Move most bazel flags to bazelrc so they are applied consistently. Us…

…e the same environment for Kokoro and GitHub, in particular treat CI_JOB_TYPE consistently. This is motivated by reproducible builds, where the issue is that we use a simple `blaze test containers/...` to build all the binaries on Kokoro, but a different just target with explicit bazel flags on GitHub. Collecting all (even including -c opt) into the blazerc should address this. Building on the command line creates unoptimized, non-stripped binaries, unless the build is invoked with environment variable: `env CI_JOB_TYPE=CONTINUOUS just oak_containers_orchestrator`. Bug: 377431387 Change-Id: Iff4479c50380294cafe5d6e003aa6f2d935832fc
project-oak · Nov 11, 2024 · 593527c · 593527c
1 parent be2f057
commit 593527c
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 82 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -1,19 +1,44 @@
-# Bazel build defaults.
-# incompatible_enable_cc_toolchain_resolution:
-#   Should not be needed after Bazel 7.0 is released.
-# cxxopt='-std=c++17':
-#   Build C++ targets using C++17.
-#   <https://stackoverflow.com/questions/40260242/how-to-set-c-standard-version-when-build-with-bazel>
-# --host_cxxopt='-std=c++17'
-#   Fix Abseil "C++ versions less than C++14 are not supported".
-#   <https://github.com/protocolbuffers/protobuf/issues/12393#issuecomment-1504349780>
-common --incompatible_enable_cc_toolchain_resolution --cxxopt='-std=c++17' --host_cxxopt='-std=c++17'
+# Bazel defaults.
+
+# Should not be needed after Bazel 7.0 is released.
+common --incompatible_enable_cc_toolchain_resolution
+
+# Build C++ targets using C++17.
+# <https://stackoverflow.com/questions/40260242/how-to-set-c-standard-version-when-build-with-bazel>
+common --cxxopt=-std=c++17
+
+# Fix Abseil "C++ versions less than C++14 are not supported".
+# <https://github.com/protocolbuffers/protobuf/issues/12393#issuecomment-1504349780>
+common --host_cxxopt=-std=c++17
 
 # Required for cargo_build_script support before Bazel 7
 # See: "Build script env is overridden by use_default_shell_env in Bazel 6"
 # https://github.com/bazelbuild/rules_rust/issues/2665
 common --incompatible_merge_fixed_and_default_shell_env
 
+# Use nightly rustc by default
+common --@rules_rust//rust/toolchain/channel=nightly
+
+# Use a custom workspace status command so that the git revision is included in
+# stamped binaries.
+common --workspace_status_command=bazel/workspace_status_command.sh
+
+# Prevents repeated setup-teardown of sandboxes for targets that are frequently
+# reused. This speeds up builds significantly in some cases, like when using a
+# toolchain with a hermetic sysroot, like we do.
+# See: https://github.com/bazelbuild/bazel/issues/16138
+# For a good summary of potential issues, ask Gemini a question like:
+# "Is there any reason I shouldn't enable --reuse_sandbox_directories" by default?
+common --reuse_sandbox_directories
+
+# https://github.com/bazelbuild/bazel/issues/9342
+# --experimental_check_desugar_deps (on by default) breaks Android builds.
+common --noexperimental_check_desugar_deps
+
+# Set the rustc --sysroot flag to one generated by the toolchains. This is needed to support
+# rebuilding the standard libraries for stage 0 and the restricted kernel wrapper.
+common --@rules_rust//rust/settings:experimental_toolchain_generated_sysroot=True
+
 # Setup clippy aspect to run clippy automatically on all rust targets
 # See: https://bazelbuild.github.io/rules_rust/rust_clippy.html
 build:clippy --aspects=@rules_rust//rust:defs.bzl%rust_clippy_aspect
@@ -32,13 +57,6 @@ build:clang-tidy --output_groups=report
 # Optionally override the .clang-tidy config file target
 build:clang-tidy --@bazel_clang_tidy//:clang_tidy_config=//:clang_tidy_config
 
-# Use nightly rustc by default
-common --@rules_rust//rust/toolchain/channel=nightly
-
-# Use a custom workspace status command so that the git revision is included in
-# stamped binaries.
-common --workspace_status_command=bazel/workspace_status_command.sh
-
 # CI specific config. This config should be safe to use from any presubmit and postsubmit jobs.
 
