Ci: Update gtest-bare-metal.yml (#1195)

Mionsz · web-flow · commit e21243342bbc · 2025-07-04T13:21:39.000+02:00
Update gtest-bare-metal.yml
Try to minimize possible issue inject points

Signed-off-by: Milosz Linkiewicz &lt;milosz.linkiewicz@intel.com&gt;
diff --git a/.github/path_filters.yml b/.github/path_filters.yml
@@ -8,7 +8,8 @@ linux_gtest: &linux_gtest
   - .github/workflows/ubuntu_build_with_gtest.yml
   - '.github/workflows/upl*'
   - 'patches/ice_drv/**'
-  - *ubuntu_build
+  - '*src'
+  - '*build'
 
 ice_build: &ice_build
   - .github/workflows/base_build.yml
@@ -27,7 +28,6 @@ rust_build: &rust_hooks_build
   - .github/workflows/base_build.yml
   - 'rust/**'
 
-
 python_build: &python_hooks_build
   - .github/workflows/base_build.yml
   - 'python/**'
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
@@ -14,6 +14,13 @@ on:
 permissions:
   contents: read
 
+env:
+  DOCKER_IMAGE_TAG: "${{ github.sha }}"
+  DOCKER_IMAGE_NAME: "mtl"
+  DOCKER_REGISTRY: "ghcr.io"
+  DOCKER_REGISTRY_PREFIX: "openvisualcloud/media-transport-library"
+  DOCKER_REGISTRY_LOGIN: "${{ github.repository == 'openvisualcloud/media-transport-library' }}"
+
 jobs:
   changes:
     runs-on: ubuntu-latest
@@ -37,7 +44,7 @@ jobs:
     timeout-minutes: 120
     permissions:
       contents: read
-
+      packages: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
@@ -50,17 +57,27 @@ jobs:
         uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
         with:
           buildkitd-flags: "--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host"
-          platforms: "linux/amd64"
+          platforms: "linux/amd64/v4"
           driver-opts: memory=14Gib,memory-swap=25Gib,env.BUILDKIT_STEP_LOG_MAX_SIZE=50000000,env.BUILDKIT_STEP_LOG_MAX_SPEED=10000000
 
+      - name: Login to Docker Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }}
+        continue-on-error: true
+        with:
+          registry: "${{ env.DOCKER_REGISTRY }}"
+          username: "${{ github.repository_owner }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+
       - name: Build image
         uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
-          push: false
-          file: docker/ubuntu.dockerfile
-          tags: mtl:latest
-
-
+          push: "${{ env.DOCKER_REGISTRY_LOGIN == 'true' }}"
+          context: "${{ github.workspace }}"
+          file: "${{ github.workspace }}/docker/ubuntu.dockerfile"
+          tags: "${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REGISTRY_PREFIX }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
+          cache-from: "type=gha,scope=${{ env.DOCKER_IMAGE_NAME }}"
+          cache-to: "type=gha,scope=${{ env.DOCKER_IMAGE_NAME }},mode=${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 'max' || 'min' }}"
 
   manager-docker-build:
     needs: changes
@@ -69,31 +86,47 @@ jobs:
     timeout-minutes: 120
     permissions:
       contents: read
-
+      packages: write
+    env:
+      DOCKER_IMAGE_NAME: mtl-manager
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
         with:
           egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
         with:
           buildkitd-flags: "--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host"
-          platforms: "linux/amd64"
+          platforms: "linux/amd64/v4"
           driver-opts: memory=14Gib,memory-swap=25Gib,env.BUILDKIT_STEP_LOG_MAX_SIZE=50000000,env.BUILDKIT_STEP_LOG_MAX_SPEED=10000000
 
       - name: Cache version from version file
         id: version
         working-directory: ${{ github.workspace }}
         run: echo "VERSION=$(cat VERSION)">> "$GITHUB_OUTPUT"
 
+      - name: Login to Docker Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }}
+        continue-on-error: true
+        with:
+          registry: "${{ env.DOCKER_REGISTRY }}"
+          username: "${{ github.repository_owner }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+
       - name: Build manager image
         uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
-          push: false
-          context: ${{ github.workspace }}/manager
-          tags: mtl-manager:latest
-          build-args: VERSION=${{ steps.version.outputs.VERSION }}
+          push: "${{ env.DOCKER_REGISTRY_LOGIN == 'true' }}"
+          context: "${{ github.workspace }}/manager"
+          file: "${{ github.workspace }}/manager/Dockerfile"
+          tags: "${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REGISTRY_PREFIX }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
+          cache-from: "type=gha,scope=${{ env.DOCKER_IMAGE_NAME }}"
+          cache-to: "type=gha,scope=${{ env.DOCKER_IMAGE_NAME }},mode=${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 'max' || 'min' }}"
+          build-args: VERSION=${{ steps.version.outputs.VERSION }}
+
diff --git a/docker/ubuntu.dockerfile b/docker/ubuntu.dockerfile
@@ -1,84 +1,124 @@
-# SPDX-License-Identifier: BSD-3-Clause
-# Copyright 2023 Intel Corporation
+# syntax=docker/dockerfile:1
 
