feat(builds): add VM resource configuration and build options

hiroTamada · hiroTamada · commit 0a57beac937b · 2026-02-26T13:42:34.000-05:00
Add configurable VM resources for builder VMs:
- memory_mb: Memory limit in MB (default 4096)
- cpus: Number of vCPUs (default 4)
- disk_size_gb: Overlay disk size in GB (default 20)
- disk_io_bps: Disk I/O rate limit (0 = auto)
- network_bandwidth_download/upload: Network rate limits (0 = auto)

Add build options:
- build_args: JSON object of ARG values for Dockerfile
- target: Target build stage for multi-stage Dockerfiles
- platform: Target platform for cross-platform builds
- no_cache: Skip cache import for fresh builds

These options were defined in BuildPolicy but not exposed via the API.
Now users can customize builder VM resources and control build behavior.

Made-with: Cursor
diff --git a/cmd/api/api/builds.go b/cmd/api/api/builds.go
@@ -43,9 +43,12 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 	// Parse multipart form fields
 	var sourceData []byte
 	var baseImageDigest, cacheScope, dockerfile, globalCacheKey, imageName string
-	var timeoutSeconds int
-	var isAdminBuild bool
+	var target, platform string
+	var timeoutSeconds, memoryMB, cpus, diskSizeGB int
+	var diskIOBps, networkBandwidthDownload, networkBandwidthUpload int64
+	var isAdminBuild, noCache bool
 	var secrets []builds.SecretRef
+	var buildArgs map[string]string
 
 	for {
 		part, err := request.Body.NextPart()
@@ -106,6 +109,72 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 			if v, err := strconv.Atoi(string(data)); err == nil {
 				timeoutSeconds = v
 			}
+		case "memory_mb":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read memory_mb field",
+				}, nil
+			}
+			if v, err := strconv.Atoi(string(data)); err == nil {
+				memoryMB = v
+			}
+		case "cpus":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read cpus field",
+				}, nil
+			}
+			if v, err := strconv.Atoi(string(data)); err == nil {
+				cpus = v
+			}
+		case "disk_size_gb":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read disk_size_gb field",
+				}, nil
+			}
+			if v, err := strconv.Atoi(string(data)); err == nil {
+				diskSizeGB = v
+			}
+		case "disk_io_bps":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read disk_io_bps field",
+				}, nil
+			}
+			if v, err := strconv.ParseInt(string(data), 10, 64); err == nil {
+				diskIOBps = v
+			}
+		case "network_bandwidth_download":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read network_bandwidth_download field",
+				}, nil
+			}
+			if v, err := strconv.ParseInt(string(data), 10, 64); err == nil {
+				networkBandwidthDownload = v
+			}
+		case "network_bandwidth_upload":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read network_bandwidth_upload field",
+				}, nil
+			}
+			if v, err := strconv.ParseInt(string(data), 10, 64); err == nil {
+				networkBandwidthUpload = v
+			}
 		case "secrets":
 			data, err := io.ReadAll(part)
 			if err != nil {
@@ -120,6 +189,20 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 					Message: "secrets must be a JSON array of {\"id\": \"...\", \"env_var\": \"...\"} objects",
 				}, nil
 			}
+		case "build_args":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read build_args field",
+				}, nil
+			}
+			if err := json.Unmarshal(data, &buildArgs); err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "build_args must be a JSON object of key-value pairs",
+				}, nil
+			}
 		case "is_admin_build":
 			data, err := io.ReadAll(part)
 			if err != nil {
@@ -147,6 +230,33 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 				}, nil
 			}
 			imageName = string(data)
+		case "target":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read target field",
+				}, nil
+			}
+			target = string(data)
+		case "platform":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read platform field",
+				}, nil
+			}
+			platform = string(data)
+		case "no_cache":
+			data, err := io.ReadAll(part)
+			if err != nil {
+				return oapi.CreateBuild400JSONResponse{
+					Code:    "invalid_request",
+					Message: "failed to read no_cache field",
+				}, nil
+			}
+			noCache = string(data) == "true" || string(data) == "1"
 		}
 		part.Close()
 	}
@@ -177,17 +287,31 @@ func (s *ApiService) CreateBuild(ctx context.Context, request oapi.CreateBuildRe
 		BaseImageDigest: baseImageDigest,
 		CacheScope:      cacheScope,
 		Dockerfile:      dockerfile,
+		BuildArgs:       buildArgs,
 		Secrets:         secrets,
 		IsAdminBuild:    isAdminBuild,
 		GlobalCacheKey:  globalCacheKey,
 		ImageName:       imageName,
+		Target:          target,
+		Platform:        platform,
+		NoCache:         noCache,
 	}
 
