Dockerfile.linux: harden reproducibility of build environment

plowsof · Sep 30, 2024 · 99c409d · 99c409d
1 parent 08e2eaf
commit 99c409d
Show file tree

Hide file tree

Showing 4 changed files with 833 additions and 272 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1 +1,4 @@
 *
+
+# Except shared_functions.sh
+!shared_functions.sh*
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -91,7 +91,7 @@ jobs:
     - name: create .tar
       run: tar -cf monero-wallet-gui.tar monero-wallet-gui.app
       working-directory: build/bin
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@v4
       with:
         name: ${{ github.job }}
         path: build/bin/monero-wallet-gui.tar
@@ -121,7 +121,7 @@ jobs:
       run: shasum -a256 /home/runner/work/monero-gui/monero-gui/build/release/bin/monero-wallet-gui
     - name: test qml
       run: xvfb-run -a /home/runner/work/monero-gui/monero-gui/build/release/bin/monero-wallet-gui --test-qml
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@v4
       with:
         name: ${{ github.job }}
         path: |
@@ -149,7 +149,7 @@ jobs:
       run: docker run --rm -v /home/runner/work/monero-gui/monero-gui:/monero-gui -w /monero-gui monero:build-env-windows sh -c 'make depends root=/depends target=x86_64-w64-mingw32 tag=win-x64 -j3'
     - name: sha256sum
       run: shasum -a256 /home/runner/work/monero-gui/monero-gui/build/x86_64-w64-mingw32/release/bin/monero-wallet-gui.exe
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@v4
       with:
         name: ${{ github.job }}
         path: |
@@ -177,7 +177,7 @@ jobs:
       run: docker run --rm -v /home/runner/work/monero-gui/monero-gui:/monero-gui -e THREADS=3 monero:build-env-android
     - name: Remove obsolete docker layers
       run: docker images -a | grep none | awk '{ print $3; }' | xargs docker rmi || true
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@v4
       with:
         name: ${{ github.job }}
         path: /home/runner/work/monero-gui/monero-gui/build/Android/release/android-build/monero-gui.apk
@@ -195,7 +195,7 @@ jobs:
         export OUTPUT="$VERSION.tar"
         echo "OUTPUT=$OUTPUT" >> $GITHUB_ENV
         /home/runner/.local/bin/git-archive-all --prefix "$VERSION/" --force-submodules "$OUTPUT"
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@v4
       with:
         name: ${{ env.OUTPUT }}
         path: /home/runner/work/monero-gui/monero-gui/${{ env.OUTPUT }}
diff --git a/Dockerfile.linux b/Dockerfile.linux
@@ -1,287 +1,61 @@
-FROM ubuntu:16.04
+#todo pin hash of shared_functions.sh
 
-ARG THREADS=1
-ARG QT_VERSION=v5.15.14-lts-lgpl
-
-ENV CFLAGS="-fPIC"
-ENV CPPFLAGS="-fPIC"
-ENV CXXFLAGS="-fPIC"
-ENV SOURCE_DATE_EPOCH=1397818193
-
-RUN apt update && \
-    apt install -y automake autopoint bison gettext git gperf libgl1-mesa-dev libglib2.0-dev \
-    libpng12-dev libpthread-stubs0-dev libsodium-dev libtool-bin libudev-dev libusb-1.0-0-dev mesa-common-dev \
-    pkg-config python wget xutils-dev
-
-RUN git clone -b xorgproto-2020.1 --depth 1 https://gitlab.freedesktop.org/xorg/proto/xorgproto && \
-    cd xorgproto && \
-    git reset --hard c62e8203402cafafa5ba0357b6d1c019156c9f36 && \
-    ./autogen.sh && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
-
-RUN git clone -b 1.12 --depth 1 https://gitlab.freedesktop.org/xorg/proto/xcbproto && \
-    cd xcbproto && \
-    git reset --hard 6398e42131eedddde0d98759067dde933191f049 && \
-    ./autogen.sh && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
-
-RUN git clone -b libXau-1.0.9 --depth 1 https://gitlab.freedesktop.org/xorg/lib/libxau && \
-    cd libxau && \
-    git reset --hard d9443b2c57b512cfb250b35707378654d86c7dea && \
-    ./autogen.sh --enable-shared --disable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+# Stage 1: Confirm provided deb md5sums
+FROM ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6 as verifypackages
 
