statusd

.bazelrc

@@ -21,6 +21,10 @@ build --java_runtime_version=remotejdk_11
 # https://github.com/GoogleContainerTools/rules_distroless/actions/runs/7118944984/job/19382981899?pr=9#step:8:51
 common:linux --sandbox_tmpfs_path=/tmp
 
+
+# Allow external dependencies to be retried. debian snapshot is unreliable and needs retries.
+common --experimental_repository_downloader_retries=200
+
 # Load any settings specific to the current user.
 # .bazelrc.user should appear in .gitignore so that settings are not shared with team members
 # This needs to be last statement in this

MODULE.bazel

@@ -8,6 +8,8 @@ module(
 
 bazel_dep(name = "bazel_skylib", version = "1.5.0")
 bazel_dep(name = "aspect_bazel_lib", version = "2.5.3")
+bazel_dep(name = "container_structure_test", version = "1.16.0")
+bazel_dep(name = "rules_oci", version = "1.7.4")
 
 bazel_lib_toolchains = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
 use_repo(bazel_lib_toolchains, "bsd_tar_toolchains")

WORKSPACE.bazel

@@ -4,7 +4,7 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
 http_archive(
     name = "example-bullseye-ca-certificates",
-    build_file_content = 'exports_files(["data.tar.xz"])',
+    build_file_content = 'exports_files(["data.tar.xz", "control.tar.xz"])',
     sha256 = "b2d488ad4d8d8adb3ba319fc9cb2cf9909fc42cb82ad239a26c570a2e749c389",
     urls = ["https://snapshot.debian.org/archive/debian/20231106T210201Z/pool/main/c/ca-certificates/ca-certificates_20210119_all.deb"],
 )
@@ -25,34 +25,11 @@ http_archive(
 
 load("//apt:index.bzl", "deb_package_index")
 
-# bazel build @trixie//:packages.bzl
-deb_package_index(
-    name = "trixie",
-    lock = "@@//examples/apt:trixie.lock.json",
-    manifest = "//examples/apt:trixie.yaml",
-)
-
-load("@trixie//:packages.bzl", "trixie_packages")
-
-trixie_packages()
-
-# bazel build @bookworm//:packages.bzl
-deb_package_index(
-    name = "bookworm",
-    lock = "@@//examples/apt:bookworm.lock.json",
-    manifest = "//examples/apt:bookworm.yaml",
-)
-
-load("@bookworm//:packages.bzl", "bookworm_packages")
-
-bookworm_packages()
-
-# bazel build @bullseye//:packages.bzl
+# bazel run @bullseye//:lock
 deb_package_index(
     name = "bullseye",
     lock = "@@//examples/apt:bullseye.lock.json",
     manifest = "//examples/apt:bullseye.yaml",
-    resolve_transitive = False,
 )
 
 load("@bullseye//:packages.bzl", "bullseye_packages")

apt/defs.bzl

@@ -0,0 +1,7 @@
+"EXPERIMENTAL! Public API"
+
+load("//apt/private:dpkg_status.bzl", _dpkg_status = "dpkg_status")
+load("//apt/private:dpkg_statusd.bzl", _dpkg_statusd = "dpkg_statusd")
+
+dpkg_status = _dpkg_status
+dpkg_statusd = _dpkg_statusd

apt/index.bzl

@@ -1,5 +1,26 @@
 "apt-get"
 
 load("//apt/private:index.bzl", _deb_package_index = "deb_package_index")
+load("//apt/private:resolve.bzl", _deb_resolve = "deb_resolve")
 
-deb_package_index = _deb_package_index
+def deb_package_index(
+        name,
+        manifest,
+        lock = None,
+        package_template = None,
+        resolve_transitive = True):
+    _deb_resolve(
+        name = name + "_resolution",
+        manifest = manifest,
+        resolve_transitive = resolve_transitive,
+    )
+
+    if not lock:
+        # buildifier: disable=print
+        print("\nNo lockfile was given, please run `bazel run @%s//:lock` to create the lockfile." % name)
+
+    _deb_package_index(
+        name = name,
+        lock = lock if lock else "@" + name + "_resolution//:lock.json",
+        package_template = package_template,
+    )

apt/private/BUILD.bazel

@@ -0,0 +1,4 @@
+exports_files([
+    "dpkg_statusd.sh",
+    "dpkg_status.sh",
+])

