Merge branch 'basvandijk/fetch-images-from-cas-urls' into 'master'

rs/tests: directly fetch disk images from the content-addressed bazel cache

This fetches disk images from the bazel cache available over HTTP
using content-addressed URLs instead of downloading them from our CDN
using commit-hash-keyed URLs. 

See merge request dfinity-lab/public/ic!12085

Author: basvandijk

ic-os/boundary-guestos/envs/dev-sev/BUILD.bazel

@@ -6,4 +6,5 @@ boundary_node_icos_build(
     image_deps = image_deps,
     mode = "dev",
     sev = True,
+    visibility = ["//visibility:public"],
 )

ic-os/boundary-guestos/envs/dev/BUILD.bazel

@@ -9,4 +9,5 @@ boundary_node_icos_build(
     name = "dev",
     image_deps = image_deps,
     sev = False,
+    visibility = ["//visibility:public"],
 )

ic-os/defs.bzl

@@ -363,14 +363,18 @@ def icos_build(name, upload_prefix, image_deps, mode = None, malicious = False,
         zstd_compress(
             name = "update-img-test.tar.zst",
             srcs = [":update-img-test.tar"],
-            # The image is pretty big, therefore it is usually much faster to just rebuild it instead of fetching from the cache.
-            # TODO(IDX-2221): remove this when CI jobs and bazel infrastructure will run in the same clusters.
-            tags = ["no-remote-cache"],
         )
 
         sha256sum(
             name = "update-img-test.tar.zst.sha256",
             srcs = [":update-img-test.tar.zst"],
+            visibility = visibility,
+        )
+
+        sha256sum2url(
+            name = "update-img-test.tar.zst.cas-url",
+            src = ":update-img-test.tar.zst.sha256",
+            visibility = visibility,
         )
 
         gzip_compress(
@@ -671,14 +675,18 @@ def boundary_node_icos_build(name, image_deps, mode = None, sev = False, visibil
     zstd_compress(
         name = "disk-img.tar.zst",
         srcs = ["disk-img.tar"],
-        # The image is pretty big, therefore it is usually much faster to just rebuild it instead of fetching from the cache.
-        # TODO(IDX-2221): remove this when CI jobs and bazel infrastructure will run in the same clusters.
-        tags = ["no-remote-cache"],
     )
 
     sha256sum(
         name = "disk-img.tar.zst.sha256",
         srcs = [":disk-img.tar.zst"],
+        visibility = visibility,
+    )
+
+    sha256sum2url(
+        name = "disk-img.tar.zst.cas-url",
+        src = ":disk-img.tar.zst.sha256",
+        visibility = visibility,
     )
 
     gzip_compress(
@@ -710,7 +718,7 @@ def boundary_node_icos_build(name, image_deps, mode = None, sev = False, visibil
             ":upload_disk-img",
             ":disk-img.tar.zst.sha256",
         ],
-        visibility = ["//visibility:public"],
+        visibility = visibility,
         tags = ["manual"],
     )
 
@@ -908,14 +916,18 @@ def boundary_api_guestos_build(name, image_deps, mode = None, visibility = None)
     zstd_compress(
         name = "disk-img.tar.zst",
         srcs = ["disk-img.tar"],
-        # The image is pretty big, therefore it is usually much faster to just rebuild it instead of fetching from the cache.
-        # TODO(IDX-2221): remove this when CI jobs and bazel infrastructure will run in the same clusters.
-        tags = ["no-remote-cache"],
     )
 
     sha256sum(
         name = "disk-img.tar.zst.sha256",
         srcs = [":disk-img.tar.zst"],
+        visibility = visibility,
+    )
+
+    sha256sum2url(
+        name = "disk-img.tar.zst.cas-url",
+        src = ":disk-img.tar.zst.sha256",
+        visibility = visibility,
     )
 
     gzip_compress(

ic-os/guestos/envs/dev-malicious/BUILD.bazel

@@ -11,4 +11,5 @@ icos_build(
     malicious = True,
     mode = "dev",
     upload_prefix = "guest-os",
+    visibility = ["//visibility:public"],
 )

rs/tests/common.bzl

@@ -154,8 +154,10 @@ MACRO_DEPENDENCIES = [
 ]
 
