ci: Add a Containerfile-based workflow #446
Conversation
|
Also to make this really work we need to modify the Konfux pipelines, which I think will best be done with a new "buildah-nested" variant of https://github.com/redhat-appstudio/build-definitions/blob/main/task/buildah/0.1/buildah.yaml that knows how to extract the |
cgwalters
force-pushed
the
weird-dockerfile
branch
from
083c80e
to
06e1b52
Compare
|
This is pretty cool. FWIW, I got this to work without any nesting: FROM quay.io/centos/centos:stream9 as repos
FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
ARG MANIFEST=centos-stream-9.yaml
# XXX: we should just make sure our in-tree c9s repo points to the c9s paths and doesn't require vars to avoid these steps entirely
COPY --from=repos /etc/dnf/vars /etc/dnf/vars
COPY --from=repos /etc/yum.repos.d/centos.repo c9s.repo
COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg
# rpm-ostree doesn't honor /etc/dnf/vars right now
RUN for n in $(ls /etc/dnf/vars); do v=$(cat /etc/dnf/vars/$n); sed -ie s,\$${n},$v, c9s.repo; done
RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image --cachedir=/workdir --format=ociarchive --initialize /buildcontext/${MANIFEST} /buildcontext/out.ociarchive
FROM oci-archive:./out.ociarchive
# Need to reference builder here to force ordering. But since we have to run
# something anyway, we might as well cleanup after ourselves.
RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchiveI think if we went this route as the way to build things, we should probably just fix up the c9s repos to simplify this even further. |
cgwalters
force-pushed
the
weird-dockerfile
branch
from
06e1b52
to
21269db
Compare
|
Thanks so much for looking at this...it'd be really really useful if we can avoid the nested output! But that doesn't work for me, I get: Though that's with podman on MacOS: and maybe there's something special to podman-machine/podman-remote here....ah indeed, it works for me directly on Neat! But...ugh this clashes badly with our need for having the container in a podman-machine VM to do privileged code execution to make disk images. Hmm...maybe we need to take this to a podman issue. But, supporting this outside of a podman-machine would be extremely useful to use for our production builds. OK...I've updated the PR with your changes, let's see if the GHA can successfully build. |
cgwalters
force-pushed
the
weird-dockerfile
branch
from
21269db
to
ecf25f7
Compare
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. We use a special trick specific to podman/buildah to do `FROM oci-archive` on an oci-archive that was built in a previous image stage. This lets us do things not possible in a Containerfile that is basically about total control over the image layers: - Output content-addressed reproducible "chunked" layers - Choose whether or not to use zstd for layers See discussion in e.g. coreos/rpm-ostree#4688 Signed-off-by: Colin Walters <walters@verbum.org>
cgwalters
force-pushed
the
weird-dockerfile
branch
from
ecf25f7
to
257c791
Compare
Fixed, thanks! |
|
@lmilbaum please check this out when you get a second |
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. At a high level, the build process outputs a "nested container" - a container image with a
/nested.ociarchiveat the top level.Higher level build processes need not be aware of exactly how that
.ociarchiveis constructed (as it will definitely change in the future).In an ideal world of course we wouldn't need this "wrapped image" as it runs the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688
for that.