ci: Add a Containerfile-based workflow #446
Also to make this really work we need to modify the Konfux pipelines, which I think will best be done with a new "buildah-nested" variant of https://github.com/redhat-appstudio/build-definitions/blob/main/task/buildah/0.1/buildah.yaml that knows how to extract the
(force-pushed from 083c80e to 06e1b52)
This is pretty cool. FWIW, I got this to work without any nesting:

```dockerfile
FROM quay.io/centos/centos:stream9 as repos
FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
ARG MANIFEST=centos-stream-9.yaml
# XXX: we should just make sure our in-tree c9s repo points to the c9s paths and doesn't require vars to avoid these steps entirely
COPY --from=repos /etc/dnf/vars /etc/dnf/vars
COPY --from=repos /etc/yum.repos.d/centos.repo c9s.repo
COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg
# rpm-ostree doesn't honor /etc/dnf/vars right now, so substitute each $var in the repo file
# (-i -e rather than -ie: GNU sed reads -ie as an in-place edit with backup suffix "e")
RUN for n in $(ls /etc/dnf/vars); do v=$(cat /etc/dnf/vars/$n); sed -i -e s,\$${n},$v, c9s.repo; done
RUN --mount=type=cache,target=/workdir --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image --cachedir=/workdir --format=ociarchive --initialize /buildcontext/${MANIFEST} /buildcontext/out.ociarchive
FROM oci-archive:./out.ociarchive
# Need to reference builder here to force ordering. But since we have to run
# something anyway, we might as well cleanup after ourselves.
RUN --mount=type=bind,from=builder,src=.,target=/var/tmp --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.ociarchive
```

I think if we went this route as the way to build things, we should probably just fix up the c9s repos to simplify this even further.
(force-pushed from 06e1b52 to 21269db)
Thanks so much for looking at this...it'd be really really useful if we can avoid the nested output! But that doesn't work for me, I get:
Though that's with podman on MacOS:
and maybe there's something special to podman-machine/podman-remote here....ah indeed, it works for me directly on
Neat! But...ugh this clashes badly with our need for having the container in a podman-machine VM to do privileged code execution to make disk images. Hmm...maybe we need to take this to a podman issue. But, supporting this outside of a podman-machine would be extremely useful to use for our production builds. OK...I've updated the PR with your changes, let's see if the GHA can successfully build.
(force-pushed from 21269db to ecf25f7)
Nice, looks like GHA built it.
LGTM overall, though looks like the commit message still references the previous wrapping approach.
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more.

We use a special trick specific to podman/buildah to do `FROM oci-archive` on an oci-archive that was built in a previous image stage. This lets us do things not possible in a Containerfile that is basically about total control over the image layers:

- Output content-addressed reproducible "chunked" layers
- Choose whether or not to use zstd for layers

See discussion in e.g. coreos/rpm-ostree#4688

Signed-off-by: Colin Walters <walters@verbum.org>
(force-pushed from ecf25f7 to 257c791)
Fixed, thanks!

@lmilbaum please check this out when you get a second
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more.

At a high level, the build process outputs a "nested container" - a container image with a `/nested.ociarchive` at the top level. Higher level build processes need not be aware of exactly how that `.ociarchive` is constructed (as it will definitely change in the future).

In an ideal world of course we wouldn't need this "wrapped image" as it ruins the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688 for that.
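Whichever variant lands, the stage (or Konflux task) that consumes the `.ociarchive`, either via `FROM oci-archive:./out.ociarchive` or by extracting `/nested.ociarchive` from the wrapper image, is trusting a tarball that came out of an earlier build step. The check below is an added example, not code from this PR or from rpm-ostree: it walks `index.json` to the manifest, config and layer blobs of an OCI archive and verifies that each blob's bytes match its recorded sha256 digest, the property that makes the "content-addressed" layers meaningful. The archive it runs on is a constructed in-memory sample; function names and the sample contents are assumptions, not anything from the project.

```python
import hashlib, io, json, tarfile

def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def read_blob(tf: tarfile.TarFile, digest: str) -> bytes:
    """Fetch blobs/sha256/<hex> (KeyError if absent) and refuse it unless its bytes hash to the digest."""
    data = tf.extractfile("blobs/" + digest.replace(":", "/", 1)).read()
    if sha256_digest(data) != digest:  # only sha256 digests are handled here
        raise ValueError(f"digest mismatch for {digest}")
    return data

def verify_oci_archive(fileobj) -> list:
    """Walk index.json -> manifest -> config/layers, checking every blob's digest against its content."""
    verified = []
    with tarfile.open(fileobj=fileobj, mode="r:") as tf:
        index = json.loads(tf.extractfile("index.json").read())
        for desc in index["manifests"]:
            manifest = json.loads(read_blob(tf, desc["digest"]))
            layers = [layer["digest"] for layer in manifest["layers"]]
            for digest in [manifest["config"]["digest"]] + layers:
                read_blob(tf, digest)
            verified.append({"manifest": desc["digest"], "config": manifest["config"]["digest"], "layers": layers})
    return verified

def archive_is_valid(fileobj) -> bool:
    try:  # gate for a build step: consume the archive only when every digest checks out
        verify_oci_archive(fileobj)
        return True
    except (ValueError, KeyError):
        return False

def build_sample_archive(tamper: bool = False) -> io.BytesIO:
    """Constructed sample, not real compose output: one-layer oci-archive in memory; tamper=True corrupts the layer blob."""
    layer = b"constructed-layer-bytes"
    config = json.dumps({"architecture": "x86_64", "os": "linux"}).encode()
    manifest = json.dumps({"schemaVersion": 2, "config": {"digest": sha256_digest(config)},
                           "layers": [{"digest": sha256_digest(layer)}]}).encode()
    index = json.dumps({"schemaVersion": 2, "manifests": [{"digest": sha256_digest(manifest)}]}).encode()
    entries = [("oci-layout", b'{"imageLayoutVersion": "1.0.0"}'), ("index.json", index),
               ("blobs/sha256/" + sha256_digest(manifest)[7:], manifest),
               ("blobs/sha256/" + sha256_digest(config)[7:], config),
               ("blobs/sha256/" + sha256_digest(layer)[7:], b"tampered-layer-bytes" if tamper else layer)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())
```

On a real archive, open the file in binary mode and pass it where the sample `BytesIO` is passed; a layer whose bytes were modified after the manifest was written, or a missing blob, fails the gate.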