Simplify

Author: ptrus

.github/workflows/docker-rofl-container-builder.yml

@@ -0,0 +1,84 @@
+name: docker-rofl-container-builder
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - docker/rofl-container-builder/**
+      - .github/workflows/docker-rofl-container-builder.yml
+    tags:
+      - 'rofl-container-builder/v[0-9]+.[0-9]+*'
+  pull_request:
+    paths:
+      - docker/rofl-container-builder/**
+      - .github/workflows/docker-rofl-container-builder.yml
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-rofl-container-builder:
+    name: build-rofl-container-builder
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Determine tag name
+        id: determine-tag
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "tag=pr-${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # Trim rofl-container-builder/v prefix from tag
+            TAG="${{ github.ref_name }}"
+            TAG="${TAG#rofl-container-builder/v}"
+            echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=latest" >> "$GITHUB_OUTPUT"
+          fi
+          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Build and push oasisprotocol/rofl-container-builder:${{ steps.determine-tag.outputs.tag }}"
+        uses: docker/build-push-action@v6
+        with:
+          context: docker/rofl-container-builder
+          file: docker/rofl-container-builder/Dockerfile
+          tags: ghcr.io/oasisprotocol/rofl-container-builder:${{ steps.determine-tag.outputs.tag }}
+          pull: true
+          push: true
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.determine-tag.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+
+  prune-old-images:
+    name: prune-old-images
+    if: ${{ always() }}
+    needs: [build-rofl-container-builder]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prune old ghcr.io/oasisprotocol/rofl-container-builder images
+        uses: vlaurin/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          organization: oasisprotocol
+          container: rofl-container-builder
+          keep-younger-than: 7
+          keep-last: 2
+          prune-tags-regexes: ^pr-

build/rofl/artifacts.go

@@ -1,7 +1,12 @@
 package rofl
 
-// LatestBuilderImage is the latest builder container image to use when building ROFL apps.
-const LatestBuilderImage = "ghcr.io/oasisprotocol/rofl-dev:v0.5.0@sha256:31573686552abeb0edebc450f6872831f0006a6cf38220cef7e0789d4376c2c1"
+// Builder images for different app kinds.
+const (
+	// LatestBuilderImage is the full builder with Rust toolchain for raw apps.
+	LatestBuilderImage = "ghcr.io/oasisprotocol/rofl-dev:v0.5.0@sha256:31573686552abeb0edebc450f6872831f0006a6cf38220cef7e0789d4376c2c1"
+	// LatestContainerBuilderImage is the minimal builder for container apps.
+	LatestContainerBuilderImage = "ghcr.io/oasisprotocol/rofl-container-builder:0.0.1@sha256:913ef97ab07dde31f08ce873f825bf3d4f32ad4102ff5797d7c3050c121c4dce"
+)
 
 // LatestBasicArtifacts are the latest TDX ROFL basic app artifacts.
 var LatestBasicArtifacts = ArtifactsConfig{

cmd/rofl/build/artifacts.go

@@ -137,18 +137,33 @@ func cleanEnvForReproducibility() []string {
 	return append(env, "LC_ALL=C", "TZ=UTC", "SOURCE_DATE_EPOCH=0")
 }
 
-// ExtraFile represents a file to be injected into the rootfs.
-type ExtraFile struct {
-	HostPath string      // Path on host filesystem
-	TarPath  string      // Path inside the tar/rootfs (e.g., "init" or "etc/config")
-	Mode     os.FileMode // File mode (e.g., 0o755 for executables)
+// extraFile represents a file to be injected into the rootfs.
+type extraFile struct {
+	HostPath string
+	TarPath  string
+	Mode     os.FileMode
+}
+
+// normalizeHeader normalizes a tar header for reproducible builds.
+// Uses GNU format because sqfstar < 4.6 has a bug with PAX headers
+// that incorrectly strips pathname components in linkpath for symlinks.
+func normalizeHeader(header *tar.Header) {
+	header.Format = tar.FormatGNU
+	header.Uid = 0
+	header.Gid = 0
+	header.Uname = ""
+	header.Gname = ""
+	header.ModTime = time.Unix(0, 0)
+	header.AccessTime = time.Time{}
+	header.ChangeTime = time.Time{}
+	header.PAXRecords = nil
 }
 