 GUESTOS_RUNTIME_DEPS = [
-    "//ic-os/guestos/envs/dev:hash_and_upload_disk-img",
-    "//ic-os/guestos/envs/dev:hash_and_upload_update-img",
+    "//ic-os/guestos/envs/dev:disk-img.tar.zst.cas-url",
+    "//ic-os/guestos/envs/dev:disk-img.tar.zst.sha256",
+    "//ic-os/guestos/envs/dev:update-img.tar.zst.cas-url",
+    "//ic-os/guestos/envs/dev:update-img.tar.zst.sha256",
     "//ic-os:scripts/build-bootstrap-config-image.sh",
 ]
 
@@ -319,19 +321,23 @@ GRAFANA_RUNTIME_DEPS = UNIVERSAL_VM_RUNTIME_DEPS + [
 ]
 
 BOUNDARY_NODE_GUESTOS_RUNTIME_DEPS = [
-    "//ic-os/boundary-guestos/envs/dev:hash_and_upload_disk-img",
+    "//ic-os/boundary-guestos/envs/dev:disk-img.tar.zst.cas-url",
+    "//ic-os/boundary-guestos/envs/dev:disk-img.tar.zst.sha256",
     "//ic-os/boundary-guestos:scripts/build-bootstrap-config-image.sh",
 ]
 
 BOUNDARY_NODE_GUESTOS_SEV_RUNTIME_DEPS = [
-    "//ic-os/boundary-guestos/envs/dev-sev:hash_and_upload_disk-img",
+    "//ic-os/boundary-guestos/envs/dev-sev:disk-img.tar.zst.cas-url",
+    "//ic-os/boundary-guestos/envs/dev-sev:disk-img.tar.zst.sha256",
 ]
 
 COUNTER_CANISTER_RUNTIME_DEPS = ["//rs/tests:src/counter.wat"]
 
 GUESTOS_MALICIOUS_RUNTIME_DEPS = [
-    "//ic-os/guestos/envs/dev-malicious:hash_and_upload_disk-img",
-    "//ic-os/guestos/envs/dev-malicious:hash_and_upload_update-img",
+    "//ic-os/guestos/envs/dev-malicious:disk-img.tar.zst.cas-url",
+    "//ic-os/guestos/envs/dev-malicious:disk-img.tar.zst.sha256",
+    "//ic-os/guestos/envs/dev-malicious:update-img.tar.zst.cas-url",
+    "//ic-os/guestos/envs/dev-malicious:update-img.tar.zst.sha256",
     "//ic-os:scripts/build-bootstrap-config-image.sh",
 ]
 

rs/tests/consensus/orchestrator/BUILD.bazel

@@ -16,6 +16,11 @@ STATIC_FILE_SERVER_IMAGE_RUNTIME_DEP = [
     "//rs/tests:static-file-server_image",
 ]
 
+GUESTOS_UPDATE_TEST_RUNTIME_DEPS = [
+    "//ic-os/guestos/envs/dev:update-img-test.tar.zst.cas-url",
+    "//ic-os/guestos/envs/dev:update-img-test.tar.zst.sha256",
+]
+
 system_test(
     name = "downgrade_app_subnet_with_ecdsa_test",
     proc_macro_deps = MACRO_DEPENDENCIES,
@@ -216,6 +221,7 @@ system_test(
     target_compatible_with = ["@platforms//os:linux"],  # requires libssh that does not build on Mac OS
     runtime_deps =
         GUESTOS_RUNTIME_DEPS +
+        GUESTOS_UPDATE_TEST_RUNTIME_DEPS +
         UNIVERSAL_VM_RUNTIME_DEPS +
         NNS_CANISTER_RUNTIME_DEPS +
         MAINNET_REVISION_RUNTIME_DEPS,
@@ -228,6 +234,7 @@ system_test(
     target_compatible_with = ["@platforms//os:linux"],  # requires libssh that does not build on Mac OS
     runtime_deps =
         GUESTOS_RUNTIME_DEPS +
+        GUESTOS_UPDATE_TEST_RUNTIME_DEPS +
         UNIVERSAL_VM_RUNTIME_DEPS +
         NNS_CANISTER_RUNTIME_DEPS +
         MAINNET_REVISION_RUNTIME_DEPS,

