feat(cmd/rofl): Add support for Dockerized builders

Author: kostko

build/cargo/cargo.go

@@ -8,6 +8,8 @@ import (
 	"os/exec"
 	"slices"
 	"strings"
+
+	"github.com/oasisprotocol/cli/build/env"
 )
 
 // Metadata is the cargo package metadata.
@@ -42,12 +44,15 @@ func (d *Dependency) HasFeature(feature string) bool {
 }
 
 // GetMetadata queries `cargo` for metadata of the package in the current working directory.
-func GetMetadata() (*Metadata, error) {
+func GetMetadata(env env.ExecEnv) (*Metadata, error) {
 	cmd := exec.Command("cargo", "metadata", "--no-deps", "--format-version", "1")
 	stdout, err := cmd.StdoutPipe()
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize metadata process: %w", err)
 	}
+	if err = env.WrapCommand(cmd); err != nil {
+		return nil, err
+	}
 	if err = cmd.Start(); err != nil {
 		return nil, fmt.Errorf("failed to start metadata process: %w", err)
 	}
@@ -105,8 +110,8 @@ func GetMetadata() (*Metadata, error) {
 }
 
 // Build builds a Rust program using `cargo` in the current working directory.
-func Build(release bool, target string, features []string) (string, error) {
-	args := []string{"build"}
+func Build(env env.ExecEnv, release bool, target string, features []string) (string, error) {
+	args := []string{"build", "--locked"}
 	if release {
 		args = append(args, "--release")
 	}
@@ -128,6 +133,9 @@ func Build(release bool, target string, features []string) (string, error) {
 	var stderr bytes.Buffer
 	cmd.Stderr = &stderr
 
+	if err = env.WrapCommand(cmd); err != nil {
+		return "", err
+	}
 	if err = cmd.Start(); err != nil {
 		return "", fmt.Errorf("failed to start build process: %w", err)
 	}
@@ -171,5 +179,9 @@ func Build(release bool, target string, features []string) (string, error) {
 	if executable == "" {
 		return "", fmt.Errorf("no executable generated")
 	}
+	executable, err = env.PathFromEnv(executable)
+	if err != nil {
+		return "", fmt.Errorf("failed to map executable path: %w", err)
+	}
 	return executable, nil
 }

build/env/base.go

@@ -0,0 +1,47 @@
+package env
+
+import (
+	"os"
+	"path/filepath"
+)
+
+// GetBasedir finds the Git repository root directory and use that as base. If one cannot be found,
+// uses the current working directory.
+func GetBasedir() (string, error) {
+	wd, err := os.Getwd()
+	if err != nil {
+		return "", err
+	}
+
+	dir := getGitRoot(wd)
+	if dir != "" {
+		return dir, nil
+	}
+	return wd, nil
+}
+
+func getGitRoot(dir string) string {
+	currentDir := dir
+
+	for {
+		entries, err := os.ReadDir(currentDir)
+		if err != nil {
+			return ""
+		}
+
+		for _, de := range entries {
+			if !de.IsDir() {
+				continue
+			}
+			if de.Name() == ".git" {
+				return currentDir
+			}
+		}
+
+		parentDir := filepath.Dir(currentDir)
+		if parentDir == currentDir {
+			return ""
+		}
+		currentDir = parentDir
+	}
+}

