1
0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2024-12-29 04:50:03 +01:00

build system: simplify docker image pinning

It turns out that the ID mechanics of docker are even more crazy than
realized before: On Linux (x86_64) they use a different SHA256 when
referring to a locally installed image than when referring to the
same image at dockerhub. On Mac OS (Apple Silicon), the use the repo
SHA256 also when referring to the local image.

Instead of increasing the complexity of the current solution even more
by covering both cases, we now use
`docker.io/riot/riotbuild@sha256:<SHA256_OF_DOCKERHUB_IMAGE>` to refer
to a specific docker image, which hopefully works across systems.

Instead of pulling the image explicitly, we now can rely on docker
to do so automatically if the pinned image is not found locally. As
a result, the knob to disable automatic pulling has been dropped.

Fixes https://github.com/RIOT-OS/RIOT/issues/20853
This commit is contained in:
Marian Buschsieweke 2024-09-29 16:22:05 +02:00 committed by Marian Buschsieweke
parent 85172eda49
commit e960a19f24
No known key found for this signature in database
GPG Key ID: 758BD52517F79C41
3 changed files with 7 additions and 39 deletions

View File

@ -382,20 +382,12 @@ check_tests_application_path() {
} }
check_pinned_docker_version_is_up_to_date() { check_pinned_docker_version_is_up_to_date() {
local pinned_digest
local pinned_repo_digest local pinned_repo_digest
local upstream_digest
local upstream_repo_digest local upstream_repo_digest
pinned_digest="$(awk '/^DOCKER_TESTED_IMAGE_ID := (.*)$/ { print substr($0, index($0, $3)); exit }' "$RIOTMAKE/docker.inc.mk")"
pinned_repo_digest="$(awk '/^DOCKER_TESTED_IMAGE_REPO_DIGEST := (.*)$/ { print substr($0, index($0, $3)); exit }' "$RIOTMAKE/docker.inc.mk")" pinned_repo_digest="$(awk '/^DOCKER_TESTED_IMAGE_REPO_DIGEST := (.*)$/ { print substr($0, index($0, $3)); exit }' "$RIOTMAKE/docker.inc.mk")"
# not using docker and jq here but a python script to not have to install # not using docker and jq here but a python script to not have to install
# more stuff for the static test docker image # more stuff for the static test docker image
IFS=' ' read -r upstream_digest upstream_repo_digest <<< "$("$RIOTTOOLS/buildsystem_sanity_check/get_dockerhub_digests.py" "riot/riotbuild")" IFS=' ' read -r upstream_repo_digest <<< "$("$RIOTTOOLS/buildsystem_sanity_check/get_dockerhub_digests.py" "riot/riotbuild")"
if [ "$pinned_digest" != "$upstream_digest" ]; then
git -C "${RIOTBASE}" grep -n '^DOCKER_TESTED_IMAGE_ID :=' "$RIOTMAKE/docker.inc.mk" \
| error_with_message "Update docker image SHA256 to ${upstream_digest}"
fi
if [ "$pinned_repo_digest" != "$upstream_repo_digest" ]; then if [ "$pinned_repo_digest" != "$upstream_repo_digest" ]; then
git -C "${RIOTBASE}" grep -n '^DOCKER_TESTED_IMAGE_REPO_DIGEST :=' "$RIOTMAKE/docker.inc.mk" \ git -C "${RIOTBASE}" grep -n '^DOCKER_TESTED_IMAGE_REPO_DIGEST :=' "$RIOTMAKE/docker.inc.mk" \

View File

@ -87,5 +87,5 @@ if __name__ == '__main__':
if len(sys.argv) != 2: if len(sys.argv) != 2:
sys.exit(f"Usage {sys.argv[0]} <REPO_NAME>") sys.exit(f"Usage {sys.argv[0]} <REPO_NAME>")
digest, repo_digest = get_upstream_digests(sys.argv[1]) _, repo_digest = get_upstream_digests(sys.argv[1])
print(f"{digest} {repo_digest}") print(f"{repo_digest}")

