treewide: Add remote execution support
This adds support for remote execution by adding a target to build
a sandbox OCI image.
Change-Id: I848f705b7ea7311e20945ee8676cc7a52c8c33aa
Reviewed-on: https://review.monogon.dev/c/monogon/+/3783
Reviewed-by: Leopold Schabel <leo@monogon.tech>
Tested-by: Jenkins CI
diff --git a/build/mirror_proxy/README.md b/build/mirror_proxy/README.md
index 55ce82c..a4b1c46 100644
--- a/build/mirror_proxy/README.md
+++ b/build/mirror_proxy/README.md
@@ -9,7 +9,7 @@
This is expected to run with a given bucket name and a hardcoded set of credentials which are used to authenticate requests. When an authenticated request is received, the mirror will download uncached data if it isn't in the cache yet. This is expected to be used by trusted users, e.g. employees.
-Users should deploy a .netrc inside their home folder based on the following template to allow bazel to authenticate against the mirror.
+There are two ways to authenticate with bazel. Either with the credential helper or a .netrc file, which a user should deploy a inside their home folder based on the following template to allow bazel to authenticate against the mirror.
`~/.netrc`
```
diff --git a/build/platforms/BUILD.bazel b/build/platforms/BUILD.bazel
index a238039..217350a 100644
--- a/build/platforms/BUILD.bazel
+++ b/build/platforms/BUILD.bazel
@@ -29,3 +29,15 @@
],
visibility = ["//visibility:public"],
)
+
+platform(
+ name = "remote_amd64",
+ constraint_values = [
+ "@platforms//cpu:x86_64",
+ "@platforms//os:linux",
+ ],
+ exec_properties = {
+ "container-image": "docker://gcr.io/monogon-infra/sandbox",
+ "OSFamily": "linux",
+ },
+)
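Review bot: The `container-image` value in `remote_amd64` names `docker://gcr.io/monogon-infra/sandbox` with neither a tag nor a digest, so remote actions run in whatever image the registry currently resolves for that name. Anyone who can push to that repository can therefore change the execution environment of every remote build without a change in this tree. Because the exec property string stays the same, previously cached action results would presumably keep being served. Pinning the reference by digest, for example `"container-image": "docker://gcr.io/monogon-infra/sandbox@sha256:<IMAGE_DIGEST_PLACEHOLDER>"`, ties the platform to one reviewed image and makes an image update a visible diff. Also worth confirming: the `remote_worker_push` target added in this commit publishes only the tag from its stamped file, so an untagged reference (usually resolved as `latest`) may not point at an image that target ever produces.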
diff --git a/build/remote_worker/BUILD.bazel b/build/remote_worker/BUILD.bazel
new file mode 100644
index 0000000..742d684
--- /dev/null
+++ b/build/remote_worker/BUILD.bazel
@@ -0,0 +1,59 @@
+load("@aspect_bazel_lib//lib:expand_template.bzl", "expand_template")
+load("@bazel_skylib//rules:write_file.bzl", "write_file")
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_mklink")
+load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
+
+# Because bazeldnf writes multiple files when using their symlink feature,
+# we have to do them manually with a second layer.
+# https://github.com/rmohr/bazeldnf/issues/88
+pkg_mklink(
+ name = "ld-link",
+ link_name = "usr/bin/ld",
+ target = "/usr/bin/ld.bfd",
+)
+
+pkg_tar(
+ name = "links",
+ srcs = [
+ ":ld-link",
+ ],
+)
+
+oci_image(
+ name = "remote_worker_image",
+ base = "@distroless_base",
+ entrypoint = [],
+ tags = ["no-remote"],
+ tars = [
+ "//third_party/sandboxroot:sandbox",
+ ":links",
+ ],
+ visibility = ["//visibility:private"],
+ workdir = "/root",
+)
+
+write_file(
+ name = "tags_tmpl",
+ out = "tags.txt.tmpl",
+ content = [
+ "BUILD_VERSION",
+ ],
+)
+
+# Use the value of --embed_label under --stamp, otherwise use a deterministic constant
+# value to ensure cache hits for actions that depend on this.
+expand_template(
+ name = "stamped",
+ out = "_stamped.tags.txt",
+ stamp_substitutions = {"BUILD_VERSION": "{{STABLE_MONOGON_metropolis_version}}"},
+ substitutions = {"BUILD_VERSION": "0.0.0"},
+ template = "tags_tmpl",
+)
+
+oci_push(
+ name = "remote_worker_push",
+ image = ":remote_worker_image",
+ remote_tags = ":stamped",
+ repository = "gcr.io/monogon-infra/sandbox",
+)
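Review bot: Without `--stamp`, `remote_worker_push` publishes to the constant tag `0.0.0` in `gcr.io/monogon-infra/sandbox`, so every unstamped run by anyone with push access overwrites the same mutable tag with whatever their workspace builds. If remote executors ever resolve the sandbox by tag, that makes an unreviewed local build the execution environment. It would help to restrict pushes to CI credentials and have consumers reference the pushed digest rather than a tag. Separately, the comment above `expand_template` mentions `--embed_label`, but the substitution reads `{{STABLE_MONOGON_metropolis_version}}` from the workspace status. A comment such as `# Under --stamp, tag with STABLE_MONOGON_metropolis_version from the workspace status; otherwise use the constant 0.0.0 so dependent actions stay cacheable.` would match the code.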