Use a minimal container for GOLANG/CAR chaincode

ghaskins · ghaskins · commit 8e2563d806ae · 2017-02-17T12:17:55.000-05:00
This patch implements a "pass-through" build of chaincode
within a docker container as an alternative to using standard
"docker build" + Dockerfile mechanisms.  The plain docker
build is somewhat limiting due to the resulting image that is
a superset composition of the build-time and run-time environments.
This superset can be problematic on several fronts, such as a
bloated image size, and additional security exposure associated with
applications that are not needed, etc.

Before this patch, chaincode containers were approximately 1.4GB.
After this patch, they are about 175MB.

Java chaincode has not been ported to this process

Change-Id: Ib4e9881a0c1bfd6fb2f098e105a61d82c5293b3d
Signed-off-by: Greg Haskins &lt;gregory.haskins@gmail.com&gt;
diff --git a/core/chaincode/chaincodetest.yaml b/core/chaincode/chaincodetest.yaml
@@ -349,20 +349,17 @@ chaincode:
         path:
         name:
 
-    golang:
+    # Generic builder environment, suitable for most chaincode types
+    builder: hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
 
-        # This is the basis for the Golang Dockerfile.  Additional commands will
-        # be appended depedendent upon the chaincode specification.
-        Dockerfile:  |
-          FROM hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
-          WORKDIR $GOPATH
+    golang:
+        # golang will never need more than baseos
+        runtime: hyperledger/fabric-baseos:$(ARCH)-$(BASE_VERSION)
 
     car:
-
-        # This is the basis for the CAR Dockerfile.  Additional commands will
-        # be appended depedendent upon the chaincode specification.
-        Dockerfile:  |
-          FROM hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
+        # car may need more facilities (JVM, etc) in the future as the catalog
+        # of platforms are expanded.  For now, we can just use baseos
+        runtime: hyperledger/fabric-baseos:$(ARCH)-$(BASE_VERSION)
 
     # timeout in millisecs for starting up a container and waiting for Register
     # to come through. 1sec should be plenty for chaincode unit tests
diff --git a/core/chaincode/platforms/car/platform.go b/core/chaincode/platforms/car/platform.go
@@ -21,6 +21,11 @@ import (
 	"io/ioutil"
 	"strings"
 
+	"bytes"
+	"fmt"
+	"io"
+
+	"github.com/hyperledger/fabric/core/chaincode/platforms/util"
 	cutil "github.com/hyperledger/fabric/core/container/util"
 	pb "github.com/hyperledger/fabric/protos/peer"
 )
@@ -51,10 +56,8 @@ func (carPlatform *Platform) GenerateDockerfile(cds *pb.ChaincodeDeploymentSpec)
 	var buf []string
 
 	//let the executable's name be chaincode ID's name
-	buf = append(buf, cutil.GetDockerfileFromConfig("chaincode.car.Dockerfile"))
-	buf = append(buf, "COPY codepackage.car /tmp/codepackage.car")
-	// invoking directly for maximum JRE compatiblity
-	buf = append(buf, "RUN java -jar /usr/local/bin/chaintool buildcar /tmp/codepackage.car -o /usr/local/bin/chaincode && rm /tmp/codepackage.car")
+	buf = append(buf, "FROM "+cutil.GetDockerfileFromConfig("chaincode.car.runtime"))
+	buf = append(buf, "ADD binpackage.tar /usr/local/bin")
 
 	dockerFileContents := strings.Join(buf, "\n")
 
@@ -63,5 +66,26 @@ func (carPlatform *Platform) GenerateDockerfile(cds *pb.ChaincodeDeploymentSpec)
 
 func (carPlatform *Platform) GenerateDockerBuild(cds *pb.ChaincodeDeploymentSpec, tw *tar.Writer) error {
 
