diff --git a/.bazelrc b/.bazelrc index 086472de..3dd14587 100644 --- a/.bazelrc +++ b/.bazelrc @@ -4,7 +4,7 @@ build --incompatible_strict_action_env build --nolegacy_external_runfiles -test --test_env=DOCKER_HOST +common --test_env=DOCKER_HOST --action_env=DOCKER_HOST --repo_env=DOCKER_HOST # Disable bzlmod lockfile common --lockfile_mode=off diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index de6b6fcc..fcbdcaa5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -131,30 +131,10 @@ jobs: if: ${{ matrix.os == 'macos-13' }} run: echo "DOCKER_HOST=$(grep 'tc.host' ~/.testcontainers.properties | cut -d '=' -f2 | xargs)" >> $GITHUB_ENV - - name: Free space - if: ${{ matrix.os == 'ubuntu-latest' }} - run: | - sudo apt-get remove -y '^dotnet-.*' - sudo apt-get remove -y '^llvm-.*' - sudo apt-get remove -y 'php.*' - sudo apt-get remove -y 'google*' - sudo apt-get autoremove -y - sudo apt-get clean - rm -rf /usr/share/dotnet/ - - - name: Override CST - if: ${{ matrix.bzlmodEnabled && matrix.folder == '.'}} - run: | - cat >> MODULE.bazel < $(location :{name}_output) +echo -n $$? > $(location :{name}_exit_code) +""".format(name = name, docker_args = docker_args), + outs = [ + name + "_output", + name + "_exit_code", + ], + target_compatible_with = TARGET_COMPATIBLE_WITH, + tools = ["//examples:docker_cli"], + ) + + if output_eq: + write_file( + name = name + "_output_eq_expected", + out = name + "_output_eq_expected.txt", + content = [output_eq], + tags = tags + ["manual"], + ) + diff_test( + name = name + "_assert_output_eq", + file1 = name + "_output", + file2 = name + "_output_eq_expected", + tags = tags, + ) + + if exit_code_eq != None: + write_file( + name = name + "_exit_code_expected", + out = name + "_exit_code_expected.txt", + content = [str(exit_code_eq)], + tags = tags + ["manual"], + ) + diff_test( + name = name + "_assert_exit_code_eq", + file1 = name + "_exit_code", + file2 = name + "_exit_code_expected", + tags = tags, + ) diff --git a/examples/assertion/BUILD.bazel b/examples/assertion/BUILD.bazel index 31eb0498..393f641e 100644 --- a/examples/assertion/BUILD.bazel +++ b/examples/assertion/BUILD.bazel @@ -1,8 +1,10 @@ load("@aspect_bazel_lib//lib:tar.bzl", "tar") +load("@aspect_bazel_lib//lib:testing.bzl", "assert_json_matches") load("@aspect_bazel_lib//lib:transitions.bzl", "platform_transition_filegroup") load("@bazel_skylib//rules:build_test.bzl", "build_test") -load("//oci:defs.bzl", "oci_image", "oci_tarball") -load(":assert.bzl", "assert_oci_config") +load("@bazel_skylib//rules:write_file.bzl", "write_file") +load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball") +load("//examples:assert.bzl", "assert_oci_config") # Case 1: image name containing a capital case. oci_image( @@ -126,6 +128,168 @@ assert_oci_config( image = ":case6", ) +# Case 7: oci_image inheriting env from the base and appending to it. +oci_image( + name = "case7_base", + architecture = "arm64", + env = { + "PATH": "/usr/local/bin", + }, + os = "linux", +) + +oci_image( + name = "case7", + base = ":case7_base", + env = { + "PATH": "${PATH}:/usr/bin", + "PATH1": "$PATH:/test", + "PATH2": "/prepend:${PATH}:/test2", + "PATH3": "key1=value1 key2=value2", + }, +) + +assert_oci_config( + name = "test_case7", + env_eq = { + "PATH": "/usr/local/bin:/usr/bin", + "PATH1": "/usr/local/bin:/usr/bin:/test", + "PATH2": "/prepend:/usr/local/bin:/usr/bin:/test2", + "PATH3": "key1=value1 key2=value2", + }, + image = ":case7", +) + +# Case 8: Test all attributes of oci_image + +# buildifier: leave-alone +oci_image( + name = "case8_base", + # platform attributes + os = "linux", + architecture = "amd64", + variant = "v8", + # entrypoint and args + entrypoint = ["/custom_bin"], + cmd = [ + "--arg1", + "--arg2", + ], + # env + env = { + "ENV": "/test", # ENV=/test + "ENV2": "/test:$ENV", # ENV=/test:/test + "PATH": "/usr/local/bin:$PATH", # PATH=/usr/local/bin: + }, + # exposed_ports + exposed_ports = [ + "1234/tcp", + "5678/udp", + "5000", + ], + # user & workdir + user = "root", + workdir = "/root", + # labels & annotations + labels = { + "org.opencontainers.image.version": "0.0.0", + "org.opencontainers.image.source": "https://github.com/bazel-contrib/rules_oci=", + }, + annotations = { + "org.opencontainers.image.version": "0.0.0", + "org.opencontainers.image.source": "https://github.com/bazel-contrib/rules_oci=", + }, +) + +oci_image( + name = "case8", + base = ":case8_base", + # adding a new env should preserve the previously set envs! + env = { + "LOCAL": "true", # LOCAL=/test + }, +) + +assert_oci_config( + name = "test_case8", + cmd_eq = [ + "--arg1", + "--arg2", + ], + entrypoint_eq = [ + "/custom_bin", + ], + env_eq = { + "ENV": "/test", + "ENV2": "/test:/test", + "PATH": "/usr/local/bin:", + "LOCAL": "true", + }, + exposed_ports_eq = [ + "1234/tcp", + "5678/udp", + "5000", + ], + image = ":case8", + labels_eq = { + "org.opencontainers.image.version": "0.0.0", + "org.opencontainers.image.source": "https://github.com/bazel-contrib/rules_oci=", + }, + user_eq = "root", + workdir_eq = "/root", +) + +# Case 9: Test oci_tarball repotags + +repo_tags = [ + "gcr.io/empty_base:latest", + "two:is_a_company", + "three:is_a_crowd", # Used to test support for more than two repo_tags. +] + +oci_image( + name = "case9_image", + architecture = "amd64", + os = "linux", +) + +# Intended to be `bazel run` to load the tarball into a container runtime. +# Produces only an mtree specification as the default output. +oci_tarball( + name = "case9_tarball", + image = ":case9_image", + repo_tags = repo_tags, +) + +# Not typically recommended: ask the tarball rule to write the .tar file +# that would have been created when `bazel run`. +filegroup( + name = "case9_tarball.tar", + srcs = [":case9_tarball"], + output_group = "tarball", +) + +genrule( + name = "case9_manifest", + srcs = [":case9_tarball.tar"], + outs = ["case9_manifest.json"], + cmd = "$(BSDTAR_BIN) -xOf ./$(location :case9_tarball.tar) manifest.json > $@", + toolchains = ["@bsd_tar_toolchains//:resolved_toolchain"], +) + +write_file( + name = "case9_expected_repo_tags", + out = "case9_expected_repo_tags.json", + content = [str(repo_tags)], +) + +assert_json_matches( + name = "test_case9", + file1 = ":case9_manifest", + file2 = ":case9_expected_repo_tags", + filter1 = ".[0].RepoTags", +) + # build them as test. build_test( name = "test", diff --git a/examples/attest_external/BUILD.bazel b/examples/assertion/attest_external/BUILD.bazel similarity index 100% rename from examples/attest_external/BUILD.bazel rename to examples/assertion/attest_external/BUILD.bazel diff --git a/examples/attest_external/BUILD.template b/examples/assertion/attest_external/BUILD.template similarity index 100% rename from examples/attest_external/BUILD.template rename to examples/assertion/attest_external/BUILD.template diff --git a/examples/attest_external/test.bash b/examples/assertion/attest_external/test.bash similarity index 100% rename from examples/attest_external/test.bash rename to examples/assertion/attest_external/test.bash diff --git a/examples/attest_external/workspace/sbom.spdx b/examples/assertion/attest_external/workspace/sbom.spdx similarity index 100% rename from examples/attest_external/workspace/sbom.spdx rename to examples/assertion/attest_external/workspace/sbom.spdx diff --git a/examples/big_image/BUILD.bazel b/examples/assertion/big_image/BUILD.bazel similarity index 100% rename from examples/big_image/BUILD.bazel rename to examples/assertion/big_image/BUILD.bazel diff --git a/examples/big_image/README.md b/examples/assertion/big_image/README.md similarity index 100% rename from examples/big_image/README.md rename to examples/assertion/big_image/README.md diff --git a/examples/sign_external/BUILD.bazel b/examples/assertion/sign_external/BUILD.bazel similarity index 100% rename from examples/sign_external/BUILD.bazel rename to examples/assertion/sign_external/BUILD.bazel diff --git a/examples/sign_external/BUILD.template b/examples/assertion/sign_external/BUILD.template similarity index 100% rename from examples/sign_external/BUILD.template rename to examples/assertion/sign_external/BUILD.template diff --git a/examples/sign_external/test.bash b/examples/assertion/sign_external/test.bash similarity index 100% rename from examples/sign_external/test.bash rename to examples/assertion/sign_external/test.bash diff --git a/examples/sign_external/workspace/.gitkeep b/examples/assertion/sign_external/workspace/.gitkeep similarity index 100% rename from examples/sign_external/workspace/.gitkeep rename to examples/assertion/sign_external/workspace/.gitkeep diff --git a/examples/cmd_location_expansion/BUILD.bazel b/examples/cmd_location_expansion/BUILD.bazel new file mode 100644 index 00000000..7c2408cb --- /dev/null +++ b/examples/cmd_location_expansion/BUILD.bazel @@ -0,0 +1,67 @@ +load("@aspect_bazel_lib//lib:tar.bzl", "tar") +load("@rules_oci//oci:defs.bzl", "oci_image") +load("//examples:assert.bzl", "assert_oci_config", "assert_oci_image_command") + +tar( + name = "app", + srcs = [":app.bash"], +) + +genrule( + name = "app_cmd", + outs = ["app_cmd.txt"], + cmd = """ + echo $(rootpaths :app.bash) > "$@" + echo "a1" >> "$@" + echo "a2 b2" >> "$@" + echo " a3\tb3 " >> "$@" + """, + tools = [ + ":app.bash", + ], +) + +oci_image( + name = "image", + base = "@ubuntu", + cmd = ":app_cmd", + entrypoint = [ + "env", + "bash", + ], + tars = [":app"], +) + +assert_oci_image_command( + name = "assert_cmd_is_escaped", + args = [ + "examples/cmd_location_expansion/app.bash", + "x", + "y", + "l1\nl2", + ], + image = ":image", + exit_code_eq = 0, + output_eq = """\ +hello world! +arg 0:x +arg 1:y +arg 2:l1 +l2 +""", +) + +assert_oci_config( + name = "assert_image_metadata", + cmd_eq = [ + "examples/cmd_location_expansion/app.bash", + "a1", + "a2 b2", + " a3\tb3 ", + ], + entrypoint_eq = [ + "env", + "bash", + ], + image = ":image", +) diff --git a/examples/location_expansion/test.bash b/examples/cmd_location_expansion/app.bash similarity index 90% rename from examples/location_expansion/test.bash rename to examples/cmd_location_expansion/app.bash index 201c6a2e..5bc27a44 100755 --- a/examples/location_expansion/test.bash +++ b/examples/cmd_location_expansion/app.bash @@ -1,7 +1,7 @@ #/bin/bash echo "hello world!" -args=("$@") +args=( "$@" ) ELEMENTS=${#args[@]} for (( i=0;i<$ELEMENTS;i++)); do val="${args[${i}]}" diff --git a/examples/dockerfile/BUILD.bazel b/examples/dockerfile/BUILD.bazel index 623f92e0..1dc00b1f 100644 --- a/examples/dockerfile/BUILD.bazel +++ b/examples/dockerfile/BUILD.bazel @@ -1,7 +1,8 @@ load("@aspect_bazel_lib//lib:run_binary.bzl", "run_binary") load("@bazel_skylib//rules:native_binary.bzl", "native_binary") -load("@container_structure_test//:defs.bzl", "container_structure_test") -load("@rules_oci//oci:defs.bzl", "oci_image", "oci_tarball") +load("@configure_buildx//:defs.bzl", "BUILDER_NAME", "TARGET_COMPATIBLE_WITH") +load("@rules_oci//oci:defs.bzl", "oci_image") +load("//examples:assert.bzl", "assert_oci_config", "assert_oci_image_command") native_binary( name = "buildx", @@ -21,34 +22,68 @@ run_binary( "build", "./examples/dockerfile", "--builder", - "container", + BUILDER_NAME, "--output=type=oci,tar=false,dest=$@", ], execution_requirements = {"local": "1"}, + mnemonic = "BuildDocker", out_dirs = ["base"], - tags = ["manual"], - target_compatible_with = [ - "@platforms//os:linux", - ], + target_compatible_with = TARGET_COMPATIBLE_WITH, tool = ":buildx", ) oci_image( name = "image", base = ":base", - tags = ["manual"], ) -oci_tarball( - name = "tar", +assert_oci_config( + name = "assert_metadata", + cmd_eq = ["/app/say.py"], + entrypoint_eq = [], image = ":image", - repo_tags = [], - tags = ["manual"], ) -container_structure_test( - name = "test", - configs = ["test.yaml"], +assert_oci_image_command( + name = "assert_jq_works", + args = [ + "jq", + "--version", + ], + image = ":image", + exit_code_eq = 0, + output_eq = "jq-1.6\n", +) + +assert_oci_image_command( + name = "assert_apt_lists_still_exist", + args = [ + "file", + "/var/lib/apt/lists", + ], + image = ":image", + exit_code_eq = 0, + output_eq = "/var/lib/apt/lists: directory\n", +) + +assert_oci_image_command( + name = "assert_cow_says_moo", + args = [ + "python", + "/app/say.py", + ], image = ":image", - tags = ["manual"], + exit_code_eq = 0, + output_eq = """\ + ____ +| moo! | + ==== + \\ + \\ + ^__^ + (oo)\\_______ + (__)\\ )\\/\\ + ||----w | + || || +""", ) diff --git a/examples/dockerfile/buildx.bzl b/examples/dockerfile/buildx.bzl index 12ae7f43..98faf13d 100644 --- a/examples/dockerfile/buildx.bzl +++ b/examples/dockerfile/buildx.bzl @@ -1,7 +1,45 @@ "repos for buildx" +load("@aspect_bazel_lib//lib:repo_utils.bzl", "repo_utils") load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") +def _impl_configure_buildx(rctx): + has_docker = False + # See if standard docker sock exists + if not has_docker: + r = rctx.execute(["stat", "/var/run/docker.sock"]) + if r.return_code == 0: + has_docker = True + + compatible_with = "[]" + builder_name = "builder-docker" + if has_docker: + buildx = rctx.path(Label("@buildx_%s//file:downloaded" % repo_utils.platform(rctx))) + + r = rctx.execute([buildx, "ls"]) + if not builder_name in r.stdout: + r = rctx.execute([buildx, "create", "--name", builder_name, "--driver", "docker-container"]) + if r.return_code != 0: + fail("Failed to create buildx driver %s: \nSTDERR:\n%s\nsSTDOUT:\n%s" % (builder_name, r.stderr, r.stdout)) + else: + # buildifier: disable=print + print("WARNING: BuildX driver `%s` already exists." % builder_name) + + else: + compatible_with = '["@platforms//:incompatible"]' + + rctx.file("defs.bzl", """ +# Generated by configure_buildx.bzl +TARGET_COMPATIBLE_WITH = %s +BUILDER_NAME = "%s" +""" % (compatible_with, builder_name)) + rctx.file("BUILD.bazel", 'exports_files(["defs.bzl"])') + pass + +configure_buildx = repository_rule( + implementation = _impl_configure_buildx, +) + def fetch_buildx(): http_file( name = "buildx_linux_amd64", @@ -29,3 +67,5 @@ def fetch_buildx(): integrity = "sha256-J6rZfENSvCzFBHDgnA8Oqq2FDXR+M9CTejhhg9DruPU=", executable = True, ) + + configure_buildx(name = "configure_buildx") diff --git a/examples/dockerfile/test.yaml b/examples/dockerfile/test.yaml deleted file mode 100644 index 79fd9d95..00000000 --- a/examples/dockerfile/test.yaml +++ /dev/null @@ -1,30 +0,0 @@ -schemaVersion: "2.0.0" - -metadataTest: - envVars: - - key: "LC_ALL" - value: "C.UTF-8" - - key: "LANG" - value: "C.UTF-8" - - key: "LANGUAGE" - value: "C.UTF-8" - entrypoint: [] - cmd: ["/app/say.py"] - -commandTests: - - name: "jq should be installed" - command: "jq" - args: ["--version"] - expectedOutput: ["jq\\-1\\.6"] - exitCode: 0 - - - name: "should say moo" - command: "python" - args: ["/app/say.py"] - expectedOutput: ["moo!"] - exitCode: 0 - -fileExistenceTests: - - name: "should not remove /var/lib/apt/lists" - path: /var/lib/apt/lists - shouldExist: true diff --git a/examples/env/BUILD.bazel b/examples/env/BUILD.bazel index ec0e2727..0c8b6fd7 100644 --- a/examples/env/BUILD.bazel +++ b/examples/env/BUILD.bazel @@ -1,9 +1,9 @@ load("@aspect_bazel_lib//lib:expand_template.bzl", "expand_template") -load("@container_structure_test//:defs.bzl", "container_structure_test") -load("@rules_pkg//pkg:tar.bzl", "pkg_tar") -load("//oci:defs.bzl", "oci_image") +load("@aspect_bazel_lib//lib:tar.bzl", "tar") +load("@rules_oci//oci:defs.bzl", "oci_image") +load("//examples:assert.bzl", "assert_oci_image_command") -pkg_tar( +tar( name = "app", srcs = ["test.bash"], ) @@ -20,13 +20,14 @@ expand_template( oci_image( name = "image", base = "@debian", - cmd = ["test.sh"], + cmd = ["/examples/env/test.bash"], env = ":env", - tars = ["app.tar"], + tars = [":app"], ) -container_structure_test( - name = "test", - configs = ["test.yaml"], +assert_oci_image_command( + name = "assert_version_is_correct", image = ":image", + output_eq = "version: 1.2.3", + exit_code_eq = 0 ) diff --git a/examples/env/test.bash b/examples/env/test.bash index 6699466e..7c5433d2 100755 --- a/examples/env/test.bash +++ b/examples/env/test.bash @@ -1 +1,3 @@ +#!