feat: Support OS-specific immutable image builds (#5041)

hunsche · web-flow · commit 1ee247370e45 · 2025-11-19T13:33:17.000-03:00
This PR enhances the immutable image build process to support generating
Docker images for specific Ubuntu versions (20.04 and 24.04), alongside
the existing legacy image.

## Key Changes

### 1. New Dockerfiles for Ubuntu Versions
Created new Dockerfiles for `external`, `dev`, and `internal` immutable
images:

*   `docker/base/immutable/external/`:
    *   `ubuntu-20-04.Dockerfile`
    *   `ubuntu-24-04.Dockerfile`
*   `docker/chromium/base/immutable/dev/`:
    *   `ubuntu-20-04.Dockerfile`
    *   `ubuntu-24-04.Dockerfile`
*   `docker/chromium/base/immutable/internal/`:
    *   `ubuntu-20-04.Dockerfile`
    *   `ubuntu-24-04.Dockerfile`

These Dockerfiles ensure that immutable instances can be built upon
newer, specific OS base images (extending `base` or `chromium/base` as
appropriate).

### 2. Updated `docker/build-immutable.sh`
The build script was refactored to accept an optional 4th argument,
`OS_VERSION`:
* **Default Behavior:** If no argument (or `legacy`) is provided, it
behaves as before, using the standard `Dockerfile` and tagging the image
with the revision hash.
* **OS-Specific Build:** If `ubuntu-20-04` or `ubuntu-24-04` is passed,
the script selects the corresponding `${OS_VERSION}.Dockerfile` and tags
the output image as `${OS_VERSION}-${REVISION}`.

### 3. Parallelized Cloud Build Configuration
Updated `docker/immutable-cloudbuild.yaml` to leverage the new script
capabilities:
* Added parallel build steps for `legacy`, `ubuntu-20-04`, and
`ubuntu-24-04`.
* This ensures that all variants of the immutable images are built and
pushed simultaneously during the CI/CD process.

## Impact
This change allows ClusterFuzz to maintain and deploy immutable
environments for multiple operating system versions, facilitating
testing, migration, and support for newer dependencies.
diff --git a/docker/base/immutable/external/ubuntu-20-04.Dockerfile b/docker/base/immutable/external/ubuntu-20-04.Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/clusterfuzz-images/base:ubuntu-20-04
+
+ENV IMMUTABLE_IMAGE=true
+
+ARG CLUSTERFUZZ_SOURCE_DIR
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR} /data/clusterfuzz
+
+RUN cd /data/clusterfuzz && bash local/install_deps.bash
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR}/clusterfuzz-config/configs/external /data/clusterfuzz/src/appengine/config
+
+RUN rm -rf /data/clusterfuzz/clusterfuzz-config
diff --git a/docker/base/immutable/external/ubuntu-24-04.Dockerfile b/docker/base/immutable/external/ubuntu-24-04.Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/clusterfuzz-images/base:ubuntu-24-04
+
+ENV IMMUTABLE_IMAGE=true
+
+ARG CLUSTERFUZZ_SOURCE_DIR
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR} /data/clusterfuzz
+
+RUN cd /data/clusterfuzz && bash local/install_deps.bash
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR}/clusterfuzz-config/configs/external /data/clusterfuzz/src/appengine/config
+
+RUN rm -rf /data/clusterfuzz/clusterfuzz-config
diff --git a/docker/build-immutable.sh b/docker/build-immutable.sh
@@ -44,6 +44,12 @@ if [ -n "$1" ]; then
   cd /workspace/clusterfuzz
 fi
 
+# Default OS version
+OS_VERSION="legacy"
+if [ -n "$4" ]; then
+  OS_VERSION="$4"
+fi
+
 # Deleting the current config that is used for testing purposes.
 # It will be replaced by the project config during the image build.
 rm -rf src/appengine/config
@@ -67,19 +73,32 @@ for image_name in "${IMAGES[@]}"; do
     # image reference.
     full_image_name="$image_name/$(basename "$image_dir")"
 
+    if [ "$OS_VERSION" == "legacy" ]; then
+      dockerfile="$image_dir/Dockerfile"
+      tag="${CURRENT_CLUSTERFUZZ_REVISION}"
+    else
+      dockerfile="$image_dir/${OS_VERSION}.Dockerfile"
+      tag="${OS_VERSION}-${CURRENT_CLUSTERFUZZ_REVISION}"
+    fi
+
+    if [ ! -f "$dockerfile" ]; then
+      echo "Skipping $dockerfile as it does not exist."
+      continue
+    fi
+
     # Build the Docker image.
     # --build-arg CLUSTERFUZZ_SOURCE_DIR=.: Passes the location of the
     #   ClusterFuzz source directory as a build argument.
-    # -t "$full_image_name":${CURRENT_CLUSTERFUZZ_REVISION}: Tags the image with
-    #   its name and the current ClusterFuzz revision.
-    # -f "$image_dir/Dockerfile": Specifies the path to the Dockerfile.
+    # -t "$full_image_name":${tag}: Tags the image with
+    #   its name and the current ClusterFuzz revision (prefixed with OS version if applicable).
+    # -f "$dockerfile": Specifies the path to the Dockerfile.
     # .: Sets the build context to the current directory.
-    docker build --build-arg CLUSTERFUZZ_SOURCE_DIR=. -t "$full_image_name":${CURRENT_CLUSTERFUZZ_REVISION} -f "$image_dir/Dockerfile" .
+    docker build --build-arg CLUSTERFUZZ_SOURCE_DIR=. -t "$full_image_name":${tag} -f "$dockerfile" .
 
