build: set up reproducible builds via Docker

[rvanasa]

This PR enables reproducible builds via a Docker container. Based on the approach used for the Internet Identity canister.

Supersedes #193.

[rvanasa]

This refactoring was necessary for the two-stage Rust build (--only-dependencies and --evm-rpc) to work as expected in the Docker environment.

[rvanasa]

This comes from the Internet Identity Dockerfile. Does this remain reproducible if one of these packages is updated on the apt registry?

[gregorydemay]

That's a good question, maybe @frederikrothenberger can enlighten us here 😁

[frederikrothenberger]

We never ran into issues so far, but good point. It seems broken?
@nmattia: did we just get lucky (or didn't notice)?

[nmattia]

We got lucky! And in general Ubuntu doesn't do big updates without an actual Ubuntu update; stable enough for the needs of II

[nmattia]

just to clarify the context for II (I have no context here): II pins cargo & npm which are the two important tools; and npm statically links most libraries that may cause differences in the build output (zlib, etc)

[gregorydemay]

Thanks a lot guys for the quick answer! If it's good enough for II, it should be good enough for the EVM RPC canister.

[nmattia]

ok, looks like all the bash files were taken from II. If reproducibility is important you might also want to copy the repro tests that run on CI:

• https://github.com/dfinity/internet-identity/blob/c31e8e1c2cd0ba2e9b9fa2a5b93f2e26d1d0a433/.github/workflows/canister-tests.yml#L901-L960
• https://github.com/dfinity/internet-identity/blob/main/.github/workflows/release-build-check.yml

and if the apt issue actually becomes an issue you're probably better off switching to bazel or nix, but you should be fine

[MarioDfinity]

This is a problem shared by II, cycles-ledger and now the EVM RPC canister. Eventually we need to address it.

[gregorydemay]

Thanks a lot @rvanasa for this effort. I think the pieces are mostly there; however, I failed to reproduce the build between Mac and devenv, which is unexpected. I think the CI checks suggested by Nicolas would make a lot of sense.

[gregorydemay]

Thanks a lot guys for the quick answer! If it's good enough for II, it should be good enough for the EVM RPC canister.

[gregorydemay]

Are you sure about this? AFAIK, II put the built dependencies in

ENV CARGO_TARGET_DIR=/cargo_target

and never deletes it. Otherwise I currently don't see the point of pre-building the cargo dependencies.

[rvanasa]

Removed rm -rf target; the other lines are necessary for the COPY line below to work as expected.

[gregorydemay]

unless I'm missing something, I don't think you need an explicit working directory, the default (I think /) should be fine

[rvanasa]

This is a workaround for a nebulous error message (along the lines of ERROR: cannot copy to non-directory: /var/lib/docker/overlay2/fso8ezwpr886l9bjnx3jni37e/merged/lib). I'll address this in a follow-up PR (trying to get this merged by the end of the day if possible).

[gregorydemay]

Since we only care about building the canister evm_rpc.wasm.gz, why do we need to care about stuff in e2e?

[rvanasa]

This was required to allow the Cargo workspace to pre-build as expected (since it also refers to the E2E Cargo.toml file).

[gregorydemay]

LGTM, thanks for pushing this effort @rvanasa!