DataDog · pawelchcki · May 8, 2026 · May 8, 2026 · May 8, 2026 · May 9, 2026
@@ -7,17 +7,23 @@
 #   - Rust toolchain for RUM (inject-browser-sdk requires Rust 1.73+)
 #   - uv (fast Python package manager for tests)
 #
-# Toolchain files are sourced from deps/nginx-datadog/build_env/
+# Toolchain files are sourced from deps/nginx-datadog/build_env/.
 #
+# Arch is auto-derived from `uname -m` inside each RUN (matches the
+# buildx --platform the container runs on), so callers don't have to
+# pass --build-arg ARCH=. The VSCode "Reopen in Container" flow can't
+# auto-detect host arch from devcontainer.json, so relying on uname
+# keeps it correct without env-var gymnastics. `ARG ARCH` stays declared
+# (as an override) so external callers that already pass it — e.g. the
+# dd-repo-tools template's auto-detected build-arg — don't trigger
+# "ARG not declared" warnings.
 FROM alpine:3.20.3 AS sysroot
 
 ARG LLVM_VERSION=17.0.6
 ARG ARCH
 
 COPY deps/nginx-datadog/build_env/CHECKSUMS /CHECKSUMS
 
-RUN echo "Building LLVM ${LLVM_VERSION} on ${ARCH}"
-
 RUN apk --no-cache add alpine-sdk coreutils sudo bash samurai python3 linux-headers \
 	compiler-rt clang llvm lld wget cmake make binutils musl-dev git patchelf xz lit
 RUN wget https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VERSION}/llvm-project-${LLVM_VERSION}.src.tar.xz && \
@@ -60,22 +66,32 @@ RUN cd /usr/lib && ln -s clang/${LLVM_VERSION%%.*}/lib/linux/libclang_rt.builtin
 RUN rm -rf /llvm-project-${LLVM_VERSION}.src
 RUN rm -f llvm-project-${LLVM_VERSION}.src.tar.xz
 
-RUN mkdir -p /sysroot/${ARCH}-none-linux-musl/usr
-RUN ln -s /usr/lib /sysroot/${ARCH}-none-linux-musl/usr/
-RUN ln -s /usr/include /sysroot/${ARCH}-none-linux-musl/usr/
-RUN ln -s /lib /sysroot/${ARCH}-none-linux-musl/
-RUN ln -s /usr/lib/llvm${LLVM_VERSION%%.*}/lib/clang/${LLVM_VERSION%%.*}/lib /sysroot/${ARCH}-none-linux-musl/usr/lib/resource_dir/lib
-
-COPY deps/nginx-datadog/build_env/Toolchain.cmake.${ARCH} /sysroot/${ARCH}-none-linux-musl/Toolchain.cmake
+RUN arch=${ARCH:-$(uname -m)} && \
+    mkdir -p /sysroot/${arch}-none-linux-musl/usr && \
+    ln -s /usr/lib /sysroot/${arch}-none-linux-musl/usr/ && \
+    ln -s /usr/include /sysroot/${arch}-none-linux-musl/usr/ && \
+    ln -s /lib /sysroot/${arch}-none-linux-musl/ && \
+    ln -s /usr/lib/llvm${LLVM_VERSION%%.*}/lib/clang/${LLVM_VERSION%%.*}/lib /sysroot/${arch}-none-linux-musl/usr/lib/resource_dir/lib
+
+# Both Toolchain.cmake variants are staged; the RUN below picks the one
+# matching the build platform. (COPY can't use a shell-derived path, so
+# we copy both and select at RUN-time instead.)
+COPY deps/nginx-datadog/build_env/Toolchain.cmake.x86_64 /tmp/Toolchain.cmake.x86_64
+COPY deps/nginx-datadog/build_env/Toolchain.cmake.aarch64 /tmp/Toolchain.cmake.aarch64
+RUN arch=${ARCH:-$(uname -m)} && \
+    cp /tmp/Toolchain.cmake.${arch} /sysroot/${arch}-none-linux-musl/Toolchain.cmake && \
+    rm /tmp/Toolchain.cmake.x86_64 /tmp/Toolchain.cmake.aarch64
 
 # see https://github.com/llvm/llvm-project/issues/60572
-RUN mv /usr/lib/gcc/${ARCH}-alpine-linux-musl/13.2.1/include/stdatomic.h /usr/lib/gcc/${ARCH}-alpine-linux-musl/13.2.1/include/stdatomic.h_
-RUN cp /usr/lib/llvm${LLVM_VERSION%%.*}/lib/clang/${LLVM_VERSION%%.*}/include/stdatomic.h /usr/lib/gcc/${ARCH}-alpine-linux-musl/13.2.1/include/stdatomic.h
+RUN arch=${ARCH:-$(uname -m)} && \
+    mv /usr/lib/gcc/${arch}-alpine-linux-musl/13.2.1/include/stdatomic.h /usr/lib/gcc/${arch}-alpine-linux-musl/13.2.1/include/stdatomic.h_ && \
+    cp /usr/lib/llvm${LLVM_VERSION%%.*}/lib/clang/${LLVM_VERSION%%.*}/include/stdatomic.h /usr/lib/gcc/${arch}-alpine-linux-musl/13.2.1/include/stdatomic.h
 
