Fix reproducible builds in Docker desktop images

Signed-off-by: Pedro Pombeiro <pombeirp@users.noreply.github.com>
2019-01-23 11:11:31 +01:00 · 2019-01-23 11:11:31 +01:00 · 63b340ea33
parent b1a1317065
commit 63b340ea33
14 changed files with 115 additions and 30 deletions
--- a/ci/Jenkinsfile.android
+++ b/ci/Jenkinsfile.android
@ -2,7 +2,8 @@ pipeline {
  agent { 
    docker {
      label 'linux'
-      image 'statusteam/status-build-android:1.1.0'
+      /* WARNING: remember to keep this up-to-date with the value in docker/android/Makefile */
+      image 'statusteam/status-build-android:1.1.0-16a42e06'
      args (
        "-v /home/jenkins/tmp:/var/tmp:rw "+
        "-v /home/jenkins/status-im.keystore:/tmp/status-im.keystore:ro"
--- a/ci/Jenkinsfile.linux
+++ b/ci/Jenkinsfile.linux
@ -3,7 +3,8 @@ pipeline {
    /* privileged mode is necessary for fuse */
    docker {
      label 'linux-new'
-      image 'statusteam/status-build-linux:1.1.0'
+      /* WARNING: remember to keep this up-to-date with the value in docker/linux/Makefile */
+      image 'statusteam/status-build-linux:1.1.0-f653fffb'
      args (
        "--privileged "+
        "-v /dev/fuse:/dev/fuse "+
--- a/ci/Jenkinsfile.windows
+++ b/ci/Jenkinsfile.windows
@ -3,7 +3,8 @@ pipeline {
    /* privileged mode is necessary for fuse */
    docker {
      label 'linux-new'
-      image 'statusteam/status-build-windows:1.1.0'
+      /* WARNING: remember to keep this up-to-date with the value in docker/windows/Makefile */
+      image 'statusteam/status-build-windows:1.1.0-c37b3fa2'
      args (
        "--privileged "+
        "-v /dev/fuse:/dev/fuse "+
--- a/docker/android/Dockerfile
+++ b/docker/android/Dockerfile
@ -1,5 +1,7 @@
 # This image is only for extracting and cleaning up NDK and SDK
-FROM statusteam/status-build-base:1.1.0 AS sdk_and_ndk
+ARG BASE_IMAGE_TAG
+
+FROM statusteam/status-build-base:1.1.0-${BASE_IMAGE_TAG} AS sdk_and_ndk

 ARG ANDROID_NDK_VERSION
 ARG ANDROID_SDK_VERSION
@ -38,7 +40,7 @@ RUN cd /usr/lib/android-ndk && rm -fr docs tests samples \
 && find sources -mindepth 2 -maxdepth 2 | grep -v 'gnu-libstdc' | xargs rm -fr

 ################################################################################
-FROM statusteam/status-build-base:1.1.0
+FROM statusteam/status-build-base:1.1.0-${BASE_IMAGE_TAG}

 ARG ANDROID_NDK_VERSION
 ARG ANDROID_SDK_VERSION
--- a/docker/android/Makefile
+++ b/docker/android/Makefile
@ -17,17 +17,20 @@ SDK_PLATFORM_VERSION=$(call  __toolversion, android-sdk-platform)
 SDK_BUILD_TOOLS_VERSION=$(call  __toolversion, android-sdk-build-tools)

 # WARNING: Remember to change the tag when updating the image
-IMAGE_TAG = 1.1.0
+BASE_IMAGE_TAG = $(shell cd ../base && make get-image-tag)
+DEPS_HASH = $(shell $(GIT_ROOT)/scripts/gen-deps-hash.sh -b $(BASE_IMAGE_TAG) -d android-ndk -d android-sdk -d android-sdk-platform -d android-sdk-build-tools)
+IMAGE_TAG = 1.1.0-$(DEPS_HASH)
 IMAGE_NAME = statusteam/status-build-android:$(IMAGE_TAG)

