Swift #2500
Swift #2500
Conversation
|
@tianon thanks so much for reviewing what we have so far. I've opened the docs/ PR. |
|
Docs PR is passing! |
|
@swizzlr amazing! What else is left? |
|
@hamin In depth review by Docker people – including checking that your Dockerfile is good and the documentation isn't terrible. |
|
I'll help make this easier:
It would be lovely to have a "FROM llvm", but we don't.
We've added tests, and it's passing CI. |
|
Thanks @swizzlr -- I think we're down to just Dockerization review and docs review. 👍 Here's the full build context for simpler review: diff --git a/swift_latest/Dockerfile b/swift_latest/Dockerfile
new file mode 100644
index 0000000..be9a175
--- /dev/null
+++ b/swift_latest/Dockerfile
@@ -0,0 +1,31 @@
+FROM ubuntu:16.04
+MAINTAINER Haris Amin <[email protected]>
+
+# Install related packages and set LLVM 3.6 as the compiler
+RUN apt-get update && \
+ apt-get install -y build-essential wget clang-3.6 curl libedit-dev python2.7 python2.7-dev libicu-dev rsync libxml2 git libcurl4-openssl-dev && \
+ update-alternatives --install /usr/bin/clang clang /usr/bin/clang-3.6 100 && \
+ update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-3.6 100 && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Set Swift Path
+ENV PATH /usr/bin:$PATH
+# Everything up to here should cache nicely between Swift versions, assuming dev dependencies change little
+ENV SWIFT_BRANCH=swift-3.0.2-release SWIFT_VERSION=swift-3.0.2-RELEASE SWIFT_PLATFORM=ubuntu16.04
+
+# Install Swift keys
+RUN wget -q -O - https://swift.org/keys/all-keys.asc | gpg --import - && \
+ gpg --keyserver hkp://pool.sks-keyservers.net --refresh-keys Swift
+
+# Install Swift Ubuntu Snapshot
+RUN SWIFT_ARCHIVE_NAME=$SWIFT_VERSION-$SWIFT_PLATFORM && \
+ SWIFT_URL=https://swift.org/builds/$SWIFT_BRANCH/$(echo "$SWIFT_PLATFORM" | tr -d .)/$SWIFT_VERSION/$SWIFT_ARCHIVE_NAME.tar.gz && \
+ wget $SWIFT_URL && \
+ wget $SWIFT_URL.sig && \
+ gpg --verify $SWIFT_ARCHIVE_NAME.tar.gz.sig && \
+ tar -xvzf $SWIFT_ARCHIVE_NAME.tar.gz --directory / --strip-components=1 && \
+ rm -rf $SWIFT_ARCHIVE_NAME* /tmp/* /var/tmp/*
+
+# Print Installed Swift Version
+RUN swift --version |
|
Some general review notes after taking a look -- for any of the changes I'm requesting here, I'm happy to instead turn these into a PR against your repo directly. 👍
Any particular reason for Ubuntu? Available LLVM version? Officially supported by Swift upstream?
Just FYI, the
From https://packages.debian.org/jessie/build-essential (Ubuntu's page doesn't include the description):
I think rather than
Invoking
So, this method of download the PGP keys works, but it doesn't provide any additional download verification -- if someone were to compromise the https://swift.org infra (where we're also downloading the binaries from), they could give us a compromised For reference, here's a general pattern (with the Swift keys embedded) that we've found successful: RUN set -ex; \
for key in \
# pub 4096R/412B37AD 2015-11-19 [expires: 2017-11-18]
# Key fingerprint = 7463 A81A 4B2E EA1B 551F FBCF D441 C977 412B 37AD
# uid Swift Automatic Signing Key #1 <[email protected]>
7463A81A4B2EEA1B551FFBCFD441C977412B37AD \
# pub 4096R/21A56D5F 2015-11-28 [expires: 2017-11-27]
# Key fingerprint = 1BE1 E29A 084C B305 F397 D62A 9F59 7F4D 21A5 6D5F
# uid Swift 2.2 Release Signing Key <[email protected]>
1BE1E29A084CB305F397D62A9F597F4D21A56D5F \
# pub 4096R/91D306C6 2016-05-31 [expires: 2018-05-31]
# Key fingerprint = A3BA FD35 56A5 9079 C068 94BD 63BC 1CFE 91D3 06C6
# uid Swift 3.x Release Signing Key <[email protected]>
A3BAFD3556A59079C06894BD63BC1CFE91D306C6 \
; do \
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
done
This should be Also, it might be worth using
From what I can see, nothing in this $ docker run -it --rm swift swift
error: failed to launch REPL process: process launch failed: 'A' packet returned an error: 8Any idea why launching the REPL is failing? If we can get the REPL working, we can add |
|
Ah, the REPL bit is the reason you had $ docker run -it --rm --security-opt seccomp=unconfined swift swift
Welcome to Swift version 3.0.2 (swift-3.0.2-RELEASE). Type :help for assistance.