-	return cutil.WriteBytesToPackage("codepackage.car", cds.CodePackage, tw)
+	// Bundle the .car file into a tar stream so it may be transferred to the builder container
+	codepackage, output := io.Pipe()
+	go func() {
+		tw := tar.NewWriter(output)
+
+		err := cutil.WriteBytesToPackage("codepackage.car", cds.CodePackage, tw)
+
+		tw.Close()
+		output.CloseWithError(err)
+	}()
+
+	binpackage := bytes.NewBuffer(nil)
+	err := util.DockerBuild(util.DockerBuildOptions{
+		Cmd:          "java -jar /usr/local/bin/chaintool buildcar /chaincode/input/codepackage.car -o /chaincode/output/chaincode",
+		InputStream:  codepackage,
+		OutputStream: binpackage,
+	})
+	if err != nil {
+		return fmt.Errorf("Error building CAR: %s", err)
+	}
+
+	return cutil.WriteBytesToPackage("binpackage.tar", binpackage.Bytes(), tw)
 }
diff --git a/core/chaincode/platforms/golang/platform.go b/core/chaincode/platforms/golang/platform.go
@@ -29,6 +29,7 @@ import (
 
 	"regexp"
 
+	"github.com/hyperledger/fabric/core/chaincode/platforms/util"
 	cutil "github.com/hyperledger/fabric/core/container/util"
 	pb "github.com/hyperledger/fabric/protos/peer"
 )
@@ -186,29 +187,35 @@ func (goPlatform *Platform) GetDeploymentPayload(spec *pb.ChaincodeSpec) ([]byte
 func (goPlatform *Platform) GenerateDockerfile(cds *pb.ChaincodeDeploymentSpec) (string, error) {
 
 	var buf []string
-	var err error
-
-	spec := cds.ChaincodeSpec
-
-	urlLocation, err := decodeUrl(spec)
-	if err != nil {
-		return "", fmt.Errorf("could not decode url: %s", err)
-	}
 
-	const env = "GOPATH=/tmp/codepackage:$GOPATH"
-	const flags = "-ldflags \"-linkmode external -extldflags '-static'\""
-
-	buf = append(buf, cutil.GetDockerfileFromConfig("chaincode.golang.Dockerfile"))
-	buf = append(buf, "ADD codepackage.tgz /tmp/codepackage")
-	//let the executable's name be chaincode ID's name
-	buf = append(buf, fmt.Sprintf("RUN %s go build %s -o /usr/local/bin/chaincode %s", env, flags, urlLocation))
-	buf = append(buf, "RUN rm -rf /tmp/codepackage") // FAB-2122: scrub source after it is no longer needed
+	buf = append(buf, "FROM "+cutil.GetDockerfileFromConfig("chaincode.golang.runtime"))
+	buf = append(buf, "ADD binpackage.tar /usr/local/bin")
 
 	dockerFileContents := strings.Join(buf, "\n")
 
 	return dockerFileContents, nil
 }
 
 func (goPlatform *Platform) GenerateDockerBuild(cds *pb.ChaincodeDeploymentSpec, tw *tar.Writer) error {
-	return cutil.WriteBytesToPackage("codepackage.tgz", cds.CodePackage, tw)
+	spec := cds.ChaincodeSpec
+
+	pkgname, err := decodeUrl(spec)
+	if err != nil {
+		return fmt.Errorf("could not decode url: %s", err)
+	}
+
+	const ldflags = "-linkmode external -extldflags '-static'"
+
+	codepackage := bytes.NewReader(cds.CodePackage)
+	binpackage := bytes.NewBuffer(nil)
+	err = util.DockerBuild(util.DockerBuildOptions{
+		Cmd:          fmt.Sprintf("GOPATH=/chaincode/input:$GOPATH go build -ldflags \"%s\" -o /chaincode/output/chaincode %s", ldflags, pkgname),
+		InputStream:  codepackage,
+		OutputStream: binpackage,
+	})
+	if err != nil {
+		return err
+	}
+
+	return cutil.WriteBytesToPackage("binpackage.tar", binpackage.Bytes(), tw)
 }
diff --git a/core/chaincode/platforms/util/utils.go b/core/chaincode/platforms/util/utils.go
@@ -8,6 +8,9 @@ import (
 	"os"
 	"path/filepath"
 
