build: compress SDK with zstd

Rather than implicitly using BuildKit underneath `docker build`, switch to explicitly using it via `docker buildx build` with a custom builder. The default builder loads builds into Docker after they finish, which causes certain options - like zstd compression - to be ignored when pushing to a registry. `docker buildx build` doesn't really distinguish between "build" and "push" steps; a "push" is just a build where the output is sent to a registry rather than written to a tar archive or loaded into Docker. This breaks one of the main assumptions of the `publish-sdk` script, which expects the build to be done already. Rather than wiring up the build arguments as additional arguments to `publish-sdk`, replace it with `docker buildx imagetools create` as the tool for creating and replacing remote manifests. Signed-off-by: Ben Cressey <[email protected]>
bottlerocket-os · Feb 3, 2025 · 842f0fb · 842f0fb
1 parent 3afb4fd
commit 842f0fb
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 155 deletions.
diff --git a/Makefile b/Makefile
@@ -2,25 +2,67 @@ TOP := $(dir $(abspath $(firstword $(MAKEFILE_LIST))))
 
 HOST_ARCH ?= $(shell uname -m)
 DOCKER_ARCH ?= $(lastword $(subst :, ,$(filter $(HOST_ARCH):%,x86_64:amd64 aarch64:arm64)))
+DOCKER_ALT_ARCH ?= $(lastword $(subst :, ,$(filter $(HOST_ARCH):%,x86_64:arm64 aarch64:amd64)))
 UPSTREAM_SOURCE_FALLBACK ?= false
 
 VERSION := $(shell cat $(TOP)VERSION)
 SHORT_SHA := $(shell git rev-parse --short=8 HEAD)
 
-IMAGE_NAME ?= bottlerocket-sdk:$(VERSION)-$(SHORT_SHA)-$(DOCKER_ARCH)
+REGISTRY ?=
+REPOSITORY ?= bottlerocket-sdk
+IMAGE_NAME ?= $(REPOSITORY):$(VERSION)-$(SHORT_SHA)-$(DOCKER_ARCH)
+IMAGE_ALT_NAME ?= $(REPOSITORY):$(VERSION)-$(SHORT_SHA)-$(DOCKER_ALT_ARCH)
+MANIFEST ?= $(REPOSITORY):$(VERSION)
 
-all: sdk
+BUILDX_BUILDER ?= sdk-builder
 
-sdk:
-	@DOCKER_BUILDKIT=1 docker build . \
-		--tag $(IMAGE_NAME) \
-		--target sdk-golden \
-		--build-arg HOST_ARCH=$(HOST_ARCH) \
-		--build-arg UPSTREAM_SOURCE_FALLBACK=$(UPSTREAM_SOURCE_FALLBACK)
+BUILDX_BUILD_ARGS = $\
+	--build-arg HOST_ARCH=$(HOST_ARCH) $\
+	--build-arg UPSTREAM_SOURCE_FALLBACK=$(UPSTREAM_SOURCE_FALLBACK) $\
+	--target sdk-golden $\
+	--provenance=false $\
+	--sbom=false $\
+	--builder $(BUILDX_BUILDER)
 
-publish:
+BUILDX_LOAD_ARGS = $\
+	--tag $(IMAGE_NAME) \
+	--load
+
+BUILDX_PUSH_ARGS = $\
+	--output $\
+	type=registry,name=$(REGISTRY)/$(IMAGE_NAME),$\
+	compression=zstd,compression-level=22,force-compression=true,$\
+	oci-mediatypes=true,platform=linux/$(DOCKER_ARCH)
+
+all: build
+
+builder:
+	@docker buildx create \
+		--name $(BUILDX_BUILDER) \
+		--driver docker-container \
+		--node $(BUILDX_BUILDER)0
+
+build: builder
+	@docker buildx build . \
+		$(BUILDX_BUILD_ARGS) \
+		$(BUILDX_LOAD_ARGS)
+
+build-push: builder
 	@test $${REGISTRY?not set!}
-	@test $${REPOSITORY?not set!}
-	$(TOP)publish-sdk --registry=$(REGISTRY) --repository=$(REPOSITORY) --tag=$(VERSION) --short-sha=$(SHORT_SHA)
+	@docker buildx build . \
+		$(BUILDX_BUILD_ARGS) \
+		$(BUILDX_PUSH_ARGS)
+
+publish: build-push
+	@if docker buildx imagetools inspect $(REGISTRY)/$(IMAGE_ALT_NAME) >/dev/null 2>&1 ; then \
+		docker buildx imagetools create \
+			--tag $(REGISTRY)/$(MANIFEST) \
+			$(REGISTRY)/$(IMAGE_NAME) \
+			$(REGISTRY)/$(IMAGE_ALT_NAME) ; \
+	else \
+		docker buildx imagetools create \
+			--tag $(REGISTRY)/$(MANIFEST) \
+			$(REGISTRY)/$(IMAGE_NAME) ; \
+	fi
 
-.PHONY: all sdk publish
+.PHONY: all builder build build-push publish
diff --git a/publish-sdk b/publish-sdk