build/env/env.go

@@ -0,0 +1,187 @@
+package env
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+)
+
+// ExecEnv is an execution environment.
+type ExecEnv interface {
+	// WrapCommand modifies an existing `exec.Cmd` such that it runs in this environment.
+	WrapCommand(cmd *exec.Cmd) error
+
+	// PathFromEnv converts the given path from inside the environment into a path outside the
+	// environment.
+	PathFromEnv(path string) (string, error)
+
+	// PathToEnv converts the given path from outside the environment into a path inside the
+	// environment.
+	PathToEnv(path string) (string, error)
+
+	// FixPermissions ensures that the user executing this process owns the file at the given path
+	// outside the environment.
+	FixPermissions(path string) error
+
+	// HasBinary returns true iff the given binary name is available in this environment.
+	HasBinary(name string) bool
+}
+
+// PlainEnv is a plain execution environment that executes all commands directly.
+type PlainEnv struct{}
+
+// NewPlainEnv creates a new plain execution environment.
+func NewPlainEnv() *PlainEnv {
+	return &PlainEnv{}
+}
+
+// WrapCommand implements ExecEnv.
+func (pe *PlainEnv) WrapCommand(*exec.Cmd) error {
+	return nil
+}
+
+// PathFromEnv implements ExecEnv.
+func (pe *PlainEnv) PathFromEnv(path string) (string, error) {
+	return path, nil
+}
+
+// PathToEnv implements ExecEnv.
+func (pe *PlainEnv) PathToEnv(path string) (string, error) {
+	return path, nil
+}
+
+// FixPermissions implements ExecEnv.
+func (pe *PlainEnv) FixPermissions(string) error {
+	return nil
+}
+
+// HasBinary implements ExecEnv.
+func (pe *PlainEnv) HasBinary(name string) bool {
+	path, err := exec.LookPath(name)
+	return err == nil && path != ""
+}
+
+// DockerEnv is a Docker-based execution environment that executes all commands inside a Docker
+// container using the configured image.
+type DockerEnv struct {
+	image   string
+	volumes map[string]string
+}
+
+// NewDockerEnv creates a new Docker-based execution environment.
+func NewDockerEnv(image, baseDir, dirMount string) *DockerEnv {
+	return &DockerEnv{
+		image: image,
+		volumes: map[string]string{
+			baseDir: dirMount,
+		},
+	}
+}
+
+// AddDirectory exposes a host directory to the container under the same path.
+func (de *DockerEnv) AddDirectory(path string) {
+	de.volumes[path] = path
+}
+
+// WrapCommand implements ExecEnv.
+func (de *DockerEnv) WrapCommand(cmd *exec.Cmd) error {
+	origArgs := cmd.Args
+
+	var err error
+	wd := cmd.Dir
+	if wd == "" {
+		wd, err = os.Getwd()
+		if err != nil {
+			return err
+		}
+	}
+	workDir, err := de.PathToEnv(wd)
+	if err != nil {
+		return fmt.Errorf("bad working directory: %w", err)
+	}
+
+	var envArgs []string //nolint: prealloc
+	for _, envKV := range cmd.Env {
+		envArgs = append(envArgs, "--env", envKV)
+	}
+	// When no environment is set, copy over any OASIS_ and ROFL_ variables.
+	if len(cmd.Env) == 0 {
+		for _, envKV := range os.Environ() {
+			if !strings.HasPrefix(envKV, "OASIS_") && !strings.HasPrefix(envKV, "ROFL_") {
+				continue
+			}
+			envArgs = append(envArgs, "--env", envKV)
+		}
+	}
+
+	cmd.Path, err = exec.LookPath("docker")
+	if err != nil {
+		return fmt.Errorf("failed to find 'docker': %w", err)
+	}
+
+	cmd.Args = []string{
+		"docker", "run",
+		"--rm",
+		"--platform", "linux/amd64",
+		"--workdir", workDir,
+	}
+	for hostDir, bindDir := range de.volumes {
+		cmd.Args = append(cmd.Args, "--volume", hostDir+":"+bindDir)
+	}
+	cmd.Args = append(cmd.Args, envArgs...)
+	cmd.Args = append(cmd.Args, de.image)
+	cmd.Args = append(cmd.Args, origArgs...)
+
+	return nil
+}
+
+// PathFromEnv implements ExecEnv.
+func (de *DockerEnv) PathFromEnv(path string) (string, error) {
+	for hostDir, bindDir := range de.volumes {
+		if !strings.HasPrefix(path, bindDir) {
+			continue
+		}
+		relPath, err := filepath.Rel(bindDir, path)
+		if err != nil {
+			return "", fmt.Errorf("bad path: %w", err)
+		}
+		return filepath.Join(hostDir, relPath), nil
+	}
+	return "", fmt.Errorf("bad path '%s'", path)
+}
+
+// PathToEnv implements ExecEnv.
+func (de *DockerEnv) PathToEnv(path string) (string, error) {
+	for hostDir, bindDir := range de.volumes {
+		if !strings.HasPrefix(path, hostDir) {
+			continue
+		}
+		relPath, err := filepath.Rel(hostDir, path)
+		if err != nil {
+			return "", fmt.Errorf("bad path: %w", err)
+		}
+		return filepath.Join(bindDir, relPath), nil
+	}
+	return "", fmt.Errorf("bad path '%s'", path)
+}
+
+// FixPermissions implements ExecEnv.
+func (de *DockerEnv) FixPermissions(path string) error {
+	path, err := de.PathToEnv(path)
+	if err != nil {
+		return err
+	}
+
+	cmd := exec.Command("chown", fmt.Sprintf("%d:%d", os.Getuid(), os.Getgid()), path) //nolint: gosec
+	if err = de.WrapCommand(cmd); err != nil {
+		return err
+	}
+	return cmd.Run()
+}
+
+// HasBinary implements ExecEnv.
+func (de *DockerEnv) HasBinary(string) bool {
+	return true
+}