+	"io"
+
+	"github.com/fsouza/go-dockerclient"
 	"github.com/hyperledger/fabric/common/util"
 	cutil "github.com/hyperledger/fabric/core/container/util"
 	"github.com/op/go-logging"
@@ -90,3 +93,126 @@ func IsCodeExist(tmppath string) error {
 
 	return nil
 }
+
+type DockerBuildOptions struct {
+	Image        string
+	Env          []string
+	Cmd          string
+	InputStream  io.Reader
+	OutputStream io.Writer
+}
+
+//-------------------------------------------------------------------------------------------
+// DockerBuild
+//-------------------------------------------------------------------------------------------
+// This function allows a "pass-through" build of chaincode within a docker container as
+// an alternative to using standard "docker build" + Dockerfile mechanisms.  The plain docker
+// build is somewhat limiting due to the resulting image that is a superset composition of
+// the build-time and run-time environments.  This superset can be problematic on several
+// fronts, such as a bloated image size, and additional security exposure associated with
+// applications that are not needed, etc.
+//
+// Therefore, this mechanism creates a pipeline consisting of an ephemeral docker
+// container that accepts source code as input, runs some function (e.g. "go build"), and
+// outputs the result.  The intention is that this output will be consumed as the basis of
+// a streamlined container by installing the output into a downstream docker-build based on
+// an appropriate minimal image.
+//
+// The input parameters are fairly simple:
+//      - Image:        (optional) The builder image to use or "chaincode.builder"
+//      - Env:          (optional) environment variables for the build environment.
+//      - Cmd:          The command to execute inside the container.
+//      - InputStream:  A tarball of files that will be expanded into /chaincode/input.
+//      - OutputStream: A tarball of files that will be gathered from /chaincode/output
+//                      after successful execution of Cmd.
+//-------------------------------------------------------------------------------------------
+func DockerBuild(opts DockerBuildOptions) error {
+	client, err := cutil.NewDockerClient()
+	if err != nil {
+		return fmt.Errorf("Error creating docker client: %s", err)
+	}
+
+	if opts.Image == "" {
+		opts.Image = cutil.GetDockerfileFromConfig("chaincode.builder")
+		if opts.Image == "" {
+			return fmt.Errorf("No image provided and \"chaincode.builder\" default does not exist")
+		}
+	}
+
+	//-----------------------------------------------------------------------------------
+	// Create an ephemeral container, armed with our Env/Cmd
+	//-----------------------------------------------------------------------------------
+	container, err := client.CreateContainer(docker.CreateContainerOptions{
+		Config: &docker.Config{
+			Image:        opts.Image,
+			Env:          opts.Env,
+			Cmd:          []string{"/bin/sh", "-c", opts.Cmd},
+			AttachStdout: true,
+			AttachStderr: true,
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("Error creating container: %s", err)
+	}
+	defer client.RemoveContainer(docker.RemoveContainerOptions{ID: container.ID})
+
+	//-----------------------------------------------------------------------------------
+	// Upload our input stream
+	//-----------------------------------------------------------------------------------
+	err = client.UploadToContainer(container.ID, docker.UploadToContainerOptions{
+		Path:        "/chaincode/input",
+		InputStream: opts.InputStream,
+	})
+	if err != nil {
+		return fmt.Errorf("Error uploading input to container: %s", err)
+	}
+
+	//-----------------------------------------------------------------------------------
+	// Attach stdout buffer to capture possible compilation errors
+	//-----------------------------------------------------------------------------------
+	stdout := bytes.NewBuffer(nil)
+	_, err = client.AttachToContainerNonBlocking(docker.AttachToContainerOptions{
+		Container:    container.ID,
+		OutputStream: stdout,
+		ErrorStream:  stdout,
+		Logs:         true,
+		Stdout:       true,
+		Stderr:       true,
+		Stream:       true,
+	})
+	if err != nil {
+		return fmt.Errorf("Error attaching to container: %s", err)
+	}
+
+	//-----------------------------------------------------------------------------------
+	// Launch the actual build, realizing the Env/Cmd specified at container creation
+	//-----------------------------------------------------------------------------------
+	err = client.StartContainer(container.ID, nil)
+	if err != nil {
+		return fmt.Errorf("Error executing build: %s \"%s\"", err, stdout.String())
+	}
+
+	//-----------------------------------------------------------------------------------
+	// Wait for the build to complete and gather the return value
+	//-----------------------------------------------------------------------------------
+	retval, err := client.WaitContainer(container.ID)
+	if err != nil {
+		return fmt.Errorf("Error waiting for container to complete: %s", err)
+	}
+	if retval > 0 {
+		return fmt.Errorf("Error returned from build: %d \"%s\"", retval, stdout.String())
+	}
+
+	//-----------------------------------------------------------------------------------
+	// Finally, download the result
+	//-----------------------------------------------------------------------------------
+	err = client.DownloadFromContainer(container.ID, docker.DownloadFromContainerOptions{
+		Path:         "/chaincode/output/.",
+		OutputStream: opts.OutputStream,
+	})
+	if err != nil {
+		return fmt.Errorf("Error downloading output: %s", err)
+	}
+
+	return nil
+}
diff --git a/core/endorser/endorser_test.yaml b/core/endorser/endorser_test.yaml
@@ -363,20 +363,17 @@ chaincode:
         path:
         name:
 
