containers: prepare environmentd and clusterd for distroless migration

misc/images/distroless-prod-base/Dockerfile

@@ -10,7 +10,19 @@
 # This is a separate mzimage so that we don't have to re-install the apt things
 # every time we get a CI builder with a cold cache.
 
+# Extract libeatmydata from a Debian image for CI use. eatmydata disables
+# fsync for faster test execution. Activated via LD_PRELOAD=libeatmydata.so
+# set as a container environment variable (must be set before process start).
+FROM debian:13-slim AS eatmydata
+RUN apt-get update && apt-get install -y --no-install-recommends eatmydata \
+    && rm -rf /var/lib/apt/lists/*
+
 FROM gcr.io/distroless/cc-debian13:nonroot-28078d2e5e77671d2046dcc9e2c75334e31efa4d
+
+# Copy libeatmydata for CI performance optimization (no-op unless
+# LD_PRELOAD=libeatmydata.so is set as a container env var).
+COPY --from=eatmydata /usr/lib/*/libeatmydata.so /usr/lib/
+
 USER nonroot
 ENV HOME=/home/nonroot
 ENTRYPOINT []

misc/images/openssh-static/Dockerfile

@@ -0,0 +1,95 @@
+# Copyright Materialize, Inc. and contributors. All rights reserved.
+#
+# Use of this software is governed by the Business Source License
+# included in the LICENSE file at the root of this repository.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0.
+
+# Build a statically-linked OpenSSH `ssh` client binary using AWS-LC
+# as the crypto backend. AWS-LC is a faster, smaller alternative to
+# OpenSSL that also supports FIPS 140-3 validation when needed.
+#
+# OpenSSH natively supports AWS-LC as a crypto backend (no patches needed).
+# See: https://github.com/openssh/openssh-portable/blob/master/INSTALL
+#
+# To enable FIPS mode, build with: --build-arg AWS_LC_FIPS=1
+# (requires Go for the FIPS delocator)
+#
+# Usage:
+#   docker build -t openssh-static .
+#   docker create --name extract openssh-static
+#   docker cp extract:/output/ssh ./ssh
+#   docker rm extract
+
+FROM ubuntu:noble-20260210.1 AS builder
+
+ARG AWS_LC_VERSION=v1.54.0
+ARG AWS_LC_FIPS=0
+ARG OPENSSH_VERSION=V_9_9_P2
+ARG ZLIB_VERSION=1.3.1
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    autoconf \
+    automake \
+    build-essential \
+    ca-certificates \
+    cmake \
+    git \
+    golang \
+    ninja-build \
+    perl \
+    pkg-config \
+    wget \
+    && rm -rf /var/lib/apt/lists/*
+
+# Build AWS-LC as a static library.
+# When AWS_LC_FIPS=1, enables FIPS mode (requires Go for the delocator).
+WORKDIR /build/aws-lc
+RUN git clone --depth 1 --branch ${AWS_LC_VERSION} https://github.com/aws/aws-lc.git . \
+    && cmake -GNinja -B build \
+        $([ "$AWS_LC_FIPS" = "1" ] && echo "-DFIPS=1") \
+        -DBUILD_SHARED_LIBS=0 \
+        -DBUILD_TESTING=OFF \
+        -DBUILD_TOOL=OFF \
+        -DCMAKE_BUILD_TYPE=Release \
+        -DCMAKE_INSTALL_PREFIX=/opt/aws-lc \
+        -DCMAKE_C_FLAGS="-fPIC" \
+    && ninja -C build \
+    && ninja -C build install
+
+# Build zlib as a static library.
+WORKDIR /build/zlib
+RUN wget -qO- https://github.com/madler/zlib/releases/download/v${ZLIB_VERSION}/zlib-${ZLIB_VERSION}.tar.gz | tar xz --strip-components=1 \
+    && ./configure --static --prefix=/opt/zlib \
+    && make -j"$(nproc)" \
+    && make install
+
+# Build OpenSSH ssh client against AWS-LC.
+WORKDIR /build/openssh
+RUN git clone --depth 1 --branch ${OPENSSH_VERSION} https://github.com/openssh/openssh-portable.git . \
+    && autoreconf \
+    && ./configure \
+        --with-ssl-dir=/opt/aws-lc \
+        --with-zlib=/opt/zlib \
+        --with-ldflags=-static \
+        --without-pam \
+        --without-libedit \
+        --disable-pkcs11 \
+    # AWS-LC does not define the legacy OpenSSL BN_FLG_CONSTTIME flag.
+    # Setting it to 0 satisfies #ifdef checks in OpenSSH source code.
+    # This is safe: AWS-LC handles constant-time bignum operations
+    # internally and does not rely on this flag.
+    # --disable-pkcs11 avoids link errors from ssh-pkcs11.c calling
+    # RSA_meth_dup/EC_KEY_METHOD_get_sign which AWS-LC does not provide.
+    && make -j"$(nproc)" ssh CFLAGS="-DBN_FLG_CONSTTIME=0" \
+    && strip ssh
+
+# Verify the binary is not dynamically linked and is functional.
+RUN ! ldd ssh 2>/dev/null \
+    && ./ssh -V
+
+# Output stage: just the binary.
+FROM scratch
+COPY --from=builder /build/openssh/ssh /output/ssh