-	// Apply timeout if provided
-	if timeoutSeconds > 0 {
-		domainReq.BuildPolicy = &builds.BuildPolicy{
-			TimeoutSeconds: timeoutSeconds,
-		}
+	// Build policy with VM resource config
+	policy := builds.BuildPolicy{
+		TimeoutSeconds:           timeoutSeconds,
+		MemoryMB:                 memoryMB,
+		CPUs:                     cpus,
+		DiskSizeGB:               diskSizeGB,
+		DiskIOBps:                diskIOBps,
+		NetworkBandwidthDownload: networkBandwidthDownload,
+		NetworkBandwidthUpload:   networkBandwidthUpload,
+	}
+
+	// Only set BuildPolicy if any field was specified (let manager apply defaults)
+	if timeoutSeconds > 0 || memoryMB > 0 || cpus > 0 || diskSizeGB > 0 ||
+		diskIOBps > 0 || networkBandwidthDownload > 0 || networkBandwidthUpload > 0 {
+		domainReq.BuildPolicy = &policy
 	}
 
 	build, err := s.BuildManager.CreateBuild(ctx, domainReq, sourceData)
diff --git a/lib/builds/builder_agent/main.go b/lib/builds/builder_agent/main.go
@@ -50,8 +50,12 @@ type BuildConfig struct {
 	Secrets          []SecretRef       `json:"secrets,omitempty"`
 	TimeoutSeconds   int               `json:"timeout_seconds"`
 	NetworkMode      string            `json:"network_mode"`
-	IsAdminBuild   bool   `json:"is_admin_build,omitempty"`
-	GlobalCacheKey string `json:"global_cache_key,omitempty"`
+	IsAdminBuild     bool              `json:"is_admin_build,omitempty"`
+	GlobalCacheKey   string            `json:"global_cache_key,omitempty"`
+	ImageName        string            `json:"image_name,omitempty"`
+	Target           string            `json:"target,omitempty"`
+	Platform         string            `json:"platform,omitempty"`
+	NoCache          bool              `json:"no_cache,omitempty"`
 }
 
 // SecretRef references a secret to inject during build
@@ -786,34 +790,50 @@ func runBuild(ctx context.Context, config *BuildConfig, logWriter io.Writer) (st
 		"--metadata-file", "/tmp/build-metadata.json",
 	}
 
-	// Two-tier cache implementation:
+	// Add target build stage if specified (for multi-stage Dockerfiles)
+	if config.Target != "" {
+		args = append(args, "--opt", fmt.Sprintf("target=%s", config.Target))
+		log.Printf("Building target stage: %s", config.Target)
+	}
+
+	// Add platform for cross-platform builds
+	if config.Platform != "" {
+		args = append(args, "--opt", fmt.Sprintf("platform=%s", config.Platform))
+		log.Printf("Building for platform: %s", config.Platform)
+	}
+
+	// Two-tier cache implementation (skip if NoCache is true):
 	// 1. Import from global cache (if runtime specified) - always read-only for regular builds
 	// 2. Import from tenant cache (if cache scope specified)
 	// 3. Export to appropriate target based on build type
 