 build: $(ANDROID_NDK_ARCHIVE) $(ANDROID_SDK_ARCHIVE)
 	docker build \
-		--build-arg="ANDROID_NDK_VERSION=$(ANDROID_NDK_VERSION)" \
-		--build-arg="ANDROID_SDK_VERSION=$(ANDROID_SDK_VERSION)" \
-		--build-arg="SDK_PLATFORM_VERSION=$(SDK_PLATFORM_VERSION)" \
-		--build-arg="SDK_BUILD_TOOLS_VERSION=$(SDK_BUILD_TOOLS_VERSION)" \
-		--label="commit=$(GIT_COMMIT)" \
-		-t $(IMAGE_NAME) .
+        --build-arg="BASE_IMAGE_TAG=$(BASE_IMAGE_TAG)" \
+        --build-arg="ANDROID_NDK_VERSION=$(ANDROID_NDK_VERSION)" \
+        --build-arg="ANDROID_SDK_VERSION=$(ANDROID_SDK_VERSION)" \
+        --build-arg="SDK_PLATFORM_VERSION=$(SDK_PLATFORM_VERSION)" \
+        --build-arg="SDK_BUILD_TOOLS_VERSION=$(SDK_BUILD_TOOLS_VERSION)" \
+        --label="commit=$(GIT_COMMIT)" \
+        -t $(IMAGE_NAME) .

 $(ANDROID_NDK_ARCHIVE):
 	wget -q "$(ANDROID_NDK_URL)" -O "$(ANDROID_NDK_ARCHIVE)"
@ -39,11 +42,11 @@ $(ANDROID_SDK_ARCHIVE):

 test: ## Run build inside the image as a test
 	docker run -u $(shell id -u):$(shell id -g) \
-		--name android-test --rm \
+        --name android-test --rm \
        --tmpfs /var/tmp:rw,size=1G,exec,mode=1777 \
-		-v $(GIT_ROOT):/repo:rw \
-		-w /repo $(IMAGE_NAME) \
-		docker/android/build.sh
+        -v $(GIT_ROOT):/repo:rw \
+        -w /repo $(IMAGE_NAME) \
+        docker/android/build.sh

 push: build
 	docker push $(IMAGE_NAME)
--- a/docker/base/Makefile
+++ b/docker/base/Makefile
@ -4,9 +4,13 @@ GIT_COMMIT = $(shell git rev-parse --short HEAD)
 GIT_ROOT = $(shell git rev-parse --show-toplevel)

 # WARNING: Remember to change the tag when updating the image
-IMAGE_TAG = 1.1.0
+DEPS_HASH = $(shell $(GIT_ROOT)/scripts/gen-deps-hash.sh -d leiningen -d node -d yarn)
+IMAGE_TAG = 1.1.0-$(DEPS_HASH)
 IMAGE_NAME = statusteam/status-build-base:$(IMAGE_TAG)

+get-image-tag:
+	@echo $(DEPS_HASH)
+
 build: nvm_install.sh
 	docker build \
 		--build-arg="LEIN_VERSION=$(call __toolversion, leiningen)" \
--- a/docker/linux/Dockerfile
+++ b/docker/linux/Dockerfile
@ -1,4 +1,6 @@
-FROM statusteam/status-build-base:1.1.0 AS qt_build
+ARG BASE_IMAGE_TAG
+
+FROM statusteam/status-build-base:1.1.0-${BASE_IMAGE_TAG} AS qt_build

 ARG QT_VERSION
 ARG RNATIVE_VERSION
@ -36,7 +38,7 @@ RUN mkdir -p /tmp/qtci \
        '.*\/(qdoc|qgltf|linguist|designer|assistant|qhelpconverter|qmlprofiler)$' -delete \
 && rm -fr ${XDG_RUNTIME_DIR}

-FROM statusteam/status-build-base:1.1.0
+FROM statusteam/status-build-base:1.1.0-${BASE_IMAGE_TAG}

 ARG QT_VERSION
 ARG CMAKE_VERSION
@ -47,7 +49,8 @@ RUN ln -s /opt/qt/mkspecs /usr/local/mkspecs \

