diff --git a/.bazelrc b/.bazelrc
index 158489f013..038dbc5be6 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -1,19 +1,44 @@
-# Bazel build defaults.
-# incompatible_enable_cc_toolchain_resolution:
-# Should not be needed after Bazel 7.0 is released.
-# cxxopt='-std=c++17':
-# Build C++ targets using C++17.
-#
-# --host_cxxopt='-std=c++17'
-# Fix Abseil "C++ versions less than C++14 are not supported".
-#
-common --incompatible_enable_cc_toolchain_resolution --cxxopt='-std=c++17' --host_cxxopt='-std=c++17'
+# Bazel defaults.
+
+# Should not be needed after Bazel 7.0 is released.
+common --incompatible_enable_cc_toolchain_resolution
+
+# Build C++ targets using C++17.
+#
+common --cxxopt=-std=c++17
+
+# Fix Abseil "C++ versions less than C++14 are not supported".
+#
+common --host_cxxopt=-std=c++17
 # Required for cargo_build_script support before Bazel 7
 # See: "Build script env is overridden by use_default_shell_env in Bazel 6"
 # https://github.com/bazelbuild/rules_rust/issues/2665
 common --incompatible_merge_fixed_and_default_shell_env
+# Use nightly rustc by default
+common --@rules_rust//rust/toolchain/channel=nightly
+
+# Use a custom workspace status command so that the git revision is included in
+# stamped binaries.
+common --workspace_status_command=bazel/workspace_status_command.sh
+
+# Prevents repeated setup-teardown of sandboxes for targets that are frequently
+# reused. This speeds up builds significantly in some cases, like when using a
+# toolchain with a hermetic sysroot, like we do.
+# See: https://github.com/bazelbuild/bazel/issues/16138
+# For a good summary of potential issues, ask Gemini a question like:
+# "Is there any reason I shouldn't enable --reuse_sandbox_directories" by default?
+common --reuse_sandbox_directories
+
+# https://github.com/bazelbuild/bazel/issues/9342
+# --experimental_check_desugar_deps (on by default) breaks Android builds.
+common --noexperimental_check_desugar_deps
+
+# Set the rustc --sysroot flag to one generated by the toolchains. This is needed to support
+# rebuilding the standard libraries for stage 0 and the restricted kernel wrapper.
+common --@rules_rust//rust/settings:experimental_toolchain_generated_sysroot=True
+
 # Setup clippy aspect to run clippy automatically on all rust targets
 # See: https://bazelbuild.github.io/rules_rust/rust_clippy.html
 build:clippy --aspects=@rules_rust//rust:defs.bzl%rust_clippy_aspect
@@ -32,13 +57,6 @@ build:clang-tidy --output_groups=report
 # Optionally override the .clang-tidy config file target
 build:clang-tidy --@bazel_clang_tidy//:clang_tidy_config=//:clang_tidy_config
-# Use nightly rustc by default
-common --@rules_rust//rust/toolchain/channel=nightly
-
-# Use a custom workspace status command so that the git revision is included in
-# stamped binaries.
-common --workspace_status_command=bazel/workspace_status_command.sh
-
 # CI specific config. This config should be safe to use from any presubmit and postsubmit jobs.
 # Fail immediately if the Bazel server lock cannot be acquired so that we can notice this in CI
@@ -47,6 +65,12 @@ build:ci --block_for_lock=false
 # Useful to determine how long individual steps are taking in CI.
 build:ci --show_timestamps
+# Always use optimization.
+build:ci --compilation_mode opt
+
+# Strip debug information from linked results.
+build:ci --linkopt=-Wl,--strip-all
+
 # --build_tag_filters=-noci allow us to skip broken/flaky/specialized test
 # targets during CI builds by adding tags = ["noci"]
 build:ci --build_tag_filters=-noci
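Review bot: The comment block above `common --reuse_sandbox_directories` points the reader at an LLM for the flag's risks instead of stating them, so the trade-off cannot be reviewed from the file itself. I'd replace the two `# For a good summary of potential issues…` / `# "Is there any reason…` lines with a comment that names the concrete caveat the linked Bazel issue describes (confirm the wording against that issue), e.g. `# Caveat: see the linked issue for the known sandbox-reuse pitfalls; disable this flag first when diagnosing unexplained build differences.` The flag lines themselves are moved from later in the file, not new.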
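Review bot: `build:ci --linkopt=-Wl,--strip-all` now applies to every link performed under `--config=ci`, including test binaries, because the `test` command inherits `build:` config lines; with `RUST_BACKTRACE=1` exported by the workflow, CI failure backtraces will then carry no symbols. Before this change the strip flag was only passed by the justfile's `bazel_build_opt` recipe for the container binaries, so the scope widens considerably, and — assuming `CI_JOB_TYPE=CONTINUOUS` maps to this config, which is not visible here — it now also reaches the `//:x86_64-unknown-none` and `//:x86_64-firmware` links, where it should be confirmed that the selected linker driver accepts `-Wl,`. Either move the flag to a config that only the artifact recipes select, or at least document the consequence: `# Strip debug information from linked results. Note: also strips test binaries built with --config=ci, so backtraces lose symbols.`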
@@ -62,15 +86,6 @@ build:ci --curses=no
 # Inline CI failures, since log files are hard to access in this enviroment
 build:ci --verbose_failures
-# Prevents repeated setup-teardown of sandboxes for targets that are frequently
-# reused. This speeds up builds significantly in some cases, like when using a
-# toolchain with a hermetic sysroot, like we do.
-# See: https://github.com/bazelbuild/bazel/issues/16138
-# For a good summary of potential issues, ask Gemini a question like:
-# "Is there any reason I shouldn't enable --reuse_sandbox_directories" by default?
-common --reuse_sandbox_directories
-
-
 # Always show test errors in CI
 test --test_output=errors
 # Show stdout/stderr in test output in CI
@@ -86,14 +101,6 @@ build:unsafe-fast-presubmit --remote_cache=https://storage.googleapis.com/oak-ba
 build:unsafe-fast-presubmit --remote_upload_local_results=true
 build:unsafe-fast-presubmit --google_default_credentials=true
-# https://github.com/bazelbuild/bazel/issues/9342
-# --experimental_check_desugar_deps (on by default) breaks Android builds
-common --noexperimental_check_desugar_deps
-
-# Set the rustc --sysroot flag to one generated by the toolchains. This is needed to support
-# rebuilding the standard libraries for stage 0 and the restricted kernel wrapper.
-common --@rules_rust//rust/settings:experimental_toolchain_generated_sysroot=True
-
 # Use a custom local bazelrc if present.
 #
 # To set up remote cache write credentials:
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4abe0b538e..a7be551a98 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -113,9 +113,12 @@ jobs:
 set -o nounset
 set -o pipefail
 source ${{ matrix.buildconfig }}
+ export CI_JOB_TYPE=CONTINUOUS
 export RUST_BACKTRACE=1
 export RUST_LOG=debug
 export XDG_RUNTIME_DIR=/var/run
+ export JUST_TIMESTAMP=true
+ export JUST_TIMESTAMP_FORMAT=JUST:%H:%M:%S%.3f
 scripts/docker_pull
 scripts/docker_run "${BUILD_COMMAND[@]}"
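Review bot: The `export` block added to this `run:` step (`CI_JOB_TYPE`, `RUST_BACKTRACE`, `RUST_LOG`, `XDG_RUNTIME_DIR`, `JUST_TIMESTAMP`, `JUST_TIMESTAMP_FORMAT`) is duplicated verbatim in the `scripts/test_buildconfigs` hunk at the end of this diff, so the two CI entry points will drift the next time one of them changes. Put the six lines in one shell file that both places `source`, leaving the workflow step with just the `source` line. Exporting `CI_JOB_TYPE=CONTINUOUS` unconditionally also means this workflow never selects the `PRESUBMIT` branch of `BAZEL_CONFIG_FLAG` visible in the justfile; if the workflow also runs for pull requests, confirm that is intended. The `run:` script continues outside the hunk.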
diff --git a/justfile b/justfile
index d62a7d7f37..62ecbc8dae 100644
--- a/justfile
+++ b/justfile
@@ -13,7 +13,7 @@ import? "justfile.local"
 # Same, but for a user-wide local Oak justfile (works with Git worktrees).
 import? "~/.oak_justfile.local"
-# Detect the CI job environemnt so that we can configure bazel commands accordingly.
+# Detect the CI job environment so that we can configure bazel commands accordingly.
 CI_JOB_TYPE:=env_var_or_default('CI_JOB_TYPE', 'LOCAL')
 BAZEL_CONFIG_FLAG := if CI_JOB_TYPE == "PRESUBMIT" {
 "--config=unsafe-fast-presubmit"
@@ -91,17 +91,16 @@ run_oak_functions_test: oak_orchestrator oak_functions_launcher oak_functions_en
 restricted_kernel_bzimage_and_provenance_subjects kernel_suffix:
 mkdir --parents oak_restricted_kernel_wrapper/bin
- # Buidling in "opt" mode is required so that Rust won't try to prevent underflows.
+ # Building in "opt" mode is required so that Rust won't try to prevent underflows.
 # This check must be OFF otherwise checks will be too conservative and fail at runtime.
- bazel build {{BAZEL_CONFIG_FLAG}} //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}}_bin \
- --platforms=//:x86_64-unknown-none \
- --compilation_mode opt
+ bazel build {{BAZEL_CONFIG_FLAG}} \
+ --compilation_mode opt --platforms=//:x86_64-unknown-none \
+ //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}}_bin
 # Create provenance subjects for a kernel bzImage, by extracting the setup data
 # and image to the output directory.
- bazel build {{BAZEL_CONFIG_FLAG}} //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}}_measurement \
- --platforms=//:x86_64-unknown-none \
- --compilation_mode opt
+ bazel build {{BAZEL_CONFIG_FLAG}} --platforms=//:x86_64-unknown-none \
+ //oak_restricted_kernel_wrapper:oak_restricted_kernel_wrapper{{kernel_suffix}}_measurement
 mkdir --parents generated
 cp --force --preserve=timestamps --no-preserve=mode \
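Review bot: `--compilation_mode opt` is kept for the `_bin` build but dropped from the `_measurement` build a few lines below, so outside CI the measurement is produced in the default (fastbuild) configuration while the bzImage copied to `oak_restricted_kernel_wrapper/bin` is the opt one; if the measurement target depends on the `_bin` target (not visible here), Bazel rebuilds that kernel in fastbuild and the provenance subjects describe a different binary than the one shipped. The same environment dependence is introduced for `oak_restricted_kernel_bin_simple_io_channel`, `stage0_bin`, `stage0_bin_tdx`, `stage1_cpio`, the hello-world bundle recipes and `bazel_build_copy` in later hunks, which are now opt (and stripped) only when `BAZEL_CONFIG_FLAG` selects the CI config, so reference measurements computed from a local `just` build will not match the CI artifacts. Pass the same `--compilation_mode opt --platforms=//:x86_64-unknown-none` to the `_measurement` build, and for the other recipes either keep `--compilation_mode opt` in the recipe or append it through a justfile variable that does not depend on `CI_JOB_TYPE`. The recipe continues past the end of the hunk.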
@@ -109,7 +108,8 @@ restricted_kernel_bzimage_and_provenance_subjects kernel_suffix:
 generated
 # Place things where they were built in the cargo world for compatiblity.
- cp --force --preserve=timestamps bazel-bin/oak_restricted_kernel_wrapper/oak_restricted_kernel_wrapper{{kernel_suffix}}_bin \
+ cp --force --preserve=timestamps \
+ bazel-bin/oak_restricted_kernel_wrapper/oak_restricted_kernel_wrapper{{kernel_suffix}}_bin \
 oak_restricted_kernel_wrapper/bin/wrapper_bzimage{{kernel_suffix}}
 # Create provenance subjects for a kernel bzImage, by extracting the setup data
@@ -123,25 +123,24 @@ bzimage_provenance_subjects kernel_name bzimage_path output_dir:
 --kernel-image-output="{{output_dir}}/{{kernel_name}}_image"
 oak_restricted_kernel_bin_virtio_console_channel:
- # Buidling in "opt" mode is required so that Rust won't try to prevent underflows.
+ # Building in "opt" mode is required so that Rust won't try to prevent underflows.
 # This check must be OFF otherwise checks will be too conservative and fail at runtime.
- bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
- //oak_restricted_kernel_bin:oak_restricted_kernel_bin_virtio_console_channel \
- --platforms=//:x86_64-unknown-none
+ bazel build {{BAZEL_CONFIG_FLAG}} \
+ --compilation_mode opt --platforms=//:x86_64-unknown-none \
+ //oak_restricted_kernel_bin:oak_restricted_kernel_bin_virtio_console_channel
 oak_restricted_kernel_wrapper_virtio_console_channel:
 just restricted_kernel_bzimage_and_provenance_subjects _virtio_console_channel
 oak_restricted_kernel_bin_simple_io_channel:
- bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
- //oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel \
- --platforms=//:x86_64-unknown-none
+ bazel build {{BAZEL_CONFIG_FLAG}} --platforms=//:x86_64-unknown-none \
+ //oak_restricted_kernel_bin:oak_restricted_kernel_bin_simple_io_channel
 oak_restricted_kernel_wrapper_simple_io_channel:
 just restricted_kernel_bzimage_and_provenance_subjects _simple_io_channel
 oak_client_android_app:
- bazel build {{BAZEL_CONFIG_FLAG}} --noexperimental_check_desugar_deps --compilation_mode opt \
+ bazel build {{BAZEL_CONFIG_FLAG}} \
 //java/src/main/java/com/google/oak/client/android:client_app
 # Copy out to a directory which does not change with bazel config and does
 # not interfere with cargo. It should be reused for other targets as well.
@@ -159,21 +158,15 @@ wasm_release_crate name:
 all_wasm_test_crates: (wasm_release_crate "echo") (wasm_release_crate "key_value_lookup") (wasm_release_crate "invalid_module") (wasm_release_crate "oak_functions_test_module") (wasm_release_crate "oak_functions_sdk_abi_test_get_storage_item") (wasm_release_crate "oak_functions_sdk_abi_test_invoke_testing")
 stage0_bin:
- bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
- //stage0_bin:stage0_bin \
- --platforms=//:x86_64-firmware
-
- mkdir --parents generated
+ bazel build {{BAZEL_CONFIG_FLAG}} --platforms=//:x86_64-firmware \
+ //stage0_bin:stage0_bin
 cp --force --preserve=timestamps --no-preserve=mode \
 bazel-bin/stage0_bin/stage0_bin \
 artifacts/stage0_bin
 stage0_bin_tdx:
- bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
- //stage0_bin_tdx:stage0_bin_tdx \
- --platforms=//:x86_64-firmware
-
- mkdir --parents generated
+ bazel build {{BAZEL_CONFIG_FLAG}} --platforms=//:x86_64-firmware \
+ //stage0_bin_tdx:stage0_bin_tdx
 cp --force --preserve=timestamps --no-preserve=mode \
 bazel-bin/stage0_bin_tdx/stage0_bin_tdx \
 artifacts/stage0_bin_tdx
@@ -187,8 +180,7 @@ stage0_provenance_subjects output_dir="stage0_bin/bin/subjects": stage0_bin
 --attestation-measurements-output-dir={{output_dir}}
 stage1_cpio:
- bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt \
- //oak_containers/stage1:stage1_cpio
+ bazel build {{BAZEL_CONFIG_FLAG}} //oak_containers/stage1:stage1_cpio
 cp --force --preserve=timestamps --no-preserve=mode \
 bazel-bin/oak_containers/stage1/stage1.cpio \
 artifacts/stage1.cpio
@@ -204,7 +196,7 @@ oak_containers_kernel:
 artifacts/oak_containers_kernel
 oak_containers_launcher:
- env cargo build --release --package='oak_containers_launcher'
+ cargo build --release --package=oak_containers_launcher
 # Profile the Wasm execution and generate a flamegraph.
 profile_wasm:
@@ -219,15 +211,18 @@ bazel_wasm name:
 # Oak Containers Hello World entry point.
 oak_containers_hello_world_container_bundle_tar:
- env bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt //oak_containers/examples/hello_world/trusted_app:bundle.tar
- # bazel-bin symlink doesn't exist outside of the docker container, this makes the file available to the kokoro script.
- cp --force --preserve=timestamps bazel-bin/oak_containers/examples/hello_world/trusted_app/bundle.tar artifacts/rust_hello_world_trusted_bundle.tar
+ bazel build {{BAZEL_CONFIG_FLAG}} //oak_containers/examples/hello_world/trusted_app:bundle.tar
+ # bazel-bin symlink doesn't exist outside of the docker container, this
+ # makes the file available to the kokoro script.
+ cp --force --preserve=timestamps \
+ bazel-bin/oak_containers/examples/hello_world/trusted_app/bundle.tar \
+ artifacts/rust_hello_world_trusted_bundle.tar
 cc_oak_containers_hello_world_container_bundle_tar:
- env bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt //cc/containers/hello_world_trusted_app:bundle.tar
+ bazel build {{BAZEL_CONFIG_FLAG}} //cc/containers/hello_world_trusted_app:bundle.tar
 oak_containers_hello_world_untrusted_app:
- env cargo build --release --package='oak_containers_hello_world_untrusted_app'
+ cargo build --release --package=oak_containers_hello_world_untrusted_app
 # Oak Functions Containers entry point.
@@ -235,18 +230,21 @@ oak_functions_containers_app_bundle_tar:
 bazel build {{BAZEL_CONFIG_FLAG}} oak_functions_containers_app:bundle oak_functions_containers_app:bundle_insecure
 oak_functions_containers_launcher:
- bazel build {{BAZEL_CONFIG_FLAG}} -c opt oak_functions_containers_launcher
+ bazel build {{BAZEL_CONFIG_FLAG}} oak_functions_containers_launcher
 cp --preserve=timestamps --force \
 bazel-bin/oak_functions_containers_launcher/oak_functions_containers_launcher \
 artifacts/oak_functions_containers_launcher
 oak_functions_launcher:
- bazel build {{BAZEL_CONFIG_FLAG}} -c opt oak_functions_launcher
+ bazel build {{BAZEL_CONFIG_FLAG}} oak_functions_launcher
 cp --preserve=timestamps --force \
 bazel-bin/oak_functions_launcher/oak_functions_launcher \
 artifacts/oak_functions_launcher
-all_oak_functions_containers_binaries: stage0_bin stage1_cpio oak_containers_kernel oak_containers_system_image oak_functions_containers_app_bundle_tar oak_functions_containers_launcher oak_functions_launcher
+all_oak_functions_containers_binaries: stage0_bin stage1_cpio \
+ oak_containers_kernel oak_containers_system_image \
+ oak_functions_containers_app_bundle_tar oak_functions_containers_launcher \
+ oak_functions_launcher
 ensure_no_std package:
 RUSTFLAGS="-C target-feature=+sse,+sse2,+ssse3,+sse4.1,+sse4.2,+avx,+avx2,+rdrand,-soft-float" cargo build --target=x86_64-unknown-none --package='{{package}}'
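Review bot: `all_oak_functions_containers_binaries:` now spreads its dependency list over four lines with trailing `\`; backslash continuation is the documented form for recipe bodies, and whether the just version this repository relies on also accepts it in a recipe header is not visible here. If it does not, the whole justfile fails to parse rather than just this recipe, so confirm against the pinned just version or keep the dependency list on a single line as before. The other wrapped lines in this hunk are inside recipe bodies and are not affected.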
@@ -269,8 +267,11 @@ kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin_virtio_co
 kokoro_verify_buildconfigs:
 ./scripts/test_buildconfigs buildconfigs/*.sh
+# Builds and tests all Oak Container binaries.
 oak_containers_tests:
- bazel test {{BAZEL_CONFIG_FLAG}} //oak_containers/... //oak_containers/examples/hello_world/untrusted_app:oak_containers_hello_world_untrusted_app_tests
+ bazel test {{BAZEL_CONFIG_FLAG}} \
+ //oak_containers/... \
+ //oak_containers/examples/hello_world/untrusted_app:oak_containers_hello_world_untrusted_app_tests
 kokoro_oak_containers: stage1_cpio oak_functions_containers_app_bundle_tar oak_containers_tests containers_placer_artifacts
@@ -360,7 +361,6 @@ cargo-clippy:
 env --chdir=$(dirname "$workspace") cargo clippy --all-features --all-targets --no-deps -- --deny=warnings
 done
-
 cargo-lockfiles:
 #!/bin/sh
 echo $CARGO_LOCKFILES_LIST_CMD
@@ -391,7 +391,6 @@ cargo-udeps:
 env --chdir=$(dirname "$workspace") cargo udeps --all-targets --backend=depinfo --workspace
 done
-
 check-format:
 bazel build {{BAZEL_CONFIG_FLAG}} linter && bazel-bin/linter/linter --verbose
@@ -455,22 +454,22 @@ containers_placer_artifacts:
 cp --force --preserve=timestamps bazel-bin/oak_containers/orchestrator/bin/oak_containers_orchestrator artifacts
 cp --force --preserve=timestamps bazel-bin/oak_containers/syslogd/oak_containers_syslogd artifacts
-bazel_build_opt target:
- bazel build {{BAZEL_CONFIG_FLAG}} --compilation_mode opt --linkopt=-Wl,--strip-all "{{target}}"
-
-bazel_build_copy package target: (bazel_build_opt package+":"+target)
- cp --force --preserve=timestamps "./bazel-bin/{{package}}/{{target}}" artifacts
+bazel_build_copy package target:
+ bazel build {{BAZEL_CONFIG_FLAG}} "{{package}}:{{target}}"
+ cp --force --preserve=timestamps "bazel-bin/{{package}}/{{target}}" artifacts
 oak_containers_agent: (bazel_build_copy "oak_containers/agent" "bin/oak_containers_agent")
 oak_containers_orchestrator: (bazel_build_copy "oak_containers/orchestrator" "bin/oak_containers_orchestrator")
 oak_containers_syslogd: (bazel_build_copy "oak_containers/syslogd" "oak_containers_syslogd")
-oak_containers_system_image: (bazel_build_opt "oak_containers/system_image:oak_containers_system_image")
+oak_containers_system_image:
+ bazel build {{BAZEL_CONFIG_FLAG}} oak_containers/system_image:oak_containers_system_image
 cp --force --preserve=timestamps \
 bazel-bin/oak_containers/system_image/oak_containers_system_image.tar.xz \
 artifacts
-oak_containers_nvidia_system_image: (bazel_build_opt "oak_containers/system_image:oak_containers_nvidia_system_image")
+oak_containers_nvidia_system_image:
+ bazel build {{BAZEL_CONFIG_FLAG}} oak_containers/system_image:oak_containers_nvidia_system_image
 cp --force --preserve=timestamps \
 bazel-bin/oak_containers/system_image/oak_containers_nvidia_system_image.tar.xz \
 artifacts
diff --git a/scripts/test_buildconfigs b/scripts/test_buildconfigs
index 4fa60b2f70..c9e08a3fa1 100755
--- a/scripts/test_buildconfigs
+++ b/scripts/test_buildconfigs
@@ -7,6 +7,13 @@
 # scripts/test_buildconfigs buildconfigs/*.sh
 set -e
+export CI_JOB_TYPE=CONTINUOUS
+export RUST_BACKTRACE=1
+export RUST_LOG=debug
+export XDG_RUNTIME_DIR=/var/run
+export JUST_TIMESTAMP=true
+export JUST_TIMESTAMP_FORMAT=JUST:%H:%M:%S%.3f
+
 check_buildconfig () {
 buildconfig="$1"