apt/private/dpkg_status.bzl

@@ -0,0 +1,46 @@
+"dpkg_status"
+
+# buildifier: disable=bzl-visibility
+load("//distroless/private:tar.bzl", "tar_lib")
+
+_DOC = """TODO: docs"""
+
+def _dpkg_status_impl(ctx):
+    bsdtar = ctx.toolchains[tar_lib.TOOLCHAIN_TYPE]
+
+    output = ctx.actions.declare_file(ctx.attr.name + ".tar")
+
+    args = ctx.actions.args()
+    args.add(bsdtar.tarinfo.binary)
+    args.add(output)
+    args.add_all(ctx.files.controls)
+
+    ctx.actions.run(
+        executable = ctx.executable._dpkg_status_sh,
+        inputs = ctx.files.controls,
+        outputs = [output],
+        tools = bsdtar.default.files,
+        arguments = [args],
+    )
+
+    return [
+        DefaultInfo(files = depset([output])),
+    ]
+
+dpkg_status = rule(
+    doc = _DOC,
+    attrs = {
+        "_dpkg_status_sh": attr.label(
+            allow_single_file = True,
+            executable = True,
+            cfg = "exec",
+            default = ":dpkg_status.sh",
+        ),
+        "controls": attr.label_list(
+            allow_files = [".tar.xz", ".tar.gz", ".tar"],
+            mandatory = True,
+        ),
+    },
+    implementation = _dpkg_status_impl,
+    toolchains = [tar_lib.TOOLCHAIN_TYPE],
+)

apt/private/dpkg_status.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -o pipefail -o errexit -o nounset
+
+readonly bsdtar="$1"
+readonly out="$2"
+shift 2
+
+tmp_out=$(mktemp)
+
+while  (( $# > 0 )); do
+    control="$($bsdtar -xf "$1"  --to-stdout ./control)"
+    echo "$control" | head -n 1 >> $tmp_out
+    echo "Status: install ok installed" >> $tmp_out
+    echo "$control" | tail -n +2 >> $tmp_out
+    echo "" >> $tmp_out
+    shift
+done
+
+echo "#mtree
+./var/lib/dpkg/status type=file uid=0 gid=0 mode=0644 contents=$tmp_out
+" | "$bsdtar" $@ -cf "$out" @-
+

apt/private/dpkg_statusd.bzl

@@ -0,0 +1,54 @@
+"dpkg_statusd"
+
+# buildifier: disable=bzl-visibility
+load("//distroless/private:tar.bzl", "tar_lib")
+
+_DOC = """TODO: docs"""
+
+def _dpkg_statusd_impl(ctx):
+    bsdtar = ctx.toolchains[tar_lib.TOOLCHAIN_TYPE]
+
+    ext = tar_lib.common.compression_to_extension[ctx.attr.compression] if ctx.attr.compression else ".tar"
+    output = ctx.actions.declare_file(ctx.attr.name + ext)
+
+    args = ctx.actions.args()
+    args.add(bsdtar.tarinfo.binary)
+    args.add(output)
+    args.add(ctx.file.control)
+    args.add(ctx.attr.package_name)
+    tar_lib.common.add_compression_args(ctx.attr.compression, args)
+
+    ctx.actions.run(
+        executable = ctx.executable._dpkg_statusd_sh,
+        inputs = [ctx.file.control],
+        outputs = [output],
+        tools = bsdtar.default.files,
+        arguments = [args],
+    )
+
+    return [
+        DefaultInfo(files = depset([output])),
+    ]
+
+dpkg_statusd = rule(
+    doc = _DOC,
+    attrs = {
+        "_dpkg_statusd_sh": attr.label(
+            allow_single_file = True,
+            executable = True,
+            cfg = "exec",
+            default = ":dpkg_statusd.sh",
+        ),
+        "package_name": attr.string(mandatory = True),
+        "control": attr.label(
+            allow_single_file = [".tar.xz", ".tar.gz", ".tar"],
+            mandatory = True,
+        ),
+        "compression": attr.string(
+            doc = "Compress the archive file with a supported algorithm.",
+            values = tar_lib.common.accepted_compression_types,
+        ),
+    },
+    implementation = _dpkg_statusd_impl,
+    toolchains = [tar_lib.TOOLCHAIN_TYPE],
+)

apt/private/dpkg_statusd.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -o pipefail -o errexit -o nounset
+
+readonly bsdtar="$1"
+readonly out="$2"
+readonly control_path="$3"
+readonly package_name="$4"
+shift 4
+
+include=(--include "^./control$" --include "^./md5sums$")
+
+tmp=$(mktemp -d)
+"$bsdtar" -xf "$control_path" "${include[@]}" -C "$tmp"
+
+"$bsdtar" -cf - $@ --format=mtree "${include[@]}" --options '!gname,!uname,!sha1,!nlink,!time' "@$control_path" | \
+awk -v pkg="$package_name" '{ 
+    if ($1=="#mtree") {
+        print $1; next
+    };  
+    sub(/^\.?\//, "", $1);
+    $1 = "./var/lib/dpkg/status.d/" pkg "/" $1 " contents=./" $1; 
+    print $0
+}'  | "$bsdtar" $@ -cf "$out" -C "$tmp/" @-