Merge branch 'docker-buildx-helper' into 'master'

Add foundation to build multiarch images

Closes #8469 and #8470

See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7492

Merged-by: Robert Marshall <[email protected]>
Approved-by: Dmytro Makovey <[email protected]>
Approved-by: Robert Marshall <[email protected]>
Reviewed-by: Robert Marshall <[email protected]>
Co-authored-by: Balasankar 'Balu' C <[email protected]>

Author: Robert Marshall

docker/Dockerfile

@@ -10,6 +10,8 @@ ENV LANG=C.UTF-8
 COPY locale.gen /etc/locale.gen
 
 # Install required packages
+# Note: libatomic1 is only required for arm64, but it is small enough to not
+# bother about the conditional inclusion logic
 RUN apt-get update -q \
     && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
       busybox \
@@ -20,6 +22,7 @@ RUN apt-get update -q \
       wget \
       perl \
       libperl5.34 \
+      libatomic1 \
     && locale-gen \
     && cp -a /usr/lib/locale/locale-archive /tmp/locale-archive \
     && DEBIAN_FRONTEND=noninteractive apt-get purge -yq locales \
@@ -43,6 +46,8 @@ RUN ln -fs /dev/null /run/motd.dynamic
 # Legacy code to be removed on 17.0.  See: https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7035
 ENV GITLAB_ALLOW_SHA1_RSA=false
 
+ARG TARGETARCH
+
 # Copy assets
 COPY RELEASE /
 COPY assets/ /assets/

docker/assets/setup

@@ -10,9 +10,19 @@ source /RELEASE
 sed -i "/DOWNLOAD_URL/d;/CI_JOB_TOKEN/d;" /RELEASE
 
 # Install GitLab
+if [[ "${TARGETARCH}" == "amd64" ]]; then
+  export DOWNLOAD_URL=${DOWNLOAD_URL_amd64}
+elif [[ "${TARGETARCH}" == "arm64" ]]; then
+  export DOWNLOAD_URL=${DOWNLOAD_URL_arm64}
+else
+  echo "Unknown TARGETARCH: DOWNLOAD_URL not set"
+fi
+
 DOWNLOAD_URL=${DOWNLOAD_URL} CI_JOB_TOKEN=${CI_JOB_TOKEN} /assets/download-package && dpkg -i /tmp/gitlab.deb 
 rm -rf /tmp/gitlab.deb /var/lib/apt/lists/*
 
+unset DOWNLOAD_URL_amd64
+unset DOWNLOAD_URL_arm64
 unset DOWNLOAD_URL
 unset CI_JOB_TOKEN
 

gitlab-ci-config/dev-gitlab-org.yml

@@ -315,6 +315,8 @@ Ubuntu-22.04-arm64-branch:
     - !reference [.default_rules, rules]
     - if: '$PIPELINE_TYPE =~ /_(NIGHTLY|BRANCH)_BUILD_PIPELINE$/'
     - if: '$PIPELINE_TYPE =~ /TRIGGERED_(CE|EE)_PIPELINE/'
+      # TODO: When multi-arch images are built by default, make this an
+      # automatic job
       when: manual
       allow_failure: true
 CentOS-7-branch:

lib/gitlab/build/image.rb

@@ -51,6 +51,15 @@ def copy_image_to_dockerhub(final_tag)
       SkopeoHelper.copy_image(source, target)
     end
 
+    def copy_image_to_gitlab_registry(final_tag)
+      source = source_image_address
+      target = gitlab_registry_image_address(tag: final_tag)
+
+      SkopeoHelper.login('gitlab-ci-token', Gitlab::Util.get_env('CI_JOB_TOKEN'), Gitlab::Util.get_env('CI_REGISTRY'))
+
+      SkopeoHelper.copy_image(source, target)
+    end
+
     def source_image_address
       raise NotImplementedError
     end

lib/gitlab/build/info/docker.rb

@@ -13,15 +13,19 @@ def tag
 
         def release_file_contents
           repo = Gitlab::Util.get_env('PACKAGECLOUD_REPO') # Target repository
+          download_urls = {}.tap do |urls|
+            urls[:amd64] = Build::Info::CI.package_download_url
+            urls[:arm64] = Build::Info::CI.package_download_url(arch: 'arm64')
+          end
 