View File

@ -5,13 +5,10 @@
# When the docker image is updated, checks at # When the docker image is updated, checks at
# dist/tools/buildsystem_sanity_check/check.sh start complaining in CI, and # dist/tools/buildsystem_sanity_check/check.sh start complaining in CI, and
# provide the latest values to verify and fill in. # provide the latest values to verify and fill in.
DOCKER_TESTED_IMAGE_ID := 1329f419ec1a045a5830361f288536a56a0671a3b0db216e469369b00719cdff
DOCKER_TESTED_IMAGE_REPO_DIGEST := d5a70c06703731ddfebb98e9227eb03a69f02c393d9e89bbbcd65d71f3ef056e DOCKER_TESTED_IMAGE_REPO_DIGEST := d5a70c06703731ddfebb98e9227eb03a69f02c393d9e89bbbcd65d71f3ef056e
DOCKER_PULL_IDENTIFIER := docker.io/riot/riotbuild@sha256:$(DOCKER_TESTED_IMAGE_REPO_DIGEST) DOCKER_PULL_IDENTIFIER := docker.io/riot/riotbuild@sha256:$(DOCKER_TESTED_IMAGE_REPO_DIGEST)
DOCKER_IMAGE_DEFAULT := sha256:$(DOCKER_TESTED_IMAGE_ID) export DOCKER_IMAGE ?= $(DOCKER_PULL_IDENTIFIER)
DOCKER_AUTO_PULL ?= 1
export DOCKER_IMAGE ?= $(DOCKER_IMAGE_DEFAULT)
export DOCKER_BUILD_ROOT ?= /data/riotbuild export DOCKER_BUILD_ROOT ?= /data/riotbuild
DOCKER_RIOTBASE ?= $(DOCKER_BUILD_ROOT)/riotbase DOCKER_RIOTBASE ?= $(DOCKER_BUILD_ROOT)/riotbase
@ -39,25 +36,6 @@ else
export INSIDE_DOCKER := 0 export INSIDE_DOCKER := 0
endif endif
ifeq (0:1,$(INSIDE_DOCKER):$(BUILD_IN_DOCKER))
ifeq ($(DOCKER_IMAGE),$(DOCKER_IMAGE_DEFAULT))
IMAGE_PRESENT:=$(shell $(DOCKER) image inspect $(DOCKER_IMAGE) 2>/dev/null >/dev/null && echo 1 || echo 0)
ifeq (0,$(IMAGE_PRESENT))
$(warning Required docker image $(DOCKER_IMAGE) not installed)
ifeq (1,$(DOCKER_AUTO_PULL))
$(info Pulling required image automatically. You can disable this with DOCKER_AUTO_PULL=0)
DEPS_FOR_RUNNING_DOCKER += docker-pull
else
$(info Building with latest available riotbuild image. You can pull the correct image automatically with DOCKER_AUTO_PULL=1)
# The currently set DOCKER_IMAGE is not locally available, and the
# user opted out to automatically pull it. Fall back to the
# latest (locally) available riot/riotbuild image instead.
export DOCKER_IMAGE := docker.io/riot/riotbuild:latest
endif
endif
endif
endif
# Default target for building inside a Docker container if nothing was given # Default target for building inside a Docker container if nothing was given
export DOCKER_MAKECMDGOALS ?= all export DOCKER_MAKECMDGOALS ?= all
# List of all exported environment variables that shall be passed on to the # List of all exported environment variables that shall be passed on to the
@ -164,6 +142,9 @@ DOCKER_USER ?= $$(id -u)
DOCKER_USER_OPT = $(if $(_docker_is_podman),--userns keep-id,--user $(DOCKER_USER)) DOCKER_USER_OPT = $(if $(_docker_is_podman),--userns keep-id,--user $(DOCKER_USER))
DOCKER_RUN_FLAGS ?= --rm --tty $(DOCKER_USER_OPT) DOCKER_RUN_FLAGS ?= --rm --tty $(DOCKER_USER_OPT)
# Explicitly set the platform to what the image is expecting
DOCKER_RUN_FLAGS += --platform linux/amd64
# allow setting make args from command line like '-j' # allow setting make args from command line like '-j'
DOCKER_MAKE_ARGS ?= DOCKER_MAKE_ARGS ?=
@ -378,11 +359,6 @@ docker_run_make = \
-w '$(DOCKER_APPDIR)' '$2' \ -w '$(DOCKER_APPDIR)' '$2' \
$(MAKE) $(DOCKER_OVERRIDE_CMDLINE) $4 $1 $(MAKE) $(DOCKER_OVERRIDE_CMDLINE) $4 $1
# This target pulls the docker image required for BUILD_IN_DOCKER
.PHONY: docker-pull
docker-pull:
$(DOCKER) pull '$(DOCKER_PULL_IDENTIFIER)'
# This will execute `make $(DOCKER_MAKECMDGOALS)` inside a Docker container. # This will execute `make $(DOCKER_MAKECMDGOALS)` inside a Docker container.
# We do not push the regular $(MAKECMDGOALS) to the container's make command in # We do not push the regular $(MAKECMDGOALS) to the container's make command in
# order to only perform building inside the container and defer executing any # order to only perform building inside the container and defer executing any