targets/linux/deb/distro: bootstrap container when necessary

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

Author: invidian

targets/linux/deb/debian/common.go

@@ -27,6 +27,7 @@ var (
 	// base image.
 	basePackages = []string{
 		"ca-certificates",
+		"passwd",
 	}
 
 	targets = map[string]gwclient.BuildFunc{

targets/linux/deb/distro/container.go

@@ -10,7 +10,131 @@ import (
 	"github.com/project-dalec/dalec/targets"
 )
 
+type BuildDistrolessContainerInput struct {
+	Config *Config
+	Client gwclient.Client // Replace with interface.
+	Worker llb.State
+	SOpt   dalec.SourceOpts
+	Spec   *dalec.Spec
+	Target string
+	DebSt  llb.State // Why is this DebSt?
+	Opts   []llb.ConstraintsOpt
+}
+
+func BuildDistrolessContainer(ctx context.Context, input BuildDistrolessContainerInput) llb.State {
+	opts := append(input.Opts, frontend.IgnoreCache(input.Client), dalec.ProgressGroup("Build Container Image"))
+
+	// Those base repos come from distro configuration.
+	repos := dalec.GetExtraRepos(input.Config.ExtraRepos, "install")
+
+	// These are user specified via spec.
+	repos = append(repos, input.Spec.GetInstallRepos(input.Target)...)
+
+	withRepos := input.Config.RepoMounts(repos, input.SOpt, opts...)
+
+	debug := llb.Scratch().File(llb.Mkfile("debug", 0o644, []byte(`debug=2`)), opts...)
+	// This file makes dpkg give more verbose output which can be useful when things go awry.
+	debugOpt := llb.AddMount("/etc/dpkg/dpkg.cfg.d/99-dalec-debug", debug, llb.SourcePath("debug"), llb.Readonly)
+
+	// Distroless images are built from scratch.
+	baseImg := llb.Scratch().
+		File(llb.Mkfile("/apt.conf", 0o644, []byte(`Apt::Architecture "amd64";
+Apt::Architectures "amd64";
+Dir "/tmp/rootfs";
+Dir::Etc::TrustedParts "/etc/apt/trusted.gpg.d/";
+`)), opts...).
+		File(llb.Mkdir("/etc", 0o755), opts...).
+		File(llb.Mkdir("/etc/apt", 0o755), opts...).
+		File(llb.Mkfile("/etc/apt/sources.list", 0o644, []byte(`deb http://deb.debian.org/debian/ trixie main
+`)), opts...).
+		File(llb.Mkdir("/etc/apt/apt.conf.d", 0o755), opts...).
+		File(llb.Mkdir("/etc/apt/preferences.d", 0o755), opts...).
+		File(llb.Mkdir("/var", 0o755), opts...).
+		File(llb.Mkdir("/var/cache", 0o755), opts...).
+		File(llb.Mkdir("/var/lib", 0o755), opts...).
+		File(llb.Mkdir("/var/lib/dpkg", 0o755), opts...)
+
+	baseImg = input.Worker.Run(
+		dalec.WithConstraints(opts...),
+		withRepos,
+		debugOpt,
+		llb.AddEnv("DEBIAN_FRONTEND", "noninteractive"),
+		llb.AddEnv("APT_CONFIG", "/tmp/rootfs/apt.conf"),
+		dalec.ShArgs("set -x; apt-get update && apt-get --yes --download-only install '?essential' && for f in /tmp/rootfs/var/cache/apt/archives/*.deb; do dpkg-deb --extract \"$f\" /tmp/rootfs; done"),
+		frontend.IgnoreCache(input.Client, targets.IgnoreCacheKeyContainer),
+	).AddMount("/tmp/rootfs", baseImg).Run(
+		dalec.WithConstraints(opts...),
+		debugOpt,
+		llb.AddEnv("DEBIAN_FRONTEND", "noninteractive"),
+		dalec.ShArgs("dpkg --install --force-depends /var/cache/apt/archives/*.deb && rm -rf /var/cache/apt/archives/*.deb"),
+		frontend.IgnoreCache(input.Client, targets.IgnoreCacheKeyContainer),
+	).Root()
+
+	bi, err := input.Spec.GetSingleBase(input.Target)
+	if err != nil {
+		return dalec.ErrorState(llb.Scratch(), err)
+	}
+	if bi != nil {
+		baseImg = bi.ToState(input.SOpt, opts...)
+	}
+
+	opts = append(opts, dalec.ProgressGroup("Install spec package"))
+
+	// If we have base packages to install, create a meta-package to install them.
+	if len(input.Config.BasePackages) > 0 {
+		runtimePkgs := make(dalec.PackageDependencyList, len(input.Config.BasePackages))
+		for _, pkgName := range input.Config.BasePackages {
+			runtimePkgs[pkgName] = dalec.PackageConstraints{}
+		}
+		basePkgSpec := &dalec.Spec{
+			Name:        "dalec-deb-base-packages",
+			Packager:    "dalec",
+			Description: "Base Packages for Debian-based Distros",
+			Version:     "0.1",
+			Revision:    "1",
+			Dependencies: &dalec.PackageDependencies{
+				Runtime: runtimePkgs,
+			},
+		}
+
+		basePkg := input.Config.BuildPkg(ctx, input.Client, input.SOpt, basePkgSpec, input.Target, opts...)
+
+		// Update the base image to include the base packages.
+		// This may include things that are necessary to even install the debSt package.
+		// So this must be done separately from the debSt package.
+		opts := append(opts, dalec.ProgressGroup("Install base image packages"))
+		baseImg = baseImg.Run(
+			dalec.WithConstraints(opts...),
+			debugOpt,
+			InstallLocalPkg(basePkg, true, opts...),
+			dalec.WithMountedAptCache(input.Config.AptCachePrefix, opts...),
+		).Root()
+	}
+
+	return baseImg.Run(
+		dalec.WithConstraints(opts...),
+		withRepos,
+		debugOpt,
+		InstallLocalPkg(input.DebSt, true, opts...),
+		frontend.IgnoreCache(input.Client, targets.IgnoreCacheKeyContainer),
+	).Root().
+		With(dalec.InstallPostSymlinks(input.Spec.GetImagePost(input.Target), input.Worker, opts...))
+}
+
 func (c *Config) BuildContainer(ctx context.Context, client gwclient.Client, sOpt dalec.SourceOpts, spec *dalec.Spec, targetKey string, debSt llb.State, opts ...llb.ConstraintsOpt) llb.State {
+	if true {
+		return BuildDistrolessContainer(ctx, BuildDistrolessContainerInput{
+			Config: c,
+			Client: client,
+			Worker: c.Worker(sOpt, dalec.Platform(sOpt.TargetPlatform), dalec.WithConstraints(opts...)),
+			SOpt:   sOpt,
+			Spec:   spec,
+			Target: targetKey,
+			DebSt:  debSt,
+			Opts:   opts,
+		})
+	}
+
 	opts = append(opts, frontend.IgnoreCache(client), dalec.ProgressGroup("Build Container Image"))
 