-          download_url = Build::Info::CI.package_download_url
-          raise "Unable to identify package download URL." unless download_url
+          raise "Unable to identify package download URLs." if download_urls.empty?
 
           contents = []
           contents << "PACKAGECLOUD_REPO=#{repo.chomp}\n" if repo && !repo.empty?
           contents << "RELEASE_PACKAGE=#{Build::Info::Package.name}\n"
           contents << "RELEASE_VERSION=#{Build::Info::Package.release_version}\n"
-          contents << "DOWNLOAD_URL=#{download_url}\n"
+          contents << "DOWNLOAD_URL_amd64=#{download_urls[:amd64]}\n"
+          contents << "DOWNLOAD_URL_arm64=#{download_urls[:arm64]}\n"
           contents << "CI_JOB_TOKEN=#{Build::Info::CI.job_token}\n"
           contents.join
         end

lib/gitlab/docker_helper.rb

@@ -0,0 +1,92 @@
+require 'open3'
+require_relative 'docker_operations'
+
+# TODO: Deprecate DockerOperations
+class DockerHelper < DockerOperations
+  class << self
+    def authenticate(username: nil, password: nil, registry: nil)
+      puts "Logging in to Docker registry"
+
+      stdout, stderr, status = Open3.popen3({}, *%W[docker login --username=#{username} --password-stdin #{registry}]) do |stdin, stdout, stderr, wait_thr|
+        stdin.puts(password)
+        stdin.close
+
+        [stdout.read, stderr.read, wait_thr.value]
+      end
+
+      return if status.success?
+
+      puts "Failed to login to Docker registry."
+      puts "Output is: #{stdout}"
+      puts stderr
+      Kernel.exit 1
+    end
+
+    # TODO: When multi-arch images are built by default, modify `platforms`
+    # array to include `linux/arm64` also
+    def build(location, image, tag, dockerfile: nil, buildargs: nil, platforms: %w[linux/amd64], push: true)
+      create_builder
+
+      commands = %W[docker buildx build #{location} -t #{image}:#{tag}]
+
+      if (env_var_platforms = Gitlab::Util.get_env('DOCKER_BUILD_PLATFORMS'))
+        platforms.append(env_var_platforms.split(",").map(&:strip))
+      end
+
+      platforms.uniq!
+
+      commands += %W[--platform=#{platforms.join(',')}]
+
+      # If specified to push, we must push to registry. Even if not, if the
+      # image being built is multiarch, we must push to registry.
+      commands += %w[--push] if push || platforms.length > 1
+
+      commands += %W[-f #{dockerfile}] if dockerfile
+
+      buildargs&.each do |arg|
+        commands += %W[--build-arg='#{arg}']
+      end
+
+      puts "Running command: #{commands.join(' ')}"
+
+      Open3.popen2e(*commands) do |_, stdout_stderr, status|
+        while line = stdout_stderr.gets
+          puts line
+        end
+
+        Kernel.exit 1 unless status.value.success?
+      end
+    end
+
+    def create_builder
+      cleanup_existing_builder
+
+      puts "Creating docker builder instance"
+      # TODO: For multi-arch builds, use Kubernetes driver for builder instance
+      _, stdout_stderr, status = Open3.popen2e(*%w[docker buildx create --bootstrap --use --name omnibus-gitlab-builder])
+
+      return if status.value.success?
+
+      puts "Creating builder instance failed."
+      puts "Output: #{stdout_stderr.read}"
+      raise
+    end
+
+    def cleanup_existing_builder
+      puts "Cleaning any existing builder instances."
+      _, _, status = Open3.popen2e(*%w[docker buildx ls | grep omnibus-gitlab-builder])
+      unless status.value.success?
+        puts "omnibus-gitlab-builder instance not found. Not attempting to clean."
+        return
+      end
+
+      _, stdout_stderr, status = Open3.popen2e(*%w[docker buildx rm --force omnibus-gitlab-builder])
+      if status.value.success?
+        puts "Successfully cleaned omnibus-gitlab-builder instance."
+      else
+        puts "Cleaning of omnibus-gitlab-builder instance failed."
+        puts "Output: #{stdout_stderr.read}"
+      end
+    end
+  end
+end

