Merge pull request #364 from OffchainLabs/braga/fix-docker-image-entrypoint

Fix reproducible docker image build for stylus verify

Author: rory-ocl

Cargo.lock

@@ -43,6 +43,7 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 sneks = "0.1"
 sys-info = "0.9.1"
+tempfile = "3.8"
 thiserror = "2.0"
 tiny-keccak = { version = "2.0", features = ["keccak"] }
 toml = "0.8"

stylus-tools/Cargo.toml

@@ -4,9 +4,10 @@
 use std::{cmp::Ordering, io::Write};
 
 use cargo_metadata::{semver::Version, Package};
+use tempfile::NamedTempFile;
 
 use crate::utils::{
-    docker::{self, image_exists, validate_host, DockerError},
+    docker::{self, validate_host, DockerError},
     toolchain::{get_toolchain_channel, ToolchainError},
 };
 
@@ -25,11 +26,24 @@ pub fn run_reproducible(
     let selected_cargo_stylus_version = select_stylus_version(cargo_stylus_version)?;
     let image_name = create_image(&selected_cargo_stylus_version, &toolchain_channel)?;
 
+    /// Currently only calling cargo stylus is supported (not cargo stylus-beta for instance)
     let mut args = vec!["cargo".to_string(), "stylus".to_string()];
     for arg in command_line.into_iter() {
         args.push(arg);
     }
-    docker::run_in_container(&image_name, package.source.clone().unwrap().repr, args)?;
+    // Use package source if available, otherwise use current working directory
+    let source = package
+        .source
+        .as_ref()
+        .map(|s| s.repr.to_owned())
+        .unwrap_or_else(|| {
+            std::env::current_dir()
+                .unwrap_or_else(|_| std::path::PathBuf::from("."))
+                .to_string_lossy()
+                .to_string()
+        });
+
+    docker::run_in_container(&image_name, &source, args)?;
     Ok(())
 }
 
@@ -39,23 +53,49 @@ fn create_image(
     toolchain_version: &str,
 ) -> Result<String, DockerError> {
     let name = image_name(cargo_stylus_version, toolchain_version);
-    if image_exists(&name)? {
+
+    // First, check if image exists locally
+    if docker::image_exists_locally(&name)? {
+        info!(@grey, "Using local image {name}");
         return Ok(name);
     }
-    println!("Building Docker image for Rust toolchain {toolchain_version}");
-    let mut build = docker::cmd::build(&name)?;
-    write!(
-        build.file(),
-        "\
+    info!(@grey, "Building Docker image for Rust toolchain {toolchain_version}");
+
+    // Second, check if base image exists on Docker Hub. If not, we fail early since
+    // docker build will fail trying to pull such image
+    let base_image = format!("offchainlabs/cargo-stylus-base:{cargo_stylus_version}");
+    info!(@grey, "Checking if base image exists on Docker Hub: {base_image}");
+
+    if !docker::image_exists_on_hub(&base_image)? {
+        return Err(DockerError::ImageNotFound(
+            base_image,
+            cargo_stylus_version.to_string(),
+        ));
+    }
+
+    info!(@grey, "Image exists, building container with base image: {base_image}");
+
+    // Create temporary Dockerfile
+    let dockerfile_content = format!(
+        r#"\
             ARG BUILD_PLATFORM=linux/amd64
-            FROM --platform=${{BUILD_PLATFORM}} offchainlabs/cargo-stylus-base:{cargo_stylus_version} AS base
+            FROM --platform=${{BUILD_PLATFORM}} {base_image} AS base
             RUN rustup toolchain install {toolchain_version}-x86_64-unknown-linux-gnu 
             RUN rustup default {toolchain_version}-x86_64-unknown-linux-gnu
             RUN rustup target add wasm32-unknown-unknown
             RUN rustup component add rust-src --toolchain {toolchain_version}-x86_64-unknown-linux-gnu
-        ",
-    )?;
-    build.wait()?;
+        "#
+    );
+
+    // Write to temporary file (automatically cleaned up when dropped)
+    let temp_file = NamedTempFile::new().map_err(DockerError::Io)?;
+    temp_file
+        .as_file()
+        .write_all(dockerfile_content.as_bytes())
+        .map_err(DockerError::Io)?;
+
+    // Build using the temporary file
+    docker::cmd::build_with_file(&name, temp_file.path())?;
     Ok(name)
 }
 

stylus-tools/src/core/build/reproducible.rs

@@ -5,6 +5,7 @@
 
 use std::{
     ffi::OsStr,
+    path::Path,
     process::{Command, Stdio},
     str,
 };
@@ -13,55 +14,83 @@ use super::{error::DockerError, json};
 
 const DOCKER_PROGRAM: &str = "docker";
 
-#[derive(Debug)]
-pub struct DockerBuild {
-    pub child: std::process::Child,
-}
-
-impl DockerBuild {
-    pub fn file(&mut self) -> impl std::io::Write + '_ {
-        self.child.stdin.as_mut().unwrap()
-    }
-
-    pub fn wait(mut self) -> Result<(), DockerError> {
-        self.child.wait().map_err(DockerError::WaitFailure)?;
-        Ok(())
-    }
-}
+/// Build a Docker image using a Dockerfile from an existing file.
+pub fn build_with_file(tag: &str, dockerfile_path: &Path) -> Result<(), DockerError> {
+    info!(@grey, "Building Docker image: {} (using Dockerfile: {})", tag, dockerfile_path.display());
 
