buck2 icon indicating copy to clipboard operation
buck2 copied to clipboard
verified publisher icon facebook

Support for deterministic containers

Open salrashid123 opened this issue 2 years ago • 6 comments

I'm evaluating buck2 with the specific intent to generate container images that are deterministic

i do know you can do this with bazel and in golang with ko:

  • https://blog.bazel.build/2015/07/28/docker_build.html

but the state of the underlying library set is...well:

  • https://github.com/bazelbuild/rules_docker#status

i manged to build a simple go app with buck2 but struggling to find an example that would generate a container image.

Is this even possible with buck2 at the moment (any examples would go a long way).

salrashid123 avatar Apr 20 '23 15:04 salrashid123

Unfortunately this task is highly non-trivial in general as you can see from the implementation of something like those docker_build rules. I suspect this is unfortunately one of those cases where the answer is "no, but patches are welcome"

There are alternatives to crafting an entire bespoke filesystem image yourself, some tools can help you. For example, the tool buildah can create an OCI image from a directory you give it, so you can craft any filesystem layout for the container you want. I suspect this would be a great solution for Go binaries — you can just put the binary in a directory, pack it into an OCI image, and then ship that to your container registry. This is what people typically call "distroless containers", as they only contain your binary and whatever else they need (other binaries, maybe config files or startup scripts). This assumes your binary is fully statically linked. A rule like this, buildah_container_image or something, is probably ~30ish lines of Starlark total.

https://github.com/containers/buildah/blob/main/demos/buildah-scratch-demo.sh

If you do need distro-based containers, or something like them (e.g. your go app uses cgo and therefore needs libc.so.6), you can still use something like buildah. But you'd be on the hook for also populating a filesystem root for the container to use, based on some distro of your choosing. That's... it's own whole story.

thoughtpolice avatar Apr 21 '23 12:04 thoughtpolice

I think the answer is it's possible with the Buck2 core, but someone would need to write the Starlark. Maybe something like https://github.com/facebookincubator/antlir has some of the parts? CC @vmagro who might know.

ndmitchell avatar Apr 22 '23 12:04 ndmitchell

atleast in my case, i'll use kaniko or since the primary app is in go, the DIY approach with buildah.

I'll leave this open incase anyone wants to implement. thanks

salrashid123 avatar Apr 25 '23 13:04 salrashid123

I think rules_oci is the successor to rules_docker, FWIW: https://github.com/bazel-contrib/rules_oci

imjasonh avatar May 01 '24 21:05 imjasonh

I'm wondering what's the current status of it.

Some thoughts

  1. It would be nice if we have one implementation for container parts to take all required information and output oci images - which can be used by any tools (Bazel, Buck, etc.). I see rules_oci implements tarball to build images with layers etc. .. I don't see any docs

  2. buck2 should have all required context information. For example, bazel doesn't seem to pass all information at the same level (oci image arch and platform - see https://github.com/bazel-contrib/rules_oci/issues/228). For example, dev may run python in mac / arm64 but build python images for linux / amd64. If I specify oci image should be in linux/amd64, all dependent artifacts should be checked automatically.

chulkilee avatar Aug 18 '24 01:08 chulkilee

FWIW @benbrittain has done some work on https://github.com/benbrittain/oci-rules.

cbarrete avatar Aug 21 '24 16:08 cbarrete