verily-src · tuckduck · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026
@@ -5,7 +5,7 @@
   "shutdownAction": "none",
   "workspaceFolder": "/workspace",
   "postCreateCommand":
-    "./startupscript/post-startup.sh abc /config \"${templateOption:cloud}\" \"${templateOption:login}\"",
+    "./startupscript/post-startup.sh abc /config \"${templateOption:cloud}\" \"${templateOption:login}\"; bash ./create-cortex-config.sh /config; bash ./install-cortex-cli.sh",
   // re-mount bucket files on container start up
   "postStartCommand": [
     "./startupscript/remount-on-restart.sh",

@@ -56,21 +56,20 @@ RUN wget https://go.dev/dl/go1.23.5.linux-amd64.tar.gz && \
     rm go1.23.5.linux-amd64.tar.gz
 
 # Install gh (GitHub CLI version 2.86.0)
-RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
-    chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg && \
-    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
-    apt-get update && \
-    apt-get install -y gh=2.86.0 && \
-    rm -rf /var/lib/apt/lists/*
+ARG GH_CLI_VERSION=2.86.0
+RUN curl -L "https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.tar.gz" -o gh.tar.gz && \
+    tar -xzf gh.tar.gz && \
+    mv gh_${GH_CLI_VERSION}_linux_amd64/bin/gh /usr/local/bin/ && \
+    rm -rf gh.tar.gz gh_${GH_CLI_VERSION}_linux_amd64
 
 # Install uv (Python package manager version 0.9.27)
 RUN curl -LsSf https://astral.sh/uv/0.9.27/install.sh | sh && \
     mv $HOME/.local/bin/uv /usr/local/bin/ && \
     mv $HOME/.local/bin/uvx /usr/local/bin/
 
 # Set up environment variables
-ENV PATH="/usr/local/go/bin:${PATH}"
 ENV GOPATH="/config/go"
+ENV PATH="/usr/local/go/bin:${GOPATH}/bin:${PATH}"
 ENV GOPRIVATE="github.com/verily-src/*"
 ENV SUDO_PASSWORD="pwd"
 