-	// Import from global cache (read-only for regular builds, read-write for admin builds)
-	if config.GlobalCacheKey != "" {
-		globalCacheRef := fmt.Sprintf("%s/cache/global/%s", registryHost, config.GlobalCacheKey)
-		cacheOpts := "type=registry,ref=" + globalCacheRef
-		if useInsecureFlag {
-			cacheOpts += ",registry.insecure=true"
+	if config.NoCache {
+		log.Printf("Cache disabled (no_cache=true), skipping cache import")
+	} else {
+		// Import from global cache (read-only for regular builds, read-write for admin builds)
+		if config.GlobalCacheKey != "" {
+			globalCacheRef := fmt.Sprintf("%s/cache/global/%s", registryHost, config.GlobalCacheKey)
+			cacheOpts := "type=registry,ref=" + globalCacheRef
+			if useInsecureFlag {
+				cacheOpts += ",registry.insecure=true"
+			}
+			args = append(args, "--import-cache", cacheOpts)
+			log.Printf("Importing from global cache: %s", globalCacheRef)
 		}
-		args = append(args, "--import-cache", cacheOpts)
-		log.Printf("Importing from global cache: %s", globalCacheRef)
-	}
 
-	// For regular builds, also import from tenant cache if scope is set
-	if !config.IsAdminBuild && config.CacheScope != "" {
-		tenantCacheRef := fmt.Sprintf("%s/cache/%s", registryHost, config.CacheScope)
-		cacheOpts := "type=registry,ref=" + tenantCacheRef
-		if useInsecureFlag {
-			cacheOpts += ",registry.insecure=true"
+		// For regular builds, also import from tenant cache if scope is set
+		if !config.IsAdminBuild && config.CacheScope != "" {
+			tenantCacheRef := fmt.Sprintf("%s/cache/%s", registryHost, config.CacheScope)
+			cacheOpts := "type=registry,ref=" + tenantCacheRef
+			if useInsecureFlag {
+				cacheOpts += ",registry.insecure=true"
+			}
+			args = append(args, "--import-cache", cacheOpts)
+			log.Printf("Importing from tenant cache: %s", tenantCacheRef)
 		}
-		args = append(args, "--import-cache", cacheOpts)
-		log.Printf("Importing from tenant cache: %s", tenantCacheRef)
 	}
 
-	// Export cache based on build type
+	// Export cache based on build type (always export, even if NoCache was set for import)
 	// Note: image-manifest=true ensures layer blobs are stored in the registry cache image
 	// rather than as references to external registries (e.g., docker.io). This is critical
 	// for cache hits in ephemeral BuildKit instances that don't have local layer storage.
diff --git a/lib/builds/manager.go b/lib/builds/manager.go
@@ -504,6 +504,9 @@ func (m *manager) CreateBuild(ctx context.Context, req CreateBuildRequest, sourc
 		IsAdminBuild:     req.IsAdminBuild,
 		GlobalCacheKey:   req.GlobalCacheKey,
 		ImageName:        req.ImageName,
+		Target:           req.Target,
+		Platform:         req.Platform,
+		NoCache:          req.NoCache,
 	}
 	if err := writeBuildConfig(m.paths, id, buildConfig); err != nil {
 		deleteBuild(m.paths, id)
@@ -718,11 +721,15 @@ func (m *manager) executeBuild(ctx context.Context, id string, req CreateBuildRe
 	networkEnabled := policy.NetworkMode == "egress"
 
