diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 6d9b969d69..c12809d383 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -35,6 +35,10 @@ jobs: - name: Parse .tool-versions uses: wistia/parse-tool-versions@v2.1.1 + - name: Fetch busybox for orchestrator embed + if: contains(matrix.modules, 'orchestrator') + run: make -C packages/orchestrator fetch-busybox + - name: golangci-lint ${{ matrix.modules }} uses: golangci/golangci-lint-action@v8 with: diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index d9b8f23621..f07214a6ea 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -56,6 +56,9 @@ jobs: - name: Setup orchestrator tests run: | + # Download busybox for go:embed + make -C packages/orchestrator fetch-busybox + # Enable unprivileged uffd mode echo 1 | sudo tee /proc/sys/vm/unprivileged_userfaultfd diff --git a/packages/orchestrator/.gitignore b/packages/orchestrator/.gitignore index a67d136791..05024eafc5 100644 --- a/packages/orchestrator/.gitignore +++ b/packages/orchestrator/.gitignore @@ -8,3 +8,7 @@ bin .shared /tmp .local-build + +# Downloaded at build time from fc-busybox release +pkg/template/build/core/systeminit/busybox +pkg/template/build/core/systeminit/busybox.stamp diff --git a/packages/orchestrator/Dockerfile b/packages/orchestrator/Dockerfile index e8f6fba915..ce57083d57 100644 --- a/packages/orchestrator/Dockerfile +++ b/packages/orchestrator/Dockerfile @@ -3,7 +3,13 @@ ARG GOLANG_VERSION=1.25.4 # It has to match with the host OS version (Ubuntu 22.04 = bookworm) ARG DEBIAN_VERSION=bookworm +# Busybox version from fc-busybox GitHub release. +# TARGETARCH is set automatically by Docker --platform. +ARG BUSYBOX_VERSION=1.36.1 + FROM golang:${GOLANG_VERSION}-${DEBIAN_VERSION} AS builder +ARG BUSYBOX_VERSION +ARG TARGETARCH # Cached golang dependencies WORKDIR /build/shared 
@@ -25,6 +31,16 @@ COPY ./shared/pkg ./shared/pkg COPY ./clickhouse/pkg ./clickhouse/pkg COPY ./orchestrator/pkg ./orchestrator/pkg + +# Download busybox from fc-busybox release for go:embed, verify against published SHA256SUMS. +# Runs after COPY so the systeminit directory exists; overwrites any stale binary from build context. +RUN RELEASE_URL="https://github.com/e2b-dev/fc-busybox/releases/download/v${BUSYBOX_VERSION}" \ + && BINARY="busybox_v${BUSYBOX_VERSION}_${TARGETARCH}" \ + && curl -sfL -o /tmp/${BINARY} "${RELEASE_URL}/${BINARY}" \ + && curl -sfL -o /tmp/SHA256SUMS "${RELEASE_URL}/SHA256SUMS" \ + && (cd /tmp && grep "${BINARY}" SHA256SUMS | sha256sum -c -) \ + && mv /tmp/${BINARY} /build/orchestrator/pkg/template/build/core/systeminit/busybox \ + && chmod +x /build/orchestrator/pkg/template/build/core/systeminit/busybox COPY ./orchestrator/cmd ./orchestrator/cmd COPY ./orchestrator/main.go ./orchestrator/main.go COPY ./orchestrator/Makefile ./orchestrator/Makefile @@ -32,7 +48,10 @@ COPY ./orchestrator/Makefile ./orchestrator/Makefile WORKDIR /build/orchestrator ARG COMMIT_SHA -RUN --mount=type=cache,target=/root/.cache/go-build make build-local COMMIT_SHA=${COMMIT_SHA} +# Build directly (not via make build-local) to skip fetch-busybox — binary is already downloaded above. +RUN --mount=type=cache,target=/root/.cache/go-build \ + CGO_ENABLED=1 GOOS=linux go build -o bin/orchestrator -ldflags "-X=main.commitSHA=${COMMIT_SHA}" . \ + && CGO_ENABLED=1 GOOS=linux go build -o bin/clean-nfs-cache -ldflags "-X=main.commitSHA=${COMMIT_SHA}" ./cmd/clean-nfs-cache FROM scratch diff --git a/packages/orchestrator/Makefile b/packages/orchestrator/Makefile index 5feb4af992..ad641c6580 100644 --- a/packages/orchestrator/Makefile +++ b/packages/orchestrator/Makefile 
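Review bot: The checksum check in the new RUN step only proves the download matches a SHA256SUMS file fetched from the very same release URL, so it catches a corrupted transfer but not a replaced or re-uploaded asset — whoever can change the release can change the sums file too, and nothing in this hunk verifies a signature. Pin the expected digest in the build instead, e.g. `ARG BUSYBOX_SHA256` set per platform by the Makefile's `make build`, and compare with `echo "${BUSYBOX_SHA256}  ${BINARY}" | sha256sum -c -`, so a changed upstream artifact fails the build rather than being embedded into the orchestrator. The `grep "${BINARY}" SHA256SUMS` is also an unanchored substring match; `grep " ${BINARY}$" SHA256SUMS` avoids picking up a second line for an asset whose name merely starts with the same prefix. In the second hunk the direct `go build` drops the `GOARCH=$(BUILD_ARCH)` that `make build-local` sets, which presumably works only because the builder stage already runs on the target platform — a one-line comment saying so would keep the next reader from re-adding it.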
@@ -27,15 +27,37 @@ build:
 	$(eval COMMIT_SHA := $(shell git rev-parse --short HEAD))
 	@docker build --platform $(BUILD_PLATFORM) --output=bin --build-arg COMMIT_SHA="$(COMMIT_SHA)" -f ./Dockerfile ..
 
+BUSYBOX_VERSION ?= 1.36.1
+BUSYBOX_EMBED := pkg/template/build/core/systeminit/busybox
+BUSYBOX_STAMP := $(BUSYBOX_EMBED).stamp
+BUSYBOX_RELEASE_URL := https://github.com/e2b-dev/fc-busybox/releases/download/v$(BUSYBOX_VERSION)
+
+# Download busybox and verify SHA256 against published checksums.
+# Skips if binary exists and version/arch match the stamp file.
+.PHONY: fetch-busybox
+fetch-busybox:
+	@if [ ! -f $(BUSYBOX_EMBED) ] || [ "$$(cat $(BUSYBOX_STAMP) 2>/dev/null)" != "$(BUSYBOX_VERSION)-$(BUILD_ARCH)" ]; then \
+		BINARY="busybox_v$(BUSYBOX_VERSION)_$(BUILD_ARCH)"; \
+		echo "Downloading busybox v$(BUSYBOX_VERSION) ($(BUILD_ARCH))..."; \
+		curl -sfL -o /tmp/$$BINARY "$(BUSYBOX_RELEASE_URL)/$$BINARY" \
+		&& curl -sfL -o /tmp/SHA256SUMS "$(BUSYBOX_RELEASE_URL)/SHA256SUMS" \
+		&& (cd /tmp && grep "$$BINARY" SHA256SUMS | sha256sum -c -) \
+		&& mv /tmp/$$BINARY $(BUSYBOX_EMBED) \
+		&& chmod +x $(BUSYBOX_EMBED) \
+		&& echo "$(BUSYBOX_VERSION)-$(BUILD_ARCH)" > $(BUSYBOX_STAMP) \
+		&& rm -f /tmp/SHA256SUMS \
+		|| { rm -f /tmp/$$BINARY /tmp/SHA256SUMS; echo "ERROR: failed to download or verify busybox"; exit 1; }; \
+	fi
+
 .PHONY: build-local
-build-local:
+build-local: fetch-busybox
 	# Allow for passing commit sha directly for docker builds
 	$(eval COMMIT_SHA ?= $(shell git rev-parse --short HEAD))
 	CGO_ENABLED=1 GOOS=linux GOARCH=$(BUILD_ARCH) go build -o bin/orchestrator -ldflags "-X=main.commitSHA=$(COMMIT_SHA)" .
 	CGO_ENABLED=1 GOOS=linux GOARCH=$(BUILD_ARCH) go build -o bin/clean-nfs-cache -ldflags "-X=main.commitSHA=$(COMMIT_SHA)" ./cmd/clean-nfs-cache
 
 .PHONY: build-debug
-build-debug:
+build-debug: fetch-busybox
 	CGO_ENABLED=1 GOOS=linux GOARCH=$(BUILD_ARCH) go build -race -gcflags=all="-N -l" -o bin/orchestrator .
 
 .PHONY: run-debug
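Review bot: `fetch-busybox` downloads into fixed, predictable paths (`/tmp/$$BINARY`, `/tmp/SHA256SUMS`) in the shared system temp directory, so on a multi-user host a pre-existing file or symlink of that name is followed, and two concurrent builds (separate checkouts, or `make -j` over targets that both depend on it) overwrite each other's files between download and verification. A private `mktemp -d` directory that is removed on every exit path fixes both; the rewrite below also anchors the checksum lookup so `grep` cannot match a longer asset name. Separately, the check only compares against the SHA256SUMS published next to the binary, which detects transfer corruption but not a replaced release — consider pinning the expected digest per arch in the Makefile (e.g. `BUSYBOX_SHA256_amd64 :=` / `BUSYBOX_SHA256_arm64 :=`) and checking it after the download. Note also that the `build:` recipe in the context above still passes only `COMMIT_SHA` to `docker build`, so `make build BUSYBOX_VERSION=…` has no effect on the Docker path; add `--build-arg BUSYBOX_VERSION="$(BUSYBOX_VERSION)"` there if the two are meant to stay in sync.
```make
fetch-busybox:
	@if [ ! -f $(BUSYBOX_EMBED) ] || [ "$$(cat $(BUSYBOX_STAMP) 2>/dev/null)" != "$(BUSYBOX_VERSION)-$(BUILD_ARCH)" ]; then \
		BINARY="busybox_v$(BUSYBOX_VERSION)_$(BUILD_ARCH)"; \
		TMPDIR_BB="$$(mktemp -d)" || exit 1; \
		echo "Downloading busybox v$(BUSYBOX_VERSION) ($(BUILD_ARCH))..."; \
		curl -sfL -o "$$TMPDIR_BB/$$BINARY" "$(BUSYBOX_RELEASE_URL)/$$BINARY" \
		&& curl -sfL -o "$$TMPDIR_BB/SHA256SUMS" "$(BUSYBOX_RELEASE_URL)/SHA256SUMS" \
		&& (cd "$$TMPDIR_BB" && grep " $$BINARY$$" SHA256SUMS | sha256sum -c -) \
		&& mv "$$TMPDIR_BB/$$BINARY" $(BUSYBOX_EMBED) \
		&& chmod +x $(BUSYBOX_EMBED) \
		&& echo "$(BUSYBOX_VERSION)-$(BUILD_ARCH)" > $(BUSYBOX_STAMP); \
		STATUS=$$?; rm -rf "$$TMPDIR_BB"; \
		if [ $$STATUS -ne 0 ]; then echo "ERROR: failed to download or verify busybox"; exit 1; fi; \
	fi
```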
diff --git a/packages/orchestrator/pkg/template/build/core/systeminit/busybox_1.36.1-2_amd64 b/packages/orchestrator/pkg/template/build/core/systeminit/busybox_1.36.1-2_amd64
deleted file mode 100755
index 507ea56de1..0000000000
Binary files a/packages/orchestrator/pkg/template/build/core/systeminit/busybox_1.36.1-2_amd64 and /dev/null differ
diff --git a/packages/orchestrator/pkg/template/build/core/systeminit/busybox_1.36.1-2_arm64 b/packages/orchestrator/pkg/template/build/core/systeminit/busybox_1.36.1-2_arm64
deleted file mode 100755
index 625e048f09..0000000000
Binary files a/packages/orchestrator/pkg/template/build/core/systeminit/busybox_1.36.1-2_arm64 and /dev/null differ
diff --git a/packages/orchestrator/pkg/template/build/core/systeminit/busybox_amd64.go b/packages/orchestrator/pkg/template/build/core/systeminit/busybox_amd64.go
index 60c76bbb0a..b25dfdc27d 100644
--- a/packages/orchestrator/pkg/template/build/core/systeminit/busybox_amd64.go
+++ b/packages/orchestrator/pkg/template/build/core/systeminit/busybox_amd64.go
@@ -1,11 +1,11 @@
 //go:build amd64
 
-// Busybox v1.36.1 static binary for amd64 (musl, minimal ~16 applets).
-// Custom build added in #1002 — origin unknown, no distro tag in binary.
+// Busybox static binary for amd64.
+// Downloaded from https://github.com/e2b-dev/fc-busybox/releases at build time.
 
 package systeminit
 
 import _ "embed"
 
-//go:embed busybox_1.36.1-2_amd64
+//go:embed busybox
 var BusyboxBinary []byte
diff --git a/packages/orchestrator/pkg/template/build/core/systeminit/busybox_arm64.go b/packages/orchestrator/pkg/template/build/core/systeminit/busybox_arm64.go
index d906967079..6bfcc5775c 100644
--- a/packages/orchestrator/pkg/template/build/core/systeminit/busybox_arm64.go
+++ b/packages/orchestrator/pkg/template/build/core/systeminit/busybox_arm64.go
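Review bot: `//go:embed busybox` now points at a gitignored file, so any `go build`, `go vet` or editor tooling run without `make fetch-busybox` first fails with "pattern busybox: no matching files found" — the new comment says the file is downloaded at build time but not that the developer has to trigger that download. Spell out the prerequisite next to the directive, e.g. `// Run "make fetch-busybox" (or build via the Makefile/Dockerfile) first; go:embed fails if this file is absent.` It is also worth stating that the bytes embedded are whatever the pinned fc-busybox release serves at build time rather than content reviewed in this repository, and that the version pin lives in the Makefile/Dockerfile `BUSYBOX_VERSION`, so a reader of this file knows where to look when the binary changes.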
@@ -1,12 +1,11 @@
 //go:build arm64
 
-// Busybox v1.36.1 static binary for arm64 (glibc, full 271 applets).
-// Source: Debian busybox-static 1:1.36.1-9 (https://packages.debian.org/busybox-static)
-// TODO: rebuild both binaries from the same minimal config for consistency.
+// Busybox static binary for arm64.
+// Downloaded from https://github.com/e2b-dev/fc-busybox/releases at build time.
 
 package systeminit
 
 import _ "embed"
 
-//go:embed busybox_1.36.1-2_arm64
+//go:embed busybox
 var BusyboxBinary []byte
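Review bot: The deleted comment recorded a real behavioural difference — arm64 was the Debian glibc build with the full 271 applets while amd64 was a minimal ~16-applet musl build, with a TODO to unify them — and the replacement says nothing about which applets the fc-busybox binary ships. If the system-init code elsewhere in this package relies on an applet that existed only in the Debian build, that would now surface at template boot rather than at build time; I cannot tell from this diff whether the fc-busybox config is the unified one the TODO asked for. Once confirmed against the release, say so here, e.g. `// Both arches now use the same fc-busybox config; see that repo for the applet list systeminit depends on.`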