devenv: Add Kani and extract shared installation scripts

cgwalters · cgwalters · commit d6f12dd19256 · 2026-01-26T18:42:01.000-05:00
Add Kani formal verification tool - a bounded model checker for Rust
that can verify safety properties and absence of undefined behavior.
Kani requires rustup because it bundles a specific nightly toolchain.

Also deduplicate the installation logic between c10s and debian
Containerfiles by extracting into shared shell scripts:

- fetch-tools.sh: Downloads bcvk and scorecard binaries
- install-rust.sh: Installs rustup/cargo system-wide to /usr/local
- install-kani.sh: Installs kani formal verification tool

Key changes:
- Add rustup symlink at $CARGO_HOME/bin/rustup (required for rustup's
  self-update check which looks for itself there)
- Add new 'kani' build stage that compiles kani-verifier and runs setup
- Set KANI_HOME=/usr/local/kani for system-wide installation
- Copy kani bundle (compiler, libraries, CBMC) to final image

The kani version is renovate-managed via the kaniversion ARG.

Assisted-by: OpenCode (Claude Sonnet 4)
Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/devenv/.dockerignore b/devenv/.dockerignore
@@ -12,3 +12,6 @@
 !build-deps-debian.txt
 !build-deps-c10s.txt
 !devenv-init.sh
+!fetch-tools.sh
+!install-rust.sh
+!install-kani.sh
diff --git a/devenv/Containerfile.c10s b/devenv/Containerfile.c10s
@@ -30,59 +30,20 @@ FROM base as tools
 ARG bcvkversion=v0.9.0
 # renovate: datasource=github-releases depName=ossf/scorecard
 ARG scorecardversion=v5.1.1
-RUN <<EORUN
-set -xeuo pipefail
-arch=$(arch)
-
-rm -vrf /usr/local/bin/*
-
-# bcvk
-if test "${arch}" = x86_64; then
-  td=$(mktemp -d)
-  (
-    cd $td
-    target=bcvk-${arch}-unknown-linux-gnu
-    /bin/time -f '%E %C' curl -fLO https://github.com/bootc-dev/bcvk/releases/download/$bcvkversion/${target}.tar.gz
-    tar xvzf $target.tar.gz
-    mv $target /usr/local/bin/bcvk
-  )
-  rm -rf $td
-else
-  echo bcvk unavailable for $arch
-fi
-
-# scorecard (OpenSSF security scanner)
-td=$(mktemp -d)
-(
-  cd $td
-  # Map arch to scorecard naming convention
-  case "${arch}" in
-    x86_64) scarch=amd64 ;;
-    aarch64) scarch=arm64 ;;
-    *) echo "scorecard unavailable for $arch"; exit 0 ;;
-  esac
-  target=scorecard_${scorecardversion#v}_linux_${scarch}.tar.gz
-  /bin/time -f '%E %C' curl -fLO https://github.com/ossf/scorecard/releases/download/$scorecardversion/$target
-  tar xvzf $target
-  mv scorecard /usr/local/bin/scorecard
-)
-rm -rf $td
-EORUN
+COPY fetch-tools.sh /run/src/
+RUN bcvkversion=$bcvkversion scorecardversion=$scorecardversion /run/src/fetch-tools.sh
 
 FROM base as rust
-RUN <<EORUN
-set -xeuo pipefail
-# Setup rust; the idea here though is we install system-wide into /usr/local
-# as if it was packaged.
-export RUSTUP_HOME=/usr/local/rustup
-export CARGO_HOME=/usr/local/cargo
-# Install Rust system-wide
-curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile default
-# Move binaries to /usr/local/bin (system-managed, root-owned)
-mv /usr/local/cargo/bin/* /usr/local/bin/
-# Nothing really left here
-rm -vrf /usr/local/cargo/bin
-EORUN
+COPY install-rust.sh /run/src/
+RUN /run/src/install-rust.sh
+
+# Kani formal verification tool - requires rustup for toolchain management
+FROM rust as kani
+# renovate: datasource=crate depName=kani-verifier
+ARG kaniversion=0.67.0
+RUN dnf install -y gcc && dnf clean all
+COPY install-kani.sh /run/src/
+RUN kaniversion=$kaniversion /run/src/install-kani.sh
 
