address comments

2 weeks ago · 08ae6e8ca4
4 changed files with 63 additions and 35 deletions
--- a/docker/Dockerfile.foundationdb_large
+++ b/docker/Dockerfile.foundationdb_large
@ -1,7 +1,8 @@
 FROM golang:1.24 AS builder

-RUN apt-get update
-RUN apt-get install -y build-essential wget ca-certificates
+RUN apt-get update && \
+    apt-get install -y build-essential wget ca-certificates && \
+    rm -rf /var/lib/apt/lists/*

 ARG FDB_VERSION=7.4.5
 ENV FDB_VERSION=${FDB_VERSION}
@ -9,22 +10,24 @@ ARG TARGETARCH

 # Install FoundationDB client libraries with SHA256 checksum verification
 # Known SHA256 checksums for FoundationDB client packages (verified 2025-01-19)
-# To add checksums for new versions: run docker/get_fdb_checksum.sh <version>
+# To add checksums for new versions: run docker/get_fdb_checksum.sh <version> <arch>
 RUN cd /tmp && \
    case "${TARGETARCH}" in \
-        "amd64") FDB_ARCH="amd64" ;; \
-        "arm64") FDB_ARCH="arm64" ;; \
+        "amd64") FDB_ARCH="amd64"; PACKAGE_ARCH="amd64" ;; \
+        "arm64") FDB_ARCH="arm64"; PACKAGE_ARCH="aarch64" ;; \
        *) echo "Unsupported architecture: ${TARGETARCH}" >&2; exit 1 ;; \
    esac && \
    case "${FDB_VERSION}_${FDB_ARCH}" in \
        "7.4.5_amd64") \
            EXPECTED_SHA256="eea6b98cf386a0848655b2e196d18633662a7440a7ee061c10e32153c7e7e112" ;; \
        "7.4.5_arm64") \
-            EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64" ;; \
+            EXPECTED_SHA256="f2176b86b7e1b561c3632b4e6e7efb82e3b8f57c2ff0d0ac4671e742867508aa" ;; \
        "7.3.43_amd64") \
            EXPECTED_SHA256="c3fa0a59c7355b914a1455dac909238d5ea3b6c6bc7b530af8597e6487c1651a" ;; \
        "7.3.43_arm64") \
-            EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64" ;; \
+            echo "ERROR: FoundationDB ${FDB_VERSION} does not publish arm64 client packages." >&2; \
+            echo "Please upgrade to 7.4.5+ when targeting arm64." >&2; \
+            exit 1 ;; \
        *) \
            echo "ERROR: No checksum available for FDB version ${FDB_VERSION} on ${FDB_ARCH}" >&2; \
            echo "This is a security requirement. To add verification:" >&2; \
@ -33,7 +36,7 @@ RUN cd /tmp && \
            echo "Refusing to proceed without checksum verification." >&2; \
            exit 1 ;; \
    esac && \
-    PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${FDB_ARCH}.deb" && \
+    PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${PACKAGE_ARCH}.deb" && \
    wget --timeout=30 --tries=3 https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/${PACKAGE} && \
    echo "${EXPECTED_SHA256}  ${PACKAGE}" | sha256sum -c - || \
        (echo "ERROR: Checksum verification failed for FoundationDB ${FDB_VERSION} (${FDB_ARCH})" >&2; \
@ -47,12 +50,12 @@ RUN cd /tmp && \
 ENV CGO_CFLAGS="-I/usr/include/foundationdb"
 ENV CGO_LDFLAGS="-lfdb_c"

-# build SeaweedFS
-ARG BRANCH=master
-RUN mkdir -p /go/src/github.com/seaweedfs/ && \
-    git clone --depth 1 --branch ${BRANCH} https://github.com/seaweedfs/seaweedfs /go/src/github.com/seaweedfs/seaweedfs
-RUN cd /go/src/github.com/seaweedfs/seaweedfs/weed \
-  && export LDFLAGS="-X github.com/seaweedfs/seaweedfs/weed/util/version.COMMIT=$(git rev-parse --short HEAD)" \
+# build SeaweedFS from the local build context for reproducible images
+WORKDIR /go/src/github.com/seaweedfs/seaweedfs
+COPY . .
+RUN cd weed \
+  && COMMIT_SHA=$(git rev-parse --short HEAD 2>/dev/null || echo "unknown") \
+  && export LDFLAGS="-X github.com/seaweedfs/seaweedfs/weed/util/version.COMMIT=${COMMIT_SHA}" \
  && go install -tags "5BytesOffset foundationdb" -ldflags "${LDFLAGS}"


