diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cfb40c9c9d..0d63f842df 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -178,7 +178,7 @@ jobs: - name: Get golangci-lint cache dir run: | - linter_ver=$(grep -Eo 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/Dockerfile | cut -d '=' -f 2) + linter_ver=$(grep -Eo 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/ubuntu-26.04/Dockerfile | cut -d '=' -f 2) ./.github/scripts/retry.sh -- go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v$linter_ver" dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }') echo "LINT_CACHE_DIR=$dir" >> "$GITHUB_ENV" diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml index a2dce9553d..370530d53c 100644 --- a/.github/workflows/dogfood.yaml +++ b/.github/workflows/dogfood.yaml @@ -22,6 +22,11 @@ permissions: jobs: build_image: + strategy: + fail-fast: false + matrix: + image-version: ["22.04", "26.04", "nix"] + if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }} steps: @@ -41,6 +46,7 @@ jobs: # Pinning to 2.28 here, as Nix gets a "error: [json.exception.type_error.302] type must be array, but is string" # on version 2.29 and above. nix_version: "2.28.5" + if: matrix.image-version == 'nix' - uses: nix-community/cache-nix-action@7df957e333c1e5da7721f60227dbba6d06080569 # v7.0.2 with: @@ -60,10 +66,12 @@ jobs: purge-created: 0 # except the version with the `primary-key`, if it exists purge-primary-key: never + if: matrix.image-version == 'nix' - name: Get branch name id: branch-name uses: tj-actions/branch-names@5250492686b253f06fa55861556d1027b067aeb5 # v9.0.2 + if: matrix.image-version != 'nix' - name: "Branch name to Docker tag name" id: docker-tag-name @@ -73,12 +81,15 @@ jobs: echo "tag=${tag}" >> "$GITHUB_OUTPUT" env: BRANCH_NAME: ${{ steps.branch-name.outputs.current_branch }} + if: matrix.image-version != 'nix' - name: Set up Depot CLI uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1 + if: matrix.image-version != 'nix' - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + if: matrix.image-version != 'nix' - name: Login to DockerHub if: github.ref == 'refs/heads/main' @@ -87,23 +98,41 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - - name: Build and push Non-Nix image + - name: Build and push Ubuntu 22.04 image uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0 with: project: b4q6ltmpzh token: ${{ secrets.DEPOT_TOKEN }} buildx-fallback: true - context: "{{defaultContext}}:dogfood/coder" + context: "{{defaultContext}}:dogfood/coder/ubuntu-22.04" pull: true save: true push: ${{ github.ref == 'refs/heads/main' }} - tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest" + # TODO: move the `latest` tag to 26.04 soon. we don't want to transition + # it immediately because that would make workspaces switch to it + # automatically without any grace period. + tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:22.04,codercom/oss-dogfood:latest" + if: matrix.image-version == '22.04' + + - name: Build and push Ubuntu 26.04 image + uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0 + with: + project: b4q6ltmpzh + token: ${{ secrets.DEPOT_TOKEN }} + buildx-fallback: true + context: "{{defaultContext}}:dogfood/coder/ubuntu-26.04" + pull: true + save: true + push: ${{ github.ref == 'refs/heads/main' }} + tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:26.04" + if: matrix.image-version == '26.04' - name: Build Nix image run: nix build .#dev_image + if: matrix.image-version == 'nix' - name: Push Nix image - if: github.ref == 'refs/heads/main' + if: matrix.image-version == 'nix' && github.ref == 'refs/heads/main' run: | docker load -i result diff --git a/.gitignore b/.gitignore index abf76379f9..f94151d621 100644 --- a/.gitignore +++ b/.gitignore @@ -42,7 +42,6 @@ site/.swc .gen-golden # Build -bin/ build/ dist/ out/ diff --git a/Makefile b/Makefile index 1e51438858..a1afce77eb 100644 --- a/Makefile +++ b/Makefile @@ -718,7 +718,7 @@ lint/ts: site/node_modules/.installed lint/go: ./scripts/check_enterprise_imports.sh ./scripts/check_codersdk_imports.sh - linter_ver=$$(grep -oE 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/Dockerfile | cut -d '=' -f 2) + linter_ver=$$(grep -oE 'GOLANGCI_LINT_VERSION=\S+' dogfood/coder/ubuntu-26.04/Dockerfile | cut -d '=' -f 2) go run github.com/golangci/golangci-lint/cmd/golangci-lint@v$$linter_ver run go tool github.com/coder/paralleltestctx/cmd/paralleltestctx -custom-funcs="testutil.Context" ./... .PHONY: lint/go diff --git a/dogfood/coder/Makefile b/dogfood/coder/Makefile index 061530f50d..2403fae04c 100644 --- a/dogfood/coder/Makefile +++ b/dogfood/coder/Makefile @@ -1,10 +1,37 @@ -.PHONY: docker-build docker-push +# Use the branch name to differentiate test builds from actual pulled images, +# replacing forward slashes with hyphens, as forward slashes are not valid in +# tag names. +build_tag ?= $(shell git rev-parse --abbrev-ref HEAD | sed "s/\\//-/") -branch=$(shell git rev-parse --abbrev-ref HEAD) -build_tag=codercom/oss-dogfood:${branch} +build: build-ubuntu-22.04 build-ubuntu-26.04 +.PHONY: build -build: - DOCKER_BUILDKIT=1 docker build . -t ${build_tag} +build-ubuntu-22.04: + (cd ubuntu-22.04/ && DOCKER_BUILDKIT=1 docker build . -t "codercom/oss-dogfood:22.04-$(build_tag)") +.PHONY: build-ubuntu-22.04 -push: build +build-ubuntu-26.04: + (cd ubuntu-26.04/ && DOCKER_BUILDKIT=1 docker build . -t "codercom/oss-dogfood:26.04-$(build_tag)") +.PHONY: build-ubuntu-26.04 + +push: push-ubuntu-22.04 push-ubuntu-26.04 +.PHONY: push + +push-ubuntu-22.04: build-ubuntu-22.04 docker push ${build_tag} +.PHONY: push-ubuntu-22.04 + +push-ubuntu-26.04: build-ubuntu-26.04 + docker push ${build_tag} +.PHONY: push-ubuntu-26.04 + +update-keys: update-keys-ubuntu-22.04 update-keys-ubuntu-26.04 +.PHONY: update-keys + +update-keys-ubuntu-22.04: + ./ubuntu-22.04/update-keys.sh +.PHONY: update-keys-ubuntu-22.04 + +update-keys-ubuntu-26.04: + ./ubuntu-26.04/update-keys.sh +.PHONY: update-keys-ubuntu-26.04 diff --git a/dogfood/coder/main.tf b/dogfood/coder/main.tf index cf807684d8..665b16515e 100644 --- a/dogfood/coder/main.tf +++ b/dogfood/coder/main.tf @@ -124,12 +124,17 @@ data "coder_parameter" "repo_base_dir" { data "coder_parameter" "image_type" { type = "string" name = "Coder Image" - default = "codercom/oss-dogfood:latest" - description = "The Docker image used to run your workspace. Choose between nix and non-nix images." + default = "codercom/oss-dogfood:26.04" + description = "The Docker image used to run your workspace." option { icon = "/icon/coder.svg" - name = "Dogfood (Default)" - value = "codercom/oss-dogfood:latest" + name = "Ubuntu 26.04" + value = "codercom/oss-dogfood:26.04" + } + option { + icon = "/icon/coder.svg" + name = "Ubuntu 22.04" + value = "codercom/oss-dogfood:22.04" } option { icon = "/icon/nix.svg" @@ -770,7 +775,8 @@ resource "docker_image" "dogfood" { pull_triggers = [ data.docker_registry_image.dogfood.sha256_digest, sha1(join("", [for f in fileset(path.module, "files/*") : filesha1(f)])), - filesha1("Dockerfile"), + filesha1("ubuntu-22.04/Dockerfile"), + filesha1("ubuntu-26.04/Dockerfile"), filesha1("nix.hash"), ] keep_locally = true diff --git a/dogfood/coder/Dockerfile b/dogfood/coder/ubuntu-22.04/Dockerfile similarity index 100% rename from dogfood/coder/Dockerfile rename to dogfood/coder/ubuntu-22.04/Dockerfile diff --git a/dogfood/coder/configure-chrome-flags.sh b/dogfood/coder/ubuntu-22.04/configure-chrome-flags.sh similarity index 100% rename from dogfood/coder/configure-chrome-flags.sh rename to dogfood/coder/ubuntu-22.04/configure-chrome-flags.sh diff --git a/dogfood/coder/files/etc/apt/apt.conf.d/80-no-recommends b/dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/80-no-recommends similarity index 100% rename from dogfood/coder/files/etc/apt/apt.conf.d/80-no-recommends rename to dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/80-no-recommends diff --git a/dogfood/coder/files/etc/apt/apt.conf.d/80-retries b/dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/80-retries similarity index 100% rename from dogfood/coder/files/etc/apt/apt.conf.d/80-retries rename to dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/80-retries diff --git a/dogfood/coder/files/etc/apt/apt.conf.d/99-chrome-flags b/dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/99-chrome-flags similarity index 100% rename from dogfood/coder/files/etc/apt/apt.conf.d/99-chrome-flags rename to dogfood/coder/ubuntu-22.04/files/etc/apt/apt.conf.d/99-chrome-flags diff --git a/dogfood/coder/files/etc/apt/preferences.d/containerd b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/containerd similarity index 100% rename from dogfood/coder/files/etc/apt/preferences.d/containerd rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/containerd diff --git a/dogfood/coder/files/etc/apt/preferences.d/docker b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/docker similarity index 100% rename from dogfood/coder/files/etc/apt/preferences.d/docker rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/docker diff --git a/dogfood/coder/files/etc/apt/preferences.d/github-cli b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/github-cli similarity index 100% rename from dogfood/coder/files/etc/apt/preferences.d/github-cli rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/github-cli diff --git a/dogfood/coder/files/etc/apt/preferences.d/google-cloud b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/google-cloud similarity index 100% rename from dogfood/coder/files/etc/apt/preferences.d/google-cloud rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/google-cloud diff --git a/dogfood/coder/files/etc/apt/preferences.d/hashicorp b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/hashicorp similarity index 100% rename from dogfood/coder/files/etc/apt/preferences.d/hashicorp rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/hashicorp diff --git a/dogfood/coder/files/etc/apt/preferences.d/ppa b/dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/ppa similarity index 100% rename from dogfood/coder/files/etc/apt/preferences.d/ppa rename to dogfood/coder/ubuntu-22.04/files/etc/apt/preferences.d/ppa diff --git a/dogfood/coder/files/etc/apt/sources.list.d/docker.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/docker.list similarity index 100% rename from dogfood/coder/files/etc/apt/sources.list.d/docker.list rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/docker.list diff --git a/dogfood/coder/files/etc/apt/sources.list.d/google-cloud.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/google-cloud.list similarity index 100% rename from dogfood/coder/files/etc/apt/sources.list.d/google-cloud.list rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/google-cloud.list diff --git a/dogfood/coder/files/etc/apt/sources.list.d/hashicorp.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/hashicorp.list similarity index 100% rename from dogfood/coder/files/etc/apt/sources.list.d/hashicorp.list rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/hashicorp.list diff --git a/dogfood/coder/files/etc/apt/sources.list.d/postgresql.