 # This builds the image.
 # Build this using `just devenv-build-c10s` from the root of the repository.
@@ -100,10 +61,14 @@ RUN grep -vEe '^#' npm.txt | /bin/time -f '%E %C' xargs npm i -g
 
 # Copy in the binaries from our tools container image
 COPY --from=tools /usr/local/bin/* /usr/local/bin/
-COPY --from=rust /usr/local/bin/* /usr/local/bin/
-COPY --from=rust /usr/local/rustup /usr/local/rustup
+COPY --from=kani /usr/local/bin/* /usr/local/bin/
+COPY --from=kani /usr/local/rustup /usr/local/rustup
+# Kani bundle (compiler, libraries, CBMC) installed via KANI_HOME during setup
+COPY --from=kani /usr/local/kani /usr/local/kani
 # Point rustup at the system-wide installation, but let CARGO_HOME default to ~/.cargo
 ENV RUSTUP_HOME=/usr/local/rustup
+# Point Kani at the system-wide installation
+ENV KANI_HOME=/usr/local/kani
 # Setup for codespaces
 COPY devenv-init.sh /usr/local/bin/
 
diff --git a/devenv/Containerfile.debian b/devenv/Containerfile.debian
@@ -30,59 +30,20 @@ FROM base as tools
 ARG bcvkversion=v0.9.0
 # renovate: datasource=github-releases depName=ossf/scorecard
 ARG scorecardversion=v5.1.1
-RUN <<EORUN
-set -xeuo pipefail
-arch=$(arch)
-
-rm -vrf /usr/local/bin/*
-
-# bcvk
-if test "${arch}" = x86_64; then
-  td=$(mktemp -d)
-  (
-    cd $td
-    target=bcvk-${arch}-unknown-linux-gnu
-    /bin/time -f '%E %C' curl -fLO https://github.com/bootc-dev/bcvk/releases/download/$bcvkversion/${target}.tar.gz
-    tar xvzf $target.tar.gz
-    mv $target /usr/local/bin/bcvk
-  )
-  rm -rf $td
-else
-  echo bcvk unavailable for $arch
-fi
-
-# scorecard (OpenSSF security scanner)
-td=$(mktemp -d)
-(
-  cd $td
-  # Map arch to scorecard naming convention
-  case "${arch}" in
-    x86_64) scarch=amd64 ;;
-    aarch64) scarch=arm64 ;;
-    *) echo "scorecard unavailable for $arch"; exit 0 ;;
-  esac
-  target=scorecard_${scorecardversion#v}_linux_${scarch}.tar.gz
-  /bin/time -f '%E %C' curl -fLO https://github.com/ossf/scorecard/releases/download/$scorecardversion/$target
-  tar xvzf $target
-  mv scorecard /usr/local/bin/scorecard
-)
-rm -rf $td
-EORUN
+COPY fetch-tools.sh /run/src/
+RUN bcvkversion=$bcvkversion scorecardversion=$scorecardversion /run/src/fetch-tools.sh
 
 FROM base as rust
-RUN <<EORUN
-set -xeuo pipefail
-# Setup rust; the idea here though is we install system-wide into /usr/local
-# as if it was packaged.
-export RUSTUP_HOME=/usr/local/rustup
-export CARGO_HOME=/usr/local/cargo
-# Install Rust system-wide
-curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile default
-# Move binaries to /usr/local/bin (system-managed, root-owned)
-mv /usr/local/cargo/bin/* /usr/local/bin/
-# Nothing really left here
-rm -vrf /usr/local/cargo/bin
-EORUN
+COPY install-rust.sh /run/src/
+RUN /run/src/install-rust.sh
+
+# Kani formal verification tool - requires rustup for toolchain management
+FROM rust as kani
+# renovate: datasource=crate depName=kani-verifier
+ARG kaniversion=0.67.0
+RUN apt-get update && apt-get install -y --no-install-recommends gcc libc6-dev && rm -rf /var/lib/apt/lists/*
+COPY install-kani.sh /run/src/
+RUN kaniversion=$kaniversion /run/src/install-kani.sh
 
 # This builds the image.
 # Build this using `just devenv-build-debian` from the root of the repository.
@@ -100,10 +61,14 @@ RUN grep -vEe '^#' npm.txt | /bin/time -f '%E %C' xargs npm i -g
 
