twoliter: move docker version check to buildsys

Twoliter does not require access to the docker daemon for publication
workflows (e.g. publishing AMIs or SSM parameters.) To accomodate
environments which do not provide access to the docker daemon for these
workflows, we only make assertions about the system's docker daemon
before using `docker build`.

tools/buildsys/Cargo.toml

@@ -21,6 +21,7 @@ pipesys.workspace = true
 rand = { workspace = true, features = ["std", "std_rng"] }
 regex.workspace = true
 reqwest = { workspace = true, features = ["blocking", "rustls-tls"] }
+semver.workspace = true
 serde = { workspace = true, features = ["derive"] }
 serde_plain.workspace = true
 serde_json.workspace = true

tools/buildsys/src/builder.rs

@@ -21,6 +21,7 @@ use nonzero_ext::nonzero;
 use pipesys::server::Server as PipesysServer;
 use rand::Rng;
 use regex::Regex;
+use semver::{Comparator, Op, Prerelease, Version, VersionReq};
 use sha2::{Digest, Sha512};
 use snafu::{ensure, OptionExt, ResultExt};
 use std::collections::HashSet;
@@ -89,6 +90,23 @@ lazy_static! {
     .unwrap();
 }
 
+/*
+Twoliter relies on minimum Dockerfile syntax 1.4.3, which is shipped in Docker 23.0.0 by default
+We do not use explicit `syntax=` directives to avoid network connections during the build.
+*/
+lazy_static! {
+    static ref MINIMUM_DOCKER_VERSION: VersionReq = VersionReq {
+        comparators: [Comparator {
+            op: Op::GreaterEq,
+            major: 23,
+            minor: None,
+            patch: None,
+            pre: Prerelease::default(),
+        }]
+        .into()
+    };
+}
+
 static DOCKER_BUILD_MAX_ATTEMPTS: NonZeroU16 = nonzero!(10u16);
 
 // Expected UID for privileged and unprivileged processes inside the build container.
@@ -558,6 +576,8 @@ impl DockerBuild {
     }
 
     pub(crate) fn build(&self) -> Result<()> {
+        check_docker_version()?;
+
         env::set_current_dir(&self.root_dir).context(error::DirectoryChangeSnafu {
             path: &self.root_dir,
         })?;
@@ -753,6 +773,66 @@ enum Retry<'a> {
 
 // =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
 
+pub fn docker_server_version() -> Result<Version> {
+    let docker_version_out = cmd("docker", ["version", "--format", "{{.Server.Version}}"])
+        .stderr_to_stdout()
+        .stdout_capture()
+        .unchecked()
+        .run()
+        .context(error::CommandStartSnafu)?;
+    let version_str = String::from_utf8_lossy(&docker_version_out.stdout)
+        .trim()
+        .to_string();
+
+    Version::parse(&version_str).context(error::VersionParseSnafu { version_str })
+}
+
+fn check_docker_version() -> Result<()> {
+    let docker_version = docker_server_version()?;
+
+    snafu::ensure!(
+        MINIMUM_DOCKER_VERSION.matches(&docker_version),
+        error::DockerVersionRequirementSnafu {
+            installed_version: docker_version,
+            required_version: MINIMUM_DOCKER_VERSION.clone()
+        }
+    );
+
+    Ok(())
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use semver::Version;
+
+    #[test]
+    fn test_docker_version_req_25_0_5_passes() {
+        let version = Version::parse("25.0.5").unwrap();
+        assert!(MINIMUM_DOCKER_VERSION.matches(&version))
+    }
+
+    #[test]
+    fn test_docker_version_req_27_1_4_passes() {
+        let version = Version::parse("27.1.4").unwrap();
+        assert!(MINIMUM_DOCKER_VERSION.matches(&version))
+    }
+
+    #[test]
+    fn test_docker_version_req_18_0_9_fails() {
+        let version = Version::parse("18.0.9").unwrap();
+        assert!(!MINIMUM_DOCKER_VERSION.matches(&version))
+    }
+
+    #[test]
+    fn test_docker_version_req_20_10_27_fails() {
+        let version = Version::parse("20.10.27").unwrap();
+        assert!(!MINIMUM_DOCKER_VERSION.matches(&version))
+    }
+}
+
+// =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
+
 /// Add secrets that might be needed for builds. Since most builds won't use
 /// them, they are not automatically tracked for changes. If necessary, builds
 /// can emit the relevant cargo directives for tracking in their build script.