-RUN git clone -b 1.12 --depth 1 https://gitlab.freedesktop.org/xorg/lib/libxcb && \
-    cd libxcb && \
-    git reset --hard d34785a34f28fa6a00f8ce00d87e3132ff0f6467 && \
-    ./autogen.sh --enable-shared --disable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    make -j$THREADS clean && \
-    rm /usr/local/lib/libxcb-xinerama.so && \
-    ./autogen.sh --disable-shared --enable-static && \
-    make -j$THREADS && \
-    cp src/.libs/libxcb-xinerama.a /usr/local/lib/ && \
-    rm -rf $(pwd)
+RUN apt-get update && \
+    apt-get install -y gnupg2 xz-utils wget
 
-RUN git clone -b 0.4.0 --depth 1 https://gitlab.freedesktop.org/xorg/lib/libxcb-util && \
-    cd libxcb-util && \
-    git reset --hard acf790d7752f36e450d476ad79807d4012ec863b && \
-    git submodule init && \
-    git clone --depth 1 https://gitlab.freedesktop.org/xorg/util/xcb-util-m4 m4 && \
-    git -C m4 reset --hard c617eee22ae5c285e79e81ec39ce96862fd3262f && \
-    ./autogen.sh --enable-shared --disable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+COPY shared_functions.sh shared_functions.sh
+RUN chmod +x shared_functions.sh
 
-RUN git clone -b 0.4.0 --depth 1 https://gitlab.freedesktop.org/xorg/lib/libxcb-image && \
-    cd libxcb-image && \
-    git reset --hard d882052fb2ce439c6483fce944ba8f16f7294639 && \
-    git submodule init && \
-    git clone --depth 1 https://gitlab.freedesktop.org/xorg/util/xcb-util-m4 m4 && \
-    git -C m4 reset --hard c617eee22ae5c285e79e81ec39ce96862fd3262f && \
-    ./autogen.sh --enable-shared --disable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+# Single CMD with all required commands
+RUN /bin/bash -c "source shared_functions.sh && get_packages && verify_packages"
 
-RUN git clone -b 0.4.0 --depth 1 https://gitlab.freedesktop.org/xorg/lib/libxcb-keysyms && \
-    cd libxcb-keysyms && \
-    git reset --hard 0e51ee5570a6a80bdf98770b975dfe8a57f4eeb1 && \
-    git submodule init && \
-    git clone --depth 1 https://gitlab.freedesktop.org/xorg/util/xcb-util-m4 m4 && \
-    git -C m4 reset --hard c617eee22ae5c285e79e81ec39ce96862fd3262f && \
-    ./autogen.sh --enable-shared --disable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+# Stage 2: Downloader
+FROM ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6 as downloader
 