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/postgresql.list similarity index 100% rename from dogfood/coder/files/etc/apt/sources.list.d/postgresql.list rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/postgresql.list diff --git a/dogfood/coder/files/etc/apt/sources.list.d/ppa.list b/dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/ppa.list similarity index 100% rename from dogfood/coder/files/etc/apt/sources.list.d/ppa.list rename to dogfood/coder/ubuntu-22.04/files/etc/apt/sources.list.d/ppa.list diff --git a/dogfood/coder/files/etc/docker/daemon.json b/dogfood/coder/ubuntu-22.04/files/etc/docker/daemon.json similarity index 100% rename from dogfood/coder/files/etc/docker/daemon.json rename to dogfood/coder/ubuntu-22.04/files/etc/docker/daemon.json diff --git a/dogfood/coder/files/usr/local/bin/gh b/dogfood/coder/ubuntu-22.04/files/usr/local/bin/gh similarity index 100% rename from dogfood/coder/files/usr/local/bin/gh rename to dogfood/coder/ubuntu-22.04/files/usr/local/bin/gh diff --git a/dogfood/coder/files/usr/share/keyrings/ansible.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/ansible.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/ansible.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/ansible.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/docker.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/docker.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/docker.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/docker.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/fish-shell.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/fish-shell.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/fish-shell.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/fish-shell.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/git-core.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/git-core.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/git-core.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/git-core.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/github-cli.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/github-cli.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/github-cli.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/github-cli.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/google-cloud.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/google-cloud.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/google-cloud.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/google-cloud.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/hashicorp.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/hashicorp.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/hashicorp.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/hashicorp.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/helix.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/helix.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/helix.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/helix.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/neovim.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/neovim.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/neovim.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/neovim.gpg diff --git a/dogfood/coder/files/usr/share/keyrings/postgresql.gpg b/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/postgresql.gpg similarity index 100% rename from dogfood/coder/files/usr/share/keyrings/postgresql.gpg rename to dogfood/coder/ubuntu-22.04/files/usr/share/keyrings/postgresql.gpg diff --git a/dogfood/coder/update-keys.sh b/dogfood/coder/ubuntu-22.04/update-keys.sh similarity index 66% rename from dogfood/coder/update-keys.sh rename to dogfood/coder/ubuntu-22.04/update-keys.sh index 4d45f348bf..8ccdc3a5c0 100755 --- a/dogfood/coder/update-keys.sh +++ b/dogfood/coder/ubuntu-22.04/update-keys.sh @@ -15,11 +15,14 @@ gpg_flags=( --yes ) -pushd "$PROJECT_ROOT/dogfood/coder/files/usr/share/keyrings" +pushd "$PROJECT_ROOT/dogfood/coder/ubuntu-22.04/files/usr/share/keyrings" # Ansible PPA signing key -curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0X6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367" | - gpg "${gpg_flags[@]}" --output="ansible.gpg" +# This curl command is now resulting in a 404, causing the script to fail. +# Rather than fix, we're just upgrading to Ubuntu 26.04 which removed the +# dependency on this PPA. +# curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0X6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367" | +# gpg "${gpg_flags[@]}" --output="ansible.gpg" # Upstream Docker signing key curl "${curl_flags[@]}" "https://download.docker.com/linux/ubuntu/gpg" | @@ -37,10 +40,6 @@ curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0 curl "${curl_flags[@]}" "https://cli.github.com/packages/githubcli-archive-keyring.gpg" | gpg "${gpg_flags[@]}" --output="github-cli.gpg" -# Google Linux Software repository signing key (Chrome) -curl "${curl_flags[@]}" "https://dl.google.com/linux/linux_signing_key.pub" | - gpg "${gpg_flags[@]}" --output="google-chrome.gpg" - # Google Cloud signing key curl "${curl_flags[@]}" "https://packages.cloud.google.com/apt/doc/apt-key.gpg" | gpg "${gpg_flags[@]}" --output="google-cloud.gpg" @@ -53,24 +52,12 @@ curl "${curl_flags[@]}" "https://apt.releases.hashicorp.com/gpg" | curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x27642B9FD7F1A161FC2524E3355A4FA515D7C855" | gpg "${gpg_flags[@]}" --output="helix.gpg" -# Microsoft repository signing key (Edge) -curl "${curl_flags[@]}" "https://packages.microsoft.com/keys/microsoft.asc" | - gpg "${gpg_flags[@]}" --output="microsoft.gpg" - # Neovim signing key curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9DBB0BE9366964F134855E2255F96FCF8231B6DD" | gpg "${gpg_flags[@]}" --output="neovim.gpg" -# NodeSource signing key -curl "${curl_flags[@]}" "https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key" | - gpg "${gpg_flags[@]}" --output="nodesource.gpg" - # Upstream PostgreSQL signing key curl "${curl_flags[@]}" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" | gpg "${gpg_flags[@]}" --output="postgresql.gpg" -# Yarnpkg signing key -curl "${curl_flags[@]}" "https://dl.yarnpkg.com/debian/pubkey.gpg" | - gpg "${gpg_flags[@]}" --output="yarnpkg.gpg" - popd diff --git a/dogfood/coder/ubuntu-26.04/Dockerfile b/dogfood/coder/ubuntu-26.04/Dockerfile new file mode 100644 index 0000000000..4955d8ec46 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/Dockerfile @@ -0,0 +1,368 @@ +# 1.93.1 +FROM rust:slim@sha256:cf09adf8c3ebaba10779e5c23ff7fe4df4cccdab8a91f199b0c142c53fef3e1a AS rust-utils +# Install rust helper programs +ENV CARGO_INSTALL_ROOT=/tmp/ +# Use more reliable mirrors for Debian packages +RUN sed -i 's|http://deb.debian.org/debian|http://mirrors.edge.kernel.org/debian|g' /etc/apt/sources.list && \ + apt-get update || true +RUN apt-get update && apt-get install -y libssl-dev openssl pkg-config build-essential +RUN cargo install jj-cli typos-cli watchexec-cli + +FROM ubuntu:resolute@sha256:cc925e589b7543b910fea57a240468940003fbfc0515245a495dd0ad8fe7cef1 AS go + +# Install Go manually, so that we can control the version +ARG GO_VERSION=1.25.9 +ARG GO_CHECKSUM="00859d7bd6defe8bf84d9db9e57b9a4467b2887c18cd93ae7460e713db774bc1" + +# Boring Go is needed to build FIPS-compliant binaries. +RUN apt-get update && \ + apt-get install --yes curl && \ + curl --silent --show-error --location \ + "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \ + -o /usr/local/go.tar.gz && \ + echo "$GO_CHECKSUM /usr/local/go.tar.gz" | sha256sum -c && \ + rm -rf /var/lib/apt/lists/* + +ENV PATH=$PATH:/usr/local/go/bin +ARG GOPATH="/tmp/" +# Install Go utilities. +RUN apt-get update && \ + apt-get install --yes gcc && \ + mkdir --parents /usr/local/go && \ + tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 && \ + mkdir --parents "$GOPATH" && \ + go env -w GOSUMDB=sum.golang.org && \ + # swag for Swagger doc generation + go install github.com/swaggo/swag/cmd/swag@v1.16.2 && \ + # goimports for updating imports + go install golang.org/x/tools/cmd/goimports@v0.41.0 && \ + # protoc-gen-go is needed to build sysbox from source + go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30.0 && \ + # drpc support for v2 + go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34 && \ + # migrate for migration support for v2 + go install github.com/golang-migrate/migrate/v4/cmd/migrate@v4.15.1 && \ + # Install the latest version of gopls for editors that support + # the language server protocol (v0.21.0+ required for Go 1.25) + go install golang.org/x/tools/gopls@v0.21.0 && \ + # gotestsum makes test output more readable + go install gotest.tools/gotestsum@v1.9.0 && \ + # sqlc for Go code generation + # Switched to coder/sqlc fork to fix ambiguous column bug, see: + # - https://github.com/coder/sqlc/pull/1 + # - https://github.com/sqlc-dev/sqlc/pull/4159 + (CGO_ENABLED=1 go install github.com/coder/sqlc/cmd/sqlc@aab4e865a51df0c43e1839f81a9d349b41d14f05) && \ + # ruleguard for checking custom rules, without needing to run all of + # golangci-lint. Check the go.mod in the release of golangci-lint that + # we're using for the version of go-critic that it embeds, then check + # the version of ruleguard in go-critic for that tag. + go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.13 && \ + # shfmt for shell script formatting + go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0 && \ + # nfpm is used with `make build` to make release packages + go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.35.1 && \ + # yq v4 for processing YAML files (renamed to yq4 for scripts/lib.sh). + go install github.com/mikefarah/yq/v4@v4.44.3 && \ + mv /tmp/bin/yq /tmp/bin/yq4 && \ + # mockgen for generating mocks (v0.6.0+ required for Go 1.25) + go install go.uber.org/mock/mockgen@v0.6.0 && \ + # Reduce image size. + apt-get remove --yes gcc && \ + apt-get autoremove --yes && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* && \ + rm -rf /usr/local/go && \ + rm -rf /tmp/go/pkg && \ + rm -rf /tmp/go/src + +# alpine:3.18 +FROM us-docker.pkg.dev/coder-v2-images-public/public/alpine@sha256:fd032399cd767f310a1d1274e81cab9f0fd8a49b3589eba2c3420228cd45b6a7 AS proto +WORKDIR /tmp +RUN apk add curl unzip +RUN curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.4/protoc-23.4-linux-x86_64.zip && \ + unzip protoc.zip && \ + rm protoc.zip + +FROM ubuntu:resolute@sha256:cc925e589b7543b910fea57a240468940003fbfc0515245a495dd0ad8fe7cef1 + +SHELL ["/bin/bash", "-c"] + +# Install packages from apt repositories +ARG DEBIAN_FRONTEND="noninteractive" + +# Updated certificates are necessary to use the teraswitch mirror. +# This must be ran before copying in configuration since the config replaces +# the default mirror with teraswitch. +# Also enable the en_US.UTF-8 locale so that we don't generate multiple locales +# and unminimize to include man pages. +RUN apt-get update && \ + apt-get install --yes ca-certificates locales unminimize && \ + echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && \ + locale-gen && \ + yes | unminimize + +COPY files / + +# We used to copy /etc/sudoers.d/* in from files/ but this causes issues with +# permissions and layer caching. Instead, create the file directly. +RUN mkdir -p /etc/sudoers.d && \ + echo 'coder ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/nopasswd && \ + chmod 750 /etc/sudoers.d/ && \ + chmod 640 /etc/sudoers.d/nopasswd + +# Use more reliable mirrors for Ubuntu packages +RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/ubuntu/|g; s|http://security.