 # Fail immediately if the Bazel server lock cannot be acquired so that we can notice this in CI
@@ -47,6 +65,12 @@ build:ci --block_for_lock=false
 # Useful to determine how long individual steps are taking in CI.
 build:ci --show_timestamps
 
+# Always use optimization.
+build:ci --compilation_mode opt
+
+# Strip debug information from linked results.
+build:ci --linkopt=-Wl,--strip-all
+
 # --build_tag_filters=-noci allow us to skip broken/flaky/specialized test
 # targets during CI builds by adding tags = ["noci"]
 build:ci --build_tag_filters=-noci
@@ -62,15 +86,6 @@ build:ci --curses=no
 # Inline CI failures, since log files are hard to access in this enviroment
 build:ci --verbose_failures
 
-# Prevents repeated setup-teardown of sandboxes for targets that are frequently
-# reused. This speeds up builds significantly in some cases, like when using a
-# toolchain with a hermetic sysroot, like we do.
-# See: https://github.com/bazelbuild/bazel/issues/16138
-# For a good summary of potential issues, ask Gemini a question like:
-# "Is there any reason I shouldn't enable --reuse_sandbox_directories" by default?
-common --reuse_sandbox_directories
-
-
 # Always show test errors in CI
 test --test_output=errors
 # Show stdout/stderr in test output in CI
@@ -86,14 +101,6 @@ build:unsafe-fast-presubmit --remote_cache=https://storage.googleapis.com/oak-ba
 build:unsafe-fast-presubmit --remote_upload_local_results=true
 build:unsafe-fast-presubmit --google_default_credentials=true
 
-# https://github.com/bazelbuild/bazel/issues/9342
-# --experimental_check_desugar_deps (on by default) breaks Android builds
-common --noexperimental_check_desugar_deps
-
-# Set the rustc --sysroot flag to one generated by the toolchains. This is needed to support
-# rebuilding the standard libraries for stage 0 and the restricted kernel wrapper.
-common --@rules_rust//rust/settings:experimental_toolchain_generated_sysroot=True
-
 # Use a custom local bazelrc if present.
 #
 # To set up remote cache write credentials:

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -113,9 +113,12 @@ jobs:
           set -o nounset
           set -o pipefail
           source ${{ matrix.buildconfig }}
+          export CI_JOB_TYPE=CONTINUOUS
           export RUST_BACKTRACE=1
           export RUST_LOG=debug
           export XDG_RUNTIME_DIR=/var/run
+          export JUST_TIMESTAMP=true
+          export JUST_TIMESTAMP_FORMAT=JUST:%H:%M:%S%.3f
           scripts/docker_pull
           scripts/docker_run "${BUILD_COMMAND[@]}"
 

diff --git a/justfile b/justfile
@@ -13,7 +13,7 @@ import? "justfile.local"
 # Same, but for a user-wide local Oak justfile (works with Git worktrees).
 import? "~/.oak_justfile.local"
 
-# Detect the CI job environemnt so that we can configure bazel commands accordingly.
+# Detect the CI job environment so that we can configure bazel commands accordingly.
 CI_JOB_TYPE:=env_var_or_default('CI_JOB_TYPE', 'LOCAL')
 BAZEL_CONFIG_FLAG := if CI_JOB_TYPE == "PRESUBMIT" {
     "--config=unsafe-fast-presubmit"
@@ -91,25 +91,25 @@ run_oak_functions_test: oak_orchestrator oak_functions_launcher oak_functions_en
 restricted_kernel_bzimage_and_provenance_subjects kernel_suffix:
     mkdir --parents oak_restricted_kernel_wrapper/bin
 
-    # Buidling in "opt" mode is required so that Rust won't try to prevent underflows.
+    # Building in "opt" mode is required so that Rust won't try to prevent underflows.
     # This check must be OFF otherwise checks will be too conservative and fail at runtime.
-    bazel build {{BAZEL_CONFIG_FLAG}} //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}}_bin \
-        --platforms=//:x86_64-unknown-none \
-        --compilation_mode opt
+    bazel build {{BAZEL_CONFIG_FLAG}} \
+        --compilation_mode opt --platforms=//:x86_64-unknown-none \
+        //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}}_bin
 