1> print("hi");
hi |
|
@tianon let me answer a couple of the questions for you. With ubuntu 16.04, that's because aswift is officially supporting that version. I think they might have 16.10 support too but we are trying to only support Ubuntu LTS releases if possible. Regarding the swift repl not working, this has been a thorn for us for a little while. Our solution this far has been to create the container using the '--privilege ' flag which we know is not advised. We think it's an issue that at some point broke with the swift tolling and docker but are not sure. Regarding the other comments I think they all make sense. What do you think @swizzlr ? |
|
@tianon wow, thank you so much for that amazing feedback! Pardon our dust in places, a lot of the crud was due to various incantations to get it to work in the early days. To clarify one thing – do you want the REPL to be working before approving? https://bugs.swift.org/browse/SR-54 shows that the tight integration between REPL and LLDB means that it would be a seriously heavy bit of work to make the REPL not require kernel privileges (this would be an interesting task – perhaps LLDB could have a |
|
@tianon @hamin I've updated the PR with a checklist based on Tianon's feedback. Tianon, please feel free to check things off if you're satisfied. I will open PRs today, based on your feedback! @tianon As Haris mentioned, Swift on Linux officially supports Ubuntu up to 16.10 and back to 14.04 (all current LTS releases plus latest stable). We thought that choosing the latest LTS release would be the safest thing to do, but please correct us if you think another version may be better. |
|
@tianon I've seen other projects support multiple ubuntu versions before... I guess we could do that with Ubuntu 16.10 but is there a particular convention for docker images regarding that? |
|
I'm totally +:100: on LTS -- I was more curious about Ubuntu specifically, but sounds like it's one that upstream officially supports/recommends, which is great (please do stick to LTS :smile:). :+1: I don't necessarily need the REPL to be working -- I think unconfined seccomp is a fine workaround for now (and worth documenting in the description with a link to the discussion/bugs about it). Totally unconfined is still a bit hairy, but not anywhere close to as bad as |
|
Regarding |
|
Alright: swiftlang/swift-docker#46 @tianon @hamin feedback incorporated, dockerfile is more organized, more secure and SUBSTANTIALLY less noisy when building. Not sure what key standards have been set on for |
|
@tianon alright, done! thank you so much for everything you've done so far! |
|
Documentation updated with info about running the REPL. Who does the extra dockerization review? @tianon |
|
@tianon What an awful week it's been! Perhaps finalizing Swift as an official docker image could be what we all need! Is there anything else needed? |
diff --git a/swift_latest/Dockerfile b/swift_latest/Dockerfile
new file mode 100644
index 0000000..c248cbb
--- /dev/null
+++ b/swift_latest/Dockerfile
@@ -0,0 +1,56 @@
+FROM ubuntu:16.04
+MAINTAINER Haris Amin <[email protected]>
+
+# Install related packages and set LLVM 3.6 as the compiler
+RUN apt-get -q update && \
+ apt-get -q install -y \
+ make \
+ libc6-dev \
+ clang-3.6 \
+ curl \
+ libedit-dev \
+ python2.7 \
+ python2.7-dev \
+ libicu-dev \
+ rsync \
+ libxml2 \
+ git \
+ libcurl4-openssl-dev \
+ && update-alternatives --quiet --install /usr/bin/clang clang /usr/bin/clang-3.6 100 \
