Write a Dockerfile that can build both entropy and server.
#430
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
vitropy
force-pushed
the
vi/containerize
branch
from
b8950bc to
acbe06e
Compare
vitropy
force-pushed
the
vi/containerize
branch
from
acbe06e to
2650b3d
Compare
This commit satisfies the pre-requisite for building container images from the source code herein inside a CI/CD pipeline (or, really, for any other purpose we might need containers for), as described in #423. The long and short of it is that we can use this to have container images built of the current commit, or any commit that we want. Since the code here depends on access to currently-private GitHub repositories, we need to have set a GitHub Personal Access Token (PAT) that can access the `entropyxyz/synedrion` and `entropyxyz/constraints` repositories. This is expected to be part of the `entropy-workstation-setup` [prerequisites](https://github.com/entropyxyz/entropy-workstation-setup#pre-requisites), so do that first if you haven't yet. The canonical place for such a token on a developer machine is `~/.entropy.auth.sh`, so developers can create containers of the `entropy` binary in a manner like so from their local workstation: ```shell docker buildx build \ --secret id=credentials,src=$HOME/.entropy.auth.sh \ --tag entropy . ``` This assumes a line like the following exists in `~/.entropy.auth.sh`: ```shell export GITHUB_TOKEN="ghp_xxxxxxxxxx" # Obviously, put a real PAT here. ``` You can also build arbitrary packages in the same environment by setting the `PACKAGE` build argument: ```shell docker buildx build --build-arg PACKAGE=server \ --secret id=credentials,src=$HOME/.entropy.auth.sh \ --tag server . ``` Additional build arguments provide some flexibility for the build environment: `RUST_VERSION`, `DEBIAN_CODENAME`, and `ALPINE_VERSION`.
vitropy
force-pushed
the
vi/containerize
branch
from
2650b3d to
7eecf1f
Compare
There was a problem hiding this comment.
Nice work!
A few thoughts/questions:
Can we use this as the canonical way to build release binaries? I worry that the build steps/dependencies will differ from what was introduced in #429 which might make tracking down bugs harder. What if the GHA workflow were to use this to build and publish binaries instead?
What are the tradeoffs between using PATs and SSH? I ask because my SSH setup for GH is already good (and hardware backed) to go and I'd rather not have an extra piece of sensitive data lying around. Would it be possible to use SSH instead of PATs here?
Otherwise everything looks reasonable. I'll approve once I actually build an image locally later today
There was a problem hiding this comment.
Can you add some of the points about the access token assumptions, etc. as comments here?
Will help anybody in the future that runs into issues
That is the plan.
It would be possible to use SSH but then we (and any consumer) has to manage SSH keys. Also, Cargo's implementation of SSH is extremely frustrating; it doesn't always pick up SSH configuration options the way OpenSSH does. There's a fall back possible ( Moreover, the PAT here can be what GitHub calls a "fine-grained PAT" instead of a "classic" PAT, which can be scoped not only to permissions of your user account but to specific repositories. This makes the fine-grained PAT option much easier to work with because it is A) symmetrical, B) no more permissive than a deploy key, and C) does not rely on our other infrastructure requirements. |
Co-authored-by: Hernando Castano <HCastano@users.noreply.github.com>
|
I wasn't able to get to building this today, so I'll do this tomorrow. @vitropy Do you need a yolo-approve to unblock you here? |
@HCastano Yes, pls! 🙏🏻💖 |
|
I had a go at trying this out. The buildx command above works fine for me with a 'classic' PAT token, but with a fine-grained one i couldn't figure out the right permissions to give it. Using |
It needs
I think you're looking at the wrong file. You're using a two-year old version of the |
|
@ameba23 Following up from my previous comment, you may also want to check out the newer
Have a look at the 3b453fd commit. |
* master: Write a Dockerfile that can build both `entropy` and `server`. (#430) Workflow for automated GitHub Release drafting/publishing. (#429) Update `.editorconfig` to match `.rustfmt.toml` settings (#427) Place `demo_offence` dispatchable behind root origin check (#426) Ensure correct validator order by using ValidatorInfo from chain rather than from user (#425) changed remaining references of --ws-external to --rpc-external Update README.md proactive refresh (#413)
This commit satisfies the pre-requisite for building container images from the source code herein inside a CI/CD pipeline (or, really, for any other purpose we might need containers for), as described in #423. The long and short of it is that we can use this to have container images built of the current commit, or any commit that we want.
Since the code here depends on access to currently-private GitHub repositories, we need to have set a GitHub Personal Access Token (PAT) that can access the
entropyxyz/synedrionandentropyxyz/constraintsrepositories. This is expected to be part of theentropy-workstation-setupprerequisites, so do that first if you haven't yet.
The canonical place for such a token on a developer machine is
~/.entropy.auth.sh, so developers can create containers of theentropybinary in a manner like so from their local workstation:docker buildx build \ --secret id=credentials,src=$HOME/.entropy.auth.sh \ --tag entropy .This assumes a line like the following exists in
~/.entropy.auth.sh:You can also build arbitrary packages in the same environment by setting the
PACKAGEbuild argument:docker buildx build --build-arg PACKAGE=server \ --secret id=credentials,src=$HOME/.entropy.auth.sh \ --tag server .Additional build arguments provide some flexibility for the build environment:
RUST_VERSION,DEBIAN_CODENAME, andALPINE_VERSION.