 	inst, err := m.instanceManager.CreateInstance(ctx, instances.CreateInstanceRequest{
-		Name:           builderName,
-		Image:          m.config.BuilderImage,
-		Size:           int64(policy.MemoryMB) * 1024 * 1024,
-		Vcpus:          policy.CPUs,
-		NetworkEnabled: networkEnabled,
+		Name:                     builderName,
+		Image:                    m.config.BuilderImage,
+		Size:                     int64(policy.MemoryMB) * 1024 * 1024,
+		Vcpus:                    policy.CPUs,
+		OverlaySize:              int64(policy.DiskSizeGB) * 1024 * 1024 * 1024,
+		DiskIOBps:                policy.DiskIOBps,
+		NetworkBandwidthDownload: policy.NetworkBandwidthDownload,
+		NetworkBandwidthUpload:   policy.NetworkBandwidthUpload,
+		NetworkEnabled:           networkEnabled,
 		Volumes: []instances.VolumeAttachment{
 			{
 				VolumeID:  sourceVolID,
diff --git a/lib/builds/types.go b/lib/builds/types.go
@@ -66,19 +66,40 @@ type CreateBuildRequest struct {
 	// ImageName optionally sets a custom image name for the build output.
 	// When set, the image is pushed to {registry}/{image_name} instead of {registry}/builds/{id}.
 	ImageName string `json:"image_name,omitempty"`
+
+	// Target specifies a target build stage for multi-stage Dockerfiles
+	Target string `json:"target,omitempty"`
+
+	// Platform specifies the target platform for cross-platform builds (e.g., "linux/amd64", "linux/arm64")
+	Platform string `json:"platform,omitempty"`
+
+	// NoCache disables build cache import (forces a fresh build)
+	NoCache bool `json:"no_cache,omitempty"`
 }
 
 // BuildPolicy defines resource limits and network policy for a build
 type BuildPolicy struct {
 	// TimeoutSeconds is the maximum build duration (default: 600)
 	TimeoutSeconds int `json:"timeout_seconds,omitempty"`
 
-	// MemoryMB is the memory limit for the builder VM (default: 2048)
+	// MemoryMB is the memory limit for the builder VM (default: 4096)
 	MemoryMB int `json:"memory_mb,omitempty"`
 
-	// CPUs is the number of vCPUs for the builder VM (default: 2)
+	// CPUs is the number of vCPUs for the builder VM (default: 4)
 	CPUs int `json:"cpus,omitempty"`
 
+	// DiskSizeGB is the overlay disk size for the builder VM (default: 20)
+	DiskSizeGB int `json:"disk_size_gb,omitempty"`
+
+	// DiskIOBps is the disk I/O rate limit in bytes/sec (default: 0 = auto)
+	DiskIOBps int64 `json:"disk_io_bps,omitempty"`
+
+	// NetworkBandwidthDownload is the download rate limit in bytes/sec (default: 0 = auto)
+	NetworkBandwidthDownload int64 `json:"network_bandwidth_download,omitempty"`
+
+	// NetworkBandwidthUpload is the upload rate limit in bytes/sec (default: 0 = auto)
+	NetworkBandwidthUpload int64 `json:"network_bandwidth_upload,omitempty"`
+
 	// NetworkMode controls network access during build
 	// "isolated" = no network, "egress" = outbound allowed
 	NetworkMode string `json:"network_mode,omitempty"`
@@ -166,6 +187,15 @@ type BuildConfig struct {
 
 	// ImageName optionally sets a custom image name for the build output.
 	ImageName string `json:"image_name,omitempty"`
+
+	// Target specifies a target build stage for multi-stage Dockerfiles
+	Target string `json:"target,omitempty"`
+
+	// Platform specifies the target platform for cross-platform builds (e.g., "linux/amd64", "linux/arm64")
+	Platform string `json:"platform,omitempty"`
+
+	// NoCache disables build cache import (forces a fresh build)
+	NoCache bool `json:"no_cache,omitempty"`
 }
 
 // BuildEvent represents a typed SSE event for build streaming
@@ -217,6 +247,7 @@ func DefaultBuildPolicy() BuildPolicy {
 		TimeoutSeconds: 600,  // 10 minutes
 		MemoryMB:       4096, // 4GB
 		CPUs:           4,
+		DiskSizeGB:     20, // 20GB overlay disk
 		NetworkMode:    "egress", // Allow outbound for dependency downloads
 	}
 }
@@ -233,6 +264,9 @@ func (p *BuildPolicy) ApplyDefaults() {
 	if p.CPUs == 0 {
 		p.CPUs = defaults.CPUs
 	}
+	if p.DiskSizeGB == 0 {
+		p.DiskSizeGB = defaults.DiskSizeGB
+	}
 	if p.NetworkMode == "" {
 		p.NetworkMode = defaults.NetworkMode
 	}
diff --git a/openapi.yaml b/openapi.yaml