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/ubuntu/|g' /etc/apt/sources.list.d/ubuntu.sources && \ + apt-get update --quiet && apt-get install --yes \ + ansible \ + apt-transport-https \ + apt-utils \ + asciinema \ + bash \ + bash-completion \ + bat \ + bats \ + bind9-dnsutils \ + build-essential \ + ca-certificates \ + containerd.io \ + crypto-policies \ + curl \ + docker-ce \ + docker-ce-cli \ + docker-compose-plugin \ + eza \ + fd-find \ + file \ + fish \ + gettext-base \ + git \ + gnupg \ + google-cloud-sdk \ + hx \ + htop \ + httpie \ + inetutils-tools \ + iproute2 \ + iputils-ping \ + iputils-tracepath \ + jq \ + kubectl \ + language-pack-en \ + less \ + libgbm-dev \ + libssl-dev \ + lsb-release \ + lsof \ + man \ + meld \ + ncdu \ + neovim \ + net-tools \ + openjdk-11-jdk-headless \ + openssh-server \ + openssl \ + pkg-config \ + postgresql-18 \ + python3 \ + python3-pip \ + ripgrep \ + rsync \ + screen \ + shellcheck \ + strace \ + sudo \ + tcptraceroute \ + termshark \ + tmux \ + traceroute \ + unzip \ + vim \ + wget \ + xauth \ + zip \ + zsh \ + zstd && \ + # Delete package cache to avoid consuming space in layer + apt-get clean && \ + # Configure FIPS-compliant policies + update-crypto-policies --set FIPS + +# Install Google Chrome directly from Google. Ubuntu 26.04 ships +# chromium-browser as a snap-only package, which does not work in +# Docker containers. +# configure-chrome-flags.sh is automatically run after dpkg operations +# by dogfood/coder/files/etc/apt/apt.conf.d/99-chrome-flags. +RUN chmod a+x /opt/configure-chrome-flags.sh && \ + wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \ + apt-get install --yes ./google-chrome-stable_current_amd64.deb && \ + rm google-chrome-stable_current_amd64.deb + +# Install Rust via rustup. Using rustup ensures we get a current stable +# toolchain. +ENV RUSTUP_HOME=/usr/local/rustup \ + CARGO_HOME=/usr/local/cargo +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \ + sh -s -- -y --default-toolchain stable --profile minimal +ENV PATH=$CARGO_HOME/bin:$PATH + +# NOTE: In scripts/Dockerfile.base we specifically install Terraform version 1.14.5. +# Installing the same version here to match. +RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.14.5/terraform_1.14.5_linux_amd64.zip" && \ + unzip /tmp/terraform.zip -d /usr/local/bin && \ + rm -f /tmp/terraform.zip && \ + chmod +x /usr/local/bin/terraform && \ + terraform --version + +# Install the docker buildx component. +RUN DOCKER_BUILDX_VERSION=$(curl -s "https://api.github.com/repos/docker/buildx/releases/latest" | grep '"tag_name":' | sed -E 's/.*"(v[^"]+)".*/\1/') && \ + mkdir -p /usr/local/lib/docker/cli-plugins && \ + curl -Lo /usr/local/lib/docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-amd64" && \ + chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx + +# See https://github.com/cli/cli/issues/6175#issuecomment-1235984381 for proof +# the apt repository is unreliable +RUN GH_CLI_VERSION=$(curl -s "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \ + curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.deb -o gh.deb && \ + dpkg -i gh.deb && \ + rm gh.deb + +# Install Lazygit +# See https://github.com/jesseduffield/lazygit#ubuntu +RUN LAZYGIT_VERSION=$(curl -s "https://api.github.com/repos/jesseduffield/lazygit/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v*([^"]+)".*/\1/') && \ + curl -Lo lazygit.tar.gz "https://github.com/jesseduffield/lazygit/releases/latest/download/lazygit_${LAZYGIT_VERSION}_Linux_x86_64.tar.gz" && \ + tar xf lazygit.tar.gz -C /usr/local/bin lazygit && \ + rm lazygit.tar.gz + +# Install doctl +# See https://docs.digitalocean.com/reference/doctl/how-to/install +RUN DOCTL_VERSION=$(curl -s "https://api.github.com/repos/digitalocean/doctl/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \ + curl -L https://github.com/digitalocean/doctl/releases/download/v${DOCTL_VERSION}/doctl-${DOCTL_VERSION}-linux-amd64.tar.gz -o doctl.tar.gz && \ + tar xf doctl.tar.gz -C /usr/local/bin doctl && \ + rm doctl.tar.gz + +ARG NVM_INSTALL_SHA=bdea8c52186c4dd12657e77e7515509cda5bf9fa5a2f0046bce749e62645076d +# Install frontend utilities +ENV NVM_DIR=/usr/local/nvm +ENV NODE_VERSION=22.19.0 +RUN mkdir -p $NVM_DIR +RUN curl -o nvm_install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh && \ + echo "${NVM_INSTALL_SHA} nvm_install.sh" | sha256sum -c && \ + bash nvm_install.sh && \ + rm nvm_install.sh +RUN source $NVM_DIR/nvm.sh && \ + nvm install $NODE_VERSION && \ + nvm use $NODE_VERSION +ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH +RUN corepack enable && \ + corepack prepare npm@10.8.1 --activate && \ + corepack prepare pnpm@10.14.0 --activate + +RUN pnpx playwright@1.47.0 install --with-deps chromium + +# Ensure PostgreSQL binaries are in the users $PATH. +RUN update-alternatives --install /usr/local/bin/initdb initdb /usr/lib/postgresql/18/bin/initdb 100 && \ + update-alternatives --install /usr/local/bin/postgres postgres /usr/lib/postgresql/18/bin/postgres 100 + +# Create links for injected dependencies +RUN ln --symbolic /var/tmp/coder/coder-cli/coder /usr/local/bin/coder && \ + ln --symbolic /var/tmp/coder/code-server/bin/code-server /usr/local/bin/code-server + +# Disable the PostgreSQL systemd service. +# Coder uses a custom timescale container to test the database instead. +RUN systemctl disable \ + postgresql + +# Configure systemd services for CVMs +RUN systemctl enable \ + docker \ + ssh && \ + # Workaround for envbuilder cache probing not working unless the filesystem is modified. + touch /tmp/.envbuilder-systemctl-enable-docker-ssh-workaround + +# Install tools with published releases, where that is the +# preferred/recommended installation method. +ARG GOLANGCI_LINT_VERSION=1.64.8 \ + HELM_VERSION=3.12.0 \ + KUBECTX_VERSION=0.9.4 \ + SYFT_VERSION=1.20.0 \ + COSIGN_VERSION=2.4.3 \ + BUN_VERSION=1.2.15 + +RUN \ + # golangci-lint performs static code analysis for our Go code + curl --silent --show-error --location --fail "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | \ + tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" && \ + # Helm is necessary for deploying Coder + curl --silent --show-error --location --fail "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | \ + tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \ + # kubens and kubectx for managing Kubernetes namespaces and contexts + curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \ + tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \ + curl --silent --show-error --location --fail "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \ + tar --extract --gzip --directory=/usr/local/bin --file=- kubens && \ + # Anchore Syft for SBOM generation + curl --silent --show-error --location --fail "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | \ + tar --extract --gzip --directory=/usr/local/bin --file=- syft && \ + # Sigstore Cosign for artifact signing and attestation + curl --silent --show-error --location --fail --output /usr/local/bin/cosign "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64" && \ + chmod a=rx /usr/local/bin/cosign && \ + # Install Bun JavaScript runtime to /usr/local/bin + curl --silent --show-error --location --fail "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip" --output /tmp/bun.zip && \ + unzip -q /tmp/bun.zip -d /tmp && \ + mv /tmp/bun-linux-x64/bun /usr/local/bin/ && \ + chmod a=rx /usr/local/bin/bun && \ + rm -rf /tmp/bun.zip /tmp/bun-linux-x64 && \ + apt-get clean && rm -rf /var/lib/apt/lists/* + +# Add coder user and allow use of docker/sudo. +# Ubuntu 26.04 ships a default "ubuntu" user at UID 1000; +# remove it so we can create "coder" with that UID. +RUN userdel -r ubuntu && \ + useradd coder \ + --create-home \ + --shell=/bin/bash \ + --groups=docker \ + --uid=1000 \ + --user-group + +# Adjust OpenSSH config +RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \ + echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \ + echo "X11UseLocalhost no" >>/etc/ssh/sshd_config + +# We avoid copying the extracted directory since COPY slows to minutes when there +# are a lot of small files. +COPY --from=go /usr/local/go.tar.gz /usr/local/go.tar.gz +RUN mkdir /usr/local/go && \ + tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1 + +ENV PATH=$PATH:/usr/local/go/bin + +RUN update-alternatives --install /usr/local/bin/gofmt gofmt /usr/local/go/bin/gofmt 100 + +COPY --from=go /tmp/bin /usr/local/bin +COPY --from=rust-utils /tmp/bin /usr/local/bin +COPY --from=proto /tmp/bin /usr/local/bin +COPY --from=proto /tmp/include /usr/local/bin/include + +USER coder + +# Ensure go bins are in the 'coder' user's path. Note that no go bins are +# installed in this docker file, as they'd be mounted over by the persistent +# home volume. +ENV PATH="/home/coder/go/bin:${PATH}" + +# Override CARGO_HOME so cargo registry/cache writes go to the coder +# user's home directory instead of the root-owned /usr/local/cargo. +# The rustup-installed binaries remain on PATH via /usr/local/cargo/bin. +ENV CARGO_HOME="/home/coder/.cargo" + +# This setting prevents Go from using the public checksum database for +# our module path prefixes. It is required because these are in private +# repositories that require authentication. +# +# For details, see: https://golang.org/ref/mod#private-modules +ENV GOPRIVATE="coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder" + +# Increase memory allocation to NodeJS +ENV NODE_OPTIONS="--max-old-space-size=8192" diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-no-recommends b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-no-recommends new file mode 100644 index 0000000000..8cb79c9638 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-no-recommends @@ -0,0 +1,6 @@ +// Do not install recommended packages by default +APT::Install-Recommends "0"; + +// Do not install suggested packages by default (this is already +// the Ubuntu default) +APT::Install-Suggests "0"; diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-retries b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-retries new file mode 100644 index 0000000000..d7ee518525 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/80-retries @@ -0,0 +1 @@ +APT::Acquire::Retries "3"; diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/99-chrome-flags b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/99-chrome-flags new file mode 100644 index 0000000000..7d02aded16 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/apt.conf.d/99-chrome-flags @@ -0,0 +1,3 @@ +// Re-apply Chrome desktop-file flags after any package operation so +// that a google-chrome-stable upgrade does not silently drop them. +DPkg::Post-Invoke { "/opt/configure-chrome-flags.sh 2>/dev/null || true"; }; diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd new file mode 100644 index 0000000000..ab0b8f9891 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd @@ -0,0 +1,6 @@ +# Ref: https://github.com/nestybox/sysbox/issues/879 +# We need to pin containerd to a specific version to avoid breaking +# Docker-in-Docker. +Package: containerd.io +Pin: version 1.7.23-1 +Pin-Priority: 1001 diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker new file mode 100644 index 0000000000..8bf06ea2ee --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker @@ -0,0 +1,23 @@ +# Ignore all packages from this repository by default +Package: * +Pin: origin download.docker.com +Pin-Priority: 1 + +# Docker Community Edition +# We need to pin docker-ce to a specific version because containerd is pinned +# to an older version. Newer major versions of docker-ce require a version of +# containerd.io greater than our pinned version. +Package: docker-ce +Pin: origin download.docker.com +Pin: version 5:29.