build/rofl/manifest.go

@@ -395,11 +395,13 @@ func (e *StorageConfig) Validate() error {
 
 // ArtifactsConfig is the artifact location override configuration.
 type ArtifactsConfig struct {
-	// Firmware is the URI/path to the firmware artifact (empty to use default).
+	// Builder is the OCI reference to the builder container image. Empty to not use a builder.
+	Builder string `yaml:"builder,omitempty" json:"builder,omitempty"`
+	// Firmware is the URI/path to the firmware artifact.
 	Firmware string `yaml:"firmware,omitempty" json:"firmware,omitempty"`
-	// Kernel is the URI/path to the kernel artifact (empty to use default).
+	// Kernel is the URI/path to the kernel artifact.
 	Kernel string `yaml:"kernel,omitempty" json:"kernel,omitempty"`
-	// Stage2 is the URI/path to the stage 2 disk artifact (empty to use default).
+	// Stage2 is the URI/path to the stage 2 disk artifact.
 	Stage2 string `yaml:"stage2,omitempty" json:"stage2,omitempty"`
 	// Container is the container artifacts configuration.
 	Container ContainerArtifactsConfig `yaml:"container,omitempty" json:"container,omitempty"`

build/sgxs/sgxs.go

@@ -4,12 +4,14 @@ package sgxs
 import (
 	"os/exec"
 	"strconv"
+
+	"github.com/oasisprotocol/cli/build/env"
 )
 
 // Elf2Sgxs converts an ELF binary built for the SGX ABI into an SGXS binary.
 //
 // It requires the `ftxsgx-elf2sgxs` utility to be installed.
-func Elf2Sgxs(elfSgxPath, sgxsPath string, heapSize, stackSize, threads uint64) error {
+func Elf2Sgxs(buildEnv env.ExecEnv, elfSgxPath, sgxsPath string, heapSize, stackSize, threads uint64) error {
 	args := []string{
 		elfSgxPath,
 		"--heap-size", strconv.FormatUint(heapSize, 10),
@@ -19,5 +21,8 @@ func Elf2Sgxs(elfSgxPath, sgxsPath string, heapSize, stackSize, threads uint64)
 	}
 
 	cmd := exec.Command("ftxsgx-elf2sgxs", args...)
+	if err := buildEnv.WrapCommand(cmd); err != nil {
+		return err
+	}
 	return cmd.Run()
 }