adding custom docker image stuff #2254

Merged
mfreeman451 merged 26 commits from refs/pull/2254/head into main 2025-10-01 16:34:02 +00:00
mfreeman451 commented 2025-09-30 03:31:28 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1675
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1675
Original created: 2025-09-30T03:31:28Z
Original updated: 2025-10-01T16:34:08Z
Original head: carverauto/serviceradar:bazel/custom_rbe_executor_image
Original base: main
Original merged: 2025-10-01T16:34:02Z by @mfreeman451

PR Type

Enhancement


Description

  • Add custom RBE executor Docker image with OCaml/opam

  • Configure Bazel remote build platform for custom image

  • Set up GitHub Actions workflow for image building

  • Update Bazel configuration to use custom platform


Diagram Walkthrough

flowchart LR
  A["Dockerfile.rbe"] --> B["Custom RBE Image"]
  B --> C["GitHub Container Registry"]
  D["BUILD file"] --> E["Bazel Platform Definition"]
  E --> F[".bazelrc Configuration"]
  G["GitHub Workflow"] --> C
  F --> H["Remote Build Execution"]

File Walkthrough

Relevant files
Configuration changes
.bazelrc
Configure Bazel for custom RBE platform                                   

.bazelrc

  • Update remote build platform references from
    @buildbuddy_toolchain//:platform to //docker:rbe_platform
+2/-2     
Enhancement
build-rbe-image.yml
Add RBE image build workflow                                                         

.github/workflows/build-rbe-image.yml

  • Add GitHub Actions workflow to build and push RBE Docker image
  • Configure triggers for main branch pushes and PR changes
  • Set up Docker Buildx with GitHub Container Registry publishing
+62/-0   
BUILD
Define custom RBE platform configuration                                 

docker/BUILD

  • Define custom Bazel platform rbe_platform for remote execution
  • Configure platform with Linux x86_64 constraints and clang toolchain
  • Set container image to custom GitHub Container Registry image
+17/-0   
Dockerfile.rbe
Add custom RBE Docker image                                                           

docker/Dockerfile.rbe

  • Create custom RBE executor image based on Oracle Linux 9 with OCaml
    5.2
  • Install build dependencies and opam 2.4.1
  • Configure OCaml packages including dune, lwt, and dream
  • Set up hermetic build environment for BuildBuddy RBE
+76/-0   

qodo-code-review[bot] commented 2025-09-30 03:32:08 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1675#issuecomment-3349808742
Original created: 2025-09-30T03:32:08Z

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Supply chain and token scope:
The workflow logs into GHCR using GITHUB_TOKEN and pulls curl binaries over HTTPS. While acceptable, consider verifying downloads (checksum/signature) for the opam binary to prevent tampering, and ensure the GITHUB_TOKEN has least-privilege scopes for package write only.

⚡ Recommended focus areas for review

Platform Consistency

Verify that the custom platform label //docker:rbe_platform is published and available in all CI and developer environments using the remote config; otherwise remote builds may fail if the target does not exist or visibility is restricted.

build:remote --host_platform=//docker:rbe_platform
build:remote --platforms=//docker:rbe_platform
Exec Properties

Confirm that the container-image and dockerNetwork exec properties match the RBE executor’s expected property keys for your remote backend; mismatches are silently ignored, causing the default image/networking to be used.

exec_properties = {
    "OSFamily": "Linux",
    "dockerNetwork": "off",
    "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor:latest",
},
Determinism and Caching

The image uses latest opam repo state and installs packages without pinning exact versions; this can cause non-reproducible builds and cache invalidations. Consider pinning commits or using lockfiles.

# Update opam repository and install required OCaml packages
RUN opam update \
    && git -C /home/opam/opam-repository fetch --depth=1 origin master \
    && git -C /home/opam/opam-repository reset --hard origin/master \
    && opam update \
    && opam remove -y mirage-crypto mirage-crypto-rng mirage-crypto-rng-lwt tls tls-lwt x509 || true

RUN eval $(opam env) \
    && opam install -y \
        dune \
        menhir \
        yojson \
        ppx_deriving \
        lwt \
        lwt_ppx \
        dream.1.0.0~alpha7 \
    && opam clean -a -c
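To make the "least-privilege scopes" point above concrete, here is an added example of how a GHCR publishing workflow can be scoped; it is not the project's own build-rbe-image.yml. The action versions, the trigger set and the `main-` tag prefix are assumptions.

```yaml
# Added example, not the project's .github/workflows/build-rbe-image.yml.
# Shows a least-privilege GITHUB_TOKEN and an immutable commit-based tag
# published next to the mutable 'latest' one. Action versions are assumed.
name: build-rbe-image

on:
  push:
    branches: [main]
  pull_request:

# Weak default: a workflow with no 'permissions:' block inherits the
# repository default, which may be read/write on every scope. Declare only
# what this job needs: read the checkout, write the package.
permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # GITHUB_TOKEN is minted per job and expires with it, so no
      # long-lived PAT is stored for GHCR. Skip login on pull requests:
      # fork PRs get a read-only token and the push is disabled below.
      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Emit an immutable commit-based tag alongside 'latest' so that
      # docker/BUILD can pin to rbe-executor:main-<full sha> (prefix assumed).
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/carverauto/serviceradar/rbe-executor
          tags: |
            type=sha,format=long,prefix=main-
            type=raw,value=latest,enable={{is_default_branch}}

      - uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/Dockerfile.rbe
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

The image digest printed by build-push-action in the job log is the value to record if the platform definition is later pinned by `@sha256:` rather than by tag.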
qodo-code-review[bot] commented 2025-09-30 03:33:18 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1675#issuecomment-3349810803
Original created: 2025-09-30T03:33:18Z

PR Code Suggestions

Explore these optional code suggestions:

Category | Suggestion | Impact
High-level
Use immutable tags for RBE image

The docker/BUILD file hardcodes the mutable :latest tag for the RBE container
image, which harms build reproducibility. It is recommended to use an immutable
tag, like a git commit SHA, and automate the update of this tag in the build
configuration.

Examples:

docker/BUILD [14]
        "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor:latest",
.github/workflows/build-rbe-image.yml [50]
            type=raw,value=latest,enable={{is_default_branch}}

Solution Walkthrough:

Before:

# docker/BUILD
platform(
    name = "rbe_platform",
    exec_properties = {
        "container-image": "docker://ghcr.io/.../rbe-executor:latest",
    },
    ...
)

# .github/workflows/build-rbe-image.yml
# on: push to main
# ...
# steps:
# - build and push docker image with tag 'latest'

After:

# docker/BUILD
platform(
    name = "rbe_platform",
    exec_properties = {
        "container-image": "docker://ghcr.io/.../rbe-executor:sha-abcdef",
    },
    ...
)

# .github/workflows/build-rbe-image.yml
# on: push to main
# ...
# steps:
# - build and push docker image with git SHA tag
# - (new step) create a commit/PR to update docker/BUILD 
#   with the new image tag

Suggestion importance[1-10]: 9

__

Why: This suggestion correctly identifies a critical design flaw where using the mutable :latest tag for the RBE image in docker/BUILD undermines build reproducibility, a core principle for reliable build systems.

High
Security
Verify checksum of downloaded binary

Add a step to verify the checksum of the downloaded opam binary to ensure its
integrity and prevent potential execution of malicious code.

docker/Dockerfile.rbe [37-40]

-RUN curl -fsSL https://github.com/ocaml/opam/releases/download/2.4.1/opam-2.4.1-x86_64-linux \
-        -o /usr/local/bin/opam \
-    && chmod +x /usr/local/bin/opam \
-    && opam --version
+RUN set -eux; \
+    OPAM_VERSION="2.4.1"; \
+    OPAM_CHECKSUM="e432b36f72bdc953534a62a74b43c683b6e8b51333a3a3a1f1b409b889341295"; \
+    OPAM_URL="https://github.com/ocaml/opam/releases/download/${OPAM_VERSION}/opam-${OPAM_VERSION}-x86_64-linux"; \
+    curl -fsSL "${OPAM_URL}" -o /usr/local/bin/opam; \
+    echo "${OPAM_CHECKSUM}  /usr/local/bin/opam" | sha256sum -c -; \
+    chmod +x /usr/local/bin/opam; \
+    opam --version
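Review bot: the `OPAM_CHECKSUM` literal on the third added line is only as trustworthy as where it came from; before applying, confirm it against the checksum published with the opam 2.4.1 release on github.com/ocaml/opam rather than accepting a generated value, because a wrong or invented digest either breaks every build or, worse, gives a false sense of verification. The ordering is right and should be kept as written: `sha256sum -c -` runs before `chmod +x`, so a file that fails the check is never made executable, and `set -eux` ensures the failing pipeline aborts the layer.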
Suggestion importance[1-10]: 9

__

Why: This suggestion addresses a significant security risk by recommending checksum verification for a downloaded executable, which is a critical practice to prevent supply chain attacks.

High
Possible issue
Improve Dockerfile for build reproducibility

To improve build reproducibility and error handling in the Dockerfile, pin the
opam-repository to a specific commit, remove the redundant opam update, and move
the opam remove command with || true to a separate RUN step.

docker/Dockerfile.rbe [48-52]

+# Pin opam-repository to a specific commit for reproducible builds
+ARG OPAM_REPO_COMMIT=a6521575232906237a6121a3030263c388965d22
 RUN opam update \
-    && git -C /home/opam/opam-repository fetch --depth=1 origin master \
-    && git -C /home/opam/opam-repository reset --hard origin/master \
-    && opam update \
-    && opam remove -y mirage-crypto mirage-crypto-rng mirage-crypto-rng-lwt tls tls-lwt x509 || true
+    && git -C /home/opam/opam-repository fetch --depth=1 origin ${OPAM_REPO_COMMIT} \
+    && git -C /home/opam/opam-repository reset --hard ${OPAM_REPO_COMMIT} \
+    && opam update
 
+# This command might fail if packages are not installed; run it separately.
+RUN opam remove -y mirage-crypto mirage-crypto-rng mirage-crypto-rng-lwt tls tls-lwt x509 || true
+
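Review bot: the unchanged first line `RUN opam update \` is the redundant update the suggestion text says it removes; it runs against the unpinned checkout before the `reset --hard`, so drop it and keep only the `opam update` that follows the reset. The `OPAM_REPO_COMMIT` default must be a real, full commit id from ocaml/opam-repository (verify it exists before merging), since `git fetch --depth=1 origin ${OPAM_REPO_COMMIT}` fails on an unknown object. Moving `opam remove ... || true` into its own `RUN` still hides every failure of that step; guarding it with `opam list --installed` on the affected packages would let genuine removal errors surface while keeping the "not installed" case quiet.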
Suggestion importance[1-10]: 8

__

Why: The suggestion correctly identifies multiple issues that harm build reproducibility and mask potential errors, offering a robust solution that significantly improves the reliability of the Docker image build.

Medium
Pin container image to an immutable tag
Suggestion Impact: The commit changed the container image from :latest to a specific version tag (v1.0.3), pinning the image instead of using latest.

code diff:

-        "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor:latest",
+        "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor:v1.0.3",
     },
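Review bot: `v1.0.3` is a tag, so it is still mutable in GHCR: anyone with package write access can re-push it and every remote build silently picks up the new content, which is the same failure mode as `:latest` with a slower clock. If immutability is the goal, pin the platform to the image digest (`rbe-executor@sha256:<digest>`) and keep the version tag as documentation, or at least record the digest next to the tag so drift can be detected.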

Replace the :latest tag for the RBE container image with an immutable tag, such
as one based on a Git commit SHA, to ensure build reproducibility.

docker/BUILD [14]

-"container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor:latest",
+"container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor:main-SOME_COMMIT_SHA", # TODO: Pin to a specific, immutable image tag/digest

[Suggestion processed]

Suggestion importance[1-10]: 7

__

Why: The suggestion correctly identifies that using the :latest tag undermines build reproducibility, which is a critical best practice for the CI/CD infrastructure being introduced.

Medium