src/environmentd/ci/entrypoint.sh → misc/images/openssh-static/mzbuild.yml

@@ -1,5 +1,3 @@
-#!/usr/bin/env bash
-
 # Copyright Materialize, Inc. and contributors. All rights reserved.
 #
 # Use of this software is governed by the Business Source License
@@ -9,17 +7,5 @@
 # the Business Source License, use of this software will be governed
 # by the Apache License, Version 2.0.
 
-set -euo pipefail
-
-if [ -z "${MZ_EAT_MY_DATA:-}" ]; then
-    unset LD_PRELOAD
-else
-    export LD_PRELOAD=libeatmydata.so
-fi
-
-if environmentd "$@"; then
-    echo "environmentd exited gracefully; sleeping forever" >&2
-    sleep infinity
-else
-    exit $?
-fi
+name: openssh-static
+description: Statically-linked OpenSSH ssh client built against AWS-LC (FIPS optional).

misc/python/materialize/mzcompose/services/clusterd.py

@@ -41,13 +41,13 @@ def __init__(
             "CLUSTERD_USE_CTP=true",
             "MZ_SOFT_ASSERTIONS=1",
             "MZ_EAT_MY_DATA=1",
+            "LD_PRELOAD=libeatmydata.so",
             # Defaults that were previously set by the clusterd entrypoint.sh.
             "CLUSTERD_STORAGE_CONTROLLER_LISTEN_ADDR=0.0.0.0:2100",
             "CLUSTERD_COMPUTE_CONTROLLER_LISTEN_ADDR=0.0.0.0:2101",
             "CLUSTERD_INTERNAL_HTTP_LISTEN_ADDR=0.0.0.0:6878",
             "CLUSTERD_SECRETS_READER=local-file",
             "CLUSTERD_SECRETS_READER_LOCAL_FILE_DIR=/mzdata/secrets",
-            "LD_PRELOAD=libeatmydata.so",
             f"CLUSTERD_PERSIST_PUBSUB_URL=http://{mz_service}:6879",
             *environment_extra,
         ]
@@ -80,6 +80,9 @@ def __init__(
         # Override the materialized entrypoint so that `clusterd` is invoked
         # via the command rather than via the entrypoint. This keeps
         # `c.exec()` working (it prepends the entrypoint to exec commands).
+        # Note: mzcompose uses the Ubuntu-based `materialized` image (with
+        # tini/bash), while production uses the distroless `clusterd` image.
+        # Keep this in mind when debugging CI-vs-prod discrepancies.
         config["entrypoint"] = ["tini", "--"]
 
         # Depending on the Docker Compose version, this may either work or be

src/cloud-resources/src/crd/materialize.rs

@@ -655,7 +655,7 @@ pub mod v1alpha1 {
     }
 }
 
-fn parse_image_ref(image_ref: &str) -> Option<Version> {
+pub fn parse_image_ref(image_ref: &str) -> Option<Version> {
     image_ref
         .rsplit_once(':')
         .and_then(|(_repo, tag)| tag.strip_prefix('v'))

src/clusterd/Cargo.toml

@@ -17,6 +17,7 @@ fail.workspace = true
 futures.workspace = true
 hyper.workspace = true
 hyper-util.workspace = true
+libc.workspace = true
 mz-alloc = { path = "../alloc" }
 mz-alloc-default = { path = "../alloc-default", optional = true }
 mz-build-info = { path = "../build-info" }
@@ -38,7 +39,7 @@ mz-storage-client = { path = "../storage-client" }
 mz-storage-types = { path = "../storage-types" }
 mz-timely-util = { path = "../timely-util" }
 mz-txn-wal = { path = "../txn-wal" }
-nix.workspace = true
+nix = { workspace = true, features = ["hostname", "signal"] }
 num_cpus.workspace = true
 serde.workspace = true
 tokio.workspace = true

src/clusterd/ci/Dockerfile

@@ -7,10 +7,11 @@
 # the Business Source License, use of this software will be governed
 # by the Apache License, Version 2.0.
 
-MZFROM prod-base
+MZFROM openssh-static AS openssh
 
-COPY clusterd entrypoint.sh /usr/local/bin/
+MZFROM distroless-prod-base
 
-USER materialize
+COPY clusterd /usr/local/bin/
+COPY --from=openssh /output/ssh /usr/bin/ssh
 
-ENTRYPOINT ["tini", "--", "entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/clusterd"]