+ && update-alternatives --quiet --install /usr/bin/clang++ clang++ /usr/bin/clang++-3.6 100 \
+ && rm -r /var/lib/apt/lists/*
+
+# Everything up to here should cache nicely between Swift versions, assuming dev dependencies change little
+ENV SWIFT_BRANCH=swift-3.0.2-release \
+ SWIFT_VERSION=swift-3.0.2-RELEASE \
+ SWIFT_PLATFORM=ubuntu16.04 \
+ PATH=/usr/bin:$PATH
+
+# Download GPG keys, signature and Swift package, then unpack and cleanup
+RUN SWIFT_URL=https://swift.org/builds/$SWIFT_BRANCH/$(echo "$SWIFT_PLATFORM" | tr -d .)/$SWIFT_VERSION/$SWIFT_VERSION-$SWIFT_PLATFORM.tar.gz \
+ && curl -fSsL $SWIFT_URL -o swift.tar.gz \
+ && curl -fSsL $SWIFT_URL.sig -o swift.tar.gz.sig \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && set -e; \
+ for key in \
+ # pub 4096R/412B37AD 2015-11-19 [expires: 2017-11-18]
+ # Key fingerprint = 7463 A81A 4B2E EA1B 551F FBCF D441 C977 412B 37AD
+ # uid Swift Automatic Signing Key #1 <[email protected]>
+ 7463A81A4B2EEA1B551FFBCFD441C977412B37AD \
+ # pub 4096R/21A56D5F 2015-11-28 [expires: 2017-11-27]
+ # Key fingerprint = 1BE1 E29A 084C B305 F397 D62A 9F59 7F4D 21A5 6D5F
+ # uid Swift 2.2 Release Signing Key <[email protected]>
+ 1BE1E29A084CB305F397D62A9F597F4D21A56D5F \
+ # pub 4096R/91D306C6 2016-05-31 [expires: 2018-05-31]
+ # Key fingerprint = A3BA FD35 56A5 9079 C068 94BD 63BC 1CFE 91D3 06C6
+ # uid Swift 3.x Release Signing Key <[email protected]>
+ A3BAFD3556A59079C06894BD63BC1CFE91D306C6 \
+ ; do \
+ gpg --quiet --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
+ done \
+ && gpg --batch --verify --quiet swift.tar.gz.sig swift.tar.gz \
+ && tar -xzf swift.tar.gz --directory / --strip-components=1 \
+ && rm -r "$GNUPGHOME" swift.tar.gz.sig swift.tar.gz
+
+# Print Installed Swift Version
+RUN swift --versionBuild test of #2500; c03f413 ( $ bashbrew build swift:3.0.2
Building bashbrew/cache:a4affb128ed89fb65d8dbb8002b984788dfebb96f699b69f835bafc1a97b9b90 (swift:3.0.2)
Tagging swift:3.0.2
Tagging swift:3.0
Tagging swift:3
Tagging swift:latest
$ test/run.sh swift:3.0.2
testing swift:3.0.2
'utc' [1/5]...passed
'cve-2014--shellshock' [2/5]...passed
'no-hard-coded-passwords' [3/5]...passed
'override-cmd' [4/5]...passed
'swift-hello-world' [5/5]...passed
|
|
@yosifkit - thanks so much! I'll fixup the docs today but please merge when ready! |
|
❤️❤️❤️❤️👌👌👌😍😍😍😍❤️❤️❤️❤️ |
Hi all,
Mario Ponticello got in touch with us last year regarding an official Swift image. He's apparently no longer with Docker, but all the same we'd love to take him up on this offer.
A few notes:
We are drafting documentation here: Documentation: Official Docker Image swiftlang/swift-docker#43, and will provide it as a PR to the docs repo in the next 24-48 hoursWe'd love more information about how these image manifest files could be auto-generated from the GitHub repo, and also to find out how automated builds work/are authenticated.
Happy new year!
Dockerization Review Feedback
Replacemaintainerwithlabelinstructionbuild-essentialfrom package list (investigate make and libc6-dev)apt-get clean(no op)--batchwgetto use -O to simplify file handlingrm -rfthe/tmpand/var/tmpdirectories – if not, remove that instructionChecklist for Review
NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us ❤️)
foobarneeds Node.js, hasFROM node:...instead of grabbingnodevia other means been considered?)ifFROM scratch, tarballs only exist in a single commit within the associated history?