* +Pin-Priority: 500 + +# Docker command-line tool +Package: docker-ce-cli +Pin: origin download.docker.com +Pin-Priority: 500 + +# containerd runtime +Package: containerd.io +Pin: origin download.docker.com +Pin-Priority: 500 diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/github-cli b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/github-cli new file mode 100644 index 0000000000..d2dce9f5f3 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/github-cli @@ -0,0 +1,8 @@ +# Ignore all packages from this repository by default +Package: * +Pin: origin cli.github.com +Pin-Priority: 1 + +Package: gh +Pin: origin cli.github.com +Pin-Priority: 500 diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/google-cloud b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/google-cloud new file mode 100644 index 0000000000..637b0e9bb3 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/google-cloud @@ -0,0 +1,19 @@ +# Ignore all packages from this repository by default +Package: * +Pin: origin packages.cloud.google.com +Pin-Priority: 1 + +# Google Cloud SDK for gcloud and gsutil CLI tools +Package: google-cloud-sdk +Pin: origin packages.cloud.google.com +Pin-Priority: 500 + +# Datastore emulator for working with the licensor +Package: google-cloud-sdk-datastore-emulator +Pin: origin packages.cloud.google.com +Pin-Priority: 500 + +# Kubectl for working with Kubernetes (GKE) +Package: kubectl +Pin: origin packages.cloud.google.com +Pin-Priority: 500 diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/hashicorp b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/hashicorp new file mode 100644 index 0000000000..4323f331cc --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/hashicorp @@ -0,0 +1,14 @@ +# Ignore all packages from this repository by default +Package: * +Pin: origin apt.releases.hashicorp.com +Pin-Priority: 1 + +# Packer for creating virtual machine disk images +Package: packer +Pin: origin apt.releases.hashicorp.com +Pin-Priority: 500 + +# Terraform for managing infrastructure +Package: terraform +Pin: origin apt.releases.hashicorp.com +Pin-Priority: 500 diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list new file mode 100644 index 0000000000..76fa2962d1 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list @@ -0,0 +1 @@ +deb [signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu resolute stable diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/google-cloud.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/google-cloud.list new file mode 100644 index 0000000000..24df98effe --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/google-cloud.list @@ -0,0 +1 @@ +deb [signed-by=/usr/share/keyrings/google-cloud.gpg] https://packages.cloud.google.com/apt cloud-sdk main diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/hashicorp.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/hashicorp.list new file mode 100644 index 0000000000..5658e0df72 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/hashicorp.list @@ -0,0 +1 @@ +deb [signed-by=/usr/share/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com noble main diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/postgresql.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/postgresql.list new file mode 100644 index 0000000000..28aa067cf4 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/postgresql.list @@ -0,0 +1 @@ +deb [signed-by=/usr/share/keyrings/postgresql.gpg] https://apt.postgresql.org/pub/repos/apt resolute-pgdg main diff --git a/dogfood/coder/ubuntu-26.04/files/etc/docker/daemon.json b/dogfood/coder/ubuntu-26.04/files/etc/docker/daemon.json new file mode 100644 index 0000000000..c2cbc52c3c --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/etc/docker/daemon.json @@ -0,0 +1,3 @@ +{ + "registry-mirrors": ["https://mirror.gcr.io"] +} diff --git a/dogfood/coder/ubuntu-26.04/files/opt/configure-chrome-flags.sh b/dogfood/coder/ubuntu-26.04/files/opt/configure-chrome-flags.sh new file mode 100644 index 0000000000..ee2e9bbaef --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/opt/configure-chrome-flags.sh @@ -0,0 +1,31 @@ +#!/bin/bash +# Adds launch flags to all Google Chrome .desktop files so that Chrome +# works correctly in headless / GPU-less environments (e.g. Coder +# workspaces running inside Docker containers). +# +# This script is idempotent. + +set -euo pipefail + +CHROME_FLAGS=( + --use-gl=angle + --use-angle=swiftshader + --disable-dev-shm-usage + --no-first-run + --no-default-browser-check + --disable-background-networking + --disable-sync + --start-maximized +) + +FLAGS_STR="${CHROME_FLAGS[*]}" + +for desktop_file in /usr/share/applications/google-chrome*.desktop /usr/share/applications/com.google.Chrome*.desktop; do + [ -f "$desktop_file" ] || continue + # Skip if flags are already present. + if grep -q -- '--use-gl=angle' "$desktop_file"; then + continue + fi + # Insert flags after the binary path on every Exec= line. + sed -i "s|Exec=/usr/bin/google-chrome-stable|Exec=/usr/bin/google-chrome-stable ${FLAGS_STR}|" "$desktop_file" +done diff --git a/dogfood/coder/ubuntu-26.04/files/usr/local/bin/gh b/dogfood/coder/ubuntu-26.04/files/usr/local/bin/gh new file mode 100755 index 0000000000..8d8168c70b --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/files/usr/local/bin/gh @@ -0,0 +1,32 @@ +#!