Remote docker host (#1228)

* Bump httplib2 library to 0.11.3 for DigiCert

Per httplib2/httplib2#91  Which adds the DigiCert Global Root G2 serial to cacert.txt  Without this push_image() fails to registries trusted by the DigiCert CA.

* added email for cla

* added email for cla

* added travis.ci

* local puller

* no label

* use docker_tool_path in util

* docker command

* docker command

* docker command

* docker command

* docker command

* docker command

* docker command

* docker commands use quotes

* docker commands use quotes

* move flags to toolchain config

* misplaced arguments

* ran buildifier

* more buildifier bs

* added tests

* added tests

* proper linting

* test confusion

* tests for incremental_load and run_and_commit.

* tests for incremental_load and run_and_commit.

* making other tests run again after my changes

* add docker flag docs

* use symlink to test incremental_load template

* attempt at tests with image.bzl coverage

* add .executable to test scripts

* pushed wrong workspace

* fix compare test

* changes per PR

* reverted e2e test with executable

* template was in run.bzl too!

* fix dict order

* do docker cp rather than vm

* buildifier lint

* fix non merging files

* duplicate client_config

* fix lint and duplicate client_config

* checkout unmerged files

* fix tests with double outs

* fix e2e style tests for new executable.

* correct executable names for test

* fix executable in loop test

Co-authored-by: Yu YI <yiyu@google.com>
Co-authored-by: Nicolas Lopez <nlopezgi@gmail.com>

Author: 3 people

.bazelignore

@@ -3,3 +3,4 @@
 testing/examples
 testing/java_image
 testing/download_pkgs_at_root
+testing/custom_toolchain_flags

CONTRIBUTORS

@@ -9,6 +9,7 @@
 # Names should be added to this file as:
 #     Name <email address>
 
+David Schile <david.v.schile@nordstrom.com>
 Matthew Moore <mattmoor@google.com>
 Nathan Herring <nherring@google.com>
 Nicolas Lopez <ngiraldo@google.com>

README.md

@@ -150,6 +150,12 @@ docker_toolchain_configure(
   # OPTIONAL: Path to the xz binary.
   # Should be set explcitly for remote execution.
   xz_path="<enter absolute path to the xz binary (in the remote exec env) here>",
+  # OPTIONAL: List of additional flags to pass to the docker command.
+  docker_flags = [
+    "--tls",
+    "--log-level=info",
+  ],
+
 )
 # End of OPTIONAL segment.
 
@@ -2294,6 +2300,7 @@ Here's a (non-exhaustive) list of companies that use `rules_docker` in productio
   * [Evertz](https://evertz.com/)
   * [Jetstack](https://www.jetstack.io/)
   * [Kubernetes Container Image Promoter](https://github.com/kubernetes-sigs/k8s-container-image-promoter)
+  * [Nordstrom](https://nordstrom.com)
   * [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)
   * [Tink](https://www.tink.com)
   * [Wix](https://www.wix.com)

WORKSPACE

@@ -419,9 +419,9 @@ rbe_exec_properties(
     name = "exec_properties",
 )
 
+load("@bazel_skylib//lib:dicts.bzl", "dicts")
 load("@bazel_toolchains//rules:rbe_repo.bzl", "rbe_autoconfig")
 load("@exec_properties//:constants.bzl", "DOCKER_SIBLINGS_CONTAINERS", "NETWORK_ON")
-load("@bazel_skylib//lib:dicts.bzl", "dicts")
 
 rbe_autoconfig(
     name = "buildkite_config",

container/image.bzl

@@ -330,11 +330,12 @@ def _impl(
     cmd = cmd or ctx.attr.cmd
     operating_system = operating_system or ctx.attr.operating_system
     creation_time = creation_time or ctx.attr.creation_time
-    output_executable = output_executable or ctx.outputs.executable
+    build_executable = output_executable or ctx.outputs.build_script
     output_tarball = output_tarball or ctx.outputs.out
     output_digest = output_digest or ctx.outputs.digest
     output_config = output_config or ctx.outputs.config
     output_layer = output_layer or ctx.outputs.layer
+    build_script = ctx.outputs.build_script
     null_cmd = null_cmd or ctx.attr.null_cmd
     null_entrypoint = null_entrypoint or ctx.attr.null_entrypoint
 
@@ -465,10 +466,11 @@ def _impl(
     _incr_load(
         ctx,
         images,
-        output_executable,
+        build_executable,
         run = not ctx.attr.legacy_run_behavior,
         run_flags = docker_run_flags,
     )
+
     _assemble_image(
         ctx,
         images,
@@ -496,7 +498,7 @@ def _impl(
             docker_run_flags = docker_run_flags,
         ),
         DefaultInfo(
-            executable = output_executable,
+            executable = build_executable,
             files = depset([output_layer]),
             runfiles = runfiles,
         ),
@@ -559,6 +561,8 @@ _outputs["digest"] = "%{name}.digest"
 
 _outputs["config"] = "%{name}.json"
 
+_outputs["build_script"] = "%{name}.executable"
+
 image = struct(
     attrs = _attrs,
     outputs = _outputs,

container/incremental_load.sh.tpl

@@ -32,6 +32,7 @@ function guess_runfiles() {
 RUNFILES="${PYTHON_RUNFILES:-$(guess_runfiles)}"
 