-RUN git clone -b 0.3.9 --depth 1 https://gitlab.freedesktop.org/xorg/lib/libxcb-render-util && \
-    cd libxcb-render-util && \
-    git reset --hard 0317caf63de532fd7a0493ed6afa871a67253747 && \
-    git submodule init && \
-    git clone --depth 1 https://gitlab.freedesktop.org/xorg/util/xcb-util-m4 m4 && \
-    git -C m4 reset --hard c617eee22ae5c285e79e81ec39ce96862fd3262f && \
-    ./autogen.sh --enable-shared --disable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
-
-RUN git clone -b 0.4.1 --depth 1 https://gitlab.freedesktop.org/xorg/lib/libxcb-wm && \
-    cd libxcb-wm && \
-    git reset --hard 24eb17df2e1245885e72c9d4bbb0a0f69f0700f2 && \
-    git submodule init && \
-    git clone --depth 1 https://gitlab.freedesktop.org/xorg/util/xcb-util-m4 m4 && \
-    git -C m4 reset --hard c617eee22ae5c285e79e81ec39ce96862fd3262f && \
-    ./autogen.sh --enable-shared --disable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
-
-RUN git clone -b xkbcommon-0.5.0 --depth 1 https://github.com/xkbcommon/libxkbcommon && \
-    cd libxkbcommon && \
-    git reset --hard c43c3c866eb9d52cd8f61e75cbef1c30d07f3a28 && \
-    ./autogen.sh --prefix=/usr --enable-shared --disable-static --enable-x11 --disable-docs && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
-
-RUN git clone -b v1.3 --depth 1 https://github.com/madler/zlib && \
-    cd zlib && \
-    git reset --hard 09155eaa2f9270dc4ed1fa13e2b4b2613e6e4851 && \
-    ./configure --static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
-
-RUN git clone -b VER-2-10-2 --depth 1 https://git.savannah.gnu.org/git/freetype/freetype2.git && \
-    cd freetype2 && \
-    git reset --hard 132f19b779828b194b3fede187cee719785db4d8 && \
-    ./autogen.sh && \
-    ./configure --disable-shared --enable-static --with-zlib=no && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+ENV SOURCE_DATE_EPOCH=1397818193
 
-RUN wget https://github.com/libexpat/libexpat/releases/download/R_2_4_8/expat-2.4.8.tar.bz2 && \
-    echo "a247a7f6bbb21cf2ca81ea4cbb916bfb9717ca523631675f99b3d4a5678dcd16 expat-2.4.8.tar.bz2" | sha256sum -c && \
-    tar -xf expat-2.4.8.tar.bz2 && \
-    rm expat-2.4.8.tar.bz2 && \
-    cd expat-2.4.8 && \
-    ./configure --enable-static --disable-shared --prefix=/usr && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+WORKDIR /sources
 
-RUN git clone -b 2.13.92 --depth 1 https://gitlab.freedesktop.org/fontconfig/fontconfig && \
-    cd fontconfig && \
-    git reset --hard b1df1101a643ae16cdfa1d83b939de2497b1bf27 && \
-    ./autogen.sh --disable-shared --enable-static --sysconfdir=/etc --localstatedir=/var && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+COPY shared_functions.sh /sources/shared_functions.sh
+RUN chmod +x /sources/shared_functions.sh
 
-RUN git clone -b release-64-2 --depth 1 https://github.com/unicode-org/icu && \
-    cd icu/icu4c/source && \
-    git reset --hard e2d85306162d3a0691b070b4f0a73e4012433444 && \
-    ./configure --disable-shared --enable-static --disable-tests --disable-samples && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+# Single CMD with all required commands
+RUN /bin/bash -c "source shared_functions.sh && get_debs_downloader && download_all_tarballs"
 
-RUN wget https://boostorg.jfrog.io/artifactory/main/release/1.80.0/source/boost_1_80_0.tar.gz && \
-    echo "4b2136f98bdd1f5857f1c3dea9ac2018effe65286cf251534b6ae20cc45e1847 boost_1_80_0.tar.gz" | sha256sum -c && \
-    tar -xzf boost_1_80_0.tar.gz && \
-    rm boost_1_80_0.tar.gz && \
-    cd boost_1_80_0 && \
-    ./bootstrap.sh && \
-    ./b2 --with-atomic --with-system --with-filesystem --with-thread --with-date_time --with-chrono --with-regex --with-serialization --with-program_options --with-locale variant=release link=static runtime-link=static cflags="${CFLAGS}" cxxflags="${CXXFLAGS}" install -a --prefix=/usr && \
-    rm -rf $(pwd)
+# Stage 3: Git Cloner
+FROM ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6 as gitcloner
 