tools/buildsys/src/builder/error.rs

@@ -22,6 +22,16 @@ pub(crate) enum Error {
     #[snafu(display("Failed to execute command: 'docker {}'", args))]
     DockerExecution { args: String },
 
+    #[snafu(display(
+        "The installed docker ('{}') does not meet the minimum version requirement ('{}')",
+        installed_version,
+        required_version
+    ))]
+    DockerVersionRequirement {
+        installed_version: semver::Version,
+        required_version: semver::VersionReq,
+    },
+
     #[snafu(display("Failed to change directory to '{}': {}", path.display(), source))]
     DirectoryChange {
         path: PathBuf,
@@ -91,6 +101,12 @@ pub(crate) enum Error {
     VariantParse {
         source: bottlerocket_variant::error::Error,
     },
+
+    #[snafu(display("Failed to parse version string '{version_str}': {source}"))]
+    VersionParse {
+        source: semver::Error,
+        version_str: String,
+    },
 }
 
 pub(super) type Result<T> = std::result::Result<T, Error>;

twoliter/src/docker/mod.rs

@@ -1,5 +1,3 @@
-mod commands;
 mod image;
 
 pub(crate) use self::image::ImageUri;
-pub(crate) use commands::Docker;

twoliter/src/preflight.rs

@@ -1,34 +1,13 @@
 //! This module performs checks that the current environment is compatible with twoliter, as well
 //! as any other "global" setup that must occur before the build process begins.
 use anyhow::{ensure, Result};
-use lazy_static::lazy_static;
-use semver::{Comparator, Op, Prerelease, VersionReq};
 use which::which_global;
 
-use crate::docker::Docker;
-
 const REQUIRED_TOOLS: &[&str] = &["docker", "gzip", "lz4"];
 
-lazy_static! {
-    // Twoliter relies on minimum Dockerfile syntax 1.4.3, which is shipped in Docker 23.0.0 by default
-    // We do not use explicit `syntax=` directives to avoid network connections during the build.
-    static ref MINIMUM_DOCKER_VERSION: VersionReq = VersionReq {
-        comparators: [
-            Comparator {
-                op: Op::GreaterEq,
-                major: 23,
-                minor: None,
-                patch: None,
-                pre: Prerelease::default(),
-            }
-        ].into()
-    };
-}
-
 /// Runs all common setup required for twoliter.
 ///
 /// * Ensures that any required system tools are installed an accessible.
-/// * Sets up interrupt handler to cleanup on SIGINT
 pub(crate) async fn preflight() -> Result<()> {
     check_environment().await?;
 
@@ -37,7 +16,6 @@ pub(crate) async fn preflight() -> Result<()> {
 
 pub(crate) async fn check_environment() -> Result<()> {
     check_for_required_tools()?;
-    check_docker_version().await?;
 
     Ok(())
 }
@@ -51,30 +29,3 @@ fn check_for_required_tools() -> Result<()> {
     }
     Ok(())
 }
-
-async fn check_docker_version() -> Result<()> {
-    let docker_version = Docker::server_version().await?;
-
-    ensure!(
-        MINIMUM_DOCKER_VERSION.matches(&docker_version),
-        "docker found in PATH does not meet the minimum version requirements for twoliter: {}",
-        MINIMUM_DOCKER_VERSION.to_string(),
-    );
-
-    Ok(())
-}
-
-#[cfg(test)]
-mod test {
-    use super::*;
-    use semver::Version;
-    use test_case::test_case;
-
-    #[test_case(Version::parse("25.0.5").unwrap(), true; "25.0.5 passes")]
-    #[test_case(Version::parse("27.1.4").unwrap(), true; "27.1.4 passes")]
-    #[test_case(Version::parse("18.0.9").unwrap(), false; "18.0.9 fails")]
-    #[test_case(Version::parse("20.10.27").unwrap(), false)]
-    fn test_docker_version_req(version: Version, is_ok: bool) {
-        assert_eq!(MINIMUM_DOCKER_VERSION.matches(&version), is_ok)
-    }
-}