-/// Start a Docker build.
-pub fn build(tag: &str) -> Result<DockerBuild, DockerError> {
-    let child = Command::new(DOCKER_PROGRAM)
+    let mut child = Command::new(DOCKER_PROGRAM)
         .arg("build")
         .args(["--tag", tag])
+        .args(["--file", dockerfile_path.to_str().unwrap()])
         .arg(".")
-        .args(["--file", "-"])
-        .stdin(Stdio::piped())
+        .stdout(Stdio::inherit())
+        .stderr(Stdio::inherit())
         .spawn()
         .map_err(DockerError::CommandExecution)?;
-    Ok(DockerBuild { child })
+
+    let status = child.wait().map_err(DockerError::WaitFailure)?;
+
+    if !status.success() {
+        return Err(DockerError::Docker(format!(
+            "Docker build failed with exit code: {}",
+            status.code().unwrap_or(-1)
+        )));
+    }
+
+    info!(@grey, "Docker image built successfully: {}", tag);
+    Ok(())
+}
+
+/// Check if a Docker image exists on Docker Hub.
+pub fn image_exists_on_hub(image_name: &str) -> Result<bool, DockerError> {
+    // Use docker manifest inspect to check if the image exists on the registry
+    let output = Command::new(DOCKER_PROGRAM)
+        .arg("manifest")
+        .arg("inspect")
+        .arg(image_name)
+        .output()
+        .map_err(DockerError::CommandExecution)?;
+
+    // If the command succeeds, the image exists
+    let exists = output.status.success();
+
+    Ok(exists)
 }
 
-/// List local Docker images.
-///
-/// We currently only use this with a repository specified.
-pub fn images(repository: &str) -> Result<Vec<json::Image>, DockerError> {
+/// Check if a specific Docker image exists locally.
+/// Returns true if the exact image:tag combination exists locally.
+pub fn image_exists_locally(image_name: &str) -> Result<bool, DockerError> {
     let output = Command::new(DOCKER_PROGRAM)
         .arg("images")
         .args(["--format", "json"])
-        .arg(repository)
+        .arg(image_name)
         .output()
         .map_err(DockerError::CommandExecution)?;
 
-    if !output.status.success() {
+    let success = output.status.success();
+    if !success {
         return Err(DockerError::from_stderr(output.stderr));
     }
 
-    output
+    // Parse the JSON output to check if any images match the exact image:tag
+    let images: Vec<json::Image> = output
         .stdout
         .split(|b| *b == b'\n')
-        .map(|slice| serde_json::from_slice(slice).map_err(Into::into))
-        .collect()
+        .filter(|slice| !slice.is_empty()) // Filter out empty lines
+        .map(|slice| serde_json::from_slice(slice).map_err(DockerError::Json))
+        .collect::<Result<Vec<_>, _>>()?;
+
+    // Check if any image matches the exact repository:tag combination
+    let exists = images.iter().any(|image| {
+        let full_name = if image.tag == "<none>" {
+            image.repository.clone()
+        } else {
+            format!("{}:{}", image.repository, image.tag)
+        };
+        full_name == image_name
+    });
+
+    Ok(exists)
 }
 
 /// Run a command in a Docker container.

stylus-tools/src/utils/docker/cmd.rs

@@ -24,6 +24,16 @@ pub enum DockerError {
     CannotConnect(String),
     #[error("Docker error: {0}")]
     Docker(String),
+    #[error(
+        "Base Docker image '{0}' not found locally nor on Docker Hub.
+            This usually means the version '{1}' is not available on Docker Hub.
+            Available options:
+            1. Visit https://hub.docker.com/r/offchainlabs/cargo-stylus-base/tags for all available versions
+            2. Try using a stable version: cargo stylus --version <stable-version>
+            3. Pull the image manually: docker pull {0}
+            Common stable versions: 0.6.3, 0.6.2"
+    )]
+    ImageNotFound(String, String),
 
     #[error("unable to determine host OS type")]
     UnableToDetermineOsType,

stylus-tools/src/utils/docker/error.rs

@@ -10,6 +10,8 @@ use serde::Deserialize;
 #[serde(rename_all = "PascalCase")]
 #[allow(dead_code)]
 pub struct Image {
+    pub id: Option<String>,
     pub repository: String,
+    pub created_at: String,
     pub tag: String,
 }

stylus-tools/src/utils/docker/json.rs

@@ -27,19 +27,27 @@ pub fn validate_host() -> Result<(), DockerError> {
     Ok(())
 }
 
-pub fn image_exists(image_name: &str) -> Result<bool, DockerError> {
-    Ok(!cmd::images(image_name)?.is_empty())
+pub fn image_exists_locally(image_name: &str) -> Result<bool, DockerError> {
+    cmd::image_exists_locally(image_name)
+}
+
+/// Check if a Docker image exists on Docker Hub.
+pub fn image_exists_on_hub(image_name: &str) -> Result<bool, DockerError> {
+    cmd::image_exists_on_hub(image_name)
 }
 
 pub fn run_in_container(
     image_name: &str,
     dir: impl AsRef<Path>,
     args: impl IntoIterator<Item = impl AsRef<OsStr>>,
 ) -> Result<(), DockerError> {
+    let dir_str = dir.as_ref().to_str().unwrap();
+    info!(@grey, "Using directory as entry point {dir_str}");
+
     cmd::run(
         image_name,
         Some("host"),
-        &[(dir.as_ref().to_str().unwrap(), "/source")],
+        &[(dir_str, "/source")],
         Some("/source"),
         args,
     )?;