_PATH" diff --git a/scripts/install_build_deps.sh b/scripts/install_build_deps.sh index dd85d64a4370..82fd31eb8d2d 100755 --- a/scripts/install_build_deps.sh +++ b/scripts/install_build_deps.sh @@ -25,6 +25,13 @@ else dev= fi +# if the variable is defined in the environment, re-export them for +# opam to pick them up. Otherwise they are ignored. +if [ -e "$KISSCACHE" ]; then + export KISSCACHE="$KISSCACHE" + export OPAMFETCH="$OPAMFETCH" +fi + # $OPAMSWITCH variable makes the following commands fail if the switch referred # to by it does not exist. Since we're going to create it later, for now let's # pretend it's not set. -- GitLab