Building container images with Bazel

Building containers with Bazel, and using Wolfi for the base images is faster, more reliable and provides much better caching capabilities. This allows us to build the containers in PRs pipelines, not only on the main branch. You'll find a lot of mentions of OCI throughout this document, which refers to the standard for container formats and runtime.

We use rules_oci and Wolfi to produce the container images.

See Bazel at Sourcegraph for general bazel info/setup.

Why using Bazel to build containers

Bazel being a build system, it's not just for compiling code, it can produce tarballs and all artefacts that we ship to customers. Our initial approach when we migrated to Bazel was to keep the existing Dockerfiles, and simply use the Bazel produced binaries instead of the old ones.

This sped up the CI significantly, but because Bazel is not aware of the image building process, every build on the main branch was recreating the Docker images, which is a time consuming process. In particular, the server image has been the slowest of them all, as it required to build all other service and to package them into a very large image that also contained all the third parties necessary to run them (such as git, p4, universal-ctags).

All of these additional steps can fail, due to transient network issues, or a a particular URL becoming unavailable. By switching to Bazel to produce the container images, we are leveraging its reproduceability and cacheability in exactly the same way we do for building binaries.

This results in more reliable and faster builds, fast enough that we can afford to build those images in PRs as Bazel will cache the result, meaning we don't rebuild them unless we have to, in a deterministic fashion.

Anatomy of a Bazel built containers

Containers are composed of multiple layers (conceptually, not talking about container layers):

  • Sourcegraph Base Image
    • Distroless base, powered by Wolfi
    • Packages common to all services.
  • Per Service Base Image
    • Packages specific to a given service
  • Service specific outputs (pkg_tar rules)
    • Configuration files, if needed
    • Binaries (targeting linux/amd64)
  • Image configuration (oci_image rules)
    • Environment variables
    • Entrypoint
  • Image tests (container_structure_test rules)
    • Check for correct permissions
    • Check presence of necessary packages
    • Check that binaries are runnable inside the image
  • Default publishing target (oci_push rules)
    • They all refer to our internal registry.
    • Please note that only enterprise variant is published.

The first two layers are handled by Wolfi and the rest if handled by Bazel.

Wolfi

See the dedicated page for Wolfi.

Bazel

Any output that should go in the image has to be declared with a pkg_tar rule. Example:

go_binary(
    name = "worker",
    embed = [":worker_lib"],
    visibility = ["//visibility:public"],
)

pkg_tar(
    name = "tar_worker",
    srcs = [":worker"],
)

Will create a tarball containing the outputs from the :frontend target, which can then be added to an image, through the tars attribute of the oci_image rule. Example:

oci_image(
    name = "image",
    # (...)
    tars = [":tar_worker"],
)

We can add this way as many tarballs we want. In practice, it's best to prefer having multiple smaller tarballs instead of of a big one, as it enabled to cache them individually, to avoid having to rebuild all of them on a tiny change.

The oci_image rule is used to express other aspect of the image we're building, such as the base image to use, the entry_point, environment variables and which user should the image run the entry point with. Example:

oci_image(
    name = "image",
    base = "@wolfi_base",
    entrypoint = [
        "/sbin/tini",
        "--",
        "/worker",
    ],
    env = {
        "MYVAR": "foobar",
    },
    tars = [":tar_worker"],
    user = "sourcegraph",
)

💡 Convention: we define environment variables on the the oci_image rule. We could hypothetically define some of them in the base image, on the Wolfi layer, but we much prefer to have everything easily readable in the Buildfile of a given service.

The definition for @wolfi_base (and other images) is located in dev/oci_deps.bzl.

Once we have an image being defined, we need an additional rule to turn it into a tarball that can be fed to docker load and later on be published. It defines the default tags for that image. Example:

oci_tarball(
    name = "image_tarball",
    image = ":image",
    repo_tags = ["worker:candidate"],
)

At this point, we can also write container tests, with the container_structure_test rule:

container_structure_test(
    name = "image_test",
    timeout = "short",
    configs = ["image_test.yaml"],
    driver = "docker",
    image = ":image",
    tags = ["requires-network"],
)

schemaVersion: "2.0.0"
commandTests:
  - name: "binary is runnable"
    command: "/worker"
    envVars:
      - key: "SANITY_CHECK"
        value: "true"

  - name: "not running as root"
    command: "/usr/bin/id"
    args:
      - -u
    excludedOutput: ["^0"]
    exitCode: 0

We can now build this image locally and run those tests as well.

💡 The image building process is much faster than the old Docker build scripts, and because most actions are cached, this makes it very easy to iterate locally on both the image definition and the container structure tests.

Example:

# Create a tarball that can be loaded in Docker of the worker service:
bazel build //cmd/worker:image_tarball

# Load the image in Docker:
docker load --input $(bazel cquery //cmd/worker:image_tarball  --output=files)

# Run the container structure tests
bazel test //cmd/worker:image_test

Finally, if and only if we want our image to be released on registries, we need to add the oci_push rule. It will take care of definining which registry to push on, as well as tagging the image, through a process referred as stamping that we will cover a bit further.

Apart from the image attribute which refers to the above oci_rule, repository refers to the internal (development) registry. Example:

oci_push(
    name = "candidate_push",
    image = ":image",
    repository = image_repository("worker"),
)

Pushing images on registries

Image are never pushed anywhere, unless we are on the main branch. Because we are definining a container_structure_test rulee, the bazel test //... job in CI will always build your image, even in branches. They will just be cached and never pushed.

On the main branch (or if branch is main_dry_run runtype), a final CI job, named Push OCI/Wolfi will select all oci_push rules in the repository and will stamp them before finally pushing them on the standard registries.

Stamping

Stamping refers to the process of marking artifacts in varied ways, so we can identify and how it was produced. It used at various levels in our pipeline, with the most two notables ones being the Version global that we ship within all our Go binaries and the image tags.

Example of stamps for Go rules:

go_library(
    name = "worker_lib",
    # (...)
    x_defs = {
        "github.com/sourcegraph/sourcegraph/internal/version.version": "{STABLE_VERSION}",
        "github.com/sourcegraph/sourcegraph/internal/version.timestamp": "{VERSION_TIMESTAMP}",
    },
)

Here we're stamping the worker_lib target by assigning STABLE_VERSION to internal/version.version. This is the equivalent of:

go build \
  -ldflags "-X github.com/sourcegraph/sourcegraph/internal/version.version=$VERSION -X github.com/sourcegraph/sourcegraph/internal/version.timestamp=$(date +%s)" # (...)

When we are building and testing our targets, we do not stamp our binaries with any specific versions. This enables to cache all outputs. But when we're releasing them, we do want to stamp them before releasing them in the wild.