 // createSquashFsFromTar creates a squashfs filesystem by streaming a tar.bz2 template
 // and injecting extra files, without extracting to disk.
 //
 // Returns the size of the created filesystem image in bytes.
-func createSquashFsFromTar(buildEnv env.ExecEnv, outputFn, templateFn string, extraFiles []ExtraFile) (int64, error) {
+func createSquashFsFromTar(buildEnv env.ExecEnv, outputFn, templateFn string, extraFiles []extraFile) (int64, error) {
 	const (
 		sqfstarBin  = "sqfstar"
 		fakerootBin = "fakeroot"
@@ -216,114 +231,83 @@ func createSquashFsFromTar(buildEnv env.ExecEnv, outputFn, templateFn string, ex
 	tarHasher := sha256.New()
 	tarWriter := tar.NewWriter(io.MultiWriter(stdinPipe, tarHasher))
 
+	// Ensure cleanup on error.
+	var cmdErr error
+	defer func() {
+		if cmdErr != nil {
+			tarWriter.Close()
+			stdinPipe.Close()
+			cmd.Wait() //nolint:errcheck
+		}
+	}()
+
 	// Build a map of extra files by their tar path for quick lookup.
-	extraFileMap := make(map[string]ExtraFile)
+	extraFileMap := make(map[string]extraFile)
 	for _, ef := range extraFiles {
 		extraFileMap[ef.TarPath] = ef
 	}
 
-	// Copy entries from template, potentially skipping ones we'll replace.
+	// Copy entries from template, skipping ones we'll replace.
 	for {
 		header, err := tarReader.Next()
 		if errors.Is(err, io.EOF) {
 			break
 		}
 		if err != nil {
-			tarWriter.Close()
-			stdinPipe.Close()
-			cmd.Wait() //nolint:errcheck
-			return 0, fmt.Errorf("error reading template archive: %w", err)
-		}
-
-		// Skip PAX/GNU special headers - these are metadata entries that tar.Reader
-		// normally handles internally, but if we see them we should not emit them.
-		// They have bodies that must be drained.
-		switch header.Typeflag {
-		case tar.TypeXHeader, tar.TypeXGlobalHeader, tar.TypeGNULongName, tar.TypeGNULongLink:
-			//nolint:gosec // G110: This is trusted input from our own template archives.
-			if _, err := io.Copy(io.Discard, tarReader); err != nil {
-				tarWriter.Close()
-				stdinPipe.Close()
-				cmd.Wait() //nolint:errcheck
-				return 0, fmt.Errorf("failed to skip special header content: %w", err)
-			}
-			continue
+			cmdErr = fmt.Errorf("error reading template archive: %w", err)
+			return 0, cmdErr
 		}
 
-		// Normalize the path (remove leading ./).
+		// Normalize the path.
 		cleanPath := strings.TrimPrefix(header.Name, "./")
 
 		// Skip if this path will be replaced by an extra file.
 		if _, willReplace := extraFileMap[cleanPath]; willReplace {
-			// Skip this entry, we'll add the replacement later.
-			if header.Typeflag == tar.TypeReg || header.Typeflag == tar.TypeRegA { //nolint:staticcheck // TypeRegA for backward compat
-				// Drain the content.
-				//nolint:gosec // G110: This is trusted input from our own template archives.
-				if _, err := io.Copy(io.Discard, tarReader); err != nil {
-					tarWriter.Close()
-					stdinPipe.Close()
-					cmd.Wait() //nolint:errcheck
-					return 0, fmt.Errorf("failed to skip replaced file content: %w", err)
-				}
-			}
 			continue
 		}
 
