# Dockerfile.worker — builds cmd/duckgres-worker, the DuckDB-service-only
# binary. Pinned to a single DuckDB driver version per build via the
# DUCKDB_GO_VERSION / DUCKDB_BINDINGS_VERSION / DUCKDB_EXTENSION_VERSION /
# HTTPFS_EXTENSION_TAG build args. The matrix-build CD workflow produces
# one image per (DuckDB version × arch).
#
# The control plane spawns these images as worker pods; their PG wire
# surface is the all-in-one duckgres binary (or the CP-only binary in
# cmd/duckgres-controlplane), which routes queries to whichever worker
# image the per-tenant `image` config-store column points at.
# Build stage: official Go toolchain image on Debian bookworm. The tag is
# mutable; NOTE(review): pin by digest if reproducible builds are required.
FROM golang:1.25-bookworm AS builder
# gcc / g++ / libc6-dev: C/C++ toolchain for the CGO_ENABLED=1 build below.
# curl / gzip: used by the extension download step at the end of this stage.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        curl \
        g++ \
        gcc \
        gzip \
        libc6-dev \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /build
# Copy the full source first. The earlier layout (COPY go.mod go.sum;
# go get; COPY . .) silently broke per-DuckDB-version pinning: the second
# COPY overlaid the host's go.mod/go.sum on top of the downgraded ones,
# undoing the `go get`. Symptom: the duckgres-worker:<sha>-duckdb1.5.1
# image was actually statically linked against duckdb-go-bindings@v0.10502.0
# (DuckDB 1.5.2), with bundled 0.4 extensions sitting at /app/extensions/v1.5.1/
# where the 1.5.2 runtime never looks. Catalog attach failed at runtime
# with "extension requires version 1.0". COPY-then-pin avoids it.
#
# NOTE(review): `COPY . .` places the entire build context in this stage.
# No .dockerignore is visible from this file — confirm one excludes .git,
# local env files and credentials so they cannot land in builder layers or
# in a shared build cache.
COPY . .
# Version metadata stamped into the binary through -ldflags in the go build
# step. Build args are recorded in image history, so they must never carry
# secrets.
ARG VERSION=dev
ARG COMMIT=unknown
# Extra Go build tags, forwarded to `go build -tags`.
ARG BUILD_TAGS=""
# Target architecture, used in the extension download URLs and install
# paths. Declared without a default; presumably filled in by BuildKit's
# automatic platform args — confirm for builders that do not set it.
ARG TARGETARCH
# DuckDB driver pin. Default to whatever the repo's go.mod is currently
# tracking; override via --build-arg when the matrix produces an image
# for a specific DuckDB minor version. The corresponding
# duckdb-go-bindings version must move in lock-step (the duckdb-go-bindings
# release stream uses the same numeric encoding as duckdb-go/v2 just
# without the v2 prefix).
ARG DUCKDB_GO_VERSION=
ARG DUCKDB_BINDINGS_VERSION=
# Re-pin only when BOTH args are non-empty; if either is empty the copied
# go.mod/go.sum are used unchanged.
#
# The per-platform lib modules are fetched best-effort: stderr is discarded
# and a failed `go get` is ignored (`2>/dev/null || true`).
# NOTE(review): that best-effort list includes the linux-<arch> module this
# image is built for, and the later verification step compares only the root
# bindings module. Confirm that a silent failure here cannot leave the
# linked native library on a different version than the one requested.
#
# When this branch runs, go.mod and go.sum are rewritten inside the
# container, so the hashes for the re-pinned modules are not the ones
# committed to the repository. NOTE(review): integrity of those modules then
# presumably rests on the Go checksum database; confirm the build does not
# disable it (GONOSUMDB / GOFLAGS / GOPROXY settings are not visible here).
RUN if [ -n "$DUCKDB_GO_VERSION" ] && [ -n "$DUCKDB_BINDINGS_VERSION" ]; then \
go get "github.com/duckdb/duckdb-go/v2@${DUCKDB_GO_VERSION}" \
&& go get "github.com/duckdb/duckdb-go-bindings@${DUCKDB_BINDINGS_VERSION}" \
&& for arch in darwin-arm64 darwin-amd64 linux-arm64 linux-amd64 windows-amd64; do \
go get "github.com/duckdb/duckdb-go-bindings/lib/${arch}@${DUCKDB_BINDINGS_VERSION}" 2>/dev/null || true; \
done \
&& go mod tidy ; \
fi
# Fetch every module listed in the (possibly re-pinned) go.mod before the
# build step.
RUN go mod download
# Pins for the extension download step at the end of this stage.
# DUCKDB_EXTENSION_VERSION names the install directory
# (v<version>/linux_<arch>) and the path on the extension repositories. Its
# default is independent of DUCKDB_BINDINGS_VERSION, so a build that pins the
# driver to another DuckDB minor must override it too; the COPY comment above
# describes the runtime failure when the directory and the linked DuckDB
# version disagree.
ARG DUCKDB_EXTENSION_VERSION=1.5.2
# Release tags on the forked httpfs and ducklake repositories the download
# step pulls from. Tags are mutable references; they do not fix file content.
ARG HTTPFS_EXTENSION_TAG=v1.5.2-stoi-fix
ARG DUCKLAKE_EXTENSION_TAG=v1.0-posthog.2
ARG DUCKDB_EXTENSION_REPOSITORY=https://extensions.duckdb.org
# NOTE(review): this default is plaintext HTTP, so the transport provides no
# integrity protection for the extension fetched from it; anything on the
# build host's network path could substitute the file. Prefer an https://
# URL if the host serves one (TODO confirm) or pin the file to a digest.
ARG DUCKDB_NIGHTLY_EXTENSION_REPOSITORY=http://nightly-extensions.duckdb.org
# cgo build of the worker binary. -X stamps main.version, main.commit and
# main.date; main.date is the build-time UTC clock, so two builds of the same
# commit do not produce byte-identical binaries.
RUN CGO_ENABLED=1 go build -tags "${BUILD_TAGS}" \
-ldflags "-X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
-o duckgres-worker \
./cmd/duckgres-worker
# Defense-in-depth: assert the binary actually links against the bindings
# version the build args asked for. If a future Dockerfile change re-breaks
# the pinning, this fails the build instead of shipping a silently-wrong
# image. The DUCKDB_BINDINGS_VERSION arg encodes DuckDB minor (e.g.
# v0.10501.0 -> DuckDB 1.5.1); the embedded module info in the binary must
# match exactly.
#
# How it works: `go version -m` prints the module list embedded in the
# binary; awk selects the version column of the line whose module path is
# exactly github.com/duckdb/duckdb-go-bindings. An empty result (module not
# found) also counts as a mismatch and fails the build.
#
# The check is skipped entirely when DUCKDB_BINDINGS_VERSION is empty, which
# is the default, so default builds are not asserted against anything.
# NOTE(review): only the root bindings module is compared. The per-platform
# github.com/duckdb/duckdb-go-bindings/lib/<arch> module, which the pin step
# fetches best-effort, is not checked; consider asserting it as well if it
# appears in the embedded module list.
RUN if [ -n "$DUCKDB_BINDINGS_VERSION" ]; then \
embedded=$(go version -m ./duckgres-worker | awk '$2 == "github.com/duckdb/duckdb-go-bindings" { print $3 }') ; \
if [ "$embedded" != "$DUCKDB_BINDINGS_VERSION" ]; then \
echo "ERROR: bindings pin mismatch — wanted $DUCKDB_BINDINGS_VERSION, got $embedded" >&2 ; \
echo " (full embedded module info follows)" >&2 ; \
go version -m ./duckgres-worker | grep duckdb >&2 ; \
exit 1 ; \
fi ; \
echo "Verified: duckgres-worker linked against duckdb-go-bindings@$embedded" ; \
fi
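# Fetch the DuckDB extensions that are copied into the runtime image, into
# /build/duckdb-extensions/v<version>/linux_<arch>/.
#
# These are prebuilt extension binaries pulled from two GitHub release pages
# and two extension repositories (the nightly repository defaults to
# plaintext HTTP), so the download is a supply-chain input to every image.
# The optional *_SHA256 build args pin each installed file to a known
# SHA-256 digest: when an arg is set, a mismatch fails the build; when it is
# empty, the file is accepted as downloaded and a warning is printed. For the
# two .gz downloads the digest is taken over the decompressed file.
# NOTE(review): set all four digests in the CD matrix so a swapped or
# tampered download cannot reach a published image.
ARG HTTPFS_EXTENSION_SHA256=
ARG DUCKLAKE_EXTENSION_SHA256=
ARG JSON_EXTENSION_SHA256=
ARG POSTGRES_SCANNER_EXTENSION_SHA256=
# Compressed files are saved to disk and decompressed in a separate command
# rather than piped: under the default /bin/sh a pipeline reports only the
# last command's exit status, so a failed curl in `curl | gunzip` is not
# reliably detected.
RUN set -e; \
    ext_dir="/build/duckdb-extensions/v${DUCKDB_EXTENSION_VERSION}/linux_${TARGETARCH}"; \
    mkdir -p "${ext_dir}"; \
    curl -fsSL "https://github.com/benben/duckdb-httpfs/releases/download/${HTTPFS_EXTENSION_TAG}/httpfs-linux-${TARGETARCH}.duckdb_extension" \
        -o "${ext_dir}/httpfs.duckdb_extension"; \
    curl -fsSL "https://github.com/PostHog/ducklake/releases/download/${DUCKLAKE_EXTENSION_TAG}/ducklake-linux-${TARGETARCH}.duckdb_extension" \
        -o "${ext_dir}/ducklake.duckdb_extension"; \
    curl -fsSL "${DUCKDB_EXTENSION_REPOSITORY}/v${DUCKDB_EXTENSION_VERSION}/linux_${TARGETARCH}/json.duckdb_extension.gz" \
        -o "${ext_dir}/json.duckdb_extension.gz"; \
    curl -fsSL "${DUCKDB_NIGHTLY_EXTENSION_REPOSITORY}/v${DUCKDB_EXTENSION_VERSION}/linux_${TARGETARCH}/postgres_scanner.duckdb_extension.gz" \
        -o "${ext_dir}/postgres_scanner.duckdb_extension.gz"; \
    gunzip "${ext_dir}/json.duckdb_extension.gz" "${ext_dir}/postgres_scanner.duckdb_extension.gz"; \
    for pin in \
        "httpfs:${HTTPFS_EXTENSION_SHA256}" \
        "ducklake:${DUCKLAKE_EXTENSION_SHA256}" \
        "json:${JSON_EXTENSION_SHA256}" \
        "postgres_scanner:${POSTGRES_SCANNER_EXTENSION_SHA256}"; do \
        name="${pin%%:*}"; \
        want="${pin#*:}"; \
        if [ -n "${want}" ]; then \
            echo "${want}  ${ext_dir}/${name}.duckdb_extension" | sha256sum -c -; \
        else \
            echo "WARNING: no SHA-256 pin for ${name}.duckdb_extension; integrity not verified" >&2; \
        fi; \
    done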
# Runtime stage: slim Debian carrying only the worker binary and its bundled
# extensions. The tag is mutable; NOTE(review): pin by digest if the runtime
# base must be reproducible.
FROM debian:bookworm-slim
# CA bundle is the only extra package installed in the runtime image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
    && rm -rf /var/lib/apt/lists/*
# Unprivileged system account with /app as its home directory.
# NOTE(review): no explicit UID is requested and USER below is a name, not a
# number. Kubernetes `runAsNonRoot` cannot verify a non-numeric image user,
# so confirm the worker pod spec sets a numeric runAsUser.
RUN groupadd --system duckgres \
    && useradd --system --gid duckgres --home-dir /app duckgres
WORKDIR /app
COPY --from=builder /build/duckgres-worker .
COPY --from=builder /build/duckdb-extensions ./extensions
# Creates the writable data/ and certs/ directories, then hands all of /app
# to the runtime account.
# NOTE(review): the recursive chown also makes the binary and the bundled
# extensions writable by the account the service runs as. If the worker only
# needs to write under data/ and certs/ (TODO confirm; /app is also the
# account's home directory), restrict ownership to those paths.
RUN mkdir -p data certs \
    && chown -R duckgres:duckgres /app
USER duckgres
# 8816 = Arrow Flight SQL listener (configurable via --duckdb-listen)
# 9090 = metrics. The CP-side PG wire port (5432) is intentionally absent;
# this binary does not serve PG wire.
EXPOSE 8816 9090
ENTRYPOINT ["/app/duckgres-worker"]