lib/gitlab/tasks/docker_tasks.rake

@@ -5,6 +5,7 @@ require_relative '../build/gitlab_image'
 require_relative '../build/info/ci'
 require_relative '../build/info/docker'
 require_relative '../docker_operations'
+require_relative '../docker_helper'
 require_relative '../util'
 
 namespace :docker do
@@ -14,11 +15,8 @@ namespace :docker do
       Gitlab::Util.section('docker:build:image') do
         Build::GitlabImage.write_release_file
         location = File.absolute_path(File.join(File.dirname(File.expand_path(__FILE__)), "../../../docker"))
-        DockerOperations.build(
-          location,
-          Build::GitlabImage.gitlab_registry_image_address,
-          'latest'
-        )
+        DockerHelper.authenticate(username: "gitlab-ci-token", password: Gitlab::Util.get_env("CI_JOB_TOKEN"), registry: Gitlab::Util.get_env('CI_REGISTRY'))
+        DockerHelper.build(location, Build::GitlabImage.gitlab_registry_image_address, Build::Info::Docker.tag)
       end
     end
   end
@@ -28,11 +26,11 @@ namespace :docker do
     # Only runs on dev.gitlab.org
     task :staging do
       Gitlab::Util.section('docker:push:staging') do
-        Build::GitlabImage.tag_and_push_to_gitlab_registry(Build::Info::Docker.tag)
-
-        # Also tag with CI_COMMIT_REF_SLUG so that manual testing using Docker
-        # can use the same image name/tag.
-        Build::GitlabImage.tag_and_push_to_gitlab_registry(Build::Info::CI.commit_ref_slug)
+        # As part of build, the image is already tagged and pushed  to GitLab
+        # registry with `Build::Info::Docker.tag` as the tag. Also copy the
+        # image with `CI_COMMIT_REF_SLUG` as the tag so that manual testing
+        # using Docker can use the same image name/tag.
+        Build::GitlabImage.copy_image_to_gitlab_registry(Build::Info::CI.commit_ref_slug)
       end
     end
 
@@ -88,11 +86,11 @@ namespace :docker do
     desc "Push triggered Docker Image to GitLab Registry"
     task :triggered do
       Gitlab::Util.section('docker:push:triggered') do
-        Build::GitlabImage.tag_and_push_to_gitlab_registry(Build::Info::Docker.tag)
-
-        # Also tag with CI_COMMIT_REF_SLUG so that manual testing using Docker
+        # As part of build, the image is already tagged and pushed with
+        # `Build::Info::Docker.tag` as the tag. Also copy the image with
+        # `CI_COMMIT_REF_SLUG` as the tag so that manual testing using Docker
         # can use the same image name/tag.
-        Build::GitlabImage.tag_and_push_to_gitlab_registry(Build::Info::CI.commit_ref_slug)
+        Build::GitlabImage.copy_image_to_gitlab_registry(Build::Info::CI.commit_ref_slug)
       end
     end
   end

