
temp publish buildkitd#11

Closed
gilescope wants to merge 2 commits intomainfrom
giles-publish-buildkitd

Conversation

@gilescope

There's a chicken and egg. Doing this to force an arm64 buildkit image.

janishorsts and others added 2 commits February 20, 2026 08:20
Signed-off-by: Giles Cope <gilescope@gmail.com>
Signed-off-by: Giles Cope <gilescope@gmail.com>
@github-actions

⚠️ Are we earthbuild yet?

Warning: "earthly" occurrences have increased by 72 (33.18%)

📈 Overall Progress

Branch       Total Count
main         217
This PR      289
Difference   +72 (33.18%)

Keep up the great work migrating from Earthly to Earthbuild! 🚀

💡 Tips for finding more occurrences

Run locally to see detailed breakdown:

./.github/scripts/count-earthly.sh

Note that the goal is not to reach 0.
There are anticipated to be at least some occurrences of earthly in the source code due to backwards compatibility with config files and language constructs.

@gemini-code-assist

Summary of Changes

Hello @gilescope, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a comprehensive set of new files to define and configure a specialized buildkitd image for Earthbuild, specifically targeting arm64 architecture. It integrates custom tooling, advanced BuildKit daemon settings, and robust Docker-in-Docker capabilities, along with system-level process management, to address a dependency challenge and enhance the build environment.

Highlights

  • New BuildKit Image Definition: Introduced a new Dockerfile.earthbuild to create a specialized earthbuild buildkitd image, extending a base BuildKit image with Earthbuild-specific tooling, config templates, a debugger, and an entrypoint.
  • BuildKit Daemon Configuration: Added several template files (buildkitd.cache.template, buildkitd.cacheduration.template, buildkitd.pprof.template, buildkitd.tcp.template, buildkitd.tls.template, buildkitd.toml.template) to configure various aspects of the BuildKit daemon, including cache policies, TCP transport, pprof debugging, and TLS settings.
  • Docker-in-Docker (DinD) Support: Included scripts (docker-auto-install.sh, dockerd-wrapper.sh) to facilitate Docker-in-Docker functionality, enabling automatic installation of Docker and Docker Compose, and managing the dockerd lifecycle within the Earthbuild environment.
  • OOM Adjustment and Process Monitoring: Implemented an OOM adjustment script (oom-adjust.sh.template) for buildkit-runc processes and a utility script (runc-ps) to list and display statistics for runc container processes.
Changelog
  • Dockerfile.earthbuild
    • Added a new Dockerfile for building the earthbuild buildkitd image, including a Go-based debugger, CNI plugins, Git LFS, and SSH known hosts for GitHub, GitLab, and Bitbucket.
  • earthbuild/buildkitd.cache.template
    • Added a template for BuildKit's OCI worker garbage collection policy, allowing configuration of keepBytes for source files and a catch-all policy.
  • earthbuild/buildkitd.cacheduration.template
    • Added a template for BuildKit's OCI worker garbage collection policy, allowing configuration of keepDuration.
  • earthbuild/buildkitd.pprof.template
    • Added a template to enable pprof debugging on 0.0.0.0:6060 for BuildKit.
  • earthbuild/buildkitd.tcp.template
    • Added a template to configure TCP transport for BuildKit's gRPC on 0.0.0.0:8372.
  • earthbuild/buildkitd.tls.template
    • Added a template to configure TLS settings for BuildKit's gRPC, specifying paths for certificate, key, and CA files.
  • earthbuild/buildkitd.toml.template
    • Added a template for the main BuildKit daemon configuration file, integrating debug settings, root directory, insecure entitlements, worker settings, and placeholders for other configuration templates.
  • earthbuild/cni-conf.json.template
    • Added a template for CNI network configuration, defining a bridge network with a specific subnet and MTU.
  • earthbuild/docker-auto-install.sh
    • Added a script to automatically detect and install Docker Engine and Docker Compose based on the Linux distribution.
  • earthbuild/dockerd-wrapper.sh
    • Added a wrapper script for dockerd to manage its lifecycle, handle cgroup v2, acquire file locks, retry startup, clean up Docker objects, and load images from files or an embedded registry.
  • earthbuild/entrypoint.sh
    • Added an entrypoint script to initialize and run the earthbuild buildkitd daemon, handling ulimit, environment variable validation, cache versioning, iptables autodetection, Git credentials, CNI setup, BuildKit cache calculation, and OOM adjustment.
  • earthbuild/oom-adjust.sh.template
    • Added a template for a script to adjust OOM scores for buildkit-runc processes and their children, excluding buildkit-runcinit.
  • earthbuild/runc-ps
    • Added a script to list runc container processes, display their command arguments, and report total CPU and memory usage.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/buildkit.yml
Activity
  • The pull request was created by gilescope with the title "temp publish buildkitd" and a description mentioning a "chicken and egg" problem, aiming to force an arm64 buildkit image.
  • All changes involve the addition of new files, indicating the introduction of a new feature or a significant restructuring of the build environment setup.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page; here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature               Command                 Description
Code Review           /gemini review          Performs a code review for the current pull request in its current state.
Pull Request Summary  /gemini summary         Provides a summary of the current pull request in its current state.
Comment               @gemini-code-assist     Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help                  /gemini help            Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

The pull request introduces a custom buildkitd image for earthbuild with several supporting scripts and templates. While the overall architecture is sound, there are several critical issues that need to be addressed: a typo in the Go version for the debugger build, missing dependencies (bc) in the Dockerfile, a logic error in the cache size calculation, and a potential script failure due to set -e combined with grep and missing directory checks. Additionally, there are security concerns regarding unverified binary downloads in the auto-install script.

Comment on lines +19 to +28
RUN apk add --update --no-cache \
cni-plugins@edge-community \
gettext \
git-lfs \
iptables \
jq \
openssh-client \
pigz \
util-linux \
xz


high

The entrypoint.sh script relies on the bc command for floating-point arithmetic and cache calculations (e.g., lines 176, 198, 199, 210). However, bc is not included in the apk add list, which will cause the entrypoint to fail during container startup.

RUN apk add --update --no-cache \
    bc \
    cni-plugins@edge-community \
    gettext \
    git-lfs \
    iptables \
    jq \
    openssh-client \
    pigz \
    util-linux \
    xz

ln -sf "/sbin/$IP_TABLES" /sbin/iptables

# clear any leftovers (that aren't explicitly cached) in the dind dir
find /tmp/earthbuild/dind/ -maxdepth 1 -mindepth 1 | grep -v cache_ | xargs -r rm -rf


high

This line has two issues: 1) If /tmp/earthbuild/dind/ does not exist (e.g., on the first run), find will return an error and the script will exit due to set -e. 2) If no files match the grep -v filter, grep will return exit code 1, also causing the script to exit. Using find with a name filter and a directory check is more robust.

Suggested change
find /tmp/earthbuild/dind/ -maxdepth 1 -mindepth 1 | grep -v cache_ | xargs -r rm -rf
[ -d /tmp/earthbuild/dind/ ] && find /tmp/earthbuild/dind/ -maxdepth 1 -mindepth 1 ! -name "cache_*" -exec rm -rf {} + || true

fi

# Calculate the cache for source files to be 10% of the overall cache
SOURCE_FILE_KEEP_BYTES="$(echo "($CACHE_SIZE_MB * 1024 * 1024 * 0.5) / 1" | bc)" # Note /1 division truncates to int


high

There is a logic error in the cache calculation. The comment states that the source file cache should be 10% of the overall cache, but the code uses a multiplier of 0.5 (50%).

Suggested change
SOURCE_FILE_KEEP_BYTES="$(echo "($CACHE_SIZE_MB * 1024 * 1024 * 0.5) / 1" | bc)" # Note /1 division truncates to int
SOURCE_FILE_KEEP_BYTES="$(echo "($CACHE_SIZE_MB * 1024 * 1024 * 0.1) / 1" | bc)" # Note /1 division truncates to int

Comment on lines +84 to +92
curl -L "https://github.com/linuxserver/docker-docker-compose/releases/download/1.27.4-ls27/docker-compose-armhf" -o /usr/local/bin/docker-compose
;;
arm64|aarch64)
# renovate: datasource=github-releases packageName=linuxserver/docker-docker-compose
curl -L "https://github.com/linuxserver/docker-docker-compose/releases/download/1.27.4-ls27/docker-compose-arm64" -o /usr/local/bin/docker-compose
;;
*)
# renovate: datasource=github-releases packageName=docker/compose
curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose


security-high high

Downloading binaries directly from a third-party repository without verifying their checksums (e.g., SHA256) poses a significant security risk. An attacker could compromise the source or perform a MITM attack to execute arbitrary code. Please add checksum verification for all downloaded binaries.
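One way to act on this finding, as an added example that is not part of the PR or of docker-auto-install.sh: download into a temporary file, compare its SHA256 against a digest pinned alongside the release URL, and only then install it. The URL and the expected digest are placeholders to be filled per pinned release; `sha256sum` and `install` are assumed available (both are in Alpine's busybox/coreutils).

```shell
#!/bin/sh
# Added example (not the project's code): checksum-gated download for the
# docker-compose fetch in docker-auto-install.sh. Pin one EXPECTED digest per
# architecture/release next to the URL instead of trusting whatever curl returns.
set -eu

# verify_sha256 FILE EXPECTED: succeed only if FILE's SHA256 equals EXPECTED.
verify_sha256() {
    file="$1"
    expected="$2"
    actual="$(sha256sum "$file" | awk '{print $1}')"
    [ "$actual" = "$expected" ]
}

# fetch_verified URL DEST EXPECTED: download to a temp file, verify, then
# install with 0755. On mismatch the partial/tampered file is deleted and the
# function fails, so nothing unverified ever lands in /usr/local/bin.
fetch_verified() {
    url="$1"; dest="$2"; expected="$3"
    tmp="$(mktemp)"
    # -f makes curl fail on HTTP errors instead of saving an error page as the binary.
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if verify_sha256 "$tmp" "$expected"; then
        install -m 0755 "$tmp" "$dest"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "checksum mismatch for $url; refusing to install" >&2
        return 1
    fi
}

# Placeholder usage (values are not from the PR; pin them per release):
# fetch_verified "https://github.com/docker/compose/releases/download/<VERSION>/docker-compose-$(uname -s)-$(uname -m)" \
#     /usr/local/bin/docker-compose "<EXPECTED_SHA256_FOR_THIS_ARCH>"
```

Because the check happens before `install`, a compromised mirror or an in-path modification produces a non-zero exit and a log line rather than a runnable binary.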

ARG BASE_TAG=latest

# Build the earth_debugger from earthbuild2 source.
FROM golang:1.25-alpine AS debugger


medium

The Go version 1.25 is not yet released (current stable versions are 1.23 and 1.24). This is likely a typo and should be updated to a valid version.

FROM golang:1.24-alpine AS debugger

@gilescope
Author

We don't need to do this. buildkit is published from the earthbuild repo.

@gilescope gilescope closed this Feb 23, 2026