 	baseImg := llb.Image(c.DefaultOutputImage, llb.WithMetaResolver(sOpt.Resolver), dalec.WithConstraints(opts...))

targets/linux/deb/distro/container_test.go

@@ -24,6 +24,7 @@ func Test_Building_container(t *testing.T) {
 		t.Parallel()
 
 		c := &Config{
+			ImageRef:           "foo",
 			DefaultOutputImage: "foo",
 		}
 
@@ -49,24 +50,37 @@ func Test_Building_container(t *testing.T) {
 
 		ctx := t.Context()
 
-		state := c.BuildContainer(ctx, client, dalec.SourceOpts{}, spec, "target", llb.State{})
+		sopt := dalec.SourceOpts{
+			GetContext: func(string, ...llb.LocalOption) (*llb.State, error) {
+				return nil, nil
+			},
+		}
+
+		state := c.BuildContainer(ctx, client, sopt, spec, "target", llb.State{})
 
 		ops, err := test.LLBOpsFromState(ctx, state)
 		if err != nil {
 			t.Fatalf("failed to get llb ops from state: %v", err)
 		}
 
-		if len(ops) == 0 {
-			t.Fatalf("expected at least one llb op, got none")
-		}
+		specPackageImageSourceFound := false
 
-		s := ops[0].Op.GetSource()
-		if s == nil {
-			t.Fatalf("expected source op, got nil")
+		for _, op := range ops {
+			s := op.Op.GetSource()
+
+			if s == nil || op.OpMetadata.ProgressGroup.Name != "Build Container Image" {
+				continue
+			}
+
+			specPackageImageSourceFound = true
+
+			if !strings.Contains(s.Identifier, expectedRef) {
+				t.Fatalf("expected source identifier to contain %q, got %q", expectedRef, s.Identifier)
+			}
 		}
 
-		if !strings.Contains(s.Identifier, expectedRef) {
-			t.Fatalf("expected source identifier to contain %q, got %q", expectedRef, s.Identifier)
+		if !specPackageImageSourceFound {
+			t.Fatalf("Expected to find spec package source in llb ops")
 		}
 	})
 
@@ -78,6 +92,7 @@ func Test_Building_container(t *testing.T) {
 		expectedRef := "foo"
 
 		c := &Config{
+			ImageRef:           "foo",
 			DefaultOutputImage: expectedRef,
 		}
 
@@ -89,7 +104,13 @@ func Test_Building_container(t *testing.T) {
 
 		ctx := t.Context()
 
-		state := c.BuildContainer(ctx, client, dalec.SourceOpts{}, spec, "target", llb.State{})
+		sopt := dalec.SourceOpts{
+			GetContext: func(string, ...llb.LocalOption) (*llb.State, error) {
+				return nil, nil
+			},
+		}
+
+		state := c.BuildContainer(ctx, client, sopt, spec, "target", llb.State{})
 
 		ops, err := test.LLBOpsFromState(ctx, state)
 		if err != nil {
@@ -119,6 +140,7 @@ func Test_Building_container(t *testing.T) {
 			extraInstallRepo := "extra-install-repo"
 
 			c := &Config{
+				ImageRef:           "foo",
 				DefaultOutputImage: "foo",
 				ExtraRepos: []dalec.PackageRepositoryConfig{
 					{
@@ -150,7 +172,12 @@ func Test_Building_container(t *testing.T) {
 
 			ctx := t.Context()
 