/usr/bin/env bash + echo -n "version: ${BUILD_VERSION?}" diff --git a/examples/env/test.yaml b/examples/env/test.yaml deleted file mode 100644 index 6234fc78..00000000 --- a/examples/env/test.yaml +++ /dev/null @@ -1,7 +0,0 @@ -schemaVersion: "2.0.0" - -commandTests: - - name: "echo BUILD_VERSION env" - command: "bash" - args: ["test.bash"] - expectedOutput: ["version: 1.2.3"] diff --git a/examples/env_inheritance/BUILD.bazel b/examples/env_inheritance/BUILD.bazel deleted file mode 100644 index 596659e4..00000000 --- a/examples/env_inheritance/BUILD.bazel +++ /dev/null @@ -1,49 +0,0 @@ -load("@aspect_bazel_lib//lib:tar.bzl", "tar") -load("@aspect_bazel_lib//lib:testing.bzl", "assert_contains") -load("@container_structure_test//:defs.bzl", "container_structure_test") -load("//oci:defs.bzl", "oci_image") - -tar( - name = "app", - srcs = ["test.bash"], -) - -oci_image( - name = "middle_image", - base = "@ubuntu_linux_amd64", - cmd = ["test.sh"], - env = { - "ENV1": "$PATH:/test", - "ENV2": "/prepend:${PATH}:/test2", - "ENV3": "key1=value1 key2=value2", - }, - tars = [":app"], -) - -oci_image( - name = "image", - base = ":middle_image", - env = { - "ENV4": "${ENV3} key3=value3", - }, -) - -container_structure_test( - name = "test", - configs = ["test.yaml"], - image = ":image", -) - -genrule( - name = "hash", - srcs = [":image"], - outs = ["sha256.sum"], - cmd = "$(JQ_BIN) -r '.manifests[0].digest' $(location :image)/index.json > $@", - toolchains = ["@jq_toolchains//:resolved_toolchain"], -) - -assert_contains( - name = "check_digest", - actual = ":hash", - expected = "sha256:71b67123d22c29a52e69c46e77bf63eced4c0d21c46e7d1c346c6afe7c79ca01", -) diff --git a/examples/env_inheritance/test.bash b/examples/env_inheritance/test.bash deleted file mode 100755 index d49fcc4a..00000000 --- a/examples/env_inheritance/test.bash +++ /dev/null @@ -1 +0,0 @@ -echo "hello world!" \ No newline at end of file diff --git a/examples/env_inheritance/test.yaml b/examples/env_inheritance/test.yaml deleted file mode 100644 index 3db58de3..00000000 --- a/examples/env_inheritance/test.yaml +++ /dev/null @@ -1,20 +0,0 @@ -schemaVersion: "2.0.0" - -commandTests: - - name: "echo hello" - command: "bash" - args: ["examples/env_inheritance/test.bash"] - expectedOutput: ["hello world!"] - -metadataTest: - envVars: - - key: "PATH" - value: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - - key: "ENV1" - value: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/test" - - key: "ENV2" - value: "/prepend:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/test2" - - key: "ENV3" - value: "key1=value1 key2=value2" - - key: "ENV4" - value: "key1=value1 key2=value2 key3=value3" diff --git a/examples/labels/BUILD.bazel b/examples/labels/BUILD.bazel index e0a965e4..4bd8e3d1 100644 --- a/examples/labels/BUILD.bazel +++ b/examples/labels/BUILD.bazel @@ -1,9 +1,9 @@ load("@aspect_bazel_lib//lib:expand_template.bzl", "expand_template") -load("@container_structure_test//:defs.bzl", "container_structure_test") -load("@rules_pkg//pkg:tar.bzl", "pkg_tar") -load("//oci:defs.bzl", "oci_image") +load("@aspect_bazel_lib//lib:tar.bzl", "tar") +load("@rules_oci//oci:defs.bzl", "oci_image") +load("//examples:assert.bzl", "assert_oci_config") -pkg_tar( +tar( name = "app", srcs = ["test.bash"], ) @@ -25,13 +25,17 @@ oci_image( base = "@ubuntu", cmd = ["test.sh"], labels = ":labels", - tars = ["app.tar"], + tars = [":app"], ) -container_structure_test( - name = "test", - configs = ["test.yaml"], +assert_oci_config( + name = "assert_labels_from_file", image = ":image", + labels_eq = { + "org.opencontainers.image.ref.name": "ubuntu", + "org.opencontainers.image.version": "0.0.0", + "org.opencontainers.image.source": "https://github.com/bazel-contrib/rules_oci=", + }, ) # Test again, using the macro-provided syntax sugar where labels is a dict. @@ -43,11 +47,15 @@ oci_image( "org.opencontainers.image.version": "0.0.0", "org.opencontainers.image.source": "https://github.com/bazel-contrib/rules_oci=", }, - tars = ["app.tar"], + tars = [":app"], ) -container_structure_test( - name = "test2", - configs = ["test.yaml"], +assert_oci_config( + name = "assert_labels_dict", image = ":image_labels_dict", + labels_eq = { + "org.opencontainers.image.ref.name": "ubuntu", + "org.opencontainers.image.version": "0.0.0", + "org.opencontainers.image.source": "https://github.com/bazel-contrib/rules_oci=", + }, ) diff --git a/examples/labels/test.yaml b/examples/labels/test.yaml deleted file mode 100644 index 12dc924e..00000000 --- a/examples/labels/test.yaml +++ /dev/null @@ -1,14 +0,0 @@ -schemaVersion: "2.0.0" - -commandTests: - - name: "echo hello" - command: "bash" - args: ["test.bash"] - expectedOutput: ["hello world!"] - -metadataTest: - labels: - - key: "org.opencontainers.image.version" - value: "0.0.0" - - key: "org.opencontainers.image.source" - value: "https://github.com/bazel-contrib/rules_oci=" diff --git a/examples/location_expansion/BUILD.bazel b/examples/location_expansion/BUILD.bazel deleted file mode 100644 index d19bcad2..00000000 --- a/examples/location_expansion/BUILD.bazel +++ /dev/null @@ -1,46 +0,0 @@ -load("@container_structure_test//:defs.bzl", "container_structure_test") -load("@rules_pkg//:pkg.bzl", "pkg_tar") -load("//oci:defs.bzl", "oci_image") - -sh_binary( - name = "test_sh", - srcs = ["test.bash"], -) - -pkg_tar( - name = "app", - srcs = [":test_sh"], - strip_prefix = "/", # We force the files to have paths embedded inside the tarball. -) - -genrule( - name = "app_cmd", - srcs = [], - outs = ["app_cmd.txt"], - cmd = """ - echo $(rootpaths :test.bash) > "$@" - echo "a1" >> "$@" - echo "a2 b2" >> "$@" - echo " a3\tb3 " >> "$@" - """, - tools = [ - ":test.bash", - ], -) - -oci_image( - name = "image", - base = "@ubuntu", - cmd = ":app_cmd", - entrypoint = [ - "env", - "-", - ], - tars = [":app"], -) - -container_structure_test( - name = "test", - configs = ["test.yaml"], - image = ":image", -) diff --git a/examples/location_expansion/test.yaml b/examples/location_expansion/test.yaml deleted file mode 100644 index b2ddd9da..00000000 --- a/examples/location_expansion/test.yaml +++ /dev/null @@ -1,11 +0,0 @@ -schemaVersion: "2.0.0" - -commandTests: - - name: "echo hello" - command: "bash" - args: ["examples/location_expansion/test.bash", "x", "y", "l1\nl2"] - expectedOutput: ["hello world!", "arg 0:x", "arg 1:y", "arg 2:l1", "l2"] - -metadataTest: - cmd: ["examples/location_expansion/test.bash", "a1", "a2 b2", " a3\tb3 "] - entrypoint: ["env", "-"] diff --git a/examples/multi_arch_go/BUILD b/examples/multi_arch_go/BUILD deleted file mode 100644 index 928c83e9..00000000 --- a/examples/multi_arch_go/BUILD +++ /dev/null @@ -1,126 +0,0 @@ -load("@aspect_bazel_lib//lib:transitions.bzl", "platform_transition_binary") -load("@aspect_bazel_lib//lib:testing.bzl", "assert_json_matches") -load("@bazel_skylib//rules:write_file.bzl", "write_file") -load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library") -load("@rules_pkg//:pkg.bzl", "pkg_tar") -load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index", "oci_push", "oci_tarball") - -go_library( - name = "lib", - srcs = ["main.go"], - importpath = "main", -) - -go_binary( - name = "bin-x86_64", - embed = [":lib"], - goarch = "amd64", - goos = "linux", -) - -pkg_tar( - name = "bin-x86_64_tar", - srcs = [":bin-x86_64"], - package_dir = "usr/local/bin", -) - -go_binary( - name = "bin-arm64", - embed = [":lib"], - goarch = "arm64", - goos = "linux", -) - -pkg_tar( - name = "bin-arm64_tar", - srcs = [":bin-arm64"], - package_dir = "usr/local/bin", -) - -oci_image( - name = "image-x86_64", - base = "@ubuntu_linux_amd64", - entrypoint = ["/usr/local/bin/bin-x86_64"], - tars = [":bin-x86_64_tar"], -) - -repo_tags = [ - "gcr.io/empty_base:latest", - "two:is_a_company", - "three:is_a_crowd", -] - -oci_tarball( - name = "image-x86_64-tar", - image = ":image-x86_64", - repo_tags = repo_tags, -) - -oci_image( - name = "image-arm64", - base = "@ubuntu_linux_arm64_v8", - entrypoint = ["/usr/local/bin/bin-arm64"], - tars = [":bin-arm64_tar"], -) - -oci_image_index( - name = "image-multiarch", - images = [ - ":image-arm64", - ":image-x86_64", - ], -) - -oci_tarball( - name = "image-multiarch-tar", - format = "oci", - image = ":image-multiarch", - repo_tags = repo_tags, -) - -write_file( - name = "expected_RepoTags", - out = "expected_RepoTags.json", - content = [str(repo_tags)], -) - -filegroup( - name = "image-multiarch.tar", - srcs = [":image-multiarch-tar"], - output_group = "tarball", -) - -genrule( - name = "tar_multiarch_index", - srcs = [":image-multiarch.tar"], - outs = ["multiarch_index.json"], - cmd = "tar -xOf ./$(location :image-multiarch.tar) index.json > $@", -) - -assert_json_matches( - name = "check_multiarch_tags", - file1 = ":tar_multiarch_index", - file2 = ":expected_RepoTags", - filter1 = """.manifests[].annotations["org.opencontainers.image.ref.name"]""", - filter2 = ".[]", -) - -filegroup( - name = "image-x86_64.tar", - srcs = [":image-x86_64-tar"], - output_group = "tarball", -) - -genrule( - name = "tar_x86_64_index", - srcs = [":image-x86_64.tar"], - outs = ["x86_64_index.json"], - cmd = "tar -xOf ./$(location :image-x86_64.tar) manifest.json > $@", -) - -assert_json_matches( - name = "check_x86_64_tags", - file1 = ":tar_x86_64_index", - file2 = ":expected_RepoTags", - filter1 = ".[0].RepoTags", -) diff --git a/examples/multi_arch_go/main.go b/examples/multi_arch_go/main.go deleted file mode 100644 index 84dcf5cb..00000000 --- a/examples/multi_arch_go/main.go +++ /dev/null @@ -1,7 +0,0 @@ -package main - -import "fmt" - -func main() { - fmt.Println("yo") -} diff --git a/examples/multi_arch/BUILD.bazel b/examples/multi_architecture_image/BUILD.bazel similarity index 78% rename from examples/multi_arch/BUILD.bazel rename to examples/multi_architecture_image/BUILD.bazel index 41f7d72b..5a961c9d 100644 --- a/examples/multi_arch/BUILD.bazel +++ b/examples/multi_architecture_image/BUILD.bazel @@ -1,9 +1,9 @@ +load("@aspect_bazel_lib//lib:tar.bzl", "tar") load("@aspect_bazel_lib//lib:testing.bzl", "assert_contains") -load("@rules_pkg//pkg:tar.bzl", "pkg_tar") load("//oci:defs.bzl", "oci_image", "oci_image_index") load(":transition.bzl", "multi_arch") -pkg_tar( +tar( name = "app", srcs = ["test.bash"], ) @@ -11,9 +11,9 @@ pkg_tar( oci_image( name = "image", base = "@ubuntu", - cmd = ["test.bash"], + cmd = ["examples/multi_architecture_image/test.bash"], entrypoint = ["bash"], - tars = ["app.tar"], + tars = [":app"], ) multi_arch( @@ -43,5 +43,5 @@ genrule( assert_contains( name = "check_digest", actual = ":hash", - expected = "sha256:57e3811e25d18fe08b36359a690c100e231ad0af4d18ad76e26016b11e25450c", + expected = "sha256:9163db354e086c5ef0170ce0ec318312dde887f660552c4a438926863d473d3c", ) diff --git a/examples/multi_arch/test.bash b/examples/multi_architecture_image/test.bash similarity index 100% rename from examples/multi_arch/test.bash rename to examples/multi_architecture_image/test.bash diff --git a/examples/multi_arch/transition.bzl b/examples/multi_architecture_image/transition.bzl similarity index 100% rename from examples/multi_arch/transition.bzl rename to examples/multi_architecture_image/transition.bzl diff --git a/examples/repo_tags/BUILD.bazel b/examples/repo_tags/BUILD.bazel deleted file mode 100644 index 3b035ab6..00000000 --- a/examples/repo_tags/BUILD.bazel +++ /dev/null @@ -1,50 +0,0 @@ -load("@aspect_bazel_lib//lib:testing.bzl", "assert_json_matches") -load("@bazel_skylib//rules:write_file.bzl", "write_file") -load("//oci:defs.bzl", "oci_image", "oci_tarball") - -oci_image( - name = "image", - architecture = select({ - "@platforms//cpu:arm64": "arm64", - "@platforms//cpu:x86_64": "amd64", - }), - os = "linux", -) - -repo_tags = [ - "gcr.io/empty_base:latest", - "two:is_a_company", - "three:is_a_crowd", # Used to test support for more than two repo_tags. -] - -oci_tarball( - name = "tarball", - image = ":image", - repo_tags = ":tags_file.txt", # In particular we check whether empty (last line) of the file gets ignored. -) - -filegroup( - name = "tarball.tar", - srcs = [":tarball"], - output_group = "tarball", -) - -genrule( - name = "tar_manifest", - srcs = [":tarball.tar"], - outs = ["manifest.json"], - cmd = "tar -xOf ./$(location :tarball.tar) manifest.json > $@", -) - -write_file( - name = "expected_RepoTags", - out = "expected_RepoTags.json", - content = [str(repo_tags)], -) - -assert_json_matches( - name = "check_tags", - file1 = ":tar_manifest", - file2 = ":expected_RepoTags", - filter1 = ".[0].RepoTags", -) diff --git a/examples/repo_tags/tags_file.txt b/examples/repo_tags/tags_file.txt deleted file mode 100644 index 228763a7..00000000 --- a/examples/repo_tags/tags_file.txt +++ /dev/null @@ -1,6 +0,0 @@ -gcr.io/empty_base:latest - - -two:is_a_company - -three:is_a_crowd diff --git a/examples/repo_tags/test.yaml b/examples/repo_tags/test.yaml deleted file mode 100644 index 6e1013ad..00000000 --- a/examples/repo_tags/test.yaml +++ /dev/null @@ -1,8 +0,0 @@ -schemaVersion: "2.0.0" - -metadataTest: - envVars: - - key: "ENV" - value: "/test" - entrypoint: ["/custom_bin"] - cmd: ["--arg1", "--arg2"] diff --git a/examples/setup_assertion_repos.bzl b/examples/setup_assertion_repos.bzl new file mode 100644 index 00000000..a4fd89e5 --- /dev/null +++ b/examples/setup_assertion_repos.bzl @@ -0,0 +1,87 @@ +"Setup for docker testing" + +load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive", "http_file") + +def _impl_configure_docker(rctx): + # See if docker_host is set + has_docker = "DOCKER_HOST" in rctx.os.environ + # See if standard docker sock exists + if not has_docker: + r = rctx.execute(["stat", "/var/run/docker.sock"]) + if r.return_code == 0: + has_docker = True + + compatible_with = "[]" if has_docker else '["@platforms//:incompatible"]' + + + rctx.file("defs.bzl", """ +# Generated by configure_docker.bzl +TARGET_COMPATIBLE_WITH = %s +""" % compatible_with) + rctx.file("BUILD.bazel", 'exports_files(["defs.bzl"])') + pass + +configure_docker = repository_rule( + implementation = _impl_configure_docker, +) + +def setup_assertion_repos(): + "creates repos necessary for testing agaisnt docker" + http_file( + name = "jd_darwin_arm64", + urls = [ + "https://github.com/josephburnett/jd/releases/download/v1.8.1/jd-arm64-darwin", + ], + sha256 = "8b0e51b902650287b7dedc2beee476b96c5d589309d3a7f556334c1baedbec61", + executable = True, + ) + + http_file( + name = "jd_darwin_amd64", + urls = [ + "https://github.com/josephburnett/jd/releases/download/v1.8.1/jd-amd64-darwin", + ], + sha256 = "c5fb5503d2804b1bf631bf12616d56b89711fd451ab233b688ca922402ff3444", + executable = True, + ) + + http_file( + name = "jd_linux_amd64", + urls = [ + "https://github.com/josephburnett/jd/releases/download/v1.8.1/jd-amd64-linux", + ], + sha256 = "ab918f52130561abd4f88d9c2d3ae95d4d56f1a2dff9762665890349d61c763e", + executable = True, + ) + + http_archive( + name = "docker_cli_darwin_arm64", + urls = [ + "https://download.docker.com/mac/static/stable/aarch64/docker-23.0.0.tgz", + ], + integrity = "sha256-naXFF3G/D3a8XieHkd2cm29/SHdheslS3VyI77ep/xA=", + strip_prefix = "docker", + build_file_content = 'exports_files(["docker"])', + ) + + http_archive( + name = "docker_cli_darwin_amd64", + urls = [ + "https://download.docker.com/mac/static/stable/x86_64/docker-23.0.0.tgz", + ], + integrity = "sha256-55P6RTHVIWEHuEuH8ZHFgu6TeCVPF7WqvPD6MBApOuc=", + strip_prefix = "docker", + build_file_content = 'exports_files(["docker"])', + ) + + http_archive( + name = "docker_cli_linux_amd64", + urls = [ + "https://download.docker.com/linux/static/stable/x86_64/docker-23.0.0.tgz", + ], + integrity = "sha256-agO72paEW3RRvi9qumnDgWxgqX3jGOg/0bOdG+Ji2K8=", + strip_prefix = "docker", + build_file_content = 'exports_files(["docker"])', + ) + + configure_docker(name = "docker_configure") diff --git a/examples/sign/BUILD.bazel b/examples/sign/BUILD.bazel index 7b2d2df9..f9bae1d6 100644 --- a/examples/sign/BUILD.bazel +++ b/examples/sign/BUILD.bazel @@ -1,8 +1,8 @@ -load("@rules_pkg//pkg:tar.bzl", "pkg_tar") +load("@aspect_bazel_lib//lib:tar.bzl", "tar") load("//cosign:defs.bzl", "cosign_sign") load("//oci:defs.bzl", "oci_image") -pkg_tar( +tar( name = "app", srcs = ["app.bash"], ) @@ -10,8 +10,8 @@ pkg_tar( oci_image( name = "image", base = "@ubuntu", - cmd = ["app.bash"], - tars = [":app.tar"], + cmd = ["examples/sign/app.bash"], + tars = [":app"], ) cosign_sign( diff --git a/examples/simple/BUILD.bazel b/examples/simple/BUILD.bazel deleted file mode 100644 index 481813b4..00000000 --- a/examples/simple/BUILD.bazel +++ /dev/null @@ -1,100 +0,0 @@ -load("@aspect_bazel_lib//lib:testing.bzl", "assert_json_matches") -load("@bazel_skylib//rules:write_file.bzl", "write_file") -load("@container_structure_test//:defs.bzl", "container_structure_test") -load("//oci:defs.bzl", "oci_image", "oci_tarball") - -# buildifier: leave-alone -oci_image( - name = "image", - # platform attributes - os = "linux", - architecture = "amd64", - variant = "v8", - # entrypoint and args - entrypoint = ["/custom_bin"], - cmd = [ - "--arg1", - "--arg2", - ], - # env - env = { - "ENV": "/test", # ENV=/test - "ENV2": "/test:$ENV", # ENV=/test:/test - "PATH": "/usr/local/bin:$PATH", # PATH=/usr/local/bin: - }, - # exposed_ports - exposed_ports = [ - "1234/tcp", - "5678/udp", - "5000", - ], - # user & workdir - user = "root", - workdir = "/root", - # labels & annotations - labels = { - "org.opencontainers.image.version": "0.0.0", - "org.opencontainers.image.source": "https://github.com/bazel-contrib/rules_oci=", - }, - annotations = { - "org.opencontainers.image.version": "0.0.0", - "org.opencontainers.image.source": "https://github.com/bazel-contrib/rules_oci=", - }, -) - -oci_image( - name = "image_based", - base = ":image", - # adding a new env should preserve the previously set envs! - env = { - "LOCAL": "true", # LOCAL=/test - }, -) - -container_structure_test( - name = "test", - configs = ["test.yaml"], - image = ":image_based", -) - -repo_tags = [ - "gcr.io/empty_base:latest", - "two:is_a_company", - "three:is_a_crowd", # Used to test support for more than two repo_tags. -] - -# Intended to be `bazel run` to load the tarball into a container runtime. -# Produces only an mtree specification as the default output. -oci_tarball( - name = "tarball", - image = ":image", - repo_tags = repo_tags, -) - -# Not typically recommended: ask the tarball rule to write the .tar file -# that would have been created when `bazel run`. -filegroup( - name = "tarball.tar", - srcs = [":tarball"], - output_group = "tarball", -) - -genrule( - name = "tar_manifest", - srcs = [":tarball.tar"], - outs = ["manifest.json"], - cmd = "tar -xOf ./$(location :tarball.tar) manifest.json > $@", -) - -write_file( - name = "expected_RepoTags", - out = "expected_RepoTags.json", - content = [str(repo_tags)], -) - -assert_json_matches( - name = "check_tags", - file1 = ":tar_manifest", - file2 = ":expected_RepoTags", - filter1 = ".[0].RepoTags", -) diff --git a/examples/simple/README.md b/examples/simple/README.md deleted file mode 100644 index 4f542056..00000000 --- a/examples/simple/README.md +++ /dev/null @@ -1 +0,0 @@ -This directory is not useful as an example, merely exists for test coverage. diff --git a/examples/simple/test.yaml b/examples/simple/test.yaml deleted file mode 100644 index 0e4489cb..00000000 --- a/examples/simple/test.yaml +++ /dev/null @@ -1,25 +0,0 @@ -schemaVersion: "2.0.0" - -metadataTest: - envVars: - - key: "ENV" - value: "/test" - - key: "ENV2" - value: "/test:/test" - - key: PATH - value: "/usr/local/bin:" - - key: LOCAL - value: "true" - labels: - - key: org.opencontainers.image.version - value: 0.0.0 - - key: org.opencontainers.image.source - value: https://github.com/bazel-contrib/rules_oci= - exposedPorts: - - "1234" - - "5678" - - "5000" - entrypoint: ["/custom_bin"] - cmd: ["--arg1", "--arg2"] - user: root - workdir: "/root" diff --git a/examples/incremental_load/BUILD.bazel b/examples/tarball_incremental_loader/BUILD.bazel similarity index 67% rename from examples/incremental_load/BUILD.bazel rename to examples/tarball_incremental_loader/BUILD.bazel index 7684fe48..880ebf7b 100644 --- a/examples/incremental_load/BUILD.bazel +++ b/examples/tarball_incremental_loader/BUILD.bazel @@ -1,7 +1,7 @@ -load("@rules_pkg//pkg:tar.bzl", "pkg_tar") +load("@aspect_bazel_lib//lib:tar.bzl", "tar") load("//oci:defs.bzl", "oci_image", "oci_tarball") -pkg_tar( +tar( name = "app", srcs = ["test.bash"], ) @@ -9,8 +9,8 @@ pkg_tar( oci_image( name = "image", base = "@ubuntu", - cmd = ["test.sh"], - tars = ["app.tar"], + cmd = ["examples/tarball_incremental_loader/test.sh"], + tars = [":app"], ) oci_tarball( diff --git a/examples/incremental_load/README.md b/examples/tarball_incremental_loader/README.md similarity index 95% rename from examples/incremental_load/README.md rename to examples/tarball_incremental_loader/README.md index 423b5609..442abaa2 100644 --- a/examples/incremental_load/README.md +++ b/examples/tarball_incremental_loader/README.md @@ -8,7 +8,8 @@ This an example demonstrating a hack different than the rules_docker and https:/ - Uses crane to push the tarball efficiently to the local registry. (loses the repo_tags) - Pulls the image from the local registry to Docker daemon. -Demo: +Demo: + ``` INFO: Analyzed target //examples/incremental_load:tarball (0 packages loaded, 0 targets configured). INFO: Found 1 target... @@ -27,5 +28,4 @@ localhost:6000/image@sha256:065294fa481b167724c861a328a60dc198bbd7b7ceba3a4cd7e2 bazel run examples/incremental_load:tarball 0.17s user 0.12s system 34% cpu 0.821 total ``` - -> Disclaimer: This hasn't been tested with Remote Execution. \ No newline at end of file +> Disclaimer: This hasn't been tested with Remote Execution. diff --git a/examples/incremental_load/loader.sh b/examples/tarball_incremental_loader/loader.sh similarity index 100% rename from examples/incremental_load/loader.sh rename to examples/tarball_incremental_loader/loader.sh diff --git a/examples/incremental_load/test.bash b/examples/tarball_incremental_loader/test.bash similarity index 100% rename from examples/incremental_load/test.bash rename to examples/tarball_incremental_loader/test.bash diff --git a/fetch.bzl b/fetch.bzl index 7c0a6161..7022969e 100644 --- a/fetch.bzl +++ b/fetch.bzl @@ -4,11 +4,13 @@ This file is similar to how bazel_gazelle can manage go_repository calls by writing them to a generated macro in a .bzl file. """ -load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive", "http_file") +load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") load("@rules_oci//oci:pull.bzl", "oci_pull") +load("//examples:setup_assertion_repos.bzl", "setup_assertion_repos") +load("//examples/dockerfile:buildx.bzl", "fetch_buildx") def fetch_images(): - "Fetch external images" + "fetch external images" # A single-arch base image oci_pull( @@ -223,29 +225,27 @@ genrule( sha256 = "d7c7af5d86f43a885069408a89788f67f248e8124c682bb73936f33874e0611b", ) - http_file( - name = "jd_darwin_arm64", - urls = [ - "https://github.com/josephburnett/jd/releases/download/v1.8.1/jd-arm64-darwin", - ], - sha256 = "8b0e51b902650287b7dedc2beee476b96c5d589309d3a7f556334c1baedbec61", - executable = True, - ) +def fetch_test_repos(): + "fetch repos needed for testing" - http_file( - name = "jd_darwin_amd64", - urls = [ - "https://github.com/josephburnett/jd/releases/download/v1.8.1/jd-amd64-darwin", - ], - sha256 = "c5fb5503d2804b1bf631bf12616d56b89711fd451ab233b688ca922402ff3444", - executable = True, + # For sign_external test + native.new_local_repository( + name = "empty_image", + build_file = "//examples/assertion/sign_external:BUILD.template", + path = "examples/assertion/sign_external/workspace", ) - http_file( - name = "jd_linux_amd64", - urls = [ - "https://github.com/josephburnett/jd/releases/download/v1.8.1/jd-amd64-linux", - ], - sha256 = "ab918f52130561abd4f88d9c2d3ae95d4d56f1a2dff9762665890349d61c763e", - executable = True, + # For attest_external test + native.new_local_repository( + name = "example_sbom", + build_file = "//examples/assertion/attest_external:BUILD.template", + path = "examples/assertion/attest_external/workspace", ) + + + # Fetch buildx + fetch_buildx() + + # Fetch necessary repos for docker testing + setup_assertion_repos() + diff --git a/internal_deps.bzl b/internal_deps.bzl index 29e19e12..759ed424 100644 --- a/internal_deps.bzl +++ b/internal_deps.bzl @@ -58,23 +58,3 @@ def rules_oci_internal_deps(): "https://github.com/bazelbuild/stardoc/releases/download/0.5.6/stardoc-0.5.6.tar.gz", ], ) - - http_archive( - name = "container_structure_test", - sha256 = "2da13da4c4fec9d4627d4084b122be0f4d118bd02dfa52857ff118fde88e4faa", - strip_prefix = "container-structure-test-1.16.0", - urls = ["https://github.com/GoogleContainerTools/container-structure-test/archive/v1.16.0.zip"], - patches = [ - "//oci/tests:cst_exclusive.patch", - ], - patch_args = ["-p1"], - ) - - http_archive( - name = "rules_pkg", - urls = [ - "https://github.com/bazelbuild/rules_pkg/releases/download/0.7.0/rules_pkg-0.7.0.tar.gz", - "https://mirror.bazel.build/github.com/bazelbuild/rules_pkg/releases/download/0.7.0/rules_pkg-0.7.0.tar.gz", - ], - sha256 = "8a298e832762eda1830597d64fe7db58178aa84cd5926d76d5b744d6558941c2", - ) diff --git a/oci/tests/cst_exclusive.patch b/oci/tests/cst_exclusive.patch deleted file mode 100644 index ad0a357f..00000000 --- a/oci/tests/cst_exclusive.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff --git a/defs.bzl b/defs.bzl -index 2cecbc8..59e5902 100644 ---- a/defs.bzl -+++ b/defs.bzl -@@ -2,7 +2,11 @@ - - load("//bazel:container_structure_test.bzl", "lib") - --container_structure_test = rule( -+def container_structure_test(tags = [], **kwargs): -+ tags = tags + ["exclusive"] -+ _container_structure_test(tags = tags, **kwargs) -+ -+_container_structure_test = rule( - implementation = lib.implementation, - attrs = lib.attrs, - doc = """\