diff --git a/Makefile.toml b/Makefile.toml index f7b5ce06082..a536e6cc8d3 100644 --- a/Makefile.toml +++ b/Makefile.toml @@ -57,6 +57,8 @@ script = [ ''' set -o pipefail if ! docker image inspect ${BUILDSYS_SDK_IMAGE} >/dev/null 2>&1 ; then + # Let curl resolve the certificates instead of the tasks resolved bundle. + unset SSL_CERT_FILE SSL_CERT_DIR if ! curl https://thar-upstream-lookaside-cache.s3.us-west-2.amazonaws.com/${BUILDSYS_SDK_IMAGE}.tar.gz \ | gunzip | docker load ; then echo "failed to load '${BUILDSYS_SDK_IMAGE}'" >&2 diff --git a/bin/amiize.sh b/bin/amiize.sh index d69b19a55fd..7166a0be369 100755 --- a/bin/amiize.sh +++ b/bin/amiize.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # Register partitioned root and data images as an AMI in EC2. # Only registers with HVM virtualization type and GP2 EBS volume type. @@ -106,6 +106,7 @@ $(basename "${0}") [ --root-volume-size 1234 ] [ --data-volume-size 5678 ] [ --security-group-name default | --security-group-id sg-abcdef1234 ] + [ --write-output-dir output-dir ] Registers the given images as an AMI in the given EC2 region. @@ -130,6 +131,9 @@ Optional: --security-group-id The ID of a security group name that allows SSH access from this host --security-group-name The name of a security group name that allows SSH access from this host (defaults to "default" if neither name nor ID are specified) + --write-output-dir The directory to write out IDs into attribute named files. + (not written out to anywhere other than log otherwise) + EOF } @@ -161,6 +165,7 @@ parse_args() { --data-volume-size ) shift; DATA_VOLUME_SIZE="${1}" ;; --security-group-name ) shift; SECURITY_GROUP_NAME="${1}" ;; --security-group-id ) shift; SECURITY_GROUP_ID="${1}" ;; + --write-output-dir ) shift; WRITE_OUTPUT_DIR="${1}" ;; --help ) usage; exit 0 ;; *) @@ -323,6 +328,19 @@ check_return() { return 0 } +# Helper to conditionally write out attribute if WRITE_OUTPUT_DIR is +# configured. +write_output() { + local name="$1" + local value="$2" + + if [[ -z "${WRITE_OUTPUT_DIR}" ]]; then + return + fi + + mkdir -p "${WRITE_OUTPUT_DIR}/$(dirname "$name")" + echo -n "$value" > "${WRITE_OUTPUT_DIR}/${name}" +} # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= @@ -623,6 +641,7 @@ while true; do echo "* Warning: Could not delete root volume!" # Don't die though, we got what we want... fi + write_output "root_snapshot_id" "$root_snapshot" if aws ec2 delete-volume \ --output text \ @@ -635,6 +654,7 @@ while true; do echo "* Warning: Could not delete data volume!" # Don't die though, we got what we want... fi + write_output "data_snapshot_id" "$data_snapshot" # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= @@ -657,6 +677,8 @@ while true; do check_return ${?} "AMI registration failed!" || continue echo "Registered ${registered_ami}" + write_output "ami_id" "$registered_ami" + echo "Waiting for the AMI to appear in a describe query" waits=0 while [ ${waits} -lt 20 ]; do diff --git a/bin/upload-sources b/bin/upload-sources index cb25185577d..e7bbf21d708 100755 --- a/bin/upload-sources +++ b/bin/upload-sources @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail diff --git a/tools/docker-go b/tools/docker-go index 25c52005a1a..15516443fc4 100755 --- a/tools/docker-go +++ b/tools/docker-go @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # Helper script for running commands in a golang build/runtime environment for testing/vendoring/building a go module diff --git a/tools/gen-docs.sh b/tools/gen-docs.sh index 2ae32cea42f..a83dd20c858 100755 --- a/tools/gen-docs.sh +++ b/tools/gen-docs.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash DOCS=(START.md README.md INSTALL.md CHANGELOG.md extras/dogswatch/README.md) EXTRAS=(extras/dogswatch/{dogswatch,dev/deployment}.yaml) diff --git a/tools/infra/buildspec/infra-pr-build.yml b/tools/infra/buildspec/infra-pr-build.yml index 62e7042a6fe..17e4c25e74d 100644 --- a/tools/infra/buildspec/infra-pr-build.yml +++ b/tools/infra/buildspec/infra-pr-build.yml @@ -8,4 +8,4 @@ env: phases: build: commands: - - make -C "$INFRA_DIR/stacks" --keep-going validate + - make -C "$INFRA_DIR/stacks" --keep-going validate check diff --git a/tools/infra/buildspec/thar-develop-pipeline-test.yml b/tools/infra/buildspec/thar-develop-pipeline-test.yml index 30e824d0f06..c40747f74c8 100644 --- a/tools/infra/buildspec/thar-develop-pipeline-test.yml +++ b/tools/infra/buildspec/thar-develop-pipeline-test.yml @@ -1,21 +1,9 @@ version: 0.2 -env: - variables: - # Path to infra tooling directory. - INFRA_DIR: "./tools/infra" - phases: - install: - runtime-versions: - docker: 18 - commands: - - . "${INFRA_DIR}/env/lib/environment-setup" - - . setup-rust-builder - # TODO: rely on libsystemd in build container instead, see #545 - - apt install -y libsystemd-dev pre_build: commands: + - start-build-environment - environment-report - write-build-meta build: diff --git a/tools/infra/buildspec/thar-pr-build.yml b/tools/infra/buildspec/thar-pr-build.yml index 2c793d43bcf..5038b9ed12e 100644 --- a/tools/infra/buildspec/thar-pr-build.yml +++ b/tools/infra/buildspec/thar-pr-build.yml @@ -1,31 +1,21 @@ version: 0.2 -env: - variables: - # Path to infra tooling directory. - INFRA_DIR: "./tools/infra" - phases: - install: - runtime-versions: - docker: 18 - commands: - - . "${INFRA_DIR}/env/lib/environment-setup" - - . setup-rust-builder pre_build: commands: + - start-build-environment - environment-report - write-build-meta build: commands: - # Retry fetches a few times before failing - - retry 2 'fetch dependencies' -- cargo make fetch - cargo make world artifacts: base-directory: 'build/' files: - '*.img*' + - '*.ext4*' + - '*.verity*' secondary-artifacts: meta: base-directory: 'build/meta' diff --git a/tools/infra/container/.dockerignore b/tools/infra/container/.dockerignore new file mode 100644 index 00000000000..f3c7a7c5da6 --- /dev/null +++ b/tools/infra/container/.dockerignore @@ -0,0 +1 @@ +Makefile diff --git a/tools/infra/container/Dockerfile.builder b/tools/infra/container/Dockerfile.builder new file mode 100644 index 00000000000..bc48992bcc2 --- /dev/null +++ b/tools/infra/container/Dockerfile.builder @@ -0,0 +1,36 @@ +# Dockerfile.builder - Base build environment container image +# +# The builder image provides an environment in which packages and images may be +# built. This includes the necessary compilers, libraries, services, and +# executable dependencies used in the course of the build process. +# +# Facilitating scripts may be found in the ./runtime and ./scripts directory +# where scripts are generally participants in the build of the environment. +# +FROM amazonlinux:2 as base +RUN yum update -y \ + && yum groupinstall -y 'Development Tools' \ + && yum install -y socat procps-ng awscli jq openssh rsync systemd-devel \ + && amazon-linux-extras enable docker \ + && yum install -y docker amazon-ecr-credential-helper \ + && yum clean all \ + && rm -rf /var/cache/yum /var/cache/amzn2extras +RUN install -D /dev/null /root/.docker/config.json \ + && echo '{ "credsStore": "ecr-login" }' >> /root/.docker/config.json + +FROM base +ENV PATH="$PATH:/build/runtime/bin:/build/scripts:/build/.cargo/bin" +ENV CARGO_HOME="/build/.cargo" +ENV RUNTIME_SCRIPT_LIB="/build/runtime/lib" + +COPY scripts /build/scripts +COPY runtime /build/runtime +WORKDIR /build + +RUN install-rust && configure-rust && install-crates + +COPY builder/entrypoint.sh /build/entrypoint.sh + +ENTRYPOINT ["/build/entrypoint.sh"] + +CMD [ "bash" ] diff --git a/tools/infra/container/Makefile b/tools/infra/container/Makefile new file mode 100644 index 00000000000..7fbae8be7f4 --- /dev/null +++ b/tools/infra/container/Makefile @@ -0,0 +1,50 @@ +# SHELL is bash, silly sh. +SHELL = bash +# DOCKERFILES are the detected container images that are being worked +# with. It is expected that NAME be part of the file name, as in +# Dockerfile.NAME, which is used throughout the infrastructure. +DOCKERFILES = $(filter-out %~,$(wildcard Dockerfile.*)) +# NAMES are the detected NAMES given the provided Dockerfiles. +NAMES = $(DOCKERFILES:Dockerfile.%=%) +# IMAGE_REPO_PREFIX is prepended to the image's tag. In the case of +# `push', the IMAGE_REPO_PREFIX provides the ECR repository URI prefix +# for each image. +IMAGE_REPO_PREFIX ?= infra/ +# IMAGE_TAG provides the registry/image-name:IMAGE_TAG portion of the +# URI tagged to images. +IMAGE_TAG ?= develop +# IMAGE_NAME is the name that the container image is tagged with. +IMAGE_NAME ?= $(IMAGE_REPO_PREFIX)$(NAME):$(IMAGE_TAG) +# ECR_URI_PREFIX is the ECR URI prefix based on the resolved builder +# image URI which, like other container images, is discoverable under +# its in-region SSM parameter - so we can lob off the builder part and +# use it as our model for the pushed repository name. +ECR_URI_PREFIX = $(shell aws ssm get-parameter --name /infra/container/infra/builder --query Parameter.Value --output text | sed 's/builder$$//') +# ECR_NAME_PREFIX provides a prefix to derive the ECR repository-name +# (the attribute) from the images' NAME - the infra/ prefix is +# conventional across automations' consumed images. +ECR_NAME_PREFIX ?= infra/ + +.DEFAULT: all +.PHONY: force all release $(NAMES) +force: + +all: $(if $(NAME),$(NAME),$(NAMES)) + +$(NAMES) : NAME = $@ +$(NAMES): force + @echo "Building container image for '$(NAME)'" + docker build -t $(IMAGE_NAME) -f Dockerfile.$(NAME) . + +# Push images (must explicitly provide IMAGE_TAG=release to be pulled +# by consumers). +push: IMAGE_REPO_PREFIX = $(ECR_URI_PREFIX) +push: IMAGE_TAG = staging +push: all + @echo "Pushing container images with tag '$(IMAGE_TAG)'" + @echo "Images: $(foreach NAME,$(NAMES),$(IMAGE_NAME))" + @$(foreach NAME,$(NAMES),\ + echo "Pushing '$(NAME)' to '$(IMAGE_NAME)'" && \ + aws ecr describe-repositories --repository-names $(ECR_NAME_PREFIX)$(NAME) &> /dev/null \ + && docker push $(IMAGE_NAME) \ + || echo "Could not push $(NAME) to ECR repository as $(IMAGE_NAME)";) diff --git a/tools/infra/container/README.md b/tools/infra/container/README.md new file mode 100644 index 00000000000..37b3ee2d8dc --- /dev/null +++ b/tools/infra/container/README.md @@ -0,0 +1,61 @@ +# Container Environments + +Container images, defined in this directory, provide environments for infra's build and automation needs. + +## Images + +Each image is defined in their own `Dockerfile` and suffixed with its name. For example the `builder` container - used in CI builds - is defined by `Dockerfile.builder`. +The containers copy in common resources and others as needed from this shared root context. + +**`builder` image** + +The `builder` image provides an environment in which packages and images may be built. +`builder`'s container image is created with all required dependencies used by the build driver, `buildsys`, and the supporting tools & scripts used by it (including many of the `cargo-make` tasks' dependencies). + +# Building + +## Development Images + +To all build images locally, a single `make` call can be made: + +```bash +make all +``` + +Each `Dockerfile.