 		// Normalize header for reproducibility.
-		// Use GNU format because sqfstar < 4.6 has a bug with PAX headers
-		// that incorrectly strips pathname components in linkpath for symlinks.
-		header.Format = tar.FormatGNU
-		header.Uid = 0
-		header.Gid = 0
-		header.Uname = ""
-		header.Gname = ""
-		header.ModTime = time.Unix(0, 0)
-		header.AccessTime = time.Time{} // Zero value = not set
-		header.ChangeTime = time.Time{} // Zero value = not set
-		header.PAXRecords = nil
+		normalizeHeader(header)
 
 		if err := tarWriter.WriteHeader(header); err != nil {
-			tarWriter.Close()
-			stdinPipe.Close()
-			cmd.Wait() //nolint:errcheck
-			return 0, fmt.Errorf("failed to write tar header: %w", err)
+			cmdErr = fmt.Errorf("failed to write tar header: %w", err)
+			return 0, cmdErr
 		}
 
-		// Copy body for entry types that have content (regular files).
-		if header.Typeflag == tar.TypeReg || header.Typeflag == tar.TypeRegA { //nolint:staticcheck // TypeRegA for backward compat
-			//nolint:gosec // G110: This is trusted input from our own template archives.
-			if _, err := io.Copy(tarWriter, tarReader); err != nil {
-				tarWriter.Close()
-				stdinPipe.Close()
-				cmd.Wait() //nolint:errcheck
-				return 0, fmt.Errorf("failed to copy file content: %w", err)
+		// Copy body for regular files.
+		if header.Typeflag == tar.TypeReg {
+			const maxFileSize = 500 * 1024 * 1024 // 500 MB sanity limit
+			if header.Size > maxFileSize {
+				cmdErr = fmt.Errorf("file too large: %s (%d bytes)", header.Name, header.Size)
+				return 0, cmdErr
+			}
+			if _, err := io.Copy(tarWriter, io.LimitReader(tarReader, header.Size)); err != nil {
+				cmdErr = fmt.Errorf("failed to copy file content: %w", err)
+				return 0, cmdErr
 			}
 		}
 	}
 
 	// Add extra files.
 	for _, ef := range extraFiles {
 		if err := addFileToTar(tarWriter, ef.HostPath, ef.TarPath, ef.Mode); err != nil {
-			tarWriter.Close()
-			stdinPipe.Close()
-			cmd.Wait() //nolint:errcheck
-			return 0, fmt.Errorf("failed to add extra file %s: %w", ef.TarPath, err)
+			cmdErr = fmt.Errorf("failed to add extra file %s: %w", ef.TarPath, err)
+			return 0, cmdErr
 		}
 	}
 
 	// Close tar writer and stdin pipe.
 	if err := tarWriter.Close(); err != nil {
-		stdinPipe.Close()
-		cmd.Wait() //nolint:errcheck
-		return 0, fmt.Errorf("failed to close tar writer: %w", err)
+		cmdErr = fmt.Errorf("failed to close tar writer: %w", err)
+		return 0, cmdErr
 	}
 
 	// Print tar hash for verification.
 	fmt.Printf("TAR archive SHA256: %s\n", hex.EncodeToString(tarHasher.Sum(nil)))
 
 	if err := stdinPipe.Close(); err != nil {
-		cmd.Wait() //nolint:errcheck
-		return 0, fmt.Errorf("failed to close stdin pipe: %w", err)
+		cmdErr = fmt.Errorf("failed to close stdin pipe: %w", err)
+		return 0, cmdErr
 	}
 