-RUN wget https://www.openssl.org/source/openssl-1.1.1u.tar.gz && \
-    echo "e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6 openssl-1.1.1u.tar.gz" | sha256sum -c && \
-    tar -xzf openssl-1.1.1u.tar.gz && \
-    rm openssl-1.1.1u.tar.gz && \
-    cd openssl-1.1.1u && \
-    ./config no-shared no-zlib-dynamic --prefix=/usr --openssldir=/usr && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+WORKDIR /sources
 
-RUN wget https://www.nlnetlabs.nl/downloads/unbound/unbound-1.16.2.tar.gz && \
-    echo "2e32f283820c24c51ca1dd8afecfdb747c7385a137abe865c99db4b257403581 unbound-1.16.2.tar.gz" | sha256sum -c && \
-    tar -xzf unbound-1.16.2.tar.gz && \
-    rm unbound-1.16.2.tar.gz && \
-    cd unbound-1.16.2 && \
-    ./configure --disable-shared --enable-static --without-pyunbound --with-libexpat=/usr --with-ssl=/usr --with-libevent=no --without-pythonmodule --disable-flto --with-pthreads --with-libunbound-only --with-pic && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+COPY shared_functions.sh /sources/shared_functions.sh
+RUN chmod +x /sources/shared_functions.sh
 
-RUN rm /usr/lib/x86_64-linux-gnu/libX11.a && \
-    rm /usr/lib/x86_64-linux-gnu/libXext.a && \
-    rm /usr/lib/x86_64-linux-gnu/libX11-xcb.a && \
-    git clone git://code.qt.io/qt/qt5.git -b ${QT_VERSION} --depth 1 && \
-    cd qt5 && \
-    git clone git://code.qt.io/qt/qtbase.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtdeclarative.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtgraphicaleffects.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtimageformats.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtmultimedia.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtquickcontrols.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtquickcontrols2.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtsvg.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qttools.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qttranslations.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtx11extras.git -b ${QT_VERSION} --depth 1 && \
-    git clone git://code.qt.io/qt/qtxmlpatterns.git -b ${QT_VERSION} --depth 1 && \
-    sed -ri s/\(Libs:.*\)/\\1\ -lexpat/ /usr/local/lib/pkgconfig/fontconfig.pc && \
-    sed -ri s/\(Libs:.*\)/\\1\ -lz/ /usr/local/lib/pkgconfig/freetype2.pc && \
-    sed -ri s/\(Libs:.*\)/\\1\ -lXau/ /usr/local/lib/pkgconfig/xcb.pc && \
-    sed -i s/\\/usr\\/X11R6\\/lib64/\\/usr\\/local\\/lib/ qtbase/mkspecs/linux-g++-64/qmake.conf && \
-    ./configure --prefix=/usr -platform linux-g++-64 -opensource -confirm-license -release -static -no-avx \
-    -opengl desktop -qpa xcb -xcb -xcb-xlib -feature-xlib -system-freetype -fontconfig -glib \
-    -no-dbus -no-feature-qml-worker-script -no-linuxfb -no-openssl -no-sql-sqlite -no-kms -no-use-gold-linker \
-    -qt-harfbuzz -qt-libjpeg -qt-libpng -qt-pcre -qt-zlib \
-    -skip qt3d -skip qtandroidextras -skip qtcanvas3d -skip qtcharts -skip qtconnectivity -skip qtdatavis3d \
-    -skip qtdoc -skip qtgamepad -skip qtlocation -skip qtmacextras -skip qtnetworkauth -skip qtpurchasing \
-    -skip qtscript -skip qtscxml -skip qtsensors -skip qtserialbus -skip qtserialport -skip qtspeech -skip qttools \
-    -skip qtvirtualkeyboard -skip qtwayland -skip qtwebchannel -skip qtwebengine -skip qtwebsockets -skip qtwebview \
-    -skip qtwinextras -skip qtx11extras -skip gamepad -skip serialbus -skip location -skip webengine \
-    -nomake examples -nomake tests -nomake tools && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    cd qttools/src/linguist/lrelease && \
-    ../../../../qtbase/bin/qmake && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    cd ../../../.. && \
-    rm -rf $(pwd)
+RUN /bin/bash -c "source shared_functions.sh && get_debs_gitcloner"
+RUN --network=none /bin/bash -c "source shared_functions.sh && install_debs_gitcloner" 
+RUN /bin/bash -c "source shared_functions.sh && clone_git_repos"
 