spec/lib/gitlab/build/image_spec.rb

@@ -109,7 +109,8 @@ def self.dockerhub_image_name
             "PACKAGECLOUD_REPO=download-package",
             "RELEASE_PACKAGE=gitlab-ce",
             "RELEASE_VERSION=12.121.12-ce.0",
-            "DOWNLOAD_URL=https://dev.gitlab.org/api/v4/projects/283/jobs/999999/artifacts/pkg/ubuntu-jammy/gitlab-ce_12.121.12-ce.0_amd64.deb",
+            "DOWNLOAD_URL_amd64=https://dev.gitlab.org/api/v4/projects/283/jobs/999999/artifacts/pkg/ubuntu-jammy/gitlab-ce_12.121.12-ce.0_amd64.deb",
+            "DOWNLOAD_URL_arm64=https://dev.gitlab.org/api/v4/projects/283/jobs/999999/artifacts/pkg/ubuntu-jammy_aarch64/gitlab-ce_12.121.12-ce.0_arm64.deb",
             "CI_JOB_TOKEN=NOT-CI-JOB-TOKEN\n"
           ].join("\n")
         end
@@ -130,7 +131,8 @@ def self.dockerhub_image_name
             "PACKAGECLOUD_REPO=download-package",
             "RELEASE_PACKAGE=gitlab-ee",
             "RELEASE_VERSION=12.121.12-ee.0",
-            "DOWNLOAD_URL=https://dev.gitlab.org/api/v4/projects/283/jobs/999999/artifacts/pkg/ubuntu-jammy/gitlab-ee_12.121.12-ee.0_amd64.deb",
+            "DOWNLOAD_URL_amd64=https://dev.gitlab.org/api/v4/projects/283/jobs/999999/artifacts/pkg/ubuntu-jammy/gitlab-ee_12.121.12-ee.0_amd64.deb",
+            "DOWNLOAD_URL_arm64=https://dev.gitlab.org/api/v4/projects/283/jobs/999999/artifacts/pkg/ubuntu-jammy_aarch64/gitlab-ee_12.121.12-ee.0_arm64.deb",
             "CI_JOB_TOKEN=NOT-CI-JOB-TOKEN\n"
           ].join("\n")
         end
@@ -159,7 +161,8 @@ def self.dockerhub_image_name
             "PACKAGECLOUD_REPO=download-package",
             "RELEASE_PACKAGE=gitlab-ce",
             "RELEASE_VERSION=12.121.12-ce.0",
-            "DOWNLOAD_URL=https://gitlab.com/api/v4/projects/20699/jobs/999999/artifacts/pkg/ubuntu-jammy/gitlab-ce_12.121.12-ce.0_amd64.deb",
+            "DOWNLOAD_URL_amd64=https://gitlab.com/api/v4/projects/20699/jobs/999999/artifacts/pkg/ubuntu-jammy/gitlab-ce_12.121.12-ce.0_amd64.deb",
+            "DOWNLOAD_URL_arm64=https://gitlab.com/api/v4/projects/20699/jobs/999999/artifacts/pkg/ubuntu-jammy_aarch64/gitlab-ce_12.121.12-ce.0_arm64.deb",
             "CI_JOB_TOKEN=NOT-CI-JOB-TOKEN\n"
           ].join("\n")
         end
@@ -180,7 +183,8 @@ def self.dockerhub_image_name
             "PACKAGECLOUD_REPO=download-package",
             "RELEASE_PACKAGE=gitlab-ee",
             "RELEASE_VERSION=12.121.12-ee.0",
-            "DOWNLOAD_URL=https://gitlab.com/api/v4/projects/20699/jobs/999999/artifacts/pkg/ubuntu-jammy/gitlab-ee_12.121.12-ee.0_amd64.deb",
+            "DOWNLOAD_URL_amd64=https://gitlab.com/api/v4/projects/20699/jobs/999999/artifacts/pkg/ubuntu-jammy/gitlab-ee_12.121.12-ee.0_amd64.deb",
+            "DOWNLOAD_URL_arm64=https://gitlab.com/api/v4/projects/20699/jobs/999999/artifacts/pkg/ubuntu-jammy_aarch64/gitlab-ee_12.121.12-ee.0_arm64.deb",
             "CI_JOB_TOKEN=NOT-CI-JOB-TOKEN\n"
           ].join("\n")
         end