/bin/sh +# +# Wrapper for the GitHub CLI (`gh`) that ensures authentication via +# `coder external-auth` when no other credentials are available. +# +# Precedence: +# 1. GH_TOKEN / GITHUB_TOKEN already set in environment +# 2. Existing `gh auth` login (e.g. `gh auth login`) +# 3. Fresh token from `coder external-auth access-token github` + +REAL_GH="/usr/bin/gh" + +# If GH_TOKEN or GITHUB_TOKEN is already set, defer to the real gh. +if [ -n "${GH_TOKEN:-}" ] || [ -n "${GITHUB_TOKEN:-}" ]; then + exec "$REAL_GH" "$@" +fi + +# If the user has manually logged in via `gh auth login`, use that. +if "$REAL_GH" auth status >/dev/null 2>&1; then + exec "$REAL_GH" "$@" +fi + +# Fall back to Coder's external auth for a fresh token (only in a workspace). +if [ "${CODER:-}" = "true" ]; then + TOKEN=$(coder external-auth access-token github 2>/dev/null) + if [ -n "$TOKEN" ]; then + GITHUB_TOKEN="$TOKEN" exec "$REAL_GH" "$@" + fi +fi + +# Nothing worked; run gh anyway and let it show its own auth error. +exec "$REAL_GH" "$@" diff --git a/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/docker.gpg b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/docker.gpg new file mode 100644 index 0000000000..e5dc8cfda8 Binary files /dev/null and b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/docker.gpg differ diff --git a/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/github-cli.gpg b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/github-cli.gpg new file mode 100644 index 0000000000..eddea90bd7 Binary files /dev/null and b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/github-cli.gpg differ diff --git a/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/google-cloud.gpg b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/google-cloud.gpg new file mode 100644 index 0000000000..3b28500f95 Binary files /dev/null and b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/google-cloud.gpg differ diff --git a/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/hashicorp.gpg b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/hashicorp.gpg new file mode 100644 index 0000000000..674dd40c42 Binary files /dev/null and b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/hashicorp.gpg differ diff --git a/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/postgresql.gpg b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/postgresql.gpg new file mode 100644 index 0000000000..afa15cb108 Binary files /dev/null and b/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings/postgresql.gpg differ diff --git a/dogfood/coder/ubuntu-26.04/update-keys.sh b/dogfood/coder/ubuntu-26.04/update-keys.sh new file mode 100755 index 0000000000..5d0b687eb2 --- /dev/null +++ b/dogfood/coder/ubuntu-26.04/update-keys.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env bash + +set -euo pipefail + +PROJECT_ROOT="$(git rev-parse --show-toplevel)" + +curl_flags=( + --silent + --show-error + --location +) + +gpg_flags=( + --dearmor + --yes +) + +pushd "$PROJECT_ROOT/dogfood/coder/ubuntu-26.04/files/usr/share/keyrings" + +# Upstream Docker signing key +curl "${curl_flags[@]}" "https://download.docker.com/linux/ubuntu/gpg" | + gpg "${gpg_flags[@]}" --output="docker.gpg" + +# GitHub CLI signing key +curl "${curl_flags[@]}" "https://cli.github.com/packages/githubcli-archive-keyring.gpg" | + gpg "${gpg_flags[@]}" --output="github-cli.gpg" + +# Google Cloud signing key +curl "${curl_flags[@]}" "https://packages.cloud.google.com/apt/doc/apt-key.gpg" | + gpg "${gpg_flags[@]}" --output="google-cloud.gpg" + +# Hashicorp signing key +curl "${curl_flags[@]}" "https://apt.releases.hashicorp.com/gpg" | + gpg "${gpg_flags[@]}" --output="hashicorp.gpg" + +# Upstream PostgreSQL signing key +curl "${curl_flags[@]}" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" | + gpg "${gpg_flags[@]}" --output="postgresql.gpg" + +popd diff --git a/scripts/check_go_versions.sh b/scripts/check_go_versions.sh index 8349960bd5..b48153858c 100755 --- a/scripts/check_go_versions.sh +++ b/scripts/check_go_versions.sh @@ -3,7 +3,8 @@ # This script ensures that the same version of Go is referenced in all of the # following files: # - go.mod -# - dogfood/coder/Dockerfile +# - dogfood/coder/ubuntu-22.04/Dockerfile +# - dogfood/coder/ubuntu-26.04/Dockerfile # - flake.nix # - .github/actions/setup-go/action.yml # The version of Go in go.mod is considered the source of truth. @@ -18,18 +19,23 @@ cdroot IGNORE_NIX=${IGNORE_NIX:-false} GO_VERSION_GO_MOD=$(grep -Eo 'go [0-9]+\.[0-9]+\.[0-9]+' ./go.mod | cut -d' ' -f2) -GO_VERSION_DOCKERFILE=$(grep -Eo 'ARG GO_VERSION=[0-9]+\.[0-9]+\.[0-9]+' ./dogfood/coder/Dockerfile | cut -d'=' -f2) +GO_VERSION_DOCKERFILE_2204=$(grep -Eo 'ARG GO_VERSION=[0-9]+\.[0-9]+\.[0-9]+' ./dogfood/coder/ubuntu-22.04/Dockerfile | cut -d'=' -f2) +GO_VERSION_DOCKERFILE_2604=$(grep -Eo 'ARG GO_VERSION=[0-9]+\.[0-9]+\.[0-9]+' ./dogfood/coder/ubuntu-26.04/Dockerfile | cut -d'=' -f2) GO_VERSION_SETUP_GO=$(yq '.inputs.version.default' .github/actions/setup-go/action.yaml) GO_VERSION_FLAKE_NIX=$(grep -Eo '\bgo_[0-9]+_[0-9]+\b' ./flake.nix) # Convert to major.minor format. GO_VERSION_FLAKE_NIX_MAJOR_MINOR=$(echo "$GO_VERSION_FLAKE_NIX" | cut -d '_' -f 2-3 | tr '_' '.') log "INFO : go.mod : $GO_VERSION_GO_MOD" -log "INFO : dogfood/coder/Dockerfile : $GO_VERSION_DOCKERFILE" +log "INFO : dogfood/coder/ubuntu-22.04/Dockerfile : $GO_VERSION_DOCKERFILE_2204" +log "INFO : dogfood/coder/ubuntu-26.04/Dockerfile : $GO_VERSION_DOCKERFILE_2604" log "INFO : setup-go/action.yaml : $GO_VERSION_SETUP_GO" log "INFO : flake.nix : $GO_VERSION_FLAKE_NIX_MAJOR_MINOR" -if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_DOCKERFILE" ]; then - error "Go version mismatch between go.mod and dogfood/coder/Dockerfile:" +if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_DOCKERFILE_2204" ]; then + error "Go version mismatch between go.mod and dogfood/coder/ubuntu-22.04/Dockerfile:" +fi +if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_DOCKERFILE_2604" ]; then + error "Go version mismatch between go.mod and dogfood/coder/ubuntu-26.04/Dockerfile:" fi if [ "$GO_VERSION_GO_MOD" != "$GO_VERSION_SETUP_GO" ]; then