WS-207807 # Refine building flow

build-x2t-sandbox-rule.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+buildah bud --format=docker --security-opt label=disable --userns=host --network=host --rm=true --layers=true --memory=0 \
+    --tag jcr.jianguoyun.net.cn/onlyoffice/x2t-sandbox-rulegen-builder --file ./build/x2t-snadbox-rulegen-ubuntu.dockerfile .
+
+cp -r ./x2t-sandbox-rulegen ./src
+podman run --rm --security-opt label=disable --network=host \
+    --volume .:/app \
+    --workdir /app \
+    jcr.jianguoyun.net.cn/onlyoffice/x2t-sandbox-rulegen-builder \
+    bash -c "/root/.cargo/bin/cargo build --release --features tracing-mode"
+rm -rf ./src/x2t-sandbox-rulegen
+
+sudo docker run --rm \
+    --volume .:/app \
+    --workdir /app \
+    jcr.jianguoyun.net.cn/onlyoffice/x2t-sandbox-rulegen-builder \
+    bash -c 'bash /app/generate-sandbox-rule.sh /var/www/onlyoffice/documentserver/server/FileConverter/bin/x2t /app/target/release/x2t-sandbox /app/data'

build-x2t-sandbox.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+buildah bud --format=docker --security-opt label=disable --userns=host --network=host --rm=true --layers=true --memory=0 \
+    --tag jcr.jianguoyun.net.cn/onlyoffice/x2r-sandbox-builder --file ./build/x2t-snadbox-ubuntu.dockerfile .
+
+podman run --rm --security-opt label=disable --network=host \
+    --volume .:/app \
+    --workdir /app/src \
+    jcr.jianguoyun.net.cn/onlyoffice/x2r-sandbox-builder \
+    bash -c "/root/.cargo/bin/cargo build --release"

build/Dockerfile.static-build

@@ -1,20 +0,0 @@
-ARG  REGISTRY=docker.io
-ARG  BUILDER_BASE=library/rust:alpine
-ARG  RUNTIME_BASE=library/alpine:latest
-
-FROM ${REGISTRY}/${BUILDER_BASE} as builder
-RUN  apk add --no-cache pkgconf libseccomp-static libseccomp-dev musl-dev
-COPY . /src
-WORKDIR /src
-RUN  cargo build --release
-
-FROM ${REGISTRY}/${RUNTIME_BASE} as base
-
-FROM base as runtime
-COPY --from=builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
-
-
-FROM ${REGISTRY}/${RUNTIME_BASE} as copy-to-data
-FROM base as copy-to-data
-COPY --from=builder /src/target/release/x2t-sandbox /x2t-sandbox
-CMD  ["cp", "-v", "/x2t-sandbox", "/data/x2t-sandbox"]

build/Dockerfile.ubuntu

@@ -1,20 +0,0 @@
-ARG  REGISTRY=docker.io
-ARG  BASE=library/ubuntu:20.04
-
-FROM ${REGISTRY}/${BASE} as base
-
-FROM base as builder
-RUN  ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && apt update && apt install build-essential libseccomp-dev curl pkg-config -y
-RUN  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y
-COPY . /src
-WORKDIR /src
-RUN  /root/.cargo/bin/cargo build --release
-
-FROM base as runtime
-RUN  apt update && apt install libseccomp2 -y && rm -rf /var/apt
-COPY --from=builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
-
-FROM base as copy-to-data
-COPY --from=builder /src/target/release/x2t-sandbox /x2t-sandbox
-CMD  ["cp", "-v", "x2t-sandbox", "/data/x2t-sandbox"]
-