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+# create-cortex-config.sh
+#
+# Creates cortex.yaml configuration file in the container user's home directory
+# This script runs inside the container and attempts to retrieve GCP metadata
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Wait for metadata server to be ready
+echo "Waiting 5 seconds for metadata server to be ready..."
+sleep 5
+
+if [[ $# -ne 1 ]]; then
+  echo "Usage: $0 <home-directory>"
+  exit 1
+fi
+
+readonly HOME_DIR="${1}"
+readonly CORTEX_CONFIG_PATH="${HOME_DIR}/cortex.yaml"
+
+echo "Creating cortex.yaml configuration..."
+
+# Try to get GCP project ID from metadata server
+# Note: This may not work from inside the container depending on network configuration
+GCP_PROJECT_ID=""
+GCP_REGION=""
+
+if GCP_PROJECT_ID=$(curl --retry 3 --max-time 5 -s -f \
+  -H "Metadata-Flavor: Google" \
+  "http://metadata.google.internal/computeMetadata/v1/project/project-id" 2>/dev/null); then
+  echo "Successfully retrieved GCP project ID: ${GCP_PROJECT_ID}"
+
+  # Also try to get the region
+  if ZONE=$(curl --retry 3 --max-time 5 -s -f \
+    -H "Metadata-Flavor: Google" \
+    "http://metadata.google.internal/computeMetadata/v1/instance/zone" 2>/dev/null); then
+    GCP_REGION=$(echo "${ZONE}" | awk -F'/' '{print $4}' | sed 's/-[^-]*$//')
+    echo "Successfully retrieved GCP region: ${GCP_REGION}"
+  fi
+else
+  echo "Warning: Could not retrieve GCP project ID from metadata server"
+  echo "The metadata server may not be accessible from inside the container"
+
+  # Check if gcloud is available and authenticated as a fallback
+  if command -v gcloud &> /dev/null; then
+    if GCP_PROJECT_ID=$(gcloud config get-value project 2>/dev/null) && [[ -n "${GCP_PROJECT_ID}" ]]; then
+      echo "Retrieved project ID from gcloud config: ${GCP_PROJECT_ID}"
+      GCP_REGION=$(gcloud config get-value compute/region 2>/dev/null || echo "")
+    fi
+  fi
+fi
+
+# Create the cortex.yaml file
+if [[ -n "${GCP_PROJECT_ID}" ]]; then
+  cat > "${CORTEX_CONFIG_PATH}" << EOF
+# Cortex configuration
+# Generated on $(date -u +"%Y-%m-%d %H:%M:%S UTC")
+gcp_project_id: ${GCP_PROJECT_ID}
+gcp_region: ${GCP_REGION:-UNKNOWN}
+profiles_repo: shared-artifacts-a2hhlz
+EOF
+
+  echo "cortex.yaml created successfully at ${CORTEX_CONFIG_PATH}"
+  cat "${CORTEX_CONFIG_PATH}"
+else
+  echo "Warning: Could not determine GCP project ID"
+  echo "Creating cortex.yaml with placeholder values"
+  cat > "${CORTEX_CONFIG_PATH}" << EOF
+# Cortex configuration
+# Generated on $(date -u +"%Y-%m-%d %H:%M:%S UTC")
+# WARNING: Could not automatically determine GCP project ID
+gcp_project_id: "UNKNOWN"
+gcp_region: "UNKNOWN"
+profiles_repo: shared-artifacts-a2hhlz
+# Please update this file with the correct values
+EOF
+  echo "cortex.yaml created with placeholder at ${CORTEX_CONFIG_PATH}"
+fi
+
+# Ensure proper ownership
+if [[ -f "${CORTEX_CONFIG_PATH}" ]]; then
+  chmod 644 "${CORTEX_CONFIG_PATH}"
+fi
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# install-cortex-cli.sh
+#
+# Installs cortex-cli from the verily1 monorepo if it exists
+# This script runs inside the container after the postCreateCommand
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+echo "Checking for verily1 monorepo..."
+
+# Check multiple possible locations for verily1 repo
+VERILY1_PATH=""
+for path in "/workspace/repos/verily1" "/config/repos/verily1" "$HOME/repos/verily1"; do
+  if [[ -d "${path}" ]]; then
+    VERILY1_PATH="${path}"
+    break
+  fi
+done
+
+if [[ -z "${VERILY1_PATH}" ]]; then
+  echo "verily1 repository not found in any of the expected locations:"
+  echo "  - /workspace/repos/verily1"
+  echo "  - /config/repos/verily1"
+  echo "  - \$HOME/repos/verily1"
+  echo "Skipping cortex-cli installation"
+  exit 0
+fi
+
+readonly VERILY1_PATH
+
+echo "Found verily1 repository at ${VERILY1_PATH}"
+
+# Verify Go is installed
+if ! command -v go &> /dev/null; then
+  echo "Error: Go is not installed or not in PATH"
+  exit 1
+fi
+
+echo "Go version: $(go version)"
+
+# Set up Go environment if not already set
+export GOPATH="${GOPATH:-/config/go}"
+export PATH="${PATH}:${GOPATH}/bin"
+
+echo "GOPATH: ${GOPATH}"
+echo "Installing cortex-cli..."
+
+# Navigate to verily1 and install cortex-cli
+cd "${VERILY1_PATH}"
+
+if [[ ! -d "cortex/tools/cortex-cli" ]]; then
+  echo "Error: cortex-cli source not found at cortex/tools/cortex-cli"
+  exit 1
+fi
+
+# Install cortex-cli as user abc (where SSH keys are configured)
+# Use the same pattern as post-startup.sh: sudo -u USER bash -l -c
+echo "Installing cortex-cli as user abc (root doesn't have SSH keys)..."
+echo "GOPATH is set to: ${GOPATH}"
+echo "Running go install with verbose output..."
+
+# Use sudo instead of su - matches the RUN_AS_LOGIN_USER pattern from post-startup.sh
+if sudo -u abc bash -l -c "cd ${VERILY1_PATH} && export GOPATH=${GOPATH} && export PATH=/usr/local/go/bin:${GOPATH}/bin:\$PATH && go install -v ./cortex/tools/cortex-cli"; then
+  echo "cortex-cli installed successfully to ${GOPATH}/bin/cortex-cli"
+
+  # Verify installation
+  if [[ -f "${GOPATH}/bin/cortex-cli" ]]; then
+    echo "Verifying cortex-cli installation..."
+    "${GOPATH}/bin/cortex-cli" --help || echo "cortex-cli binary exists but --help failed"
+  else
+    echo "Warning: cortex-cli binary not found at expected location ${GOPATH}/bin/cortex-cli"
+    echo "Checking if it installed elsewhere..."
+    find /config -name "cortex-cli" 2>/dev/null || echo "cortex-cli not found in /config"
+  fi
+else
+  EXIT_CODE=$?
+  echo "Error: Failed to install cortex-cli (exit code: ${EXIT_CODE})"
+  echo "Error output should be visible above"
+  exit 1
+fi
+
+echo "cortex-cli installation complete"