@ -72,25 +75,27 @@ ARG FDB_VERSION=7.4.5
 ARG TARGETARCH
 RUN cd /tmp && \
    case "${TARGETARCH}" in \
-        "amd64") FDB_ARCH="amd64" ;; \
-        "arm64") FDB_ARCH="arm64" ;; \
+        "amd64") FDB_ARCH="amd64"; PACKAGE_ARCH="amd64" ;; \
+        "arm64") FDB_ARCH="arm64"; PACKAGE_ARCH="aarch64" ;; \
        *) echo "Unsupported architecture: ${TARGETARCH}" >&2; exit 1 ;; \
    esac && \
    case "${FDB_VERSION}_${FDB_ARCH}" in \
        "7.4.5_amd64") \
            EXPECTED_SHA256="eea6b98cf386a0848655b2e196d18633662a7440a7ee061c10e32153c7e7e112" ;; \
        "7.4.5_arm64") \
-            EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64" ;; \
+            EXPECTED_SHA256="f2176b86b7e1b561c3632b4e6e7efb82e3b8f57c2ff0d0ac4671e742867508aa" ;; \
        "7.3.43_amd64") \
            EXPECTED_SHA256="c3fa0a59c7355b914a1455dac909238d5ea3b6c6bc7b530af8597e6487c1651a" ;; \
        "7.3.43_arm64") \
-            EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64" ;; \
+            echo "ERROR: FoundationDB ${FDB_VERSION} does not publish arm64 client packages." >&2; \
+            echo "Please upgrade to 7.4.5+ when targeting arm64." >&2; \
+            exit 1 ;; \
        *) \
            echo "ERROR: No checksum available for FDB version ${FDB_VERSION} on ${FDB_ARCH}" >&2; \
            echo "Run docker/get_fdb_checksum.sh ${FDB_VERSION} ${FDB_ARCH} to get the checksum" >&2; \
            exit 1 ;; \
    esac && \
-    PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${FDB_ARCH}.deb" && \
+    PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${PACKAGE_ARCH}.deb" && \
    wget --timeout=30 --tries=3 https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/${PACKAGE} && \
    echo "${EXPECTED_SHA256}  ${PACKAGE}" | sha256sum -c - || \
        (echo "ERROR: Checksum verification failed for FoundationDB ${FDB_VERSION} (${FDB_ARCH})" >&2; exit 1) && \
--- a/docker/get_fdb_checksum.sh
+++ b/docker/get_fdb_checksum.sh
@ -16,12 +16,22 @@ fi
 FDB_VERSION="$1"
 FDB_ARCH="${2:-amd64}"

-if [ "$FDB_ARCH" != "amd64" ] && [ "$FDB_ARCH" != "arm64" ]; then
-    echo "Error: Architecture must be 'amd64' or 'arm64'" >&2
-    exit 1
-fi
-
-PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${FDB_ARCH}.deb"
+case "$FDB_ARCH" in
+    "amd64")
+        CANONICAL_ARCH="amd64"
+        PACKAGE_ARCH="amd64"
+        ;;
+    "arm64"|"aarch64")
+        CANONICAL_ARCH="arm64"
+        PACKAGE_ARCH="aarch64"
+        ;;
+    *)
+        echo "Error: Architecture must be 'amd64', 'arm64', or 'aarch64'" >&2
+        exit 1
+        ;;
+esac
+
+PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${PACKAGE_ARCH}.deb"
 URL="https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/${PACKAGE}"

