# ImageBuilder setup steps for Docker Tools pipelines. Handles:
# - Custom init steps (when provided by caller)
# - Default pull-based setup (Linux containerized, Windows native executable)
# - appsettings.json generation for publish configuration
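# Template parameters. All of them are resolved at template-expansion time, so
# their values come from the calling pipeline definition, not from job output.
parameters:
# OS of the Docker client on the agent. Restricted to the two values below,
# which keeps the value safe to splice into the logging command that sets the
# dockerClientOS variable.
- name: dockerClientOS
  type: string
  values:
  - linux
  - windows
# Publish configuration object, forwarded unchanged to
# generate-appsettings.yml.
- name: publishConfig
  type: object
  default: null
# Runtime condition fragment. It is inserted verbatim into every step's
# `condition:` expression, so it must only ever be supplied by trusted
# template callers, never derived from user-controlled input.
- name: condition
  type: string
  default: "true"
# Optional caller-supplied steps that replace the default pull-based setup.
# These run inside the job with the job's permissions.
- name: customInitSteps
  type: stepList
  default: []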
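steps:
# NOTE(review): the nesting below is reconstructed from the template
# expressions because this listing carries no indentation; confirm it against
# the repository copy.

# Custom ImageBuilder setup (e.g., bootstrap from source)
- ${{ if gt(length(parameters.customInitSteps), 0) }}:
  # Set dockerClientOS variable so custom setup steps can use it.
  # dockerClientOS is limited to linux/windows by the parameter's `values`
  # list, so nothing unexpected can reach this logging command.
  - script: echo "##vso[task.setvariable variable=dockerClientOS]${{ parameters.dockerClientOS }}"
    displayName: Set dockerClientOS variable
    condition: and(succeeded(), ${{ parameters.condition }})
  # Caller-supplied steps are inserted as-is; they are trusted to the same
  # degree as the pipeline definition that passes them in.
  - ${{ parameters.customInitSteps }}
# Default: Pull pre-built ImageBuilder image
# The image named by $(imageNames.imageBuilder) is later run with the host
# Docker socket mounted (Linux) or has its executable run directly on the
# agent (Windows), so its integrity matters as much as the agent's.
# NOTE(review): confirm the variable resolves to a digest-pinned reference in
# a trusted registry rather than a mutable tag.
- ${{ else }}:
  - ${{ if eq(parameters.dockerClientOS, 'linux') }}:
    - powershell: $(engDockerToolsPath)/Pull-Image.ps1 $(imageNames.imageBuilder)
      displayName: Pull Image Builder
      condition: and(succeeded(), ${{ parameters.condition }})
  - ${{ if eq(parameters.dockerClientOS, 'windows') }}:
    # Windows: Extract ImageBuilder executable from container image
    # Windows containers don't support Docker socket mounting, so we run
    # ImageBuilder as a native executable rather than in a container
    - powershell: $(engDockerToolsPath)/Invoke-WithRetry.ps1 "docker pull $(imageNames.imageBuilder)"
      displayName: Pull Image Builder
      condition: and(succeeded(), ${{ parameters.condition }})
    # The container is only created, never started; it exists so that
    # `docker cp` can read /image-builder out of the image. The name carries
    # the build and job IDs, presumably to avoid collisions between jobs
    # sharing an agent.
    - script: docker create --name setupImageBuilder-$(Build.BuildId)-$(System.JobId) $(imageNames.imageBuilder)
      displayName: Create Setup Container
      condition: and(succeeded(), ${{ parameters.condition }})
    - script: >
        docker cp
        setupImageBuilder-$(Build.BuildId)-$(System.JobId):/image-builder
        $(Build.BinariesDirectory)/.Microsoft.DotNet.ImageBuilder
      displayName: Copy Image Builder
      condition: and(succeeded(), ${{ parameters.condition }})
    # always() plus continueOnError: the setup container is removed even when
    # an earlier step failed, and a failed removal does not fail the job.
    - script: docker rm -f setupImageBuilder-$(Build.BuildId)-$(System.JobId)
      displayName: Cleanup Setup Container
      condition: and(always(), ${{ parameters.condition }})
      continueOnError: true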
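# Generate appsettings.json with publish configuration for ImageBuilder to read
# `condition` is forwarded as a template parameter because a template
# reference takes only `template` and `parameters`.
# NOTE(review): nesting reconstructed from a listing without indentation;
# confirm that this step sits at the top level of `steps`.
# NOTE(review): the output directory is $(artifactsPath); confirm that
# publishConfig carries only names and identifiers, not credentials, since the
# generated file would otherwise sit in a staging directory.
- template: /eng/docker-tools/templates/steps/generate-appsettings.yml@self
  parameters:
    publishConfig: ${{ parameters.publishConfig }}
    artifactStagingDirectory: $(artifactsPath)
    condition: ${{ parameters.condition }}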
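# On Linux, build the "withrepo" image that includes the repo's source code.
# The withrepo image layers the checked-out repository into the ImageBuilder
# container at /repo, so ImageBuilder can access manifests and Dockerfiles
# NOTE(review): nesting reconstructed from a listing without indentation; both
# steps below are assumed to sit under this Linux-only branch.
# NOTE(review): the build context is the working directory, so the resulting
# image embeds whatever is checked out; confirm the withrepo tag stays local
# to the agent and is never pushed.
- ${{ if eq(parameters.dockerClientOS, 'linux') }}:
  - script: >-
      docker build
      -t $(imageNames.imageBuilder.withrepo)
      --build-arg IMAGE=$(imageNames.imageBuilder)
      -f $(engDockerToolsPath)/Dockerfile.WithRepo .
    displayName: Build Image for Image Builder
    condition: and(succeeded(), ${{ parameters.condition }})
  # Define runImageBuilderCmd and runAuthedImageBuilderCmd variables
  # These are the primary interface for downstream ImageBuilder invocations:
  # - runImageBuilderCmd: For operations that don't need Azure DevOps auth
  # - runAuthedImageBuilderCmd: Passes OIDC tokens for ACR/Azure operations
  # The commands mount Docker socket (for building images) and artifact directory
  #
  # Security notes for reviewers:
  # - Mounting /var/run/docker.sock hands the container control of the host
  #   Docker daemon, which is effectively root on the agent. Both command
  #   variants do this, so the ImageBuilder image must be fully trusted and
  #   the agent treated as disposable.
  # - `-e NAME` without a value forwards NAME from the environment of the
  #   step that runs the command; only the authed variant forwards
  #   SYSTEM_ACCESSTOKEN and SYSTEM_OIDCREQUESTURI. Prefer runImageBuilderCmd
  #   wherever a token is not required.
  # - $(imageBuilderDockerRunExtraOptions) is spliced into the command line
  #   unvalidated. NOTE(review): confirm it is always defined (an unexpanded
  #   macro would be read by PowerShell as a subexpression) and that it
  #   cannot be overridden at queue time.
  - task: PowerShell@2
    displayName: Define ImageBuilder Command Variables
    condition: and(succeeded(), ${{ parameters.condition }})
    inputs:
      targetType: 'inline'
      script: |
        $imageBuilderImageName = "$(imageNames.imageBuilder.withrepo)"
        Write-Host "##vso[task.setvariable variable=imageBuilderImageName]$imageBuilderImageName"
        $dockerRunBaseCmd = @(
            "docker run --rm"
        )
        $dockerRunArgs = @(
            "-v /var/run/docker.sock:/var/run/docker.sock"
            "-v $(Build.ArtifactStagingDirectory):$(artifactsPath)"
            "-w /repo"
            "$(imageBuilderDockerRunExtraOptions)"
        )
        $authedDockerRunArgs = @(
            "-e", 'SYSTEM_ACCESSTOKEN'
            "-e", 'SYSTEM_OIDCREQUESTURI'
        )
        $dockerRunCmd = $dockerRunBaseCmd + $dockerRunArgs
        $authedDockerRunCmd = $dockerRunBaseCmd + $authedDockerRunArgs + $dockerRunArgs
        # Base commands without image name for templates that need to insert
        # extra docker run args before the image name (e.g. signing)
        $runImageBuilderBaseCmd = $($dockerRunCmd -join ' ')
        $runAuthedImageBuilderBaseCmd = $($authedDockerRunCmd -join ' ')
        Write-Host "##vso[task.setvariable variable=runImageBuilderBaseCmd]$runImageBuilderBaseCmd"
        Write-Host "##vso[task.setvariable variable=runAuthedImageBuilderBaseCmd]$runAuthedImageBuilderBaseCmd"
        # Full commands with image name for direct invocation by other templates
        $runImageBuilderCmd = "$runImageBuilderBaseCmd $imageBuilderImageName"
        $runAuthedImageBuilderCmd = "$runAuthedImageBuilderBaseCmd $imageBuilderImageName"
        Write-Host "##vso[task.setvariable variable=runImageBuilderCmd]$runImageBuilderCmd"
        Write-Host "##vso[task.setvariable variable=runAuthedImageBuilderCmd]$runAuthedImageBuilderCmd"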
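# On Windows, point to the extracted executable path
# Both runImageBuilderCmd and runAuthedImageBuilderCmd are the same because
# Windows runs natively and inherits environment variables automatically
#
# Security note: with no container boundary, the executable sees every
# environment variable mapped into the invoking step, so there is no
# unauthenticated variant on Windows. The binary was copied out of
# $(imageNames.imageBuilder), so the integrity of that image is the integrity
# of code running directly on the agent.
- ${{ if eq(parameters.dockerClientOS, 'windows') }}:
  - task: PowerShell@2
    displayName: Define runImageBuilderCmd Variables
    condition: and(succeeded(), ${{ parameters.condition }})
    inputs:
      targetType: 'inline'
      script: |
        $runImageBuilderCmd = "$(Build.BinariesDirectory)\.Microsoft.DotNet.ImageBuilder\Microsoft.DotNet.ImageBuilder.exe"
        Write-Host "##vso[task.setvariable variable=runImageBuilderCmd]$runImageBuilderCmd"
        Write-Host "##vso[task.setvariable variable=runAuthedImageBuilderCmd]$runImageBuilderCmd"
        # On Windows the base commands are the same as the full commands since
        # there is no container image name to append
        Write-Host "##vso[task.setvariable variable=runImageBuilderBaseCmd]$runImageBuilderCmd"
        Write-Host "##vso[task.setvariable variable=runAuthedImageBuilderBaseCmd]$runImageBuilderCmd"
        # Set imageBuilderImageName to empty - on Windows there is no container image
        # since ImageBuilder runs as a native exe. run-imagebuilder.yml appends this
        # variable to the command line, so it must be defined (but empty) to avoid
        # leaving an unexpanded $(imageBuilderImageName) literal in the script.
        Write-Host "##vso[task.setvariable variable=imageBuilderImageName]"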