-# NOTE: This Dockerfile is intended for development purposes only.
-# It has been tested for functionality, but not for security.
-# Please review and modify as necessary before using in a production environment.
+# Copyright (c) 2025 Intel Corporation.
+# SPDX-License-Identifier: BSD-3-Clause
 
-# Ubuntu 22.04, build stage
-FROM ubuntu@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37 AS builder
+# Ubuntu 22.04, builder stage
+ARG IMAGE_CACHE_REGISTRY=docker.io
+FROM "${IMAGE_CACHE_REGISTRY}/library/ubuntu:22.04@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37" AS builder
 
 LABEL maintainer="andrzej.wilczynski@intel.com,dawid.wesierski@intel.com,marek.kasiewicz@intel.com"
 
+ARG NPROC=20
+ARG DPDK_VER=25.03
+ARG PREFIX_PATH=/opt/intel
+ARG MTL_REPO=${PREFIX_PATH}/mtl
+ENV XDP_REPO=${PREFIX_PATH}/xdp
+ENV DPDK_REPO=${PREFIX_PATH}/dpdk
+ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig
+ENV DEBIAN_FRONTEND="noninteractive"
+ENV TZ="Europe/Warsaw"
+
+SHELL ["/bin/bash", "-ex", "-o", "pipefail", "-c"]
+
 # Install build dependencies and debug tools
+WORKDIR "${DPDK_REPO}"
+RUN apt-get update -y && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends ca-certificates sudo curl unzip apt-transport-https apt-utils python3-dev && \
+    apt-get autoremove -y && \
+    rm -rf /var/lib/apt/lists/* && \
+    curl -fsSL https://bootstrap.pypa.io/get-pip.py | python3 && \
+    python3 -m pip --no-cache-dir install --upgrade pip setuptools
+
+WORKDIR "${MTL_REPO}"
 RUN apt-get update -y && \
-    apt-get install -y --no-install-recommends systemtap-sdt-dev && \
-    apt-get install -y --no-install-recommends git build-essential meson python3 python3-pyelftools pkg-config libnuma-dev libjson-c-dev libpcap-dev libgtest-dev libsdl2-dev libsdl2-ttf-dev libssl-dev ca-certificates && \
-    apt-get install -y --no-install-recommends m4 clang llvm zlib1g-dev libelf-dev libcap-ng-dev libcap2-bin gcc-multilib && \
+    apt-get install -y --no-install-recommends git build-essential python3-pyelftools pkg-config libnuma-dev libjson-c-dev libpcap-dev libgtest-dev libsdl2-dev libsdl2-ttf-dev libssl-dev && \
+    apt-get install -y --no-install-recommends m4 clang llvm zlib1g-dev libelf-dev libcap-ng-dev libcap2-bin gcc-multilib systemtap-sdt-dev && \
+    apt-get autoremove -y && \
     apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-ENV MTL_REPO=Media-Transport-Library
-ENV DPDK_VER=25.03
-ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig
+    rm -rf /var/lib/apt/lists/* && \
+    python3 -m pip --no-cache-dir install meson ninja
 
-COPY . $MTL_REPO
+COPY . "${MTL_REPO}"
 
 # Clone DPDK and xdp-tools repo
-RUN git clone https://github.com/DPDK/dpdk.git && \
-    git clone --recurse-submodules https://github.com/xdp-project/xdp-tools.git
+WORKDIR "${XDP_REPO}"
+RUN git clone https://github.com/DPDK/dpdk.git "${DPDK_REPO}" && \
+    git clone --recurse-submodules https://github.com/xdp-project/xdp-tools.git "${XDP_REPO}"
 
 # Build DPDK with Media-Transport-Library patches
-WORKDIR /dpdk
+WORKDIR "${DPDK_REPO}"
 RUN git checkout v$DPDK_VER && \
     git switch -c v$DPDK_VER && \
     git config --global user.email "you@example.com" && \
     git config --global user.name "Your Name" && \
-    git am ../$MTL_REPO/patches/dpdk/$DPDK_VER/*.patch && \
+    git am "${MTL_REPO}/patches/dpdk/${DPDK_VER}/"*.patch && \
     meson setup build && \
-    meson install -C build && \
-    DESTDIR=/install meson install -C build
+    ninja -C build && \
+    ninja -C build install && \
+    DESTDIR=/install ninja -C build install
 
 # Build the xdp-tools project
-WORKDIR /xdp-tools
-RUN ./configure && make &&\
-    make install && \
-    DESTDIR=/install make install
-WORKDIR /xdp-tools/lib/libbpf/src
-RUN make install && \
-    DESTDIR=/install make install
+WORKDIR "${XDP_REPO}"
+RUN ./configure && \
+    make -j${NPROC:-$(nproc)} && \
+    make -j${NPROC:-8} install && \
+    DESTDIR=/install make -j${NPROC:-8} install && \
+    mkdir -p "${XDP_REPO}/lib/libbpf/src" && \
+    make -C "${XDP_REPO}/lib/libbpf/src" -j${NPROC:-$(nproc)} && \
+    make -C "${XDP_REPO}/lib/libbpf/src" -j${NPROC:-8} install && \
+    DESTDIR=/install make -C "${XDP_REPO}/lib/libbpf/src" -j${NPROC:-8} install
 