 COPY deps/nginx-datadog/build_env/glibc_compat.c /sysroot/
-RUN clang --sysroot /sysroot/${ARCH}-none-linux-musl/ -fpie -O2 -fno-omit-frame-pointer \
-    -ggdb3 -c /sysroot/glibc_compat.c -o /tmp/glibc_compat.o && \
-    ar rcs /sysroot/${ARCH}-none-linux-musl/usr/lib/libglibc_compat.a /tmp/glibc_compat.o && \
+RUN arch=${ARCH:-$(uname -m)} && \
+    clang --sysroot /sysroot/${arch}-none-linux-musl/ -fpie -O2 -fno-omit-frame-pointer \
+        -ggdb3 -c /sysroot/glibc_compat.c -o /tmp/glibc_compat.o && \
+    ar rcs /sysroot/${arch}-none-linux-musl/usr/lib/libglibc_compat.a /tmp/glibc_compat.o && \
     rm /tmp/glibc_compat.o
 
 # Install dependencies for httpd

@@ -0,0 +1,5 @@
+# rsync --files-from allowlist (anything COPY'd by the Dockerfile).
+# Runtime-only files (bind-mounted at `docker run`) stay out of the hash.
+.devcontainer/Dockerfile
+deps/nginx-datadog/build_env/
+scripts/setup-httpd.py
@@ -0,0 +1,8 @@
+{
+  "name": "httpd-datadog",
+  "initializeCommand": "make -f .devcontainer/devcontainer.mk .devcontainer-stage-context",
+  "build": {
+    "dockerfile": ".staged/.devcontainer/Dockerfile",
+    "context": ".staged"
+  }
+}
@@ -0,0 +1,18 @@
+# GitHub Actions CI image
+
+GitHub-hosted runners can't pull from `registry.ddbuild.io`, so the
+workflows here pin `image:` to a public Docker Hub mirror of the
+GitLab-built devcontainer image.
+
+Run this **from `main`** after a `.devcontainer/` change has landed
+(the GitLab pipeline publishes the new tag; this just retags it to
+Docker Hub and updates the workflow `image:` pins):
+
+```sh
+make mirror-public-image
+```
+
+The target pulls the latest amd64 build, retags it under
+`datadog/docker-library:httpd-datadog-ci-<hash>`, pushes, and prints
+the exact `image:` value to paste into `dev.yml`, `release.yml`, and
+`system-tests.yml`.
@@ -19,20 +19,12 @@ jobs:
     needs: format
     runs-on: ubuntu-22.04
     container:
-      # See in Makefile where this image comes from.
+      # See .github/workflows/CI_IMAGE.md — bump via `make mirror-public-image`.
       image: datadog/docker-library:httpd-datadog-ci-28219c0ef3e00f1e3d5afcab61a73a5e9bd2a9b957d7545556711cce2a6262cd
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-      - name: Add cloned repo as safe
-        run: sh -c "git config --global --add safe.directory $PWD"
-      - name: Init required submodules
-        run: git submodule update --init --depth=1 deps/dd-trace-cpp deps/nginx-datadog
-      - name: Configure
-        run: cmake --preset=ci-dev -B build .
       - name: Build
-        run: |
-          cmake --build build -j --verbose
-          cmake --install build --prefix dist
+        run: make ci-build PRESET=ci-dev
       - name: Export library
         uses:  actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -44,7 +36,7 @@ jobs:
     needs: build
     runs-on: ubuntu-22.04
     container:
-      # See in Makefile where this image comes from.
+      # See .github/workflows/CI_IMAGE.md — bump via `make mirror-public-image`.
       image: datadog/docker-library:httpd-datadog-ci-28219c0ef3e00f1e3d5afcab61a73a5e9bd2a9b957d7545556711cce2a6262cd
     env:
       DD_ENV: ci

@@ -5,20 +5,12 @@ jobs:
   build:
     runs-on: ubuntu-22.04
     container:
-      # See in Makefile where this image comes from.
+      # See .github/workflows/CI_IMAGE.md — bump via `make mirror-public-image`.
       image: datadog/docker-library:httpd-datadog-ci-28219c0ef3e00f1e3d5afcab61a73a5e9bd2a9b957d7545556711cce2a6262cd
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-      - name: Add cloned repo as safe
-        run: sh -c "git config --global --add safe.directory $PWD"
-      - name: Init required submodules
-        run: git submodule update --init --depth=1 deps/dd-trace-cpp deps/nginx-datadog
-      - name: Configure
-        run: cmake --preset ci-release -B build .
       - name: Build
-        run: |
-          cmake --build build -j --verbose
-          cmake --install build --prefix dist
+        run: make ci-build PRESET=ci-release
       - name: Export library
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:

@@ -19,20 +19,12 @@ jobs:
   build-artifacts:
     runs-on: ubuntu-22.04
     container:
-      # See in Makefile where this image comes from.
+      # See .github/workflows/CI_IMAGE.md — bump via `make mirror-public-image`.
       image: datadog/docker-library:httpd-datadog-ci-28219c0ef3e00f1e3d5afcab61a73a5e9bd2a9b957d7545556711cce2a6262cd
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-      - name: Add cloned repo as safe
-        run: sh -c "git config --global --add safe.directory $PWD"
-      - name: Init required submodules
-        run: git submodule update --init --depth=1 deps/dd-trace-cpp deps/nginx-datadog
-      - name: Configure
-        run: cmake --preset=ci-dev -B build .
       - name: Build
-        run: |
-          cmake --build build -j --verbose
-          cmake --install build --prefix dist
+        run: make ci-build PRESET=ci-dev
       - name: Export library
         uses:  actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:

@@ -23,10 +23,13 @@
 compile_commands.json
 
 __pycache__/
+build-container/
 build-rum/
 build/
+dist-container/
 httpd-*/
 httpd/
+/logs/
 venv/
 
 test/integration-test/.coverage
@@ -37,3 +40,6 @@ test/integration-test/htmlcov/
 test/integration-test/log-*/
 test/integration-test/logs/
 test/integration-test/uv.lock
+.devcontainer/.staged/
+.devcontainer/.image-ref
+.devcontainer/.image-ref-x86_64