     # Create provenance subjects for a kernel bzImage, by extracting the setup data
     # and image to the output directory.
-    bazel build {{BAZEL_CONFIG_FLAG}} //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}}_measurement \
-        --platforms=//:x86_64-unknown-none \
-        --compilation_mode opt
+    bazel build {{BAZEL_CONFIG_FLAG}} --platforms=//:x86_64-unknown-none \
+        //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}}_measurement
 
     mkdir --parents generated
     cp --force --preserve=timestamps --no-preserve=mode \
         bazel-bin/oak_restricted_kernel_wrapper/oak_restricted_kernel_wrapper{{kernel_suffix}}* \
         generated
 
     # Place things where they were built in the cargo world for compatiblity.
-    cp --force --preserve=timestamps bazel-bin/oak_restricted_kernel_wrapper/oak_restricted_kernel_wrapper{{kernel_suffix}}_bin \
+    cp --force --preserve=timestamps \
+        bazel-bin/oak_restricted_kernel_wrapper/oak_restricted_kernel_wrapper{{kernel_suffix}}_bin \
         oak_restricted_kernel_wrapper/bin/wrapper_bzimage{{kernel_suffix}}
 
 # Create provenance subjects for a kernel bzImage, by extracting the setup data
@@ -123,25 +123,24 @@ bzimage_provenance_subjects kernel_name bzimage_path output_dir:
         --kernel-image-output="{{output_dir}}/{{kernel_name}}_image"
 
 oak_restricted_kernel_bin_virtio_console_channel:
-    # Buidling in "opt" mode is required so that Rust won't try to prevent underflows.
+    # Building in "opt" mode is required so that Rust won't try to prevent underflows.
     # This check must be OFF otherwise checks will be too conservative and fail at runtime.
-    bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
-    //oak_restricted_kernel_bin:oak_restricted_kernel_bin_virtio_console_channel \
-        --platforms=//:x86_64-unknown-none
+    bazel build {{BAZEL_CONFIG_FLAG}} \
+         --compilation_mode opt --platforms=//:x86_64-unknown-none \
+        //oak_restricted_kernel_bin:oak_restricted_kernel_bin_virtio_console_channel
 
 oak_restricted_kernel_wrapper_virtio_console_channel:
     just restricted_kernel_bzimage_and_provenance_subjects _virtio_console_channel
 
 oak_restricted_kernel_bin_simple_io_channel:
-    bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
-        //oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel \
-        --platforms=//:x86_64-unknown-none
+    bazel build {{BAZEL_CONFIG_FLAG}} --platforms=//:x86_64-unknown-none \
+        //oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel
 
 oak_restricted_kernel_wrapper_simple_io_channel:
     just restricted_kernel_bzimage_and_provenance_subjects _simple_io_channel
 
 oak_client_android_app:
-    bazel build {{BAZEL_CONFIG_FLAG}} --noexperimental_check_desugar_deps --compilation_mode opt \
+    bazel build {{BAZEL_CONFIG_FLAG}} \
         //java/src/main/java/com/google/oak/client/android:client_app
     # Copy out to a directory which does not change with bazel config and does
     # not interfere with cargo. It should be reused for other targets as well.
@@ -159,21 +158,15 @@ wasm_release_crate name:
 all_wasm_test_crates: (wasm_release_crate "echo") (wasm_release_crate "key_value_lookup") (wasm_release_crate "invalid_module") (wasm_release_crate "oak_functions_test_module") (wasm_release_crate "oak_functions_sdk_abi_test_get_storage_item") (wasm_release_crate "oak_functions_sdk_abi_test_invoke_testing")
 
 stage0_bin:
-    bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
-        //stage0_bin:stage0_bin \
-        --platforms=//:x86_64-firmware
-
-    mkdir --parents generated
+    bazel build {{BAZEL_CONFIG_FLAG}} --platforms=//:x86_64-firmware \
+        //stage0_bin:stage0_bin
     cp --force --preserve=timestamps --no-preserve=mode \
         bazel-bin/stage0_bin/stage0_bin \
         artifacts/stage0_bin
 