 # We have to do this because Jenkins doesn't let us
 # https://issues.jenkins-ci.org/browse/JENKINS-49076
-ENV PATH /opt/qt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ARG NODE_VERSION
+ENV PATH=/opt/qt/bin:/home/jenkins/.nvm/versions/node/v${NODE_VERSION}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

 RUN apt-get update \
 && add-apt-repository -y ppa:git-core/ppa \
--- a/docker/linux/Makefile
+++ b/docker/linux/Makefile
@ -8,18 +8,27 @@ QT_MD5SUM  = $(call __toolversion, qt_md5)
 QT_ARCHIVE = qt-opensource-linux-x64-$(QT_VERSION).run
 QT_URL = https://download.qt.io/archive/qt

-# WARNING: Remember to change the tag when updating the image
-IMAGE_TAG = 1.1.0
+# WARNING: Remember to update `ci/Jenkinsfile.*` with the same IMAGE_TAG value
+BASE_IMAGE_TAG = $(shell cd ../base && make get-image-tag)
+DEPS_HASH = $(shell $(GIT_ROOT)/scripts/gen-deps-hash.sh -b $(BASE_IMAGE_TAG) -d cmake -d node -d qt -d qtci -d react_native_desktop)
+IMAGE_TAG = 1.1.0-$(DEPS_HASH)
 IMAGE_NAME = statusteam/status-build-linux:$(IMAGE_TAG)

 build: $(QT_ARCHIVE)
+	@ if [ "${DEPS_HASH}" = "" ]; then \
+		echo "DEPS_HASH not set"; \
+		exit 1; \
+	fi
+
 	docker build \
+		--build-arg="BASE_IMAGE_TAG=$(BASE_IMAGE_TAG)" \
+		--build-arg="NODE_VERSION=$(call __toolversion, node)" \
 		--build-arg="QT_VERSION=$(QT_VERSION)" \
 		--build-arg="QT_CI_COMMIT=$(call __toolversion, qtci)" \
 		--build-arg="RNATIVE_VERSION=$(call __toolversion, react_native_desktop)" \
 		--build-arg="CMAKE_VERSION=$(call __toolversion, cmake)" \
 		--label="commit=$(GIT_COMMIT)" \
-		-t $(IMAGE_NAME) .; \
+		-t $(IMAGE_NAME) .

 $(QT_ARCHIVE):
 	wget $(QT_URL)/$(call __major_version__, $(QT_VERSION))/$(QT_VERSION)/$(QT_ARCHIVE)
--- a/docker/windows/Dockerfile
+++ b/docker/windows/Dockerfile
@ -1,4 +1,6 @@
-FROM statusteam/status-build-base:1.1.0
+ARG BASE_IMAGE_TAG
+
+FROM statusteam/status-build-base:1.1.0-${BASE_IMAGE_TAG}

 ARG RNATIVE_VERSION
 ARG CONAN_VERSION
--- a/docker/windows/Makefile
+++ b/docker/windows/Makefile
@ -3,17 +3,25 @@ __toolversion = $(shell $(GIT_ROOT)/scripts/toolversion $(1))
 GIT_COMMIT = $(shell git rev-parse --short HEAD)
 GIT_ROOT = $(shell git rev-parse --show-toplevel)

-# WARNING: Remember to change the tag when updating the image
-IMAGE_TAG = 1.1.0
+# WARNING: Remember to update `ci/Jenkinsfile.*` with the same IMAGE_TAG value
+BASE_IMAGE_TAG = $(shell cd ../base && make get-image-tag)
+DEPS_HASH = $(shell $(GIT_ROOT)/scripts/gen-deps-hash.sh -b $(BASE_IMAGE_TAG) -d cmake -d conan -d react_native_desktop)
+IMAGE_TAG = 1.1.0-$(DEPS_HASH)
 IMAGE_NAME = statusteam/status-build-windows:$(IMAGE_TAG)

 build:
+	@ if [ "${DEPS_HASH}" = "" ]; then \
+		echo "DEPS_HASH not set"; \
+		exit 1; \
+	fi
+
 	docker build \
+		--build-arg="BASE_IMAGE_TAG=$(BASE_IMAGE_TAG)" \
 		--build-arg="RNATIVE_VERSION=$(call __toolversion, react_native_desktop)" \
 		--build-arg="CONAN_VERSION=$(call __toolversion, conan)" \
 		--build-arg="CMAKE_VERSION=$(call __toolversion, cmake)" \
 		--label="commit=$(GIT_COMMIT)" \
-		-t $(IMAGE_NAME) .; \
+		-t $(IMAGE_NAME) .