 # Copy in the binaries from our tools container image
 COPY --from=tools /usr/local/bin/* /usr/local/bin/
-COPY --from=rust /usr/local/bin/* /usr/local/bin/
-COPY --from=rust /usr/local/rustup /usr/local/rustup
+COPY --from=kani /usr/local/bin/* /usr/local/bin/
+COPY --from=kani /usr/local/rustup /usr/local/rustup
+# Kani bundle (compiler, libraries, CBMC) installed via KANI_HOME during setup
+COPY --from=kani /usr/local/kani /usr/local/kani
 # Point rustup at the system-wide installation, but let CARGO_HOME default to ~/.cargo
 ENV RUSTUP_HOME=/usr/local/rustup
+# Point Kani at the system-wide installation
+ENV KANI_HOME=/usr/local/kani
 # Setup for codespaces
 COPY devenv-init.sh /usr/local/bin/
 
diff --git a/devenv/fetch-tools.sh b/devenv/fetch-tools.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Fetch architecture-independent binary tools into /usr/local/bin
+# This script is shared between c10s and debian container builds.
+set -xeuo pipefail
+
+# Required environment variables (passed as build ARGs)
+: "${bcvkversion:?bcvkversion is required}"
+: "${scorecardversion:?scorecardversion is required}"
+
+arch=$(arch)
+
+rm -vrf /usr/local/bin/*
+
+# bcvk
+if test "${arch}" = x86_64; then
+  td=$(mktemp -d)
+  (
+    cd $td
+    target=bcvk-${arch}-unknown-linux-gnu
+    /bin/time -f '%E %C' curl -fLO https://github.com/bootc-dev/bcvk/releases/download/$bcvkversion/${target}.tar.gz
+    tar xvzf $target.tar.gz
+    mv $target /usr/local/bin/bcvk
+  )
+  rm -rf $td
+else
+  echo bcvk unavailable for $arch
+fi
+
+# scorecard (OpenSSF security scanner)
+td=$(mktemp -d)
+(
+  cd $td
+  # Map arch to scorecard naming convention
+  case "${arch}" in
+    x86_64) scarch=amd64 ;;
+    aarch64) scarch=arm64 ;;
+    *) echo "scorecard unavailable for $arch"; exit 0 ;;
+  esac
+  target=scorecard_${scorecardversion#v}_linux_${scarch}.tar.gz
+  /bin/time -f '%E %C' curl -fLO https://github.com/ossf/scorecard/releases/download/$scorecardversion/$target
+  tar xvzf $target
+  mv scorecard /usr/local/bin/scorecard
+)
+rm -rf $td
diff --git a/devenv/install-kani.sh b/devenv/install-kani.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Install Kani formal verification tool
+# This script is shared between c10s and debian container builds.
+# Prerequisites: rustup must already be installed (via install-rust.sh)
+set -xeuo pipefail
+
+# Required environment variable (passed as build ARG)
+: "${kaniversion:?kaniversion is required}"
+
+export RUSTUP_HOME=/usr/local/rustup
+export CARGO_HOME=/usr/local/cargo
+export PATH="/usr/local/bin:$PATH"
+
+# Install Kani to a system-wide location so all users can access it
+export KANI_HOME=/usr/local/kani
+
+# Install kani-verifier
+/bin/time -f '%E %C' cargo install --locked kani-verifier --version $kaniversion
+
+# Run kani setup - downloads bundle and installs required nightly toolchain
+/bin/time -f '%E %C' /usr/local/cargo/bin/cargo-kani setup
+
+# Move kani binaries to /usr/local/bin, keep rustup symlink
+mv /usr/local/cargo/bin/cargo-kani /usr/local/cargo/bin/kani /usr/local/bin/
diff --git a/devenv/install-rust.sh b/devenv/install-rust.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Install Rust system-wide into /usr/local
+# This script is shared between c10s and debian container builds.
+set -xeuo pipefail
+
+export RUSTUP_HOME=/usr/local/rustup
+export CARGO_HOME=/usr/local/cargo
+
+# Install Rust system-wide
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile default
+
+# Move binaries to /usr/local/bin (system-managed, root-owned)
+mv /usr/local/cargo/bin/* /usr/local/bin/
+
+# Recreate bin directory with symlink to rustup - rustup's self-update check
+# looks for itself at $CARGO_HOME/bin/rustup
+mkdir -p /usr/local/cargo/bin
+ln -sf /usr/local/bin/rustup /usr/local/cargo/bin/rustup