build/Dockerfile.ubuntu-build-with-tracer

@@ -1,50 +0,0 @@
-ARG  REGISTRY=docker.io
-ARG  BASE_IMAGE=library/ubuntu:20.04
-
-ARG  ONLYOFFICE_IMAGE=onlyoffice/documentserver:7.5
-
-FROM ${REGISTRY}/${BASE_IMAGE} as base
-
-FROM base as runtime-slim-base
-RUN  apt update && apt install libseccomp2 -y && rm -rf /var/apt
-
-FROM ${REGISTRY}/${ONLYOFFICE_IMAGE} as runtime-base
-RUN  apt update && apt install libseccomp2 -y && rm -rf /var/apt
-
-FROM base as builder-base
-RUN  ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && apt update && apt install build-essential libseccomp-dev curl pkg-config -y
-RUN  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y
-COPY Cargo.toml Cargo.lock build.rs /src/
-COPY src /src/src
-COPY x2t-sandbox-rulegen /src/x2t-sandbox-rulegen
-WORKDIR /src
-
-FROM builder-base as tracer-builder
-RUN  /root/.cargo/bin/cargo build --release --features tracing-mode
-
-FROM runtime-slim-base as runtime-tracer
-COPY --from=tracer-builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
-ENTRYPOINT ["/usr/local/bin/x2t-sandbox"]
-
-
-FROM runtime-base as tracer-generate-syscalls
-COPY data /data
-COPY --from=tracer-builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
-RUN  bash -c 'set -euo pipefail; for filename in $(ls /data/ | grep "\.xml$"); do /usr/local/bin/x2t-sandbox -l $filename.out /var/www/onlyoffice/documentserver/server/FileConverter/bin/x2t /data/$filename; done'
-RUN  cat *.out | sort | uniq > x2t-syscalls.txt
-
-FROM builder-base as sandbox-builder
-COPY --from=tracer-generate-syscalls /x2t-syscalls.txt /src/x2t-syscalls.txt
-RUN  /root/.cargo/bin/cargo build --release --features tracing-mode
-
-FROM runtime-base as onlyoffice-output
-COPY --from=sandbox-builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
-
-FROM base as copy-tracer-to-data
-COPY --from=tracer-builder /src/target/release/x2t-sandbox /x2t-sandbox
-CMD  ["cp", "-v", "x2t-sandbox", "/data/x2t-sandbox"]
-
-FROM base as copy-to-data
-COPY --from=sandbox-builder /src/target/release/x2t-sandbox /x2t-sandbox
-CMD  ["cp", "-v", "x2t-sandbox", "/data/x2t-sandbox"]
-

build/Dockerfile.ubuntu-env-override

@@ -1,25 +0,0 @@
-ARG  REGISTRY=docker.io
-ARG  BASE=library/ubuntu:20.04
-
-FROM ${REGISTRY}/${BASE} as base
-
-FROM base as builder
-RUN  ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && apt update && apt install build-essential libseccomp-dev curl pkg-config -y
-RUN  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y
-COPY Cargo.toml Cargo.lock build.rs /src/
-COPY src /src/src
-COPY x2t-sandbox-rulegen /src/x2t-sandbox-rulegen
-WORKDIR /src
-ARG  X2T_SYSCALLS
-ENV  X2T_SYSCALLS=${X2T_SYSCALLS}
-RUN  test ! -z "${X2T_SYSCALLS}" || { echo please set X2T_SYSCALLS with --build-arg X2T_SYSCALLS="open:close:read:write:..."; exit 1; }
-RUN  /root/.cargo/bin/cargo build --release
-
-FROM base as runtime
-RUN  apt update && apt install libseccomp2 -y && rm -rf /var/apt
-COPY --from=builder /src/target/release/x2t-sandbox /usr/local/bin/x2t-sandbox
-
-FROM base as copy-to-data
-COPY --from=builder /src/target/release/x2t-sandbox /x2t-sandbox
-CMD  ["cp", "-v", "x2t-sandbox", "/data/x2t-sandbox"]
-

build/x2t-snadbox-rulegen-ubuntu.dockerfile

@@ -0,0 +1,11 @@
+ARG BASE_IMAGE=nexus.jianguoyun.net.cn/infra/documentserver:7.3.3-2
+
+FROM ${BASE_IMAGE}
+
+RUN ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
+    apt-get update && \
+    apt-get install -y build-essential libseccomp-dev curl pkg-config libseccomp2 && \
+    rm -rf /var/lib/apt/lists/*
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y
+
+ENTRYPOINT []

build/x2t-snadbox-ubuntu.dockerfile

@@ -0,0 +1,9 @@
+ARG BASE_IMAGE=ubuntu:22.04
+
+FROM ${BASE_IMAGE}
+
+RUN ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
+    apt-get update && \
+    apt-get install -y build-essential libseccomp-dev curl pkg-config libseccomp2 && \
+    rm -rf /var/lib/apt/lists/*
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s - -y

data/Doc.xml

@@ -1,7 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <TaskQueueDataConvert>
-    <m_sFileFrom>
-        /data/Doc.docx</m_sFileFrom>
+    <m_sFileFrom>/data/Doc.docx</m_sFileFrom>
     <m_sFileTo>/data/Doc.bin</m_sFileTo>
     <m_nFormatTo>8192</m_nFormatTo>
     <m_sThemeDir>./themes</m_sThemeDir>

generate-sandbox-rule.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -euox pipefail
+
+if [ $# -ne 3 ]; then
+    echo "Usage: $0 <x2t abs path> <x2t-sandbox abs path> <xml data abs path>"
+    exit 1
+fi
+
+X2T=$1
+X2T_SANDBOX=$2
+DATA=$3
+
+for filename in $(ls ${DATA} | grep "\.xml$"); do
+    ${X2T_SANDBOX} -l ${filename}.out ${X2T} ${DATA}/${filename}
+done
+
+cat ./*.out | sort | uniq > x2t-syscalls.txt