     # If the second argument to the script is "true", push the newly built
     # image to the container registry.
     if [ "$2" == "true" ]; then
-      docker push "$full_image_name":${CURRENT_CLUSTERFUZZ_REVISION}
+      docker push "$full_image_name":${tag}
     fi
   done
 done
diff --git a/docker/chromium/base/immutable/dev/ubuntu-20-04.Dockerfile b/docker/chromium/base/immutable/dev/ubuntu-20-04.Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/clusterfuzz-images/chromium/base:ubuntu-20-04
+
+ENV IMMUTABLE_IMAGE=true
+
+ARG CLUSTERFUZZ_SOURCE_DIR
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR} /data/clusterfuzz
+
+RUN cd /data/clusterfuzz && bash local/install_deps.bash
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR}/clusterfuzz-config/configs/chrome-development /data/clusterfuzz/src/appengine/config
+
+RUN rm -rf /data/clusterfuzz/clusterfuzz-config
diff --git a/docker/chromium/base/immutable/dev/ubuntu-24-04.Dockerfile b/docker/chromium/base/immutable/dev/ubuntu-24-04.Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/clusterfuzz-images/chromium/base:ubuntu-24-04
+
+ENV IMMUTABLE_IMAGE=true
+
+ARG CLUSTERFUZZ_SOURCE_DIR
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR} /data/clusterfuzz
+
+RUN cd /data/clusterfuzz && bash local/install_deps.bash
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR}/clusterfuzz-config/configs/chrome-development /data/clusterfuzz/src/appengine/config
+
+RUN rm -rf /data/clusterfuzz/clusterfuzz-config
diff --git a/docker/chromium/base/immutable/internal/ubuntu-20-04.Dockerfile b/docker/chromium/base/immutable/internal/ubuntu-20-04.Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/clusterfuzz-images/chromium/base:ubuntu-20-04
+
+ENV IMMUTABLE_IMAGE=true
+
+ARG CLUSTERFUZZ_SOURCE_DIR
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR} /data/clusterfuzz
+
+RUN cd /data/clusterfuzz && bash local/install_deps.bash
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR}/clusterfuzz-config/configs/internal /data/clusterfuzz/src/appengine/config
+
+RUN rm -rf /data/clusterfuzz/clusterfuzz-config
diff --git a/docker/chromium/base/immutable/internal/ubuntu-24-04.Dockerfile b/docker/chromium/base/immutable/internal/ubuntu-24-04.Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/clusterfuzz-images/chromium/base:ubuntu-24-04
+
+ENV IMMUTABLE_IMAGE=true
+
+ARG CLUSTERFUZZ_SOURCE_DIR
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR} /data/clusterfuzz
+
+RUN cd /data/clusterfuzz && bash local/install_deps.bash
+
+COPY ${CLUSTERFUZZ_SOURCE_DIR}/clusterfuzz-config/configs/internal /data/clusterfuzz/src/appengine/config
+
+RUN rm -rf /data/clusterfuzz/clusterfuzz-config
diff --git a/docker/immutable-cloudbuild.yaml b/docker/immutable-cloudbuild.yaml
@@ -80,15 +80,41 @@ steps:
     echo "Computed revision: $${REVISION}"
     echo "$${REVISION}" > /workspace/revision.txt
 
-- id: build immutable image
+- id: build immutable image legacy
   name: gcr.io/cloud-builders/docker
   entrypoint: bash
+  waitFor: ['compute revision']
   args:
   - -ex
   - docker/build-immutable.sh
   - ${_CLUSTERFUZZ_REVISION}
   - ${_PUSH_IMAGES}
   - ${PROJECT_ID}
+  - legacy
+
+- id: build immutable image ubuntu-20-04
+  name: gcr.io/cloud-builders/docker
+  entrypoint: bash
+  waitFor: ['compute revision']
+  args:
+  - -ex
+  - docker/build-immutable.sh
+  - ${_CLUSTERFUZZ_REVISION}
+  - ${_PUSH_IMAGES}
+  - ${PROJECT_ID}
+  - ubuntu-20-04
+
+- id: build immutable image ubuntu-24-04
+  name: gcr.io/cloud-builders/docker
+  entrypoint: bash
+  waitFor: ['compute revision']
+  args:
+  - -ex
+  - docker/build-immutable.sh
+  - ${_CLUSTERFUZZ_REVISION}
+  - ${_PUSH_IMAGES}
+  - ${PROJECT_ID}
+  - ubuntu-24-04
 
 timeout: 14400s
 options:
