
Commit dafb799

fix(docker): add openshell-prover to Dockerfile skeleton stages and provide z3 (#800)
1 parent d8cf795 commit dafb799


8 files changed

+123
-35
lines changed


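--- a/.github/workflows/release-dev.yml
+++ b/.github/workflows/release-dev.yml
@@ -149,6 +149,9 @@ jobs:
 
 # ---------------------------------------------------------------------------
 # Build CLI binaries (Linux musl — static, native on each arch)
+#
+# Builds run directly on the CI host (glibc Ubuntu). Zig provides musl
+# C/C++ toolchains for bundled-z3 and ring, and is also used as the linker.
 # ---------------------------------------------------------------------------
 build-cli-linux:
 name: Build CLI (Linux ${{ matrix.arch }})
@@ -159,9 +162,11 @@ jobs:
 - arch: amd64
 runner: build-amd64
 target: x86_64-unknown-linux-musl
+zig_target: x86_64-linux-musl
 - arch: arm64
 runner: build-arm64
 target: aarch64-unknown-linux-musl
+zig_target: aarch64-linux-musl
 runs-on: ${{ matrix.runner }}
 timeout-minutes: 60
 container:
@@ -195,23 +200,44 @@ jobs:
 cache-directories: .cache/sccache
 cache-targets: "true"
 
-- name: Install musl toolchain
+- name: Add Rust musl target
+run: mise x -- rustup target add ${{ matrix.target }}
+
+- name: Set up zig musl wrappers
 run: |
 set -euo pipefail
-apt-get update
-apt-get install -y --no-install-recommends musl-tools
-rm -rf /var/lib/apt/lists/*
+ZIG="$(mise which zig)"
+ZIG_TARGET="${{ matrix.zig_target }}"
+mkdir -p /tmp/zig-musl
+
+# cc-rs injects --target=<rust-triple> (for example
+# aarch64-unknown-linux-musl), which zig does not parse. Strip any
+# caller-provided --target and use the wrapper's zig-native target.
+for tool in cc c++; do
+printf '#!/bin/bash\nargs=()\nfor arg in "$@"; do\n case "$arg" in\n --target=*) ;;\n *) args+=("$arg") ;;\n esac\ndone\nexec "%s" %s --target=%s "${args[@]}"\n' \
+"$ZIG" "$tool" "$ZIG_TARGET" > "/tmp/zig-musl/${tool}"
+chmod +x "/tmp/zig-musl/${tool}"
+done
 
-- name: Add Rust musl target
-run: mise x -- rustup target add ${{ matrix.target }}
+TARGET_ENV=$(echo "${{ matrix.target }}" | tr '-' '_')
+TARGET_ENV_UPPER=${TARGET_ENV^^}
+
+# Use zig for C/C++ compilation and final linking.
+echo "CC_${TARGET_ENV}=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
+echo "CXX_${TARGET_ENV}=/tmp/zig-musl/c++" >> "$GITHUB_ENV"
+echo "CARGO_TARGET_${TARGET_ENV_UPPER}_LINKER=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
+
+# Let zig own CRT/startfiles to avoid duplicate _start symbols.
+echo "CARGO_TARGET_${TARGET_ENV_UPPER}_RUSTFLAGS=-Clink-self-contained=no" >> "$GITHUB_ENV"
+
+# z3 built with zig c++ uses libc++ symbols (std::__1::*).
+# Override z3-sys default (stdc++) so Rust links the matching runtime.
+echo "CXXSTDLIB=c++" >> "$GITHUB_ENV"
 
 - name: Scope workspace to CLI crates
 run: |
 set -euo pipefail
-# Remove workspace members that are not needed for openshell-cli.
-# This avoids Cargo feature-unification pulling in aws-lc-sys (via
-# russh in openshell-sandbox / openshell-server).
-sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
+sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-prover", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
 
 - name: Patch workspace version
 if: needs.compute-versions.outputs.cargo_version != ''
@@ -220,7 +246,7 @@ jobs:
 sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ needs.compute-versions.outputs.cargo_version }}"'"/}' Cargo.toml
 
 - name: Build ${{ matrix.target }}
-run: mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-cli
+run: mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-cli --features bundled-z3
 
 - name: sccache stats
 if: always()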
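Review bot: The `echo "CARGO_TARGET_${TARGET_ENV_UPPER}_RUSTFLAGS=-Clink-self-contained=no" >> "$GITHUB_ENV"` line in the "Set up zig musl wrappers" step is silently ignored if `RUSTFLAGS` or `CARGO_ENCODED_RUSTFLAGS` is set anywhere else in this job, because Cargo uses only the highest-precedence rustflags source rather than merging them; should the runner image or a later step export `RUSTFLAGS`, the duplicate `_start` link failure this flag avoids would return with no hint why. A comment next to that line should state the assumption, e.g. `# NOTE: target-specific rustflags are dropped entirely if RUSTFLAGS/CARGO_ENCODED_RUSTFLAGS is set — keep those unset in this job.` The "Scope workspace to CLI crates" hunk also deletes the three comment lines explaining why the member list is narrowed (feature unification pulling in aws-lc-sys via russh); that rationale should be kept above the new `sed` line. The same step block is duplicated verbatim in `.github/workflows/release-tag.yml` in this commit, so both copies need the same changes, and a composite action would keep them from drifting apart.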

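--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -170,6 +170,9 @@ jobs:
 
 # ---------------------------------------------------------------------------
 # Build CLI binaries (Linux musl — static, native on each arch)
+#
+# Builds run directly on the CI host (glibc Ubuntu). Zig provides musl
+# C/C++ toolchains for bundled-z3 and ring, and is also used as the linker.
 # ---------------------------------------------------------------------------
 build-cli-linux:
 name: Build CLI (Linux ${{ matrix.arch }})
@@ -180,9 +183,11 @@ jobs:
 - arch: amd64
 runner: build-amd64
 target: x86_64-unknown-linux-musl
+zig_target: x86_64-linux-musl
 - arch: arm64
 runner: build-arm64
 target: aarch64-unknown-linux-musl
+zig_target: aarch64-linux-musl
 runs-on: ${{ matrix.runner }}
 timeout-minutes: 60
 container:
@@ -217,23 +222,44 @@ jobs:
 cache-directories: .cache/sccache
 cache-targets: "true"
 
-- name: Install musl toolchain
+- name: Add Rust musl target
+run: mise x -- rustup target add ${{ matrix.target }}
+
+- name: Set up zig musl wrappers
 run: |
 set -euo pipefail
-apt-get update
-apt-get install -y --no-install-recommends musl-tools
-rm -rf /var/lib/apt/lists/*
+ZIG="$(mise which zig)"
+ZIG_TARGET="${{ matrix.zig_target }}"
+mkdir -p /tmp/zig-musl
+
+# cc-rs injects --target=<rust-triple> (for example
+# aarch64-unknown-linux-musl), which zig does not parse. Strip any
+# caller-provided --target and use the wrapper's zig-native target.
+for tool in cc c++; do
+printf '#!/bin/bash\nargs=()\nfor arg in "$@"; do\n case "$arg" in\n --target=*) ;;\n *) args+=("$arg") ;;\n esac\ndone\nexec "%s" %s --target=%s "${args[@]}"\n' \
+"$ZIG" "$tool" "$ZIG_TARGET" > "/tmp/zig-musl/${tool}"
+chmod +x "/tmp/zig-musl/${tool}"
+done
 
-- name: Add Rust musl target
-run: mise x -- rustup target add ${{ matrix.target }}
+TARGET_ENV=$(echo "${{ matrix.target }}" | tr '-' '_')
+TARGET_ENV_UPPER=${TARGET_ENV^^}
+
+# Use zig for C/C++ compilation and final linking.
+echo "CC_${TARGET_ENV}=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
+echo "CXX_${TARGET_ENV}=/tmp/zig-musl/c++" >> "$GITHUB_ENV"
+echo "CARGO_TARGET_${TARGET_ENV_UPPER}_LINKER=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
+
+# Let zig own CRT/startfiles to avoid duplicate _start symbols.
+echo "CARGO_TARGET_${TARGET_ENV_UPPER}_RUSTFLAGS=-Clink-self-contained=no" >> "$GITHUB_ENV"
+
+# z3 built with zig c++ uses libc++ symbols (std::__1::*).
+# Override z3-sys default (stdc++) so Rust links the matching runtime.
+echo "CXXSTDLIB=c++" >> "$GITHUB_ENV"
 
 - name: Scope workspace to CLI crates
 run: |
 set -euo pipefail
-# Remove workspace members that are not needed for openshell-cli.
-# This avoids Cargo feature-unification pulling in aws-lc-sys (via
-# russh in openshell-sandbox / openshell-server).
-sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
+sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-prover", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
 
 - name: Patch workspace version
 if: needs.compute-versions.outputs.cargo_version != ''
@@ -242,7 +268,7 @@ jobs:
 sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ needs.compute-versions.outputs.cargo_version }}"'"/}' Cargo.toml
 
 - name: Build ${{ matrix.target }}
-run: mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-cli
+run: mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-cli --features bundled-z3
 
 - name: sccache stats
 if: always()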

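--- a/crates/openshell-cli/Cargo.toml
+++ b/crates/openshell-cli/Cargo.toml
@@ -76,6 +76,7 @@ tracing-subscriber = { workspace = true }
 workspace = true
 
 [features]
+bundled-z3 = ["openshell-prover/bundled-z3"]
 dev-settings = ["openshell-core/dev-settings"]
 
 [dev-dependencies]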

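--- a/deploy/docker/Dockerfile.cli-macos
+++ b/deploy/docker/Dockerfile.cli-macos
@@ -25,12 +25,15 @@ ENV LD_LIBRARY_PATH="/osxcross/lib"
 
 COPY --from=osxcross /osxcross /osxcross
 
+RUN SDKROOT="$(echo /osxcross/SDK/MacOSX*.sdk)" && ln -sfn "${SDKROOT}" /osxcross/SDK/MacOSX.sdk
+
 RUN apt-get update && apt-get install -y --no-install-recommends \
 build-essential \
 ca-certificates \
 clang \
 cmake \
 curl \
+libclang-dev \
 pkg-config \
 && rm -rf /var/lib/apt/lists/*
 
@@ -49,6 +52,11 @@ ENV CXX_aarch64_apple_darwin=oa64-clang++
 ENV AR_aarch64_apple_darwin=aarch64-apple-darwin25.1-ar
 ENV CARGO_TARGET_AARCH64_APPLE_DARWIN_LINKER=oa64-clang
 ENV CARGO_TARGET_AARCH64_APPLE_DARWIN_AR=aarch64-apple-darwin25.1-ar
+ENV SDKROOT=/osxcross/SDK/MacOSX.sdk
+ENV MACOSX_DEPLOYMENT_TARGET=13.3
+ENV CFLAGS_aarch64_apple_darwin=--target=arm64-apple-macosx\ -mmacosx-version-min=13.3
+ENV CXXFLAGS_aarch64_apple_darwin=--target=arm64-apple-macosx\ -mmacosx-version-min=13.3
+ENV BINDGEN_EXTRA_CLANG_ARGS_aarch64_apple_darwin=--target=arm64-apple-macosx\ -isysroot\ ${SDKROOT}
 
 # ---------------------------------------------------------------------------
 # Stage 1: dependency caching — copy only manifests, create dummy sources,
@@ -61,31 +69,34 @@ COPY crates/openshell-core/Cargo.toml crates/openshell-core/Cargo.toml
 COPY crates/openshell-policy/Cargo.toml crates/openshell-policy/Cargo.toml
 COPY crates/openshell-providers/Cargo.toml crates/openshell-providers/Cargo.toml
 COPY crates/openshell-tui/Cargo.toml crates/openshell-tui/Cargo.toml
+COPY crates/openshell-prover/Cargo.toml crates/openshell-prover/Cargo.toml
 COPY crates/openshell-core/build.rs crates/openshell-core/build.rs
 COPY proto/ proto/
 
 # Scope workspace to CLI crates only — avoids compiling aws-lc-sys (pulled
 # by russh in openshell-sandbox/openshell-server) which is difficult to
 # cross-compile and unnecessary for the CLI binary.
-RUN sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
+RUN sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-prover", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
 
 RUN mkdir -p crates/openshell-cli/src \
 crates/openshell-core/src \
 crates/openshell-bootstrap/src \
 crates/openshell-policy/src \
 crates/openshell-providers/src \
+crates/openshell-prover/src \
 crates/openshell-tui/src && \
 echo "fn main() {}" > crates/openshell-cli/src/main.rs && \
 touch crates/openshell-core/src/lib.rs && \
 touch crates/openshell-bootstrap/src/lib.rs && \
 touch crates/openshell-policy/src/lib.rs && \
 touch crates/openshell-providers/src/lib.rs && \
+touch crates/openshell-prover/src/lib.rs && \
 touch crates/openshell-tui/src/lib.rs
 
 RUN --mount=type=cache,id=cargo-registry-cli-macos,sharing=locked,target=/root/.cargo/registry \
 --mount=type=cache,id=cargo-git-cli-macos,sharing=locked,target=/root/.cargo/git \
 --mount=type=cache,id=cargo-target-cli-macos-${CARGO_TARGET_CACHE_SCOPE},sharing=locked,target=/build/target \
-cargo build --release --target aarch64-apple-darwin -p openshell-cli 2>/dev/null || true
+cargo build --release --target aarch64-apple-darwin -p openshell-cli --features bundled-z3 2>/dev/null || true
 
 # ---------------------------------------------------------------------------
 # Stage 2: real build
@@ -113,7 +124,7 @@ RUN --mount=type=cache,id=cargo-registry-cli-macos,sharing=locked,target=/root/.
 if [ -n "${OPENSHELL_CARGO_VERSION:-}" ]; then \
 sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${OPENSHELL_CARGO_VERSION}"'"/}' Cargo.toml; \
 fi && \
-cargo build --release --target aarch64-apple-darwin -p openshell-cli && \
+cargo build --release --target aarch64-apple-darwin -p openshell-cli --features bundled-z3 && \
 cp target/aarch64-apple-darwin/release/openshell /openshell
 
 FROM scratch AS binary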
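Review bot: `RUN SDKROOT="$(echo /osxcross/SDK/MacOSX*.sdk)" && ln -sfn "${SDKROOT}" /osxcross/SDK/MacOSX.sdk` in the first hunk does not fail when the glob matches nothing or more than one SDK: `echo` then yields the literal pattern or a space-separated list, `ln -sfn` creates a dangling symlink without complaint, and the error only surfaces later as an obscure clang or bindgen failure against `ENV SDKROOT=/osxcross/SDK/MacOSX.sdk`. A guard that insists on exactly one directory keeps the failure at the line that caused it: `RUN set -- /osxcross/SDK/MacOSX*.sdk && [ "$#" -eq 1 ] && [ -d "$1" ] && ln -sfn "$1" /osxcross/SDK/MacOSX.sdk`. A short comment above it, `# Stable SDK path for SDKROOT/-isysroot regardless of the osxcross SDK version`, would also explain why the symlink exists at all. The stage this `RUN` belongs to begins outside the hunk.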

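--- a/deploy/docker/Dockerfile.python-wheels
+++ b/deploy/docker/Dockerfile.python-wheels
@@ -12,9 +12,11 @@ ENV PATH="/root/.cargo/bin:${PATH}"
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
 build-essential \
+cmake \
 curl \
 gcc \
 libc6-dev \
+libclang-dev \
 pkg-config \
 libssl-dev \
 && rm -rf /var/lib/apt/lists/*
@@ -46,19 +48,25 @@ COPY crates/openshell-router/Cargo.toml crates/openshell-router/Cargo.toml
 COPY crates/openshell-sandbox/Cargo.toml crates/openshell-sandbox/Cargo.toml
 COPY crates/openshell-server/Cargo.toml crates/openshell-server/Cargo.toml
 COPY crates/openshell-bootstrap/Cargo.toml crates/openshell-bootstrap/Cargo.toml
+COPY crates/openshell-policy/Cargo.toml crates/openshell-policy/Cargo.toml
+COPY crates/openshell-prover/Cargo.toml crates/openshell-prover/Cargo.toml
+COPY crates/openshell-tui/Cargo.toml crates/openshell-tui/Cargo.toml
 COPY crates/openshell-core/build.rs crates/openshell-core/build.rs
 COPY proto/ proto/
 
 # Create dummy source files to build dependencies.
-RUN mkdir -p crates/openshell-cli/src crates/openshell-core/src crates/openshell-ocsf/src crates/openshell-providers/src crates/openshell-router/src crates/openshell-sandbox/src crates/openshell-server/src crates/openshell-bootstrap/src && \
+RUN mkdir -p crates/openshell-cli/src crates/openshell-core/src crates/openshell-ocsf/src crates/openshell-policy/src crates/openshell-providers/src crates/openshell-prover/src crates/openshell-router/src crates/openshell-sandbox/src crates/openshell-server/src crates/openshell-bootstrap/src crates/openshell-tui/src && \
 echo "fn main() {}" > crates/openshell-cli/src/main.rs && \
 echo "fn main() {}" > crates/openshell-sandbox/src/main.rs && \
 echo "fn main() {}" > crates/openshell-server/src/main.rs && \
 touch crates/openshell-core/src/lib.rs && \
 touch crates/openshell-ocsf/src/lib.rs && \
 touch crates/openshell-providers/src/lib.rs && \
 touch crates/openshell-router/src/lib.rs && \
-touch crates/openshell-bootstrap/src/lib.rs
+touch crates/openshell-bootstrap/src/lib.rs && \
+touch crates/openshell-policy/src/lib.rs && \
+touch crates/openshell-prover/src/lib.rs && \
+touch crates/openshell-tui/src/lib.rs
 
 # Build dependencies only (cached unless Cargo.toml/lock changes).
 # sccache uses memcached in CI or the local disk cache mount for local dev.
@@ -67,7 +75,7 @@ RUN --mount=type=cache,id=cargo-registry-python-wheels-${TARGETARCH},sharing=loc
 --mount=type=cache,id=cargo-git-python-wheels-${TARGETARCH},sharing=locked,target=/root/.cargo/git \
 --mount=type=cache,id=cargo-target-python-wheels-${TARGETARCH}-${CARGO_TARGET_CACHE_SCOPE},sharing=locked,target=/build/target \
 --mount=type=cache,id=sccache-python-wheels-${TARGETARCH},sharing=locked,target=/tmp/sccache \
-. cross-build.sh && cargo_cross_build --release -p openshell-cli 2>/dev/null || true
+. cross-build.sh && cargo_cross_build --release -p openshell-cli --features bundled-z3 2>/dev/null || true
 
 # Copy actual source code and Python packaging files.
 COPY crates/ crates/
@@ -101,7 +109,7 @@ RUN --mount=type=cache,id=cargo-registry-python-wheels-${TARGETARCH},sharing=loc
 if [ -n "${OPENSHELL_CARGO_VERSION:-}" ]; then \
 sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${OPENSHELL_CARGO_VERSION}"'"/}' Cargo.toml; \
 fi && \
-maturin build --release --target "${CARGO_BUILD_TARGET}" --features bundled-z3 --out /wheels
+maturin build --release --target "${CARGO_BUILD_TARGET}" --features bundled-z3 --out /wheels
 
 FROM scratch AS wheels
 COPY --from=builder /wheels/*.whl /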
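Review bot: The dependency-cache step `. cross-build.sh && cargo_cross_build --release -p openshell-cli --features bundled-z3 2>/dev/null || true` now runs the full z3 cmake build with stderr discarded and the exit status ignored, so a broken z3 compile (missing `cmake`/`libclang-dev` in a future image change, a bindgen failure against the new `libclang-dev`) leaves no log in this layer and is only reported by the real `maturin build` in the next stage, after the cache layer has already been recorded as successful. The `|| true` is presumably there to tolerate the dummy `lib.rs` bodies failing to compile, which does not require hiding the output; dropping `2>/dev/null` on this line keeps the z3 build log visible when it is the thing that breaks. The enclosing `RUN --mount=...` begins before the hunk, and the same pattern appears in `deploy/docker/Dockerfile.cli-macos` in this commit.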