-			ops, err := test.LLBOpsFromState(ctx, c.BuildContainer(ctx, &testClient{}, dalec.SourceOpts{}, &dalec.Spec{}, "target", llb.State{}))
+			sopt := dalec.SourceOpts{
+				GetContext: func(string, ...llb.LocalOption) (*llb.State, error) {
+					return nil, nil
+				},
+			}
+			ops, err := test.LLBOpsFromState(ctx, c.BuildContainer(ctx, &testClient{}, sopt, &dalec.Spec{}, "target", llb.State{}))
 			if err != nil {
 				t.Fatalf("failed to get llb ops from state: %v", err)
 			}
@@ -190,6 +217,7 @@ func Test_Building_container(t *testing.T) {
 			aptCachePrefix := "apt-cache-prefix"
 
 			c := &Config{
+				ImageRef:           "foo",
 				DefaultOutputImage: "foo",
 				VersionID:          "bar",
 				ContextRef:         "distro-context-ref",
@@ -200,9 +228,7 @@ func Test_Building_container(t *testing.T) {
 
 			sopt := dalec.SourceOpts{
 				GetContext: func(string, ...llb.LocalOption) (*llb.State, error) {
-					s := llb.Scratch()
-
-					return &s, nil
+					return nil, nil
 				},
 			}
 
@@ -255,6 +281,7 @@ func Test_Building_container(t *testing.T) {
 			t.Parallel()
 
 			c := &Config{
+				ImageRef:           "foo",
 				DefaultOutputImage: "foo",
 				BasePackages:       []string{"base-package-1"},
 				VersionID:          "bar",
@@ -265,9 +292,7 @@ func Test_Building_container(t *testing.T) {
 
 			sopt := dalec.SourceOpts{
 				GetContext: func(string, ...llb.LocalOption) (*llb.State, error) {
-					s := llb.Scratch()
-
-					return &s, nil
+					return nil, nil
 				},
 			}
 
@@ -278,12 +303,16 @@ func Test_Building_container(t *testing.T) {
 				t.Fatalf("failed to get llb ops from state: %v", err)
 			}
 
+			execOpFound := false
+
 			for _, op := range ops {
 				e := op.Op.GetExec()
 				if e == nil || op.OpMetadata.ProgressGroup.Name != "Install base image packages" {
 					continue
 				}
 
+				execOpFound = true
+
 				for _, v := range e.Meta.Env {
 					s := strings.Split(v, "=")
 					if len(s) != 2 {
@@ -304,13 +333,18 @@ func Test_Building_container(t *testing.T) {
 				}
 			}
 
+			if !execOpFound {
+				t.Fatalf("Exec op for installing base packages not found")
+			}
+
 			t.Fatalf("Expected DALEC_UPGRADE to be set when installing base packages")
 		})
 
 		t.Run("before_installing_spec_package", func(t *testing.T) {
 			t.Parallel()
 
 			c := &Config{
+				ImageRef:           "foo",
 				DefaultOutputImage: "foo",
 				BasePackages:       []string{"base-package-1"},
 				VersionID:          "bar",
@@ -321,9 +355,7 @@ func Test_Building_container(t *testing.T) {
 
 			sopt := dalec.SourceOpts{
 				GetContext: func(string, ...llb.LocalOption) (*llb.State, error) {
-					s := llb.Scratch()
-
-					return &s, nil
+					return nil, nil
 				},
 			}
 
@@ -385,6 +417,7 @@ func Test_Building_container(t *testing.T) {
 			aptCachePrefix := "apt-cache-prefix"
 
 			c := &Config{
+				ImageRef:           "foo",
 				DefaultOutputImage: "foo",
 				BasePackages:       []string{"base-package-1"},
 				VersionID:          "bar",
@@ -396,9 +429,7 @@ func Test_Building_container(t *testing.T) {
 
 			sopt := dalec.SourceOpts{
 				GetContext: func(string, ...llb.LocalOption) (*llb.State, error) {
-					s := llb.Scratch()
-
-					return &s, nil
+					return nil, nil
 				},
 			}
 
@@ -411,12 +442,16 @@ func Test_Building_container(t *testing.T) {
 
 			aptCacheFound := false
 
+			execOpFound := false
+
 			for _, op := range ops {
 				e := op.Op.GetExec()
 				if e == nil || op.OpMetadata.ProgressGroup.Name != "Install base image packages" {
 					continue
 				}
 
+				execOpFound = true
+
 				for _, mount := range e.Mounts {
 					if mount.Dest == "/var/cache/apt" {
 						aptCacheFound = true
@@ -438,6 +473,10 @@ func Test_Building_container(t *testing.T) {
 				}
 			}
 
+			if !execOpFound {
+				t.Fatalf("Exec op for installing base packages not found")
+			}
+
 			if !aptCacheFound {
 				t.Fatalf("Apt cache mount not found before installing base packages")
 			}