From 7fe0e780cf4278feccd78290e7d6638e3ac4f79b Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Fri, 18 Jan 2019 16:03:46 +0000 Subject: [PATCH] Build zuul containers with dockerfile not pbrx While pbrx is nice and all, it's quite the divergence from how the rest of the container ecosystem works. Switch to using Dockerfile and the python-builder image. Bind mount ld.so.cache into bwrap context When using images based on the python:slim base image, python is installed in /usr/local and the linker needs to know to look in /usr/local/lib for shared libraries. Depends-On: https://review.openstack.org/632187 Change-Id: I84f6dd2a8e3222f7807103dcbb61bdadedfdd22d --- .zuul.yaml | 115 ++++++++++++++++++++++++++--- Dockerfile | 53 +++++++++++++ playbooks/quick-start/main.yaml | 2 + playbooks/quick-start/run.yaml | 11 +-- zuul/driver/bubblewrap/__init__.py | 1 + 5 files changed, 161 insertions(+), 21 deletions(-) create mode 100644 Dockerfile diff --git a/.zuul.yaml b/.zuul.yaml index 87d2a59f4e..693385cc0f 100644 --- a/.zuul.yaml +++ b/.zuul.yaml 
@@ -65,11 +65,109 @@ post-run: playbooks/quick-start/post.yaml roles: - zuul: openstack-infra/zuul-jobs + vars: + docker_images: + - context: . + repository: zuul/zuul + target: zuul + - context: . + repository: zuul/zuul-executor + target: zuul-executor + - context: . + repository: zuul/zuul-fingergw + target: zuul-fingergw + - context: . + repository: zuul/zuul-merger + target: zuul-merger + - context: . + repository: zuul/zuul-scheduler + target: zuul-scheduler + - context: . + repository: zuul/zuul-web + target: zuul-web + - context: ../nodepool + repository: zuul/nodepool + target: nodepool + - context: ../nodepool + repository: zuul/nodepool-launcher + target: nodepool-launcher + - context: ../nodepool + repository: zuul/nodepool-builder + target: nodepool-builder required-projects: - - openstack/pbrx - openstack-infra/nodepool - openstack-infra/zuul +# Image building jobs +- secret: + name: zuul-dockerhub + data: + username: zuulzuul + password: !encrypted/pkcs1-oaep + - DFlbrDM5eUMptMGIVMXV1g455xOJLi92UYF08Z2/JlIGu3t6v052o9FKlVyj1ZmpXs5+2 + JTa5jHkLTvTsYs9fCaNcQc2nmViCyWNlbOMzjB17uiZOaYFNs1sMqZcUZbGEz7Y8ds6Qq + NBXI10jWFPTah4QxUuBvUbT3vmjnUToCzexl5ZGhKgijcnROWfUsnlCdugpgoNIcPsUki + zty5FotDihnrC8n8vIomVK6EClY38ty97pLrADzFDd+Cos/OUlvi2xooUhzx8Bn020rJA + lqEU5v8LGXp5QkHx0MSDx6JY6KppJ/4p/yM+4By6l+A20zdcimxmgiNc9rMWPwDj7xsao + m7NAZWmWqOO0Xkhgt6WOfugwgt9X46sgs2+yDEfbnI5ok8uRbAB/4FWj/KdpyXwhcf+O2 + wEfhxLwDbAoGONQPjb4YcZmCXtmR7Qe5t+n2jyczWXvrbaBDUQP5a+YtVNN/xhmQ7D740 + POlxv7bLxJAixzqaQ3d8Rz9ZEv6zzRuhWph32UQtZ1JxSNww+EvmXm2eEi2Q2z6pT1Cx/ + j2OrFyA2GL/UJOVb15VHKF6bgHPHWJtpjPFhqdcvBhVute4BWB+KPcWH+y+apHN1enK3H + tNJO9iqm34nKwSuj5ExmFw50LtwR5/9FyRuRPq/vBL+8y82v8FDmeYsBeobn5M= + +- job: + name: zuul-build-image + parent: build-docker-image + description: Build Docker images. + allowed-projects: openstack-infra/zuul + vars: &zuul_image_vars + docker_images: + - context: . + repository: zuul/zuul-base + target: zuul-base + - context: . 
+ repository: zuul/zuul + target: zuul + - context: . + repository: zuul/zuul-executor + target: zuul-executor + - context: . + repository: zuul/zuul-fingergw + target: zuul-fingergw + - context: . + repository: zuul/zuul-merger + target: zuul-merger + - context: . + repository: zuul/zuul-scheduler + target: zuul-scheduler + - context: . + repository: zuul/zuul-web + target: zuul-web + +- job: + name: zuul-upload-image + parent: upload-docker-image + description: Build Docker images and upload to Docker Hub. + allowed-projects: openstack-infra/zuul + secrets: + name: docker_credentials + secret: zuul-dockerhub + pass-to-parent: true + vars: *zuul_image_vars + +- job: + name: zuul-promote-image + parent: promote-docker-image + description: Promote previously uploaded Docker images. + allowed-projects: openstack-infra/zuul + secrets: + name: docker_credentials + secret: zuul-dockerhub + pass-to-parent: true + nodeset: + nodes: [] + vars: *zuul_image_vars + - project: check: jobs: @@ -100,11 +198,9 @@ - zuul-stream-functional - zuul-tox-remote - zuul-quick-start - - pbrx-build-container-images: - vars: - pbrx_prefix: zuul - nodepool-zuul-functional: voting: false + - zuul-build-image gate: jobs: - tox-docs @@ -133,9 +229,7 @@ - zuul-stream-functional - zuul-tox-remote - zuul-quick-start - - pbrx-build-container-images: - vars: - pbrx_prefix: zuul + - zuul-upload-image post: jobs: - publish-zuul-docs @@ -145,10 +239,9 @@ node_version: 8 zuul_work_dir: "{{ zuul.project.src_dir }}/web" create_tarball_directory: build - - openstackzuul-pbrx-push-container-images: - vars: - pbrx_prefix: zuul - + promote: + jobs: + - zuul-promote-image release: jobs: - release-zuul-python diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000000..4031bf5285 --- /dev/null +++ b/Dockerfile 
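Review bot: The `zuul-upload-image` and `zuul-promote-image` jobs in the `@@ -65,11 +65,109 @@` hunk of `.zuul.yaml` hand the `zuul-dockerhub` secret to their parents with `pass-to-parent: true`, so the Docker Hub password is decrypted for the playbooks of `upload-docker-image` and `promote-docker-image`, which are not defined in this file, and nothing near the secret records that. I would add a comment above `- secret:` such as `# Docker Hub push credential; exposed to the parent job playbooks via pass-to-parent, keep these jobs out of pre-review pipelines`. `allowed-projects` already limits which project may run the two jobs, and the later hunks attach them only to `gate` and `promote`; writing that intent next to the secret keeps a later edit from moving `zuul-upload-image` into `check`. A smaller point in the same hunk: the `docker_images` list added under the `vars` of the job whose definition starts above the hunk repeats six entries of `&zuul_image_vars` by hand, so the two lists can drift apart.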
@@ -0,0 +1,53 @@
+# Copyright (c) 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM opendevorg/python-builder as builder
+
+COPY . /tmp/src
+RUN /tmp/src/tools/install-js-tools.sh
+RUN assemble
+
+FROM opendevorg/python-base as zuul-base
+
+COPY --from=builder /output/ /output
+RUN echo "deb http://ftp.debian.org/debian stretch-backports main" >> /etc/apt/sources.list \
+ && apt-get update \
+ && apt-get install -t stretch-backports -y bubblewrap \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+RUN /output/install-from-bindep \
+ && pip install --cache-dir=/output/wheels -r /output/zuul_base/requirements.txt \
+ && rm -rf /output
+
+FROM zuul-base as zuul
+CMD ["/usr/local/bin/zuul"]
+
+FROM zuul-base as zuul-executor
+COPY --from=builder /output/ /output
+RUN pip install --cache-dir=/output/wheels -r /output/zuul_executor/requirements.txt \
+ && rm -rf /output
+CMD ["/usr/local/bin/zuul-executor"]
+
+FROM zuul-base as zuul-fingergw
+CMD ["/usr/local/bin/zuul-fingergw"]
+
+FROM zuul-base as zuul-merger
+CMD ["/usr/local/bin/zuul-merger"]
+
+FROM zuul-base as zuul-scheduler
+CMD ["/usr/local/bin/zuul-scheduler"]
+
+FROM zuul-base as zuul-web
+CMD ["/usr/local/bin/zuul-web"]
diff --git a/playbooks/quick-start/main.yaml b/playbooks/quick-start/main.yaml
index de8177eb35..4aeb1e7f54 100644
--- a/playbooks/quick-start/main.yaml
+++ b/playbooks/quick-start/main.yaml
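Review bot: In the new `Dockerfile`, `FROM opendevorg/python-builder as builder` and `FROM opendevorg/python-base as zuul-base` carry no tag or digest, so each build takes whatever `latest` points to at that moment and the images published by `zuul-upload-image` inherit upstream changes that nobody reviewed. Pinning both by digest, for example `FROM opendevorg/python-base@sha256:<DIGEST-PLACEHOLDER> as zuul-base`, makes the base image an explicit input that a change has to touch. None of the final stages sets `USER`, so the services start as root unless the base image, which is not visible here, already drops privileges; if the executor needs that for bubblewrap, a comment above its stage should say so. The `stretch-backports` source is added over plain `http://`; apt still verifies signed metadata, but an `https://` mirror avoids exposing the package list to the network path.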
@@ -9,6 +9,8 @@ shell: cmd: docker-compose up -d chdir: ../../doc/source/admin/examples +- name: Print list of images + command: docker image ls - name: Wait for Gerrit to start wait_for: host: localhost diff --git a/playbooks/quick-start/run.yaml b/playbooks/quick-start/run.yaml index 12945e7ea1..1f12db11ba 100644 --- a/playbooks/quick-start/run.yaml +++ b/playbooks/quick-start/run.yaml @@ -5,17 +5,8 @@ roles: - name: install-docker use_upstream_docker: false + - build-docker-image tasks: - - name: Install pbrx software - command: python3 -m pip install src/git.openstack.org/openstack/pbrx - become: yes - - name: Build container images - command: 'pbrx --debug build-images --prefix=zuul' - args: - chdir: '{{ zuul.projects[item].src_dir }}' - loop: - - git.openstack.org/openstack-infra/nodepool - - git.openstack.org/openstack-infra/zuul - name: Install docker-compose and git-review package: name: diff --git a/zuul/driver/bubblewrap/__init__.py b/zuul/driver/bubblewrap/__init__.py index e4af62e424..b015d62796 100644 --- a/zuul/driver/bubblewrap/__init__.py +++ b/zuul/driver/bubblewrap/__init__.py @@ -193,6 +193,7 @@ class BubblewrapDriver(Driver, WrapperInterface): '--ro-bind', '/lib', '/lib', '--ro-bind', '/bin', '/bin', '--ro-bind', '/sbin', '/sbin', + '--ro-bind', '/etc/ld.so.cache', '/etc/ld.so.cache', '--ro-bind', '/etc/resolv.conf', '/etc/resolv.conf', '--ro-bind', '/etc/hosts', '/etc/hosts', '--ro-bind', '/etc/localtime', '/etc/localtime',
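Review bot: In `zuul/driver/bubblewrap/__init__.py` the added `'--ro-bind', '/etc/ld.so.cache', '/etc/ld.so.cache'` is unconditional, and bwrap exits with an error when a bind source does not exist, so an executor host without that file (a musl-based image, or one where `ldconfig` has not run) would fail every sandboxed command. The list literal starts and ends outside the hunk, so I cannot see whether the driver already guards optional paths; if it has an `os.path.exists` check for such binds, this path belongs there rather than in the fixed list. Keeping the bind read-only is right, and a short comment such as `# needed so the linker finds /usr/local/lib in python:slim-based images` would record why the sandbox sees this host file.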