rs/tests/src/driver/test_env_api.rs

@@ -836,8 +836,7 @@ impl<T: HasDependencies + HasTestEnv> HasIcDependencies for T {
     }
 
     fn get_ic_os_img_url(&self) -> Result<Url> {
-        let dep_rel_path =
-            "ic-os/guestos/envs/dev/upload_disk-img_disk-img.tar.zst.proxy-cache-url";
+        let dep_rel_path = "ic-os/guestos/envs/dev/disk-img.tar.zst.cas-url";
         let url = self.read_dependency_to_string(dep_rel_path)?;
         Ok(Url::parse(&url)?)
     }
@@ -850,8 +849,7 @@ impl<T: HasDependencies + HasTestEnv> HasIcDependencies for T {
     }
 
     fn get_malicious_ic_os_img_url(&self) -> Result<Url> {
-        let dep_rel_path =
-            "ic-os/guestos/envs/dev-malicious/upload_disk-img_disk-img.tar.zst.proxy-cache-url";
+        let dep_rel_path = "ic-os/guestos/envs/dev-malicious/disk-img.tar.zst.cas-url";
         let url = self.read_dependency_to_string(dep_rel_path)?;
         Ok(Url::parse(&url)?)
     }
@@ -864,8 +862,7 @@ impl<T: HasDependencies + HasTestEnv> HasIcDependencies for T {
     }
 
     fn get_ic_os_update_img_url(&self) -> Result<Url> {
-        let dep_rel_path =
-            "ic-os/guestos/envs/dev/upload_update-img_update-img.tar.zst.proxy-cache-url";
+        let dep_rel_path = "ic-os/guestos/envs/dev/update-img.tar.zst.cas-url";
         let url = self.read_dependency_to_string(dep_rel_path)?;
         Ok(Url::parse(&url)?)
     }
@@ -878,28 +875,20 @@ impl<T: HasDependencies + HasTestEnv> HasIcDependencies for T {
     }
 
     fn get_ic_os_update_img_test_url(&self) -> Result<Url> {
-        let dep_rel_path =
-            "ic-os/guestos/envs/dev/upload_update-img_update-img-test.tar.zst.proxy-cache-url";
+        let dep_rel_path = "ic-os/guestos/envs/dev/update-img-test.tar.zst.cas-url";
         let url = self.read_dependency_to_string(dep_rel_path)?;
         Ok(Url::parse(&url)?)
     }
 
     fn get_ic_os_update_img_test_sha256(&self) -> Result<String> {
-        let dep_rel_path =
-            "ic-os/guestos/envs/dev/upload_update-img/update-img-test.tar.zst.SHA256SUM";
-        let sha256 = self
-            .read_dependency_to_string(dep_rel_path)?
-            .split(' ')
-            .next()
-            .unwrap()
-            .to_string();
-        bail_if_sha256_invalid(&sha256, "update-img-test.tar.zst")?;
+        let dep_rel_path = "ic-os/guestos/envs/dev/update-img-test.tar.zst.sha256";
+        let sha256 = self.read_dependency_to_string(dep_rel_path)?;
+        bail_if_sha256_invalid(&sha256, "ic_os_update_img_sha256")?;
         Ok(sha256)
     }
 
     fn get_malicious_ic_os_update_img_url(&self) -> Result<Url> {
-        let dep_rel_path =
-            "ic-os/guestos/envs/dev-malicious/upload_update-img_update-img.tar.zst.proxy-cache-url";
+        let dep_rel_path = "ic-os/guestos/envs/dev-malicious/update-img.tar.zst.cas-url";
         let url = self.read_dependency_to_string(dep_rel_path)?;
         Ok(Url::parse(&url)?)
     }
@@ -912,8 +901,7 @@ impl<T: HasDependencies + HasTestEnv> HasIcDependencies for T {
     }
 