 echo "Downloading FoundationDB ${FDB_VERSION} client package for ${FDB_ARCH}..."
@ -41,7 +51,7 @@ if wget --timeout=30 --tries=3 -q "${URL}"; then
    echo "${CHECKSUM}"
    echo ""
    echo "Add this to Dockerfile.foundationdb_large:"
-    echo "    \"${FDB_VERSION}_${FDB_ARCH}\") \\"
+    echo "    \"${FDB_VERSION}_${CANONICAL_ARCH}\") \\"
    echo "        EXPECTED_SHA256=\"${CHECKSUM}\" ;; \\"
 else
    echo "✗ Failed to download package from ${URL}" >&2
--- a/test/foundationdb/Dockerfile.build
+++ b/test/foundationdb/Dockerfile.build
@ -12,11 +12,19 @@ RUN apt-get update && apt-get install -y \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

-# Install FoundationDB client libraries (x86_64 emulation)
-RUN echo "🏗️ Installing FoundationDB AMD64 package with x86_64 emulation..." \
-    && wget -q https://github.com/apple/foundationdb/releases/download/${FOUNDATIONDB_VERSION}/foundationdb-clients_${FOUNDATIONDB_VERSION}-1_amd64.deb \
-    && dpkg -i foundationdb-clients_${FOUNDATIONDB_VERSION}-1_amd64.deb \
-    && rm foundationdb-clients_${FOUNDATIONDB_VERSION}-1_amd64.deb \
+# Install FoundationDB client libraries (x86_64 emulation) with checksum verification
+RUN set -euo pipefail \
+    && echo "🏗️ Installing FoundationDB AMD64 package with x86_64 emulation..." \
+    && case "${FOUNDATIONDB_VERSION}" in \
+        "7.4.5") EXPECTED_SHA256="eea6b98cf386a0848655b2e196d18633662a7440a7ee061c10e32153c7e7e112" ;; \
+        "7.3.43") EXPECTED_SHA256="c3fa0a59c7355b914a1455dac909238d5ea3b6c6bc7b530af8597e6487c1651a" ;; \
+        *) echo "Unsupported FoundationDB version ${FOUNDATIONDB_VERSION} for deterministic build" >&2; exit 1 ;; \
+    esac \
+    && PACKAGE="foundationdb-clients_${FOUNDATIONDB_VERSION}-1_amd64.deb" \
+    && wget -q https://github.com/apple/foundationdb/releases/download/${FOUNDATIONDB_VERSION}/${PACKAGE} \
+    && echo "${EXPECTED_SHA256}  ${PACKAGE}" | sha256sum -c - \
+    && dpkg -i ${PACKAGE} \
+    && rm ${PACKAGE} \
    && echo "🔍 Verifying FoundationDB installation..." \
    && ls -la /usr/include/foundationdb/ \
    && ls -la /usr/lib/*/libfdb_c* 2>/dev/null || echo "Library files:" \
--- a/test/foundationdb/Dockerfile.test
+++ b/test/foundationdb/Dockerfile.test
@ -8,10 +8,15 @@ RUN apt-get update && apt-get install -y \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

-# Download and install FoundationDB client libraries
-RUN wget -q https://github.com/apple/foundationdb/releases/download/7.4.5/foundationdb-clients_7.4.5-1_amd64.deb \
-    && dpkg -i foundationdb-clients_7.4.5-1_amd64.deb || apt-get install -f -y \
-    && rm foundationdb-clients_7.4.5-1_amd64.deb
+# Download and install FoundationDB client libraries with checksum verification
+RUN set -euo pipefail \
+    && FDB_VERSION="7.4.5" \
+    && EXPECTED_SHA256="eea6b98cf386a0848655b2e196d18633662a7440a7ee061c10e32153c7e7e112" \
+    && PACKAGE="foundationdb-clients_${FDB_VERSION}-1_amd64.deb" \
+    && wget -q https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/${PACKAGE} \
+    && echo "${EXPECTED_SHA256}  ${PACKAGE}" | sha256sum -c - \
+    && (dpkg -i ${PACKAGE} || apt-get install -f -y) \
+    && rm ${PACKAGE}

 # Set up Go environment for CGO
 ENV CGO_ENABLED=1