scionproto · katyatitkova · Oct 15, 2024 · Feb 20, 2025 · Feb 24, 2025 · Feb 24, 2025
diff --git a/.bazelrc b/.bazelrc
@@ -26,7 +26,7 @@ build --define gotags=sqlite_modernc,netgo
 build:osx --define gotags=sqlite_modernc
 
 ### options for test
-test --build_tests_only --print_relative_test_log_paths --test_output=errors --nobuild_python_zip
+test --build_tests_only --print_relative_test_log_paths --test_output=errors --nobuild_python_zip --spawn_strategy=remote,worker,processwrapper-sandbox,local
 
 ### predefined configurations (use with --config, eg. `bazel test --config=unit_all`)
 test:race --@io_bazel_rules_go//go/config:race

diff --git a/.buildkite/provision-agent.sh b/.buildkite/provision-agent.sh
@@ -5,9 +5,9 @@ set -euo pipefail
 # The installation scripts are no-ops when nothing has changed.
 # To circumvent running any checks (and cluttering the output), we only
 # rerun the scripts if any of them have changed since the last run.
-if sha1sum --check /tmp/buildkite-scionproto-runner-provision.sum --status; then
-  exit 0
-fi
+#if sha1sum --check /tmp/buildkite-scionproto-runner-provision.sum --status; then
+#  exit 0
+#fi
 
 echo "~~~ Install build tools"
 tools/install_bazel

diff --git a/WORKSPACE b/WORKSPACE
@@ -182,28 +182,27 @@ oci_pull(
 
 # Debian packaging
 http_archive(
-    name = "rules_debian_packages",
-    sha256 = "0ae3b332f9d894e57693ce900769d2bd1b693e1f5ea1d9cdd82fa4479c93bcc8",
-    strip_prefix = "rules_debian_packages-0.2.0",
-    url = "https://github.com/bazel-contrib/rules_debian_packages/releases/download/v0.2.0/rules_debian_packages-v0.2.0.tar.gz",
+    name = "rules_distroless",
+    sha256 = "6d1d739617e48fc3579781e694d3fabb08fc6c9300510982c01882732c775b8e",
+    strip_prefix = "rules_distroless-0.3.8",
+    url = "https://github.com/GoogleContainerTools/rules_distroless/releases/download/v0.3.8/rules_distroless-v0.3.8.tar.gz",
 )
 
-load("@rules_debian_packages//debian_packages:repositories.bzl", "rules_debian_packages_dependencies")
+load("@rules_distroless//distroless:dependencies.bzl", "distroless_dependencies")
 
-rules_debian_packages_dependencies(python_interpreter_target = python_interpreter)
+distroless_dependencies()
 
-load("@rules_debian_packages//debian_packages:defs.bzl", "debian_packages_repository")
+load("@rules_distroless//distroless:toolchains.bzl", "distroless_register_toolchains")
 
-debian_packages_repository(
-    name = "tester_debian10_packages",
-    default_arch = "amd64",
-    default_distro = "debian10",
-    lock_file = "//docker:tester_packages.lock",
-)
+distroless_register_toolchains()
+
+load("//docker:tester.bzl", "declare_tester_deb")
+
+declare_tester_deb()
 
-load("@tester_debian10_packages//:packages.bzl", tester_debian_packages_install_deps = "install_deps")
+load("@tester_deb//:packages.bzl", "tester_deb_packages")
 
-tester_debian_packages_install_deps()
+tester_deb_packages()
 
 # RPM packaging
 load("@rules_pkg//toolchains/rpm:rpmbuild_configure.bzl", "find_system_rpmbuild")

diff --git a/acceptance/cert_renewal/test.py b/acceptance/cert_renewal/test.py
@@ -120,7 +120,7 @@ def read_file(filename: str) -> str:
             "--trc",
             docker_dir / "certs/ISD1-B1-S1.trc",
             "--sciond",
-            self.execute_tester(isd_as, "sh", "-c",
+            self.execute_tester(isd_as, "bash", "-c",
                                 "echo $SCION_DAEMON").strip(),
             *self._local_flags(isd_as),
         ]
@@ -215,7 +215,7 @@ def _cs_configs(self) -> List[pathlib.Path]:
     def _local_flags(self, isd_as: ISD_AS) -> List[str]:
         return [
             "--local",
-            self.execute_tester(isd_as, "sh", "-c",
+            self.execute_tester(isd_as, "bash", "-c",
                                 "echo $SCION_LOCAL_ADDR").strip(),
         ]
 

diff --git a/docker/BUILD.bazel b/docker/BUILD.bazel
@@ -1,4 +1,3 @@
-load("@rules_debian_packages//debian_packages:defs.bzl", "debian_packages_lockfile")
 load(":scion_app.bzl", "scion_app_base", "scion_app_image")
 load(":tester.bzl", "scion_tester_image")
 load(":labels.bzl", "scion_labels")
@@ -77,20 +76,4 @@ scion_app_image(
     entrypoint = ["/app/gateway"],
 )
 