     fn get_boundary_node_snp_img_url(&self) -> Result<Url> {
-        let dep_rel_path =
-            "ic-os/boundary-guestos/envs/dev-sev/upload_disk-img_disk-img.tar.zst.proxy-cache-url";
+        let dep_rel_path = "ic-os/boundary-guestos/envs/dev-sev/disk-img.tar.zst.cas-url";
         let result = self.read_dependency_to_string(dep_rel_path)?;
         Ok(Url::parse(&result)?)
     }
@@ -926,8 +914,7 @@ impl<T: HasDependencies + HasTestEnv> HasIcDependencies for T {
     }
 
     fn get_boundary_node_img_url(&self) -> Result<Url> {
-        let dep_rel_path =
-            "ic-os/boundary-guestos/envs/dev/upload_disk-img_disk-img.tar.zst.proxy-cache-url";
+        let dep_rel_path = "ic-os/boundary-guestos/envs/dev/disk-img.tar.zst.cas-url";
         let url = self.read_dependency_to_string(dep_rel_path)?;
         Ok(Url::parse(&url)?)
     }

rs/tests/src/orchestrator/upgrade_downgrade.rs

@@ -35,7 +35,7 @@ use ic_registry_subnet_type::SubnetType;
 use ic_types::{Height, SubnetId};
 use k256::ecdsa::VerifyingKey;
 use slog::{info, Logger};
-use std::{env, time::Duration};
+use std::time::Duration;
 
 pub const MIN_HASH_LENGTH: usize = 8; // in bytes
 
@@ -82,12 +82,8 @@ pub fn upgrade_downgrade_app_subnet(env: TestEnv) {
 fn upgrade_downgrade(env: TestEnv, subnet_type: SubnetType) {
     let logger = env.logger();
 
-    // TODO: abandon the TARGET_VERSION approach once run-system-tests.py is deprecated [VER-1818]
-    let is_bazel = env::var("TARGET_VERSION").is_err();
-
-    // TODO: [VER-1818]
-    let mainnet_version = env::var("TARGET_VERSION")
-        .or_else(|_| env.read_dependency_to_string("testnet/mainnet_nns_revision.txt"))
+    let mainnet_version = env
+        .read_dependency_to_string("testnet/mainnet_nns_revision.txt")
         .unwrap();
 
     // we expect to get a hash value here, so checking that is a hash number of at least 64 bits size
@@ -144,27 +140,16 @@ fn upgrade_downgrade(env: TestEnv, subnet_type: SubnetType) {
         &logger,
     ));
 
-    if is_bazel {
-        let sha256 = env.get_ic_os_update_img_test_sha256().unwrap();
-        let upgrade_url = env.get_ic_os_update_img_test_url().unwrap();
-        block_on(bless_replica_version(
-            &nns_node,
-            &original_branch_version,
-            UpdateImageType::ImageTest,
-            &logger,
-            &sha256,
-            vec![upgrade_url.to_string()],
-        ));
-    } else {
-        // TODO: [VER-1818]
-        block_on(bless_public_replica_version(
-            &nns_node,
-            &original_branch_version,
-            UpdateImageType::ImageTest,
-            UpdateImageType::ImageTest,
-            &logger,
-        ));
-    }
+    let sha256 = env.get_ic_os_update_img_test_sha256().unwrap();
+    let upgrade_url = env.get_ic_os_update_img_test_url().unwrap();
+    block_on(bless_replica_version(
+        &nns_node,
+        &original_branch_version,
+        UpdateImageType::ImageTest,
+        &logger,
+        &sha256,
+        vec![upgrade_url.to_string()],
+    ));
     info!(&logger, "Blessed all versions");
 
     downgrade_upgrade_roundtrip(
@@ -217,6 +202,10 @@ fn downgrade_upgrade_roundtrip(
             }
             (subnet.subnet_id, subnet_node, faulty_node, redundant_nodes)
         };
+    info!(
+        logger,
+        "downgrade_upgrade_roundtrip: subnet_node = {:?}", subnet_node.node_id
+    );
     subnet_node.await_status_is_healthy().unwrap();
     faulty_node.await_status_is_healthy().unwrap();