 push: build
 	docker push $(IMAGE_NAME)
--- a/scripts/gen-deps-hash.sh
+++ b/scripts/gen-deps-hash.sh
@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+################################################################################
+# This tool fetches versions of build tools from the .TOOLVERSIONS
+# file in project root and calculates a single hash that represents
+# the combined versions of all the specified tools.
+################################################################################
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+toolversion="${GIT_ROOT}/scripts/toolversion"
+
+usage () {
+  echo "Usage: gen-deps-hash [-b <base_hash>] -d <dep-name-1> [-d <dep-name-n>]" >&2
+  echo
+  echo "This script calculates a hash representing the required versions of the specified tools"
+  exit 0
+}
+
+# some options parsing
+deps=()
+while getopts "hb:d:" opt; do
+  case $opt in
+    b) base_hash="$OPTARG";;
+    d)
+      version=$($toolversion "$OPTARG")
+      if [ $? -ne 0 ]; then
+        echo "ERROR: $OPTARG not found in .TOOLVERSIONS"
+        exit 1
+      fi
+      deps+=("$OPTARG $version")
+      ;;
+    h)  usage;;
+    \?) echo "Invalid option: -$OPTARG" >&2; exit 1;;
+  esac
+done
+
+if [ ${#deps[@]} -eq 0 ]; then
+  echo "ERROR: No dependencies specified"
+  echo
+  usage
+fi
+
+IFS=$'\n' sorted_deps=($(sort <<<"${deps[*]}"))
+unset IFS
+
+hash=$(echo "${base_hash}${sorted_deps[@]}" | md5sum | cut -f1 -d" ")
+echo "${hash:0:8}"
--- a/scripts/prepare-for-platform.sh
+++ b/scripts/prepare-for-platform.sh
@ -1,5 +1,7 @@
 #!/bin/bash

+set -e
+
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
--- a/scripts/run-environment-check.sh
+++ b/scripts/run-environment-check.sh
@ -56,7 +56,7 @@ fi

 if [[ $PLATFORM == 'android' ]]; then
  _localPropertiesPath=./android/local.properties
-  if ! grep -Fq "ndk.dir" $_localPropertiesPath; then
+  if ! grep -Fq "ndk.dir" $_localPropertiesPath > /dev/null; then
    if [ -z $ANDROID_NDK_HOME ]; then
      echo -e "${GREEN}NDK directory not configured, please run 'make setup' or add the line to ${_localPropertiesPath}!${NC}"
      exit 1
--- a/scripts/toolversion
+++ b/scripts/toolversion
@ -14,7 +14,7 @@ TOOL_VERSIONS_FILE="${GIT_ROOT}/.TOOLVERSIONS"
 usage () {
  echo "Usage: toolversion [-c] <name>" >&2
  echo
-  echo "This script extract tooling versions from ${TOOL_VERSIONS_FILE}"
+  echo "This script extracts tooling versions from ${TOOL_VERSIONS_FILE}"
  exit 0
 }

@ -33,7 +33,9 @@ if [[ -z "${1}" ]]; then usage; fi
 NAME=${1}

 getColumn () {
-    awk -F';' "/^${NAME};/{print \$${1}}" "${TOOL_VERSIONS_FILE}"
+    local out=$(awk -F';' "/^${NAME};/{print \$${1}}" "${TOOL_VERSIONS_FILE}")
+    [ -z "$out" ] && exit 1
+    echo "$out"
 }

 if [[ $CHECKSUM ]]; then