ci: container improvements

[kwvg]

Additional Information

• This pull request pulls container-specific changes from dash#6387, dash#6400 and dash#6421

• The HOST check before running setup_sdk.sh isn't a part of the script itself as the script is written to be independent of external variables set. The caller is expected to know the conditions needed to run setup_sdk.sh as the script is relatively agnostic to its environment.

• The version attribute in the develop and guix container's docker-compose.yml has been dropped as the attribute has been deprecated in the compose spec (source).

• Using LD_LIBRARY_PATH to point to LLVM's libraries are acceptable and will not interfere with executing binaries built using the distro's packaged compiler as it will eventually search default paths and find the libraries shipped with the distro (source).

• Currently, running LLDB will result in a "personality set failed: Operation not permitted" error (source). This is caused by its attempt at disabling ASLR for debugging.

  To work around this error, the container will now operate under relaxed restrictions (seccomp=unconfined). As disabling ASLR is valuable when debugging and the container is meant for developers (i.e. it isn't used for CI), we have opted to relax restrictions instead of skipping ASLR disablement.

• As of develop (a8e2316), packages built by the container are stored in /tmp, which is inadvisable as it is the same directory used to store functional test runs and it's not too difficult to delete /tmp's contents to save space in a long running develop container and then realize that both shellcheck and cppcheck are stored there and now you have to ditch the container you're working in and restart it.

  • To remedy this, packages are now built and stored in /opt in accordance with the FHS (source). /usr/local was a contender but it's pre-populated, meanwhile ls /opt would give you a very quick picture of what's built for the container.

  • /tmp will not be entirely empty because pypa/pip#10753 results in residual .pem files leaking into /tmp and pyenv stores its build log there and keeping it around has some debug value.

Breaking Changes

None expected.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests (note: N/A)
• I have made corresponding changes to the documentation (note: N/A)
• I have assigned this pull request to a milestone (for repository code-owners and collaborators only)

[UdjinM6]

Tested local macos build via docker-compose, Guix build on ubuntu via direct guix-start call and GH Guix CI. All looks good 👍

ACK 04ce1fe

[PastaPastaPasta]

utACK 04ce1fe