-### Tester image with more tools for scripting in integration tests
-# This is a debian image with additional packages installed. The
-# packages are added to the image as layers created with
-# rules_debian_packages.
-#
-# Generate lockfile with:
-# bazel run //docker:tester_debian_packages.generate
-# Update snapshots with:
-# bazel run //docker:tester_debian_packages.update
-debian_packages_lockfile(
-    name = "tester_debian10_packages",
-    lock_file = "tester_packages.lock",
-    packages_file = "tester_packages.yaml",
-    snapshots_file = "tester_snapshots.yaml",
-)
-
 scion_tester_image()
diff --git a/docker/tester.bzl b/docker/tester.bzl
@@ -1,25 +1,61 @@
+load("@aspect_bazel_lib//lib:tar.bzl", "tar")
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
+load("@rules_distroless//apt:index.bzl", "deb_index")
 load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball")
 load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
-load("@tester_debian10_packages//:packages.bzl", "debian_package_layer")
+
+# NOTE: This list needs to be in-sync with tester_deb.yaml
+# We could potentially generate this with a buildozer rule if it becomes
+# too cumbersome to maintain.
+PACKAGES = [
+    "@tester_deb//bash",
+    "@tester_deb//bridge-utils",
+    "@tester_deb//iperf3",
+    "@tester_deb//iproute2",
+    "@tester_deb//iptables",
+    "@tester_deb//iputils-ping",
+    "@tester_deb//net-tools",
+    "@tester_deb//netcat-openbsd",
+    "@tester_deb//openssh-client",
+    "@tester_deb//openssh-server",
+    "@tester_deb//procps",
+    "@tester_deb//rsync",
+    "@tester_deb//telnet",
+    "@tester_deb//tshark",
+    "@tester_deb//wget",
+]
+
+def declare_tester_deb():
+    deb_index(
+        name = "tester_deb",
+        lock = "//docker:tester_deb.lock.json",
+        manifest = "//docker:tester_deb.yaml",
+    )
 
 def scion_tester_image():
+    # Required to avoid https://github.com/GoogleContainerTools/rules_distroless/issues/36
     pkg_tar(
-        name = "tester_layer_packages",
+        name = "tester_layer_deb",
         deps = [
-            debian_package_layer("bridge-utils"),
-            debian_package_layer("iperf3"),
-            debian_package_layer("iptables"),
-            debian_package_layer("netcat-openbsd"),
-            debian_package_layer("openssh-server"),
-            debian_package_layer("openssh-client"),
-            debian_package_layer("procps"),
-            debian_package_layer("telnet"),
-            debian_package_layer("tshark"),
-            debian_package_layer("wget"),
+            "%s/amd64" % package
+            for package in PACKAGES
+        ],
+    )
+
+    tar(
+        name = "tester_layer_sh_symlink",
+        mtree = [
+            "./usr/bin/sh type=link link=/usr/bin/bash",
+            "./bin type=link link=/usr/bin mode=0777 uid=0 gid=0",
         ],
     )
 
+    remap_deb_tars(
+        name = "tester_layer_deb_remapped",
+        src = "tester_layer_deb",
+        out = "tester_layer_deb_remapped.tar",
+    )
+
     pkg_tar(
         name = "tester_layer_bin",
         srcs = [
@@ -54,7 +90,8 @@ def scion_tester_image():
         workdir = "/share",
         cmd = ["tail", "-f", "/dev/null"],
         tars = [
-            ":tester_layer_packages",
+            ":tester_layer_deb_remapped",
+            ":tester_layer_sh_symlink",
             ":tester_layer_share",
             ":tester_layer_tools_integration",
             ":tester_layer_bin",
@@ -76,3 +113,34 @@ def scion_tester_image():
         out = "tester.tar",
         visibility = ["//visibility:public"],
     )
+
+def remap_deb_tars(name, src, out):
+    # The tars created by rules_distroless have proper directories instead of symlinks
+    # which overwrite the symlinks in the base image. This will result in a broken image.
+    # To counter this, we move the contents of the supposedly symlinked sources to the
+    # symlink target directories, remove the source directories and create symlinks to the
+    # target directories.
+    #
+    # See: https://github.com/GoogleContainerTools/rules_distroless/issues/53
+    native.genrule(
+        name = name,
+        srcs = [src],
+        outs = [out],
+        cmd = " ; ".join([
+            "SCRATCH=$$(mktemp -d )",
+            "REALOUT=$$(realpath $@)",
+            "mkdir -p $$SCRATCH/bundle",
+            "echo $$SCRATCH/bundle",
+            "tar -xf $(location " + src + ") -C $$SCRATCH/bundle",
+            "cd $$SCRATCH/bundle",
+            "[ -e bin ] && rsync -av bin/ usr/bin/ && rm -rf bin && ln -s /usr/bin bin || true",
+            "ls bin",
+            "[ -e sbin ] && rsync -av sbin/ usr/sbin/ && rm -rf sbin && ln -s /usr/sbin sbin || true",
+            "[ -e lib ] && rsync -av lib/ usr/lib/ && rm -rf lib && ln -s /usr/lib lib || true",
+            "[ -e lib64 ] && rsync -av lib64/ usr/lib64/ && rm -rf lib64 && ln -s /usr/lib64 lib64 || true",
+            "[ -e var/run ] && rsync -av var/run/ run/ && rm -rf var/run && ln -s /run var/run || true",
+            "[ -e var/lock ] && rsync -av var/lock/ run/lock/ && rm -rf var/lock && ln -s /run/lock var/lock || true",
+            "tar --sort=name --owner=root:0 --group=root:0 --mtime='UTC 2019-01-01' -cf $$REALOUT .",
+            "rm -rf $$SCRATCH",
+        ]),
+    )