` can be built individually with `make $name` as needed. + +## Release Images (using a tag) + +As with the development images, all images may be built at once: + +```bash +make all IMAGE_TAG=release +``` + +To build a specific image, for instance named `builder`, `make` may be provided this name to build its release image: + +```bash +make all NAME=builder IMAGE_TAG=release +``` + +# Releasing + +The `push` target is provided to build & push release container images for use, at least in the context of build and release automation. + +The default target will prepare to push the images using the environment's AWS profile to confirm that the ECR repositories line up and subsequently pushing with a default of `IMAGE_TAG=staging`. +This invocation **will** push to the ECR repository, but with the image tagged as "staging". +Doing a push this way will stage the layers in the ECR repository so that subsequent pushes update lightweight references only (pushing a tag that refers to the same layers). + +``` bash +make push +``` + +To push a container image tagged as a release image, which is required for the CodeBuild project to use, the `IMAGE_TAG` must be set explicitly to the same tag that's configured to be pulled by projects. +If the release tag is `release`, then the call to `push` these images would be: + +``` bash +make push IMAGE_TAG=release +``` + +The `Makefile` target would then match the images to their respective ECR repositories, as before, and `docker push` to the images' respective repositories. +If the `make push IMAGE_TAG=release` followed an earlier `make push` then this the `make push IMAGE_TAG=release` call will simply update the references in the remote ECR repository to point to the same layers. diff --git a/tools/infra/container/builder/entrypoint.sh b/tools/infra/container/builder/entrypoint.sh new file mode 100755 index 00000000000..6c31cdf3d3d --- /dev/null +++ b/tools/infra/container/builder/entrypoint.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -e +start-build-environment +exec -- "$@" diff --git a/tools/infra/container/runtime/bin/create-image-ami b/tools/infra/container/runtime/bin/create-image-ami new file mode 100755 index 00000000000..de517852ee9 --- /dev/null +++ b/tools/infra/container/runtime/bin/create-image-ami @@ -0,0 +1,267 @@ +#!/usr/bin/env bash +# +# create-image-ami - Create an AMI from a build's image +# +# usage: +# +# create-image-ami +# +# Environment variable overrides for building, testing, and otherwise +# using this script (other variables, undocumented here, may be +# overridden also - see script below): +# +# BUILD_AMI_NAME +# +# Name the AMI exactly instead of calculating the image's name +# +# BUILD_REGION +# +# Region to create and register the AMI and its snapshots in. +# +# The region must be configured and provisioned with the +# required resources for both EC2 AMI creation and the SSM resources +# used for manipulating the launched image building instance. +# +# BUILD_IMAGE_ROOT, BUILD_IMAGE_DATA +# +# Paths, to the ROOT and DATA images respectively, for +# specifying exact disk images to use instead of relying on path +# construction. +# +# BUILD_INSTANCE_AMI, BUILD_INSTANCE_TYPE +# +# AMI ID and the EC2 Instance Type may be specified to +# explicitly choose an AMI and the Instance Type used to launch, +# instead of querying for the latest Amazon Linux 2 in-region +# AMI and the default EC2 Instance Type. +# +# KEYPAIR_NAME +# +# Name of the EC2 Key Pair (as named during creation or import) +# provisioned and accessible in the SSM Parameter (configured +# with KEYPAIR_PARAMETER). +# +# KEYPAIR_PARAMETER +# +# SSM Parameter Name (eg: "/Prod/ami-build/builder-ssh-key") +# that holds the Private SSH Key that corresponds to the EC2 Key +# Pair (specified in KEYPAIR_NAME) used to access the image +# building instance. +# + +set -o pipefail + +# BUILD_OUTPUT is the directory in which resource data will be written +# to as files. +BUILD_OUTPUT="${BUILD_OUTPUT:-build/ami}" +# BUILD_KEEP_OUTPUT can be set to non-nil to retain existing output in +# BUILD_OUTPUT. +BUILD_KEEP_OUTPUT="${BUILD_KEEP_OUTPUT:+yes}" +# BUILD_REGION is the region the image should be built in. +BUILD_REGION="${AWS_DEFAULT_REGION:-us-west-2}" +# BUILD_INSTANCE_TYPE is the instance type chosen to run the amiize +# build on. +BUILD_INSTANCE_TYPE="${BUILD_INSTANCE_TYPE:-m3.xlarge}" +# BUILD_AMI provides an override to choose an image to use, otherwise +# the latest release of Amazon Linux 2 is used. +BUILD_INSTANCE_AMI="${BUILD_INSTANCE_AMI:-}" +# BUILDSYS_VARIANT specifies the image's variant to be amiized. +BUILDSYS_VARIANT="${BUILDSYS_VARIANT:-aws-k8s}" +# BUILD_ARCH is the image's architecture. +BUILD_ARCH="${BUILD_ARCH:-x86_64}" +# ami_suffix provides a the dynamic portion of an AMI name using the +# environment of a build. +# +# CodeBuild based defaults use pre-defined Environment Variables as +# documented: +# https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html +# +if [[ -n "$CODEBUILD_RESOLVED_SOURCE_VERSION" ]]; then + ami_suffix="${CODEBUILD_RESOLVED_SOURCE_VERSION:0:8}" +else + ami_suffix="$USER-$(date +'%s')" +fi +# BUILD_AMI_NAME is the created AMI's EC2 AMI Name. +BUILD_AMI_NAME="${BUILD_AMI_NAME:-thar-${BUILD_ARCH}-${ami_suffix}}" +# BUILD_IMAGE_ROOT may be specified to provide a specific root disk +# image to write out. +BUILD_IMAGE_ROOT="${BUILD_IMAGE_ROOT:-build/thar-$BUILD_ARCH-${BUILDSYS_VARIANT}.img.lz4}" +# BUILD_IMAGE_DATA may be specified to provide a specific data disk +# image to write out. +BUILD_IMAGE_DATA="${BUILD_IMAGE_ROOT:-build/thar-$BUILD_ARCH-${BUILDSYS_VARIANT}-data.img.lz4}" +# EC2 Key Pair used to spin up and access instance for AMIizing disk +# images. These are created automatically if the build task is +# configured with access to the SSM, EC2, and KMS resources involved. +# +# KEYPAIR_NAME is the EC2 KeyPair Name +KEYPAIR_NAME="${KEYPAIR_NAME:-ami-build-key}" +# KEYPAIR_PARAMETER is the SecureString SSM Parameter used to hold the +# private key for the specified EC2 Key Pair (in KEYPAIR_NAME). +KEYPAIR_PARAMETER="${KEYPAIR_PARAMETER:-/Prod/ami-build/$KEYPAIR_NAME}" + +WORK_DIR="$(mktemp -d -t create-image-ami.XXX)" + +# shellcheck source=../lib/lib.bash +source "${RUNTIME_SCRIPT_LIB:-../lib}/lib.bash" + +# Explicitly configured aws-cli for making API calls. +aws() { + command aws --region "$BUILD_REGION" "$@" +} + +# prepareImage massages a provided disk image into a format suitable +# for use in the amiize process and returns that file's name. +# +# usage: prepareImage +prepareImage() { + local image_file="${1:?need image file to prepare it}" + local out + case "$image_file" in + *.lz4 ) + un_name="${image_file%%.lz4}" + out="$WORK_DIR/${un_name##*/}" + logger -t INFO "decompressing LZ4 disk image: $image_file to $out" + lz4 -dc "$image_file" > "$out" || return 1 + ;; + *.img ) + out="$image_file" + logger -t INFO "using provided raw disk image: $out" + ;; + * ) + logger -t ERROR "unknown image file provided: $image_file" + return 1 + ;; + esac + + echo "$out" +} + +# cleanup our files and helping processes before exiting +cleanup() { + if [[ -n "$SSH_AGENT_PID" ]]; then + logger -t INFO "terminating key-wielding ssh-agent" + eval "$(ssh-agent -k | grep -v '^echo')" + fi + + if [[ -d "$WORK_DIR" ]]; then + logger -t INFO "removing work directory $WORK_DIR" + rm -rf -- "$WORK_DIR" + fi +} + +trap "cleanup" EXIT + +mkdir -p "$WORK_DIR" + +if ! [[ -s "$BUILD_IMAGE_ROOT" ]]; then + logger -t ERROR "missing root disk image" + exit 1 +fi +if ! [[ -s "$BUILD_IMAGE_DATA" ]]; then + logger -t ERROR "missing data disk image" + exit 1 +fi + +logger -t INFO "using ssh key from SSM parameter '$KEYPAIR_PARAMETER'" +if ! ( + # shellcheck disable=SC2030 + export KEYPAIR_NAME KEYPAIR_PARAMETER + export AWS_DEFAULT_REGION="$BUILD_REGION" + ensure-key-pair + ); then + logger -t ERROR "unable to setup ssh key from SSM parameter" + exit 1 +fi + +logger -t INFO "configuring ssh for SSM parameter ssh key" +# shellcheck disable=SC2091 +eval "$(ssh-agent | grep -v '^echo')" +# shellcheck disable=SC2031 +if ! ssh-add <(aws ssm get-parameter --name "$KEYPAIR_PARAMETER" --with-decryption --query Parameter.Value --output text) ; then + logger -t ERROR "unable to load ssh key from SSM Parameter $KEYPAIR_PARAMETER" + exit 1 +fi + +if [[ -z "$BUILD_AMI" ]]; then + logger -t INFO "querying SSM for latest Amazon Linux 2 AMI" + BUILD_INSTANCE_AMI="$(aws ssm get-parameter --output text --query Parameter.Value \ + --name /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2)" + # shellcheck disable=2181 + if [[ "$?" -ne 0 ]]; then + logger -t ERROR "AMI query failed, cannot proceed without image" + exit 1 + fi + if [[ -z "$BUILD_INSTANCE_AMI" ]]; then + logger -t ERROR "AMI ID is empty, cannot proceed without image" + exit 1 + fi +fi +logger -t INFO "using $BUILD_INSTANCE_AMI for amiizing instance" + +logger -t INFO "preparing disk images for amiizing" +if ! BUILD_IMAGE_ROOT="$(prepareImage "$BUILD_IMAGE_ROOT")"; then + logger -t ERROR "failed to prepare root image for amiizing" + exit 1 +fi + +if ! BUILD_IMAGE_DATA="$(prepareImage "$BUILD_IMAGE_DATA")"; then + logger -t ERROR "failed to prepare data image for amiizing" + exit 1 +fi + +userdata="$(base64 -w 0 < "$amiize_output/region" + + # When we're writing to an existing directory, we allow the caller to retain + # existing resources there also while (effectively) overwriting the + # overlapping resources. + if [[ -d "$BUILD_OUTPUT" ]]; then + if [[ -z "$BUILD_KEEP_OUTPUT" ]]; then + logger -t WARN -- "removing prior data (in $BUILD_OUTPUT) to record newly created resources" + # Remove overlapping files in the $BUILD_OUTPUT first. + find "$amiize_output" -mindepth 1 -printf "$BUILD_OUTPUT/%P\0" | xargs -0 -- rm -rf -- + fi + fi + + logger -t INFO "recording created resource IDs in $BUILD_OUTPUT" + mkdir -p "$BUILD_OUTPUT" + cp -rT "$amiize_output/" "$BUILD_OUTPUT/" +fi + +exit "$amiize_ret" diff --git a/tools/infra/container/runtime/bin/ensure-key-pair b/tools/infra/container/runtime/bin/ensure-key-pair new file mode 100755 index 00000000000..ac40b347723 --- /dev/null +++ b/tools/infra/container/runtime/bin/ensure-key-pair @@ -0,0 +1,47 @@ +#!/usr/bin/env bash +set -euo pipefail + +KEYPAIR_NAME="${KEYPAIR_NAME:?Need a keypair name}" +KEYPAIR_PARAMETER="${KEYPAIR_PARAMETER:?Need a parameter name}" + +logger() { + command logger --stderr --no-act "$@" +} + +ssh_keypair="$(mktemp -u -t "ssm-key-pair.XXX")" +# shellcheck disable=2064 +trap "rm -f -- '$ssh_keypair' '$ssh_keypair.pub'" EXIT + +if aws ssm get-parameter --name "$KEYPAIR_PARAMETER" &>/dev/null; then + : SSM Secure Parameter exists +else + logger -t INFO "creating SSM parameter ssh key-pair" + mkfifo "$ssh_keypair" "${ssh_keypair}.pub" + yes | ssh-keygen -P '' -C "$KEYPAIR_NAME" -f "$ssh_keypair" & + aws ssm put-parameter --overwrite --name "$KEYPAIR_PARAMETER" --type SecureString --value "$(<"$ssh_keypair")" >/dev/null +fi + +if aws ec2 describe-key-pairs --key-name "$KEYPAIR_NAME" &>/dev/null ; then + : EC2 Key Pair exists +else + if [ -e "${ssh_keypair}.pub" ]; then + logger -t INFO "importing ssh key from newly generated pair" + else + logger -t INFO "importing ssh key from SSM parameter '$KEYPAIR_PARAMETER'" + + ssh-keygen -y -f <(aws ssm get-parameter --name "$KEYPAIR_PARAMETER" \ + --with-decryption \ + --query Parameter.Value \ + --output text) \ + > "${ssh_keypair}.pub" + # shellcheck disable=SC2181 + if [ "$?" -ne 0 ]; then + logger -t ERROR "could not import ssh key from SSM parameter" + exit 1 + fi + fi + + + aws ec2 import-key-pair --key-name "$KEYPAIR_NAME" --public-key-material file://"${ssh_keypair}.pub" + logger -t INFO "imported ssh key as EC2 key pair '$KEYPAIR_NAME'" +fi diff --git a/tools/infra/env/bin/environment-report b/tools/infra/container/runtime/bin/environment-report similarity index 100% rename from tools/infra/env/bin/environment-report rename to tools/infra/container/runtime/bin/environment-report diff --git a/tools/infra/env/bin/retry b/tools/infra/container/runtime/bin/retry similarity index 100% rename from tools/infra/env/bin/retry rename to tools/infra/container/runtime/bin/retry diff --git a/tools/infra/container/runtime/bin/start-build-environment b/tools/infra/container/runtime/bin/start-build-environment new file mode 100755 index 00000000000..99f2f1f5a3a --- /dev/null +++ b/tools/infra/container/runtime/bin/start-build-environment @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +# +# start-build-environment - Setup the build environment & start supporting services +# +# Intended primarily for use in the builder container image, the +# start-build-environment provides a single call setup for the common use cases +# in the context of builds. +# +# usage: +# +# start-build-environment +# +set -xe +# Ensure we have a logging facility (or stubbed service) +start-log-listener +# Ensure the docker daemon is running. +start-docker-daemon diff --git a/tools/infra/container/runtime/bin/start-docker-daemon b/tools/infra/container/runtime/bin/start-docker-daemon new file mode 100755 index 00000000000..0a95438e6fb --- /dev/null +++ b/tools/infra/container/runtime/bin/start-docker-daemon @@ -0,0 +1,80 @@ +#!