Podman-in-Podman image builds #2932
Replies: 3 comments 8 replies
-
I just figured that running the buildah container in the podman container is unnecessary. I'm going to update the initial post.
-
We can add this (and whatever else too of course, see e.g. #2019) to #316 once we've added this initially.
-
Example: Podman image build with sigstore signature checking and signing

This example shows how to build a container image with podman while verifying the base image and signing the resulting image. The image being pulled uses a keyless signature, while the image being built will be signed by a pre-generated private key.

Prerequisites

Generate signing keypair

You can use cosign or skopeo to generate the keypair. Using skopeo:

This command will generate a

Store the

Configure hosts pulling the resulting image

See here on how to configure the hosts pulling the built and signed image.

Repository structure

Consider the

Containerfile

The Containerfile refers to the base image that will be verified when pulled.
Woodpecker workflow

```yaml
steps:
  build:
    image: docker.io/library/golang:1.21
    pull: true
    commands:
      - make build
  publish:
    image: quay.io/podman/stable:latest
    # Caution: This image is built daily. It might fill up your image store quickly.
    pull: true
    # Fill in the trusted checkbox in Woodpecker's settings as well
    privileged: true
    commands:
      # Configure podman to use sigstore attachments for both the registry you pull from and the registry you push to.
      - |
        printf "docker:
          registry.gitlab.com:
            use-sigstore-attachments: true
          gcr.io:
            use-sigstore-attachments: true" >> /etc/containers/registries.d/default.yaml
      # At pull, check the keyless sigstore signature of the distroless image.
      # This is a very strict container policy: it only allows pulls from gcr.io/distroless. Every other registry will be rejected.
      # See https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md for more information.
      # fulcio CA crt obtained from https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/targets/fulcio_v1.crt.pem
      # rekor public key obtained from https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/targets/rekor.pub
      # crt/key data is base64 encoded. --> echo "$CERT" | base64
      - |
        printf '{
          "default": [
            {
              "type": "reject"
            }
          ],
          "transports": {
            "docker": {
              "gcr.io/distroless": [
                {
                  "type": "sigstoreSigned",
                  "fulcio": {
                    "caData": "LS0tLS1CRUdJTiBDR...QVRFLS0tLS0K",
                    "oidcIssuer": "https://accounts.google.com",
                    "subjectEmail": "keyless@distroless.iam.gserviceaccount.com"
                  },
                  "rekorPublicKeyData": "LS0tLS1CRUdJTiBQVUJ...lDIEtFWS0tLS0tCg==",
                  "signedIdentity": { "type": "matchRepository" }
                }
              ]
            },
            "docker-daemon": {
              "": [
                {
                  "type": "reject"
                }
              ]
            }
          }
        }' > /etc/containers/policy.json
      # Use this key to sign the built image at push.
      - echo "$SIGSTORE_PRIVATE_KEY" > key.private
      # Login at the registry
      - echo $REGISTRY_LOGIN_TOKEN | podman login -u <username> --password-stdin registry.gitlab.com
      # Build the container image
      - podman build --tag registry.gitlab.com/<namespace>/<repository_name>/<image_name>:latest .
      # Sign and push the image
      - podman push --sign-by-sigstore-private-key ./key.private registry.gitlab.com/<namespace>/<repository_name>/<image_name>:latest
    secrets: [sigstore_private_key, registry_login_token]
```
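The comment above only points at how the hosts that pull the signed image must be configured. The script below is an added example of that consumer-side setup; it is not from the discussion or from the Woodpecker or podman projects. It assumes hypothetical values: the signed images live under `registry.gitlab.com/<namespace>`, the pipeline's public key is installed on the pulling host at `/etc/pki/containers/pipeline-sigstore.pub`, and the files are written under a configurable root so the output can be inspected in a scratch directory before touching `/etc/containers` on a real host.

```shell
#!/bin/sh
# Added example, not code from the discussion above.
# Consumer-side sigstore policy: a host rejects every image except those under
# the signed repository prefix, and those only when the sigstore signature
# verifies against the pipeline's public key and names that repository.
# Hypothetical values: registry.gitlab.com/<namespace> as the signed prefix and
# /etc/pki/containers/pipeline-sigstore.pub as the installed public key.
set -eu

# Generate the keypair the pipeline signs with (skopeo 1.10+ syntax). Only
# runs where skopeo is installed; the passphrase file keeps it non-interactive.
generate_signing_key() {
    prefix=$1     # e.g. ./pipeline-sigstore -> pipeline-sigstore.pub / .private
    passfile=$2   # file holding the passphrase for the private key
    command -v skopeo >/dev/null 2>&1 || { echo "skopeo not installed" >&2; return 1; }
    skopeo generate-sigstore-key --output-prefix "$prefix" --passphrase-file "$passfile"
}

# Write policy.json and the registries.d fragment under $root
# (use / on a real host, a scratch directory to preview the result).
write_consumer_policy() {
    root=$1
    repo_prefix=$2              # e.g. registry.gitlab.com/<namespace>
    pubkey=$3                   # path of the .pub file on the pulling host
    registry=${repo_prefix%%/*} # registry host part of the prefix

    mkdir -p "$root/etc/containers/registries.d"

    # Reject by default; accept the signed prefix only with a valid sigstore
    # signature. matchRepository also pins the signed name to the pulled one,
    # so a signed image cannot be re-tagged into another repository.
    cat > "$root/etc/containers/policy.json" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$repo_prefix": [
        {
          "type": "sigstoreSigned",
          "keyPath": "$pubkey",
          "signedIdentity": { "type": "matchRepository" }
        }
      ]
    }
  }
}
EOF

    # Tell podman to fetch the signature as a sigstore attachment from the
    # registry; without this it would look for a separate lookaside store.
    cat > "$root/etc/containers/registries.d/$registry.yaml" <<EOF
docker:
  $registry:
    use-sigstore-attachments: true
EOF
}

# Sanity check: both files exist and carry the settings the pull relies on.
check_consumer_policy() {
    root=$1
    registry=$2
    grep -q '"type": "sigstoreSigned"' "$root/etc/containers/policy.json" &&
    grep -q 'use-sigstore-attachments: true' "$root/etc/containers/registries.d/$registry.yaml"
}

# Demo into a scratch directory so the script runs without touching the host.
demo_root=$(mktemp -d)
write_consumer_policy "$demo_root" "registry.gitlab.com/<namespace>" "/etc/pki/containers/pipeline-sigstore.pub"
check_consumer_policy "$demo_root" registry.gitlab.com
cat "$demo_root/etc/containers/policy.json"
```

Run it with root set to `/` on the pulling host and `podman pull` of anything outside the prefix, or of an image whose signature does not verify, fails with a policy error. If the key was generated with a passphrase, the pipeline's `podman push` additionally needs `--sign-passphrase-file` pointing at that passphrase.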
-
I run Woodpecker CI with podman backend instead of docker and just figured out how to build images with buildah. Since I couldn