feat: Add Rust and Cargo support for the BOSH stemcell #680

Open
ZPascal wants to merge 4 commits into cloudfoundry:ubuntu-jammy from ZPascal:add-cargo-and-rust-support

ZPascal commented Jul 1, 2026

What

Adds a new bosh_rust OS image stage that installs the Rust toolchain (stable) and Cargo into the stemcell via rustup. After this change, every VM built from this stemcell has cargo and rustc available at /var/vcap/bosh/bin/.

Why

BOSH releases that need to compile Rust code — for example, building git 2.55 from source using its new Cargo-based credential helper — currently require operators to install the Rust toolchain themselves during pre-start or packaging. Making it available in the base image removes that burden and enables a class of packages that depend on cargo at build time.

Example: git 2.55 from source

git 2.55 introduced git-credential-oauth, a credential helper written in Rust, as part of its standard build. Without Cargo in the image, make install fails during the Rust compilation step:

$ make prefix=/var/vcap/packages/git install
    Compiling git-credential-oauth v0.1.0
error: linker `cc` not found
  = note: No such file or directory (os error 2)
error: could not compile `git-credential-oauth`
make: *** [Makefile:3049: credential/oauth/git-credential-oauth] Error 101

With this change, a BOSH release packaging git 2.55 from source works without any additional toolchain setup — cargo and cc (already present via build-essential) are both available in the stemcell environment.

How

A new stage bosh_rust is registered in ubuntu_os_stages immediately after base_ubuntu_packages (which installs ca-certificates, required for rustup's TLS connections to sh.rustup.rs and static.rust-lang.org). The stage:

  1. Downloads rustup-init.sh from https://sh.rustup.rs with 5-retry resilience via curl_five_times
  2. Runs it non-interactively inside the chroot with RUSTUP_HOME=/var/vcap/bosh/rustup and CARGO_HOME=/var/vcap/bosh/cargo
  3. Creates /var/vcap/bosh/bin/ and symlinks cargo and rustc into it so they're on the PATH BOSH jobs inherit

The toolchain stays under /var/vcap/bosh/ alongside other BOSH-managed binaries. --no-modify-path is passed so rustup does not touch shell profiles inside the chroot.

Note on symlink depth: rustup installs cargo in $CARGO_HOME/bin/ as a symlink to rustup itself (the multiplexer binary). /var/vcap/bosh/bin/cargo is therefore a two-hop symlink chain. The OS image specs use be_file + be_executable rather than be_linked_to because the ShelloutTypes linked_to? implementation uses readlink -m, which resolves the full chain and would never match an intermediate target.

Test plan

Verified locally via docker run --privileged bosh/os-image-stemcell-builder:jammy: 377 examples, 0 failures.

  • OS image build completes without error on the bosh_rust stage
  • /var/vcap/bosh/bin/cargo exists and is executable
  • /var/vcap/bosh/bin/rustc exists and is executable
  • /var/vcap/bosh/cargo directory present (rustup toolchain home)
  • /var/vcap/bosh/rustup directory present (rustup metadata home)
  • Full OS image spec suite passes (377/377)
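
The two-hop chain from the note on symlink depth, reproduced in a scratch directory as an added example (not code from this PR or from the stemcell builder): `readlink` reports the intermediate target, `readlink -m` reports the end of the chain, and `readlink -e` additionally fails when a hop is missing. The directory layout and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed scratch layout mirroring the paths named in the description;
# nothing here touches a real stemcell or a real rustup install.

# Build <root>/cargo/bin/{rustup,cargo} and <root>/bin/cargo as a two-hop chain.
make_chain() {
    root=$1
    mkdir -p "$root/cargo/bin" "$root/bin"
    printf '#!/bin/sh\necho multiplexer\n' > "$root/cargo/bin/rustup"
    chmod +x "$root/cargo/bin/rustup"
    ln -s rustup "$root/cargo/bin/cargo"              # hop 2: cargo -> rustup
    ln -s "$root/cargo/bin/cargo" "$root/bin/cargo"   # hop 1: bin/cargo -> cargo
}

# Target stored in the link itself (one hop only).
one_hop() { readlink "$1"; }

# Canonical end of the chain, the value `readlink -m` reports.
full_chain() { readlink -m "$1"; }

# Succeeds only if every hop exists and the final target is an executable
# regular file. `readlink -e` fails on a dangling chain; `-m` does not.
link_is_usable() {
    target=$(readlink -e "$1") || return 1
    [ -f "$target" ] && [ -x "$target" ]
}

# Demo run.
demo_root=$(cd "$(mktemp -d)" && pwd -P)
make_chain "$demo_root"
echo "readlink    : $(one_hop "$demo_root/bin/cargo")"
echo "readlink -m : $(full_chain "$demo_root/bin/cargo")"
link_is_usable "$demo_root/bin/cargo" && echo "chain resolves to an executable"
rm -rf "$demo_root"
```

A spec that compares the link against `$CARGO_HOME/bin/cargo` matches the `readlink` value only; a check built on full resolution has to expect the rustup binary instead.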

coderabbitai Bot commented Jul 1, 2026

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 007b8836-e928-4c9d-ae5a-6b6d34d5e256

📥 Commits

Reviewing files that changed from the base of the PR and between d2783e6 and 49572ca.

📒 Files selected for processing (3)
  • bosh-stemcell/spec/bosh/stemcell/stage_collection_spec.rb
  • bosh-stemcell/spec/os_image/ubuntu_spec.rb
  • stemcell_builder/stages/bosh_rust/apply.sh

Walkthrough

Changes

A new bosh_rust stage is added for Ubuntu stemcells. The stage scripts install Rust with rustup inside the chroot and create symlinks for cargo and rustc under /var/vcap/bosh/bin. The Ubuntu stage collection now includes :bosh_rust, and the Ubuntu spec now checks the installed toolchain files and directories.

Suggested reviewers: mkocher, selzoc, ystros

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly matches the main change: adding Rust/Cargo support to the BOSH stemcell.
  • Description check: ✅ Passed. The description includes What, Why, How, and Test plan sections with sufficient implementation and validation detail.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Signed-off-by: Pascal Zimmermann <pascal.zimmermann01@sap.com>
@ZPascal ZPascal force-pushed the add-cargo-and-rust-support branch from 7d4dfc4 to 02fa145 Compare July 1, 2026 07:12

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@stemcell_builder/stages/bosh_rust/apply.sh`:
- Around line 11-16: The rustup installation in apply.sh currently uses the
moving stable channel, which makes the stemcell non-reproducible. Update the
rustup-init invocation in the bosh_rust stage to pin an explicit Rust toolchain
version instead of --default-toolchain stable, using the existing apply.sh
script context around run_in_chroot and /tmp/rustup-init.sh. Ensure the chosen
version is fixed and consistent with the intended build environment.
- Around line 8-9: The download in apply.sh uses a predictable fixed path for
rustup-init.sh, which can be pre-created or raced via symlink/TOCTOU in the
chroot. Update the rustup bootstrap step to use a unique temporary file created
with mktemp (or equivalent) inside the chroot, then pass that generated path to
curl_five_times and any subsequent execution/cleanup logic. Keep the change
localized around the rustup-init download flow in apply.sh.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d4122c8d-67ad-43ce-85b7-94a22d1d3990

📥 Commits

Reviewing files that changed from the base of the PR and between f7f2175 and 7d4dfc4.

📒 Files selected for processing (4)
  • bosh-stemcell/lib/bosh/stemcell/stage_collection.rb
  • bosh-stemcell/spec/os_image/ubuntu_spec.rb
  • stemcell_builder/stages/bosh_rust/apply.sh
  • stemcell_builder/stages/bosh_rust/config.sh

Comment thread stemcell_builder/stages/bosh_rust/apply.sh Outdated
Comment thread stemcell_builder/stages/bosh_rust/apply.sh Outdated
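
The two findings in the review above (predictable installer path, moving `stable` channel), shown side by side as an added example that is not the PR's `apply.sh`: `fetch_stub` is a hypothetical stand-in for `curl_five_times` so the block runs offline, the function names are constructed, and the version `1.79.0` is a placeholder rather than a value from this PR.

```shell
#!/bin/sh
# Added sketch: fetch_stub stands in for the project's curl_five_times so the
# block runs offline; the toolchain version used below is a placeholder.

fetch_stub() { printf '#!/bin/sh\necho installer\n' > "$1"; }   # $1 = output path

# Before: fixed, predictable path. The write follows whatever already exists
# at that name, including a symlink created there earlier.
stage_fixed() {
    chroot_dir=$1
    fetch_stub "$chroot_dir/tmp/rustup-init.sh"
    echo "$chroot_dir/tmp/rustup-init.sh"
}

# After: mktemp creates a brand-new file with an unpredictable name and
# mode 0600, so nothing planted at a known path can capture the write.
stage_unique() {
    chroot_dir=$1
    installer=$(mktemp "$chroot_dir/tmp/rustup-init.XXXXXX") || return 1
    fetch_stub "$installer"
    echo "$installer"
}

# Build rustup-init arguments, accepting only an explicit x.y.z version so the
# image does not follow a moving channel such as "stable".
rustup_args() {
    case $1 in
        ''|*[!0-9.]*) echo "refusing unpinned toolchain: '$1'" >&2; return 1 ;;
        [0-9]*.[0-9]*.[0-9]*) echo "-y --no-modify-path --default-toolchain $1" ;;
        *) echo "refusing unpinned toolchain: '$1'" >&2; return 1 ;;
    esac
}

# Demo run in a scratch directory that plays the role of the chroot.
demo=$(mktemp -d) && mkdir "$demo/tmp"
echo "staged at: $(stage_unique "$demo")"
echo "args     : $(rustup_args 1.79.0)"
rm -rf "$demo"
```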
…table tmp path

Signed-off-by: Pascal Zimmermann <pascal.zimmermann01@sap.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bosh-stemcell/spec/os_image/ubuntu_spec.rb`:
- Around line 551-569: The current rust toolchain spec in the ubuntu_spec.rb
checks only that /var/vcap/bosh/bin/cargo and /var/vcap/bosh/bin/rustc exist and
are executable, which can miss broken symlinks. Update the “bosh rust toolchain”
examples to include a functional smoke check on the rustc binary, using the
existing file/command spec style around the rustc assertion so it verifies that
invoking rustc succeeds (for example via a version check) rather than only
checking the symlink type.

In `@stemcell_builder/stages/bosh_rust/apply.sh`:
- Around line 14-19: The path handling in the `apply.sh` heredoc is redundant
and triggers the SC2295 warning because `basename` is applied after an
unnecessary `${rustup_installer#${chroot}}` prefix strip. Update the `installer`
assignment in the `run_in_chroot` script block to derive the filename directly
from `rustup_installer`, and keep the rest of the `chmod`/installer invocation
logic unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d56d2058-88a9-4f53-9faf-65da64d226b7

📥 Commits

Reviewing files that changed from the base of the PR and between 7d4dfc4 and d2783e6.

📒 Files selected for processing (4)
  • bosh-stemcell/lib/bosh/stemcell/stage_collection.rb
  • bosh-stemcell/spec/os_image/ubuntu_spec.rb
  • stemcell_builder/stages/bosh_rust/apply.sh
  • stemcell_builder/stages/bosh_rust/config.sh

Comment thread bosh-stemcell/spec/os_image/ubuntu_spec.rb
Comment thread stemcell_builder/stages/bosh_rust/apply.sh
ZPascal added 2 commits July 1, 2026 21:23
Signed-off-by: Pascal Zimmermann <pascal.zimmermann01@sap.com>
…spec

Signed-off-by: Pascal Zimmermann <pascal.zimmermann01@sap.com>
@github-project-automation github-project-automation Bot moved this from Waiting for Changes | Open for Contribution to Pending Merge | Prioritized in Foundational Infrastructure Working Group Jul 1, 2026