 	// Wait for sqfstar to finish.
@@ -353,15 +337,12 @@ func addFileToTar(tw *tar.Writer, hostPath, tarPath string, mode os.FileMode) er
 	}
 
 	header := &tar.Header{
-		Format:   tar.FormatGNU,
 		Name:     "./" + tarPath,
 		Mode:     int64(mode),
 		Size:     fi.Size(),
-		Uid:      0,
-		Gid:      0,
-		ModTime:  time.Unix(0, 0),
 		Typeflag: tar.TypeReg,
 	}
+	normalizeHeader(header)
 
 	if err := tw.WriteHeader(header); err != nil {
 		return fmt.Errorf("failed to write header: %w", err)

cmd/rofl/build/container.go

@@ -33,8 +33,8 @@ func tdxBuildContainer(
 	// Use the pre-built container runtime.
 	initPath := artifacts[artifactContainerRuntime]
 
-	stage2, err := tdxPrepareStage2(buildEnv, tmpDir, artifacts, initPath, map[string]string{
-		artifacts[artifactContainerCompose]: "etc/oasis/containers/compose.yaml",
+	stage2, err := tdxPrepareStage2(buildEnv, tmpDir, artifacts, initPath, []extraFile{
+		{HostPath: artifacts[artifactContainerCompose], TarPath: "etc/oasis/containers/compose.yaml", Mode: 0o644},
 	})
 	if err != nil {
 		return err

cmd/rofl/build/tdx.go

@@ -132,7 +132,7 @@ func tdxPrepareStage2(
 	tmpDir string,
 	artifacts map[string]string,
 	initPath string,
-	extraFiles map[string]string,
+	extraFiles []extraFile,
 ) (*tdxStage2, error) {
 	fmt.Println("Preparing stage 2 root filesystem...")
 
@@ -144,12 +144,10 @@ func tdxPrepareStage2(
 	fmt.Printf("Runtime hash: %s\n", initHash)
 
 	// Build list of files to inject into the rootfs.
-	filesToInject := []ExtraFile{
+	filesToInject := []extraFile{
 		{HostPath: initPath, TarPath: "init", Mode: 0o755},
 	}
-	for src, dst := range extraFiles {
-		filesToInject = append(filesToInject, ExtraFile{HostPath: src, TarPath: dst, Mode: 0o644})
-	}
+	filesToInject = append(filesToInject, extraFiles...)
 
 	// Create the root filesystem by streaming template and injecting files.
 	fmt.Println("Creating squashfs filesystem...")

cmd/rofl/mgmt.go

@@ -121,16 +121,15 @@ var (
 				switch appKind {
 				case buildRofl.AppKindRaw:
 					artifacts := buildRofl.LatestBasicArtifacts // Copy.
+					artifacts.Builder = buildRofl.LatestBuilderImage
 					manifest.Artifacts = &artifacts
 				case buildRofl.AppKindContainer:
 					artifacts := buildRofl.LatestContainerArtifacts // Copy.
+					artifacts.Builder = buildRofl.LatestContainerBuilderImage
 					artifacts.Container.Compose = detectOrCreateComposeFile()
 					manifest.Artifacts = &artifacts
 				default:
 				}
-				if manifest.Artifacts != nil {
-					manifest.Artifacts.Builder = buildRofl.LatestBuilderImage
-				}
 			default:
 			}
 
@@ -564,11 +563,12 @@ var (
 				switch manifest.Kind {
 				case buildRofl.AppKindRaw:
 					latestArtifacts = buildRofl.LatestBasicArtifacts // Copy.
+					latestArtifacts.Builder = buildRofl.LatestBuilderImage
 				case buildRofl.AppKindContainer:
 					latestArtifacts = buildRofl.LatestContainerArtifacts // Copy.
+					latestArtifacts.Builder = buildRofl.LatestContainerBuilderImage
 				default:
 				}
-				latestArtifacts.Builder = buildRofl.LatestBuilderImage
 			default:
 			}
 

docker/rofl-container-builder/Dockerfile

@@ -0,0 +1,15 @@
+FROM debian:bookworm-slim
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -qq && \
+    apt-get install -qq --no-install-recommends \
+        squashfs-tools \
+        cryptsetup-bin \
+        qemu-utils \
+        fakeroot \
+    && apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+VOLUME /src
+WORKDIR /src