-    golang:
+    # Generic builder environment, suitable for most chaincode types
+    builder: hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
 
-        # This is the basis for the Golang Dockerfile.  Additional commands will
-        # be appended depedendent upon the chaincode specification.
-        Dockerfile:  |
-          FROM hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
-          WORKDIR $GOPATH
+    golang:
+        # golang will never need more than baseos
+        runtime: hyperledger/fabric-baseos:$(ARCH)-$(BASE_VERSION)
 
     car:
-
-        # This is the basis for the CAR Dockerfile.  Additional commands will
-        # be appended depedendent upon the chaincode specification.
-        Dockerfile:  |
-            FROM hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
+        # car may need more facilities (JVM, etc) in the future as the catalog
+        # of platforms are expanded.  For now, we can just use baseos
+        runtime: hyperledger/fabric-baseos:$(ARCH)-$(BASE_VERSION)
 
     java:
         # This is an image based on java:openjdk-8 with addition compiler
diff --git a/images/ccenv/Dockerfile.in b/images/ccenv/Dockerfile.in
@@ -1,3 +1,4 @@
 FROM hyperledger/fabric-baseimage:_BASE_TAG_
 COPY payload/chaintool payload/protoc-gen-go /usr/local/bin/
 ADD payload/goshim.tar.bz2 $GOPATH/src/
+RUN mkdir -p /chaincode/input /chaincode/output
diff --git a/peer/core.yaml b/peer/core.yaml
@@ -276,20 +276,17 @@ chaincode:
         path:
         name:
 
-    golang:
+    # Generic builder environment, suitable for most chaincode types
+    builder: hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
 
-        # This is the basis for the Golang Dockerfile.  Additional commands will
-        # be appended depedendent upon the chaincode specification.
-        Dockerfile:  |
-          FROM hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
-          WORKDIR $GOPATH
+    golang:
+        # golang will never need more than baseos
+        runtime: hyperledger/fabric-baseos:$(ARCH)-$(BASE_VERSION)
 
     car:
-
-        # This is the basis for the CAR Dockerfile.  Additional commands will
-        # be appended depedendent upon the chaincode specification.
-        Dockerfile:  |
-            FROM hyperledger/fabric-ccenv:$(ARCH)-$(PROJECT_VERSION)
+        # car may need more facilities (JVM, etc) in the future as the catalog
+        # of platforms are expanded.  For now, we can just use baseos
+        runtime: hyperledger/fabric-baseos:$(ARCH)-$(BASE_VERSION)
 
     java:
         # This is an image based on java:openjdk-8 with addition compiler