 # Build MTL
-WORKDIR /$MTL_REPO
-RUN ./build.sh && \
-    DESTDIR=/install meson install -C build && \
-    setcap 'cap_net_raw+ep' ./tests/tools/RxTxApp/build/RxTxApp
-
-# Ubuntu 22.04, runtime stage
-FROM ubuntu@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37 AS final
-
-LABEL maintainer="andrzej.wilczynski@intel.com,dawid.wesierski@intel.com,marek.kasiewicz@intel.com"
+WORKDIR "${MTL_REPO}"
+RUN "${MTL_REPO}/build.sh" && \
+    ninja -C "${MTL_REPO}/build" && \
+    ninja -C "${MTL_REPO}/build" install && \
+    DESTDIR=/install ninja -C "${MTL_REPO}/build" install && \
+    setcap 'cap_net_raw+ep' "${MTL_REPO}/tests/tools/RxTxApp/build/RxTxApp"
+
+# Ubuntu 22.04, runtime/final stage
+ARG MTL_REPO
+ARG IMAGE_CACHE_REGISTRY
+FROM "${IMAGE_CACHE_REGISTRY}/library/ubuntu:22.04@sha256:149d67e29f765f4db62aa52161009e99e389544e25a8f43c8c89d4a445a7ca37" AS final
+
+LABEL org.opencontainers.image.authors="andrzej.wilczynski@intel.com,dawid.wesierski@intel.com,marek.kasiewicz@intel.com"
+LABEL org.opencontainers.image.url="https://github.com/OpenVisualCloud/Media-Transport-Library"
+LABEL org.opencontainers.image.title="Intel® Media Transport Library"
+LABEL org.opencontainers.image.description="Intel® Media Transport Library (MTL), a real-time media transport(DPDK, AF_XDP, RDMA) stack for both raw and compressed video based on COTS hardware"
+LABEL org.opencontainers.image.documentation="https://openvisualcloud.github.io/Media-Transport-Library/README.html"
+LABEL org.opencontainers.image.version="1.26.0"
+LABEL org.opencontainers.image.vendor="Intel® Corporation"
+LABEL org.opencontainers.image.licenses="BSD 3-Clause License"
+
+ARG PREFIX_PATH=/opt/intel
+ARG MTL_REPO=${PREFIX_PATH}/mtl
+ENV DEBIAN_FRONTEND="noninteractive"
+ENV TZ="Europe/Warsaw"
+SHELL ["/bin/bash", "-ex", "-o", "pipefail", "-c"]
 
 # Install runtime dependencies
-RUN apt-get update -y && \
+WORKDIR /home/imtl/
+RUN apt-get clean -y && rm -rf /var/lib/apt/lists/* && \
+    apt-get update -y && \
+    apt-get install -y --no-install-recommends ca-certificates sudo curl unzip && \
     apt-get install -y --no-install-recommends libnuma1 libjson-c5 libpcap0.8 libsdl2-2.0-0 libsdl2-ttf-2.0-0 libssl3 zlib1g libelf1 libcap-ng0 libatomic1 && \
+    apt-get autoremove -y && \
     apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-# Add user: imtl(1001) with group vfio(2110)
-RUN groupadd -g 2110 vfio && \
-    useradd -m -G vfio -u 1001 imtl
+    rm -rf /var/lib/apt/lists/* && \
+    echo "Add user: imtl(20001) with group vfio(2110)" && \
+    groupadd -g 2110 vfio && \
+    useradd -m -G vfio,root,sudo -u 20001 imtl
 
 # Copy libraries and binaries
 COPY --chown=imtl --from=builder /install /
-COPY --chown=imtl --from=builder /Media-Transport-Library/build /home/imtl
-COPY --chown=imtl --from=builder /Media-Transport-Library/tests/tools/RxTxApp/build/RxTxApp /home/imtl/RxTxApp
-COPY --chown=imtl --from=builder /Media-Transport-Library/tests/tools/RxTxApp/script /home/imtl/scripts
-
-WORKDIR /home/imtl/
+COPY --chown=imtl --from=builder "${MTL_REPO}/build" "/home/imtl"
+COPY --chown=imtl --from=builder "${MTL_REPO}/tests/tools/RxTxApp/build/RxTxApp" "/home/imtl/RxTxApp"
+COPY --chown=imtl --from=builder "${MTL_REPO}/tests/tools/RxTxApp/script" "/home/imtl/scripts"
 
-# ldconfig
 RUN ldconfig
+SHELL ["/bin/bash", "-c"]
 
 USER imtl
 HEALTHCHECK --interval=30s --timeout=5s CMD true || exit 1