 stage0_bin_tdx:
-    bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
-        //stage0_bin_tdx:stage0_bin_tdx \
-        --platforms=//:x86_64-firmware
-
-    mkdir --parents generated
+    bazel build {{BAZEL_CONFIG_FLAG}} --platforms=//:x86_64-firmware \
+        //stage0_bin_tdx:stage0_bin_tdx
     cp --force --preserve=timestamps --no-preserve=mode \
         bazel-bin/stage0_bin_tdx/stage0_bin_tdx \
         artifacts/stage0_bin_tdx
@@ -187,8 +180,7 @@ stage0_provenance_subjects output_dir="stage0_bin/bin/subjects": stage0_bin
         --attestation-measurements-output-dir={{output_dir}}
 
 stage1_cpio:
-    bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
-        //oak_containers/stage1:stage1_cpio
+    bazel build {{BAZEL_CONFIG_FLAG}} //oak_containers/stage1:stage1_cpio
     cp --force --preserve=timestamps --no-preserve=mode \
         bazel-bin/oak_containers/stage1/stage1.cpio \
         artifacts/stage1.cpio
@@ -204,7 +196,7 @@ oak_containers_kernel:
         artifacts/oak_containers_kernel
 
 oak_containers_launcher:
-    env cargo build --release --package='oak_containers_launcher'
+    cargo build --release --package=oak_containers_launcher
 
 # Profile the Wasm execution and generate a flamegraph.
 profile_wasm:
@@ -219,34 +211,40 @@ bazel_wasm name:
 # Oak Containers Hello World entry point.
 
 oak_containers_hello_world_container_bundle_tar:
-    env bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt //oak_containers/examples/hello_world/trusted_app:bundle.tar
-    # bazel-bin symlink doesn't exist outside of the docker container, this makes the file available to the kokoro script.
-    cp --force --preserve=timestamps bazel-bin/oak_containers/examples/hello_world/trusted_app/bundle.tar artifacts/rust_hello_world_trusted_bundle.tar
+    bazel build {{BAZEL_CONFIG_FLAG}} //oak_containers/examples/hello_world/trusted_app:bundle.tar
+    # bazel-bin symlink doesn't exist outside of the docker container, this
+    # makes the file available to the kokoro script.
+    cp --force --preserve=timestamps \
+        bazel-bin/oak_containers/examples/hello_world/trusted_app/bundle.tar \
+        artifacts/rust_hello_world_trusted_bundle.tar
 
 cc_oak_containers_hello_world_container_bundle_tar:
-    env bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt //cc/containers/hello_world_trusted_app:bundle.tar
+    bazel build {{BAZEL_CONFIG_FLAG}} //cc/containers/hello_world_trusted_app:bundle.tar
 
 oak_containers_hello_world_untrusted_app:
-    env cargo build --release --package='oak_containers_hello_world_untrusted_app'
+    cargo build --release --package=oak_containers_hello_world_untrusted_app
 
 # Oak Functions Containers entry point.
 
 oak_functions_containers_app_bundle_tar:
     bazel build {{BAZEL_CONFIG_FLAG}} oak_functions_containers_app:bundle oak_functions_containers_app:bundle_insecure
 
 oak_functions_containers_launcher:
-    bazel build {{BAZEL_CONFIG_FLAG}} -c opt oak_functions_containers_launcher
+    bazel build {{BAZEL_CONFIG_FLAG}} oak_functions_containers_launcher
     cp --preserve=timestamps --force \
         bazel-bin/oak_functions_containers_launcher/oak_functions_containers_launcher \
         artifacts/oak_functions_containers_launcher
 
 oak_functions_launcher:
-    bazel build {{BAZEL_CONFIG_FLAG}} -c opt oak_functions_launcher
+    bazel build {{BAZEL_CONFIG_FLAG}} oak_functions_launcher
     cp --preserve=timestamps --force \
         bazel-bin/oak_functions_launcher/oak_functions_launcher \
         artifacts/oak_functions_launcher
 
-all_oak_functions_containers_binaries: stage0_bin stage1_cpio oak_containers_kernel oak_containers_system_image oak_functions_containers_app_bundle_tar oak_functions_containers_launcher oak_functions_launcher
+all_oak_functions_containers_binaries: stage0_bin stage1_cpio \
+    oak_containers_kernel oak_containers_system_image \
+    oak_functions_containers_app_bundle_tar oak_functions_containers_launcher \
+    oak_functions_launcher
 
 ensure_no_std package:
     RUSTFLAGS="-C target-feature=+sse,+sse2,+ssse3,+sse4.1,+sse4.2,+avx,+avx2,+rdrand,-soft-float" cargo build --target=x86_64-unknown-none --package='{{package}}'
@@ -269,8 +267,11 @@ kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin_virtio_co
 kokoro_verify_buildconfigs:
     ./scripts/test_buildconfigs buildconfigs/*.sh
 