 DOCKER="%{docker_tool_path}"
+DOCKER_FLAGS="%{docker_flags}"
 
 if [[ -z "${DOCKER}" ]]; then
     echo >&2 "error: docker not found; do you need to manually configure the docker toolchain?"
@@ -43,7 +44,7 @@ TEMP_FILES="$(mktemp -t 2>/dev/null || mktemp -t 'rules_docker_files')"
 TEMP_IMAGES="$(mktemp -t 2>/dev/null || mktemp -t 'rules_docker_images')"
 function cleanup() {
   cat "${TEMP_FILES}" | xargs rm -rf> /dev/null 2>&1 || true
-  cat "${TEMP_IMAGES}" | xargs "${DOCKER}" rmi > /dev/null 2>&1 || true
+  cat "${TEMP_IMAGES}" | xargs "${DOCKER}" ${DOCKER_FLAGS} rmi > /dev/null 2>&1 || true
 
   rm -rf "${TEMP_FILES}"
   rm -rf "${TEMP_IMAGES}"
@@ -56,7 +57,7 @@ function load_legacy() {
 
   # docker load has elision of preloaded layers built in.
   echo "Loading legacy tarball base $1..."
-  "${DOCKER}" load -i "${tarball}"
+  "${DOCKER}" ${DOCKER_FLAGS} load -i "${tarball}"
 }
 
 function join_by() {
@@ -97,7 +98,7 @@ EOF
 EOF
 
   set -o pipefail
-  tar c config.json manifest.json | "${DOCKER}" load 2>/dev/null | cut -d':' -f 2- >> "${TEMP_IMAGES}"
+  tar c config.json manifest.json | "${DOCKER}" ${DOCKER_FLAGS} load 2>/dev/null | cut -d':' -f 2- >> "${TEMP_IMAGES}"
 }
 
 function find_diffbase() {
@@ -204,15 +205,15 @@ EOF
   # We minimize reads / writes by symlinking the layers above
   # and then streaming exactly the layers we've established are
   # needed into the Docker daemon.
-  tar cPh "${MISSING[@]}" | tee image.tar | "${DOCKER}" load
+  tar cPh "${MISSING[@]}" | tee image.tar | "${DOCKER}" ${DOCKER_FLAGS} load
 }
 
 function tag_layer() {
   local name="$(cat "${RUNFILES}/$2")"
 
   local TAG="$1"
   echo "Tagging ${name} as ${TAG}"
-  "${DOCKER}" tag sha256:${name} ${TAG}
+  "${DOCKER}" ${DOCKER_FLAGS} tag sha256:${name} ${TAG}
 }
 
 function read_variables() {

container/layer_tools.bzl

@@ -261,12 +261,13 @@ def incremental_load(
         if run:
             # Args are embedded into the image, so omitted here.
             run_statements += [
-                "\"${DOCKER}\" run %s %s" % (run_flags, tag_reference),
+                "\"${DOCKER}\" ${DOCKER_FLAGS} run %s %s" % (run_flags, tag_reference),
             ]
 
     ctx.actions.expand_template(
         template = ctx.file.incremental_load_template,
         substitutions = {
+            "%{docker_flags}": " ".join(toolchain_info.docker_flags),
             "%{docker_tool_path}": toolchain_info.tool_path,
             "%{load_statements}": "\n".join(load_statements),
             "%{run_statements}": "\n".join(run_statements),

contrib/automatic_container_release/configs_test.bzl

@@ -69,6 +69,7 @@ def _impl(ctx):
         template = ctx.file._tpl,
         substitutions = {
             "%{cmd_args}": " ".join(cmd_args),
+            "%{docker_flags}": " ".join(toolchain_info.docker_flags),
             "%{docker_path}": toolchain_info.tool_path,
             "%{image_name}": ctx.attr._checker + ":" + ctx.attr.checker_tag,
             "%{spec_container_paths}": " ".join(spec_container_paths),

contrib/automatic_container_release/run_checker.sh.tpl

@@ -39,14 +39,15 @@ RUNFILES="${PYTHON_RUNFILES:-$(guess_runfiles)}"
 
 # Resolve the docker tool path.
 DOCKER="%{docker_path}"
+DOCKER_FLAGS="%{docker_flags}"
 
 if [[ -z "$DOCKER" ]]; then
     echo >&2 "error: docker not found; do you need to manually configure the docker toolchain?"
     exit 1
 fi
 
 # Create a new docker container that will run the checker.
-container_id=$($DOCKER create %{image_name} %{cmd_args})
+container_id=$($DOCKER $DOCKER_FLAGS create %{image_name} %{cmd_args})
 
 specs=(%{specs})
 spec_container_paths=(%{spec_container_paths})
@@ -59,20 +60,20 @@ if [ ${#specs[@]} -ne ${#spec_container_paths[@]} ]; then
     exit 1
 fi
 for ((i=0;i<${#specs[@]};i++)); do
-    $DOCKER cp -L ${specs[$i]} $container_id:${spec_container_paths[$i]}
+    $DOCKER $DOCKER_FLAGS cp -L ${specs[$i]} $container_id:${spec_container_paths[$i]}
 done
 
 # Start the container that will run the checker logic.
-$DOCKER start $container_id
+$DOCKER $DOCKER_FLAGS start $container_id
 
 # Wait for the checker to finish running.
-retcode=$($DOCKER wait $container_id)
+retcode=$($DOCKER $DOCKER_FLAGS wait $container_id)
 
 # Print all logs generated by the container.
-$DOCKER logs $container_id
+$DOCKER $DOCKER_FLAGS logs $container_id
 
 # Delete the container.
-$DOCKER rm $container_id
+$DOCKER $DOCKER_FLAGS rm $container_id
 
 exit $retcode
 

contrib/compare_ids_test.bzl

@@ -40,7 +40,10 @@ compare_ids_test(
 
 # Implementation of compare_ids_test
 def _compare_ids_test_impl(ctx):
-    tar_files = ctx.files.images
+    tar_files = []
+    for file in ctx.files.images:
+        if file.short_path.endswith("tar"):
+            tar_files += [file]
 
     if (len(tar_files) == 0):
         fail("No images provided for test.")