-RUN git clone -b v1.0.26 --depth 1 https://github.com/libusb/libusb && \
-    cd libusb && \
-    git reset --hard 4239bc3a50014b8e6a5a2a59df1fff3b7469543b && \
-    ./autogen.sh --disable-shared --enable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+# Stage 4: Builder
+FROM ubuntu:16.04@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6 as builder
 
-RUN git clone -b hidapi-0.13.1 --depth 1 https://github.com/libusb/hidapi && \
-    cd hidapi && \
-    git reset --hard 4ebce6b5059b086d05ca7e091ce04a5fd08ac3ac && \
-    ./bootstrap && \
-    ./configure --disable-shared --enable-static && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+ARG THREADS=3
+ARG QT_VERSION=v5.15.14-lts-lgpl
 
-RUN git clone -b v4.3.4 --depth 1 https://github.com/zeromq/libzmq && \
-    cd libzmq && \
-    git reset --hard 4097855ddaaa65ed7b5e8cb86d143842a594eebd && \
-    ./autogen.sh && \
-    ./configure --disable-shared --enable-static --disable-libunwind --with-libsodium && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+ENV CFLAGS="-fPIC"
+ENV CPPFLAGS="-fPIC"
+ENV CXXFLAGS="-fPIC"
 
-RUN git clone -b libgpg-error-1.45 --depth 1 git://git.gnupg.org/libgpg-error.git && \
-    cd libgpg-error && \
-    git reset --hard dbac537e5e865fb6f3aa8596d213aa8c47a9dea1 && \
-    ./autogen.sh && \
-    ./configure --disable-shared --enable-static --disable-doc --disable-tests && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+WORKDIR /sources
 
-RUN git clone -b libgcrypt-1.10.1 --depth 1 git://git.gnupg.org/libgcrypt.git && \
-    cd libgcrypt && \
-    git reset --hard ae0e567820c37f9640440b3cff77d7c185aa6742 && \
-    ./autogen.sh && \
-    ./configure --disable-shared --enable-static --disable-doc && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+# Copy sources from downloader and gitcloner stages
+COPY --from=downloader /sources /sources
+COPY --from=gitcloner /sources /sources
 
-RUN git clone -b v21.5 --depth 1 https://github.com/protocolbuffers/protobuf && \
-    cd protobuf && \
-    git reset --hard ab840345966d0fa8e7100d771c92a73bfbadd25c && \
-    ./autogen.sh && \
-    ./configure --enable-static --disable-shared && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+COPY shared_functions.sh /sources/shared_functions.sh
+RUN chmod +x /sources/shared_functions.sh
 
-RUN git clone -b v3.24.0 --depth 1 https://github.com/Kitware/CMake && \
-    cd CMake && \
-    git reset --hard 4be24f031a4829db75b85062cc67125035d8831e && \
-    ./bootstrap && \
-    make -j$THREADS && \
-    make -j$THREADS install && \
-    rm -rf $(pwd)
+# Build with --network=none
+RUN /bin/bash -c "ls -la"
+RUN --network=none /bin/bash -c "source shared_functions.sh && install_debs_downloader && install_debs_tarballs && extract_all_tarballs && build_all"