+# Builds and tests all Oak Container binaries.
 oak_containers_tests:
-    bazel test {{BAZEL_CONFIG_FLAG}} //oak_containers/... //oak_containers/examples/hello_world/untrusted_app:oak_containers_hello_world_untrusted_app_tests
+    bazel test {{BAZEL_CONFIG_FLAG}} \
+        //oak_containers/... \
+        //oak_containers/examples/hello_world/untrusted_app:oak_containers_hello_world_untrusted_app_tests
 
 kokoro_oak_containers: stage1_cpio oak_functions_containers_app_bundle_tar oak_containers_tests containers_placer_artifacts
 
@@ -360,7 +361,6 @@ cargo-clippy:
         env --chdir=$(dirname "$workspace") cargo clippy --all-features --all-targets --no-deps -- --deny=warnings
     done
 
-
 cargo-lockfiles:
     #!/bin/sh
     echo $CARGO_LOCKFILES_LIST_CMD
@@ -391,7 +391,6 @@ cargo-udeps:
         env --chdir=$(dirname "$workspace") cargo udeps --all-targets --backend=depinfo --workspace
     done
 
-
 check-format:
     bazel build {{BAZEL_CONFIG_FLAG}} linter && bazel-bin/linter/linter --verbose
 
@@ -455,22 +454,22 @@ containers_placer_artifacts:
     cp --force --preserve=timestamps bazel-bin/oak_containers/orchestrator/bin/oak_containers_orchestrator artifacts
     cp --force --preserve=timestamps bazel-bin/oak_containers/syslogd/oak_containers_syslogd artifacts
 
-bazel_build_opt target:
-    bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt --linkopt=-Wl,--strip-all "{{target}}"
-
-bazel_build_copy package target: (bazel_build_opt package+":"+target)
-    cp --force --preserve=timestamps "./bazel-bin/{{package}}/{{target}}" artifacts
+bazel_build_copy package target:
+    bazel build {{BAZEL_CONFIG_FLAG}} "{{package}}:{{target}}"
+    cp --force --preserve=timestamps "bazel-bin/{{package}}/{{target}}" artifacts
 
 oak_containers_agent: (bazel_build_copy "oak_containers/agent" "bin/oak_containers_agent")
 oak_containers_orchestrator: (bazel_build_copy "oak_containers/orchestrator" "bin/oak_containers_orchestrator")
 oak_containers_syslogd: (bazel_build_copy "oak_containers/syslogd" "oak_containers_syslogd")
 
-oak_containers_system_image: (bazel_build_opt "oak_containers/system_image:oak_containers_system_image")
+oak_containers_system_image:
+    bazel build {{BAZEL_CONFIG_FLAG}} oak_containers/system_image:oak_containers_system_image
     cp --force --preserve=timestamps \
         bazel-bin/oak_containers/system_image/oak_containers_system_image.tar.xz \
         artifacts
 
-oak_containers_nvidia_system_image: (bazel_build_opt "oak_containers/system_image:oak_containers_nvidia_system_image")
+oak_containers_nvidia_system_image:
+    bazel build {{BAZEL_CONFIG_FLAG}} oak_containers/system_image:oak_containers_nvidia_system_image
     cp --force --preserve=timestamps \
         bazel-bin/oak_containers/system_image/oak_containers_nvidia_system_image.tar.xz \
         artifacts
diff --git a/scripts/test_buildconfigs b/scripts/test_buildconfigs
@@ -7,6 +7,13 @@
 #     scripts/test_buildconfigs buildconfigs/*.sh
 set -e
 
+export CI_JOB_TYPE=CONTINUOUS
+export RUST_BACKTRACE=1
+export RUST_LOG=debug
+export XDG_RUNTIME_DIR=/var/run
+export JUST_TIMESTAMP=true
+export JUST_TIMESTAMP_FORMAT=JUST:%H:%M:%S%.3f
+
 check_buildconfig () {
   buildconfig="$1"