/usr/bin/env bash +# +# start-docker-daemon - Start up a docker daemon for the build environment +# +# Builds depend on a series of docker images and containers used to run builds +# for various stages of the system. In the CodeBuild task, the docker daemon +# must be started as part of the environment startup (in the buildspec) as the +# CodeBuild Agent does not execute an image's ENTRYPOINT. +# +# usage: +# +# start-docker-daemon +# + +if ! hash docker dockerd; then + logger -s --no-act -t ERROR "missing required commands" +fi + +# If not configured, we'll use the default docker daemon socket address. +export DOCKER_HOST="${DOCKER_HOST:-unix:///var/run/docker.sock}" +# Don't startup our own daemon if the environment has access configured for the +if docker version &>/dev/null; then + logger -s --no-act -t INFO "delegating to running & configured dockerd (via $DOCKER_HOST)" + exit 0 +fi + +# Also check to see if the daemon is running but we're unable to access it, the +# environment may already have docker daemon running but not fully configured +# for use. +if [[ -S "${DOCKER_HOST:+${DOCKER_HOST##unix://}}" ]]; then + logger -s --no-act -t ERROR "unable to access running dockerd (via $DOCKER_HOST)" + exit 1 +fi + +# Verify we're a user that can start the docker daemon (assuming for now that +# being root means that). +euid="$(id -u)" +if [[ "$euid" -ne 0 ]]; then + logger -s --no-act -t ERROR "unable to start dockerd as non-root user (euid: $euid != 0)" + exit 1 +fi + +# In all other cases, start the docker daemon +logger -s --no-act -t INFO "starting dockerd" +nohup dockerd \ + --host="$DOCKER_HOST" \ + &>/var/log/docker.log & +daemon_pid="$!" + +sleep 1 + +if [[ ! -e "/proc/$daemon_pid" ]]; then + logger -s --no-act -t ERROR "dockerd did not start" + exit 1 +fi + +# Starting up the daemon asynchronously may take a moment or may fail to start +# in the background, tries are made to check in on the brief time between exec +# and the daemon ready to work. +# +# sleep interval before attempting each try +try_interval="0.1s" +# maximum try attempts that will be made +try_max_count=3 +# try attempts +try_count=0 + +until docker info &>/dev/null; do + ((try_count++)) + if [[ "$try_count" -gt "$try_max_count" ]]; then + logger -s --no-act -t ERROR "dockerd start exceeded deadline (may be slow or failed to start, check logs)" + if [[ -s "/var/log/docker.log" ]]; then + sed 's/^/docker.log: /' /var/log/docker.log + else + logger -s --no-act -t WARN "dockerd logs are empty" + fi + exit 1 + fi + sleep "$try_interval" +done diff --git a/tools/infra/container/runtime/bin/start-log-listener b/tools/infra/container/runtime/bin/start-log-listener new file mode 100755 index 00000000000..ee8e85a1055 --- /dev/null +++ b/tools/infra/container/runtime/bin/start-log-listener @@ -0,0 +1,55 @@ +#!/usr/bin/env bash +# +# start-log-listener - Setup a socket at /dev/log when missing +# +# The kernel's /dev/log socket may not be present in some environments so this +# script stands up a blackhole listener, to avoid logger from complaining and +# not outputting our messages. +# +# usage: +# +# start-log-listener +# +if ! hash socat; then + echo "ERROR: missing required commands" +fi + +log_sock="/dev/log" + +# Starting up the socket asynchronously may take a moment or may fail to start +# in the background, tries are made to check in on the brief time between exec +# and the listener bound. +# +# sleep interval before attempting each try +try_interval="0.1s" +# maximum try attempts that will be made +try_max_count=3 + +# Let the existing socket be. +if [[ -S "$log_sock" ]]; then + logger -s --no-act -t INFO -- "kernel's log socket is already present /dev/log" + logger -s --no-act -t INFO -- "not replacing /dev/log" + exit 0 +fi + +# Require EUID 0 as we're mucking about in /dev +euid="$(id -u)" +if [[ "$euid" -ne 0 ]]; then + echo "ERROR: unable to start log listener socket as non-root user (euid: $euid != 0)" + exit 1 +fi + +# Listen on syslog unix socket and dump any sent datagrams. +nohup socat "UNIX-LISTEN:$log_sock,fork" - &>/dev/null & + +# Wait for the listener to start and assume the process didn't successfully bind +# to the socket otherwise. +try_count=0 +until [[ -S "$log_sock" ]]; do + ((try_count++)) + if [[ "$try_count" -gt "$try_max_count" ]]; then + echo "ERROR: unable to start log listener at $log_sock" >&2 + exit 1 + fi + sleep "$try_interval" +done diff --git a/tools/infra/env/bin/write-build-meta b/tools/infra/container/runtime/bin/write-build-meta similarity index 96% rename from tools/infra/env/bin/write-build-meta rename to tools/infra/container/runtime/bin/write-build-meta index 8636072b919..1e15292271d 100755 --- a/tools/infra/env/bin/write-build-meta +++ b/tools/infra/container/runtime/bin/write-build-meta @@ -31,7 +31,7 @@ fi write_common -if [[ -z "${CODEBUILD_BUILD_ID}" ]]; then +if [[ -n "${CODEBUILD_BUILD_ID}" ]]; then write_codebuild fi diff --git a/tools/infra/container/runtime/lib/lib.bash b/tools/infra/container/runtime/lib/lib.bash new file mode 100644 index 00000000000..958a202fdb5 --- /dev/null +++ b/tools/infra/container/runtime/lib/lib.bash @@ -0,0 +1,51 @@ +# shellcheck shell=bash + +# Logger provides the corrected interface to log to stderr. +logger() { + # Use logger if its usable + if test -S /dev/log; then + command logger --no-act -s "$@" + return 0 + fi + + # Otherwise, use a simple polyfill implementation that provides a similar + # enough interface to be used across scripts. + local tag + local message + local format + + # polyfill in a logger that writes to stderr + while [ "$#" -ne 0 ]; do + case "$1" in + -t ) + tag="$2" + shift 1 + ;; + -*|-- ) + # drop options + ;; + * ) + # message + message=( "$@" ) + break + ;; + esac + shift 1 + done + + # Message printer format + format="${tag:+"$tag: "}%s\n" + + # Single message in function call + if [[ "${#message[@]}" -ne 0 ]]; then + printf "$format" "${message[*]}" >&2 + return 0 + fi + + # Stream of messages sent to function as input + while read msg; do + printf "$format" "${msg}" >&2 + done + + return 0 +} diff --git a/tools/infra/env/bin/setup-rust-builder b/tools/infra/container/scripts/configure-rust old mode 100644 new mode 100755 similarity index 50% rename from tools/infra/env/bin/setup-rust-builder rename to tools/infra/container/scripts/configure-rust index f242e7885b6..38e9631043e --- a/tools/infra/env/bin/setup-rust-builder +++ b/tools/infra/container/scripts/configure-rust @@ -1,15 +1,15 @@ -#!/usr/bin/env sh +#!/usr/bin/env bash # -# setup-rust-builder - install rust and configure shell for its use by a builder -# -# This script is expected to be sourced by callers in order to affect their PATH -# directly AND is used in CodeBuild environments where the SHELL is /bin/sh. +# confgure-rust - configure container environment for rust usage # # usage: # -# . setup-rust-builder +# configure-rust # +# shellcheck source=../runtime/lib/lib.bash +source "$RUNTIME_SCRIPT_LIB/lib.bash" + configure_color_output() { # Prepare Cargo for build and CI usage PATH="$HOME/.cargo/bin:$PATH" @@ -42,37 +42,5 @@ configure_color_output() { unset cargo_make_config } -cargo_dep() { - cargo_install_package="$@" - logger -s -t INFO "installing cargo dep with 'cargo install $cargo_install_package'" - if ! cargo install --force $cargo_install_package; then - logger -s -t ERROR "failed to install dep with 'cargo install $cargo_install_package'" - exit 1 - fi -} - -install_rust_toolchain() { - test -f rustup-init.sh || rm -f rustup-init.sh - if ! curl -o rustup-init.sh --proto '=https' --tlsv1.2 -sS "https://sh.rustup.rs"; then - logger -s -t ERROR "could not fetch rustup, needed for managing rust toolchain" - exit 1 - fi - if ! bash rustup-init.sh -y --no-modify-path --default-toolchain stable ; then - logger -s -t ERROR "could not setup rustup & rust toolchain for build" - exit 1 - fi - rm -f rustup-init.sh -} - configure_color_output -install_rust_toolchain - -# Install build tooling dependencies -cargo_dep --version 0.23.0 cargo-make -cargo_dep --version 0.2.6 cargo-deny - -unset -f configure_color_output -unset -f install_rust_toolchain -unset -f cargo_dep - diff --git a/tools/infra/container/scripts/install-crates b/tools/infra/container/scripts/install-crates new file mode 100755 index 00000000000..145460bc366 --- /dev/null +++ b/tools/infra/container/scripts/install-crates @@ -0,0 +1,25 @@ +#!/usr/bin/env bash +# +# install-crates - install binary crate dependencies +# +# usage: +# +# install-crates +# + +# shellcheck source=../runtime/lib/lib.bash +source "$RUNTIME_SCRIPT_LIB/lib.bash" + +cargo_dep() { + local cargo_install_package=( "$@" ) + logger -s -t INFO "installing cargo dep with 'cargo install ${cargo_install_package[*]}'" + if ! cargo install --force "${cargo_install_package[@]}"; then + logger -s -t ERROR "failed to install dep with 'cargo install ${cargo_install_package[*]}'" + exit 1 + fi +} + +# Install build tooling dependencies +cargo_dep --version 0.23.0 cargo-make +cargo_dep --version 0.2.6 cargo-deny + diff --git a/tools/infra/container/scripts/install-rust b/tools/infra/container/scripts/install-rust new file mode 100755 index 00000000000..e056fd08ff1 --- /dev/null +++ b/tools/infra/container/scripts/install-rust @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +# +# install-rust - install rust for use in builder containers +# +# usage: +# +# install-rust +# + +# shellcheck source=../runtime/lib/lib.bash +source "$RUNTIME_SCRIPT_LIB/lib.bash" + +install_rust_toolchain() { + local toolchain="${1:-stable}" + test -f rustup-init.sh || rm -f rustup-init.sh + if ! curl -o rustup-init.sh --proto '=https' --tlsv1.2 -sS "https://sh.rustup.rs"; then + logger -s -t ERROR "could not fetch rustup, needed for managing rust toolchain" + exit 1 + fi + if ! bash rustup-init.sh -y --profile minimal --no-modify-path --default-toolchain "$toolchain" ; then + logger -s -t ERROR "could not setup rustup & rust toolchain for build" + exit 1 + fi + rm -f rustup-init.sh +} + +install_rust_toolchain "stable" diff --git a/tools/infra/env/README.md b/tools/infra/env/README.md deleted file mode 100644 index 97189cf3585..00000000000 --- a/tools/infra/env/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# CI Builder Environment - -This directory provides the working environment within the context of a CI build. -The `lib/` directory contains bootstrap and support resources that are not otherwise not directly executed. -The `bin/` directory contains scripts and executables that are directly used in the build process. -Scripts named `setup-$NAME` are intended to be sourced into the build environment; scripts sourced into the build environment must be compatible with the bourne shell - `/bin/sh`. - diff --git a/tools/infra/env/lib/environment-setup b/tools/infra/env/lib/environment-setup deleted file mode 100644 index 5397068b3d3..00000000000 --- a/tools/infra/env/lib/environment-setup +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env sh -# -# environment-setup - setup shell for building in -# -if [ -d "${INFRA_DIR:-./tools/infra}/env/bin" ]; then - PATH="$(pwd -P)/tools/infra/env/bin:$PATH" -fi - -for src_path in $(env | awk -F'=' '/^CODEBUILD_SRC_DIR/ { print $2; }'); do - for src_bin in "$src_path/bin" "$src_path/ci/bin"; do - if [ -d "$src_bin" ]; then - PATH="$src_bin:$PATH" - fi - done -done diff --git a/tools/infra/stacks/Makefile b/tools/infra/stacks/Makefile index bdce060aacf..594e53a599e 100644 --- a/tools/infra/stacks/Makefile +++ b/tools/infra/stacks/Makefile @@ -10,4 +10,12 @@ validate/%: $(info validating stack: $*) aws cloudformation validate-template --template-body "$$(< $*)" +check: check-readme + +check-readme: + @$(foreach stack,$(stacks:.yml=),\ + grep -Fw -q -e "$(stack)" README.md ||\ + { MISSING=1; echo "Missing README section mentioning $(stack)"; }; )\ + $${MISSING:+exit 1} + .PHONY: test list diff --git a/tools/infra/stacks/host-containers-pr-build.yml b/tools/infra/stacks/host-containers-pr-build.yml index 3bf1e796924..9d907c89c19 100644 --- a/tools/infra/stacks/host-containers-pr-build.yml +++ b/tools/infra/stacks/host-containers-pr-build.yml @@ -1,3 +1,5 @@ +# stack-name: host-containers-pr-build + Parameters: BuildSpecPath: Type: String diff --git a/tools/infra/stacks/infra-container.yml b/tools/infra/stacks/infra-container.yml new file mode 100644 index 00000000000..6ef40a927bb --- /dev/null +++ b/tools/infra/stacks/infra-container.yml @@ -0,0 +1,163 @@ +# stack-name: infra-container + +AWSTemplateFormatVersion: "2010-09-09" + +Description: >- + Infra's container images ECR repositories used in release automation. + +Parameters: + SSMPathNamespace: + Type: String + Default: /infra/container + AllowedPattern: '^/.*[^/]$' + Description: > + Namespace under which SSM Parameters will be created for container images (should start but *not* end with '/') + +Resources: + SDKx8664Repo: + Type: AWS::ECR::Repository + Metadata: + Source: extras/sdk-container + Properties: + RepositoryName: thar/sdk-x86_64 + + SDKx8664Parameter: + Type: AWS::SSM::Parameter + Properties: + Name: !Sub "${SSMPathNamespace}/${SDKx8664Repo}" + Type: String + Value: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${SDKx8664Repo}" + + SDKaarch64Repo: + Type: AWS::ECR::Repository + Metadata: + Source: extras/sdk-container + Properties: + RepositoryName: thar/sdk-aarch64 + + SDKaarch64Parameter: + Type: AWS::SSM::Parameter + Properties: + Name: !Sub "${SSMPathNamespace}/${SDKaarch64Repo}" + Type: String + Value: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${SDKaarch64Repo}" + + BuilderRepo: + Type: AWS::ECR::Repository + Metadata: + Source: tools/infra/container/Dockerfile.builder + Properties: + RepositoryName: infra/builder + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - Sid: "codeBuildPull" + Effect: Allow + Principal: + Service: "codebuild.amazonaws.com" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + + BuilderParameter: + Type: AWS::SSM::Parameter + Properties: + Name: !Sub "${SSMPathNamespace}/${BuilderRepo}" + Type: String + Value: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${BuilderRepo}" + + SigningRepo: + Type: AWS::ECR::Repository + Metadata: + Source: tools/infra/container/Dockerfile.signing + Properties: + RepositoryName: infra/signing + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - Sid: "codeBuildPull" + Effect: Allow + Principal: + Service: "codebuild.amazonaws.com" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + + SigningParameter: + Type: AWS::SSM::Parameter + Properties: + Name: !Sub "${SSMPathNamespace}/${SigningRepo}" + Type: String + Value: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${SigningRepo}" + + PullPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + ManagedPolicyName: pull + Path: !Sub "/${AWS::StackName}/" + PolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: "imagePull" + Effect: Allow + Resource: + - !GetAtt BuilderRepo.Arn + - !GetAtt SigningRepo.Arn + - !GetAtt SDKx8664Repo.Arn + - !GetAtt SDKaarch64Repo.Arn + Action: + - "ecr:GetAuthorizationToken" + - "ecr:BatchCheckLayerAvailability" + - "ecr:GetDownloadUrlForLayer" + - "ecr:ListImages" + - "ecr:DescribeImages" + - "ecr:BatchGetImage" + - "ecr:ListTagsForResource" + - Sid: "imageResolve" + Effect: Allow + Resource: + - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}/*" + Action: + - "ssm:GetParameter" + - "ssm:GetParameters" + - "ssm:GetParametersByPath" + - "ssm:DescribeParameters" + + PushPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + ManagedPolicyName: push + Path: !Sub "/${AWS::StackName}/" + PolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: "imagePush" + Effect: Allow + Resource: + - !GetAtt BuilderRepo.Arn + - !GetAtt SigningRepo.Arn + - !GetAtt SDKx8664Repo.Arn + - !GetAtt SDKaarch64Repo.Arn + Action: + - "ecr:GetAuthorizationToken" + - "ecr:BatchCheckLayerAvailability" + - "ecr:GetDownloadUrlForLayer" + - "ecr:DescribeImages" + - "ecr:BatchGetImage" + - "ecr:ListTagsForResource" + - "ecr:InitiateLayerUpload" + - "ecr:UploadLayerPart" + - "ecr:CompleteLayerUpload" + - "ecr:PutImage" + +Outputs: + PullPolicy: + Export: + Name: !Sub "${AWS::StackName}-pull-policy" + Value: !Ref PullPolicy + PushPolicy: + Export: + Name: !Sub "${AWS::StackName}-push-policy" + Value: !Ref PushPolicy diff --git a/tools/infra/stacks/infra-pr-build.yml b/tools/infra/stacks/infra-pr-build.yml index aa458427fcd..9e9094b242e 100644 --- a/tools/infra/stacks/infra-pr-build.yml +++ b/tools/infra/stacks/infra-pr-build.yml @@ -1,3 +1,6 @@ +# stack-name: infra-pr-build +# stack-require: infra-container + Parameters: BuildSpecPath: Type: String @@ -12,6 +15,28 @@ Parameters: Description: >- The GitHub repository that builds run for. Your account must be authorized to modify this repository's settings. + EnvironmentImageName: + Type: AWS::SSM::Parameter::Value + Default: /infra/container/infra/builder + Description: >- + Parameter that defines the image name the builder uses as its execution + environment *without* a tag (eg: registry/image-name, not + registry/image-name:tag). The EnvironmentImageTag Parameter provides the + appropriate tag separately. + EnvironmentImageTag: + Type: String + Default: latest + Description: >- + The image 'tag' (as in registry/image-name:tag) to select of the EnvironmentImage + provided. + ImageCredentialsType: + Type: String + Default: CODEBUILD + AllowedValues: [ CODEBUILD, SERVICE_ROLE ] + Description: >- + If image policy does not trust codebuild.amazonaws.com OR cross-account + role is needed, then the SERVICE_ROLE must be specified to use the role + assigned to the build project. Resources: BuildArtifactBucket: @@ -41,40 +66,38 @@ Resources: BuildRolePolicy: Type: AWS::IAM::Policy Properties: - Roles: - - Ref: BuildRole PolicyName: BuildRolePolicy + Roles: + - !Ref BuildRole PolicyDocument: Version: "2012-10-17" Statement: # For validation API usage performed on templates during build. - - Action: - - cloudformation:ValidateTemplate + - Sid: "validateCfnTemplates" Effect: Allow + Action: + - cloudformation:ValidateTemplate + Resource: "*" # For managing cache, logs, and artifacts in the build's buckets. - - Action: + - Sid: "manageBuildArtifacts" + Effect: Allow + Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:PutObject* - s3:Abort* - Effect: Allow Resource: - !GetAtt BuildArtifactBucket.Arn - - Fn::Join: - - "" - - - !GetAtt BuildArtifactBucket.Arn - - /* + - !Sub "${BuildArtifactBucket.Arn}/*" - !GetAtt BuildLogBucket.Arn - - Fn::Join: - - "" - - - !GetAtt BuildLogBucket.Arn - - /* + - !Sub "${BuildLogBucket.Arn}/*" # For writing to CloudWatch Logs Streams for each build. - - Action: + - Sid: "manageBuildLogs" + Effect: Allow + Action: - logs:CreateLogStream - logs:PutLogEvents - Effect: Allow Resource: - !GetAtt BuildLogGroup.Arn @@ -86,14 +109,19 @@ Resources: - BuildLogGroup - BuildRole Properties: + Artifacts: + Location: !Ref BuildArtifactBucket + Name: / + NamespaceType: BUILD_ID + Packaging: NONE + Path: artifact/ + Type: S3 Environment: ComputeType: BUILD_GENERAL1_SMALL - Image: aws/codebuild/standard:2.0 Type: LINUX_CONTAINER - ServiceRole: - Fn::GetAtt: - - BuildRole - - Arn + Image: !Sub "${EnvironmentImageName}:${EnvironmentImageTag}" + ImagePullCredentialsType: !Ref ImageCredentialsType + ServiceRole: !GetAtt BuildRole.Arn Source: BuildSpec: !Ref BuildSpecPath Location: !Ref SourceGitHubRepositoryURL @@ -102,11 +130,7 @@ Resources: LogsConfig: S3Logs: Status: ENABLED - Location: - Fn::Join: - - "/" - - - !GetAtt BuildArtifactBucket.Arn - - "codebuild/log" + Location: !Sub "${BuildArtifactBucket.Arn}/codebuild/log" CloudWatchLogs: Status: ENABLED GroupName: !Ref BuildLogGroup diff --git a/tools/infra/stacks/thar-pr-build.yml b/tools/infra/stacks/thar-pr-build.yml index 37b2886f716..17a6b9ff695 100644 --- a/tools/infra/stacks/thar-pr-build.yml +++ b/tools/infra/stacks/thar-pr-build.yml @@ -1,9 +1,13 @@ +# stack-name: thar-pr-build +# stack-require: infra-container + Parameters: BuildSpecPath: Type: String AllowedPattern: '.+\.yml$' Default: "./tools/infra/buildspec/thar-pr-build.yml" - Description: "The path to the buildspec.yml file to use." + Description: >- + The path to the buildspec.yml file to use. SourceGitHubRepositoryURL: Type: String Default: "https://github.com/amazonlinux/PRIVATE-thar.git" @@ -12,6 +16,29 @@ Parameters: Description: >- The GitHub repository that builds run for. Your account must be authorized to modify this repository's settings. + EnvironmentImageName: + Type: AWS::SSM::Parameter::Value + Default: /infra/container/infra/builder + Description: >- + Parameter that defines the image name the builder uses as its execution + environment *without* a tag (eg: registry/image-name, not + registry/image-name:tag). The EnvironmentImageTag Parameter provides the + appropriate tag separately. + EnvironmentImageTag: + Type: String + Default: latest + Description: >- + The image 'tag' (as in registry/image-name:tag) to select of the EnvironmentImage + provided. + ImageCredentialsType: + Type: String + Default: CODEBUILD + AllowedValues: [ CODEBUILD, SERVICE_ROLE ] + Description: >- + If image policy does not trust codebuild.amazonaws.com OR cross-account + role is needed, then the SERVICE_ROLE must be specified to use the role + assigned to the build project. + Resources: BuildArtifactBucket: Type: AWS::S3::Bucket @@ -40,36 +67,32 @@ Resources: BuildRolePolicy: Type: AWS::IAM::Policy Properties: + PolicyName: BuildRolePolicy Roles: - !Ref BuildRole - PolicyName: BuildRolePolicy PolicyDocument: Version: "2012-10-17" Statement: # For managing cache, logs, and artifacts in the build's buckets. - - Action: + - Sid: "manageBuildArtifacts" + Effect: Allow + Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:PutObject* - s3:Abort* - Effect: Allow Resource: - !GetAtt BuildArtifactBucket.Arn - - Fn::Join: - - "" - - - !GetAtt BuildArtifactBucket.Arn - - /* + - !Sub "${BuildArtifactBucket.Arn}/*" - !GetAtt BuildLogBucket.Arn - - Fn::Join: - - "" - - - !GetAtt BuildLogBucket.Arn - - /* + - !Sub "${BuildLogBucket.Arn}/*" # For writing to CloudWatch Logs Streams for each build. - - Action: + - Sid: "manageBuildLogs" + Effect: Allow + Action: - logs:CreateLogStream - logs:PutLogEvents - Effect: Allow Resource: - !GetAtt BuildLogGroup.Arn @@ -90,9 +113,10 @@ Resources: Type: S3 Environment: ComputeType: BUILD_GENERAL1_LARGE - Image: aws/codebuild/standard:2.0 - PrivilegedMode: true Type: LINUX_CONTAINER + PrivilegedMode: true + Image: !Sub "${EnvironmentImageName}:${EnvironmentImageTag}" + ImagePullCredentialsType: !Ref ImageCredentialsType ServiceRole: !GetAtt BuildRole.Arn Source: BuildSpec: !Ref BuildSpecPath @@ -102,11 +126,7 @@ Resources: LogsConfig: S3Logs: Status: ENABLED - Location: - Fn::Join: - - "/" - - - !GetAtt BuildLogBucket.Arn - - "codebuild/log" + Location: !Sub "${BuildLogBucket.Arn}/codebuild/log" CloudWatchLogs: Status: ENABLED GroupName: !Ref BuildLogGroup diff --git a/tools/rpm2img b/tools/rpm2img index 3c92cbb69b6..65411776d0b 100755 --- a/tools/rpm2img +++ b/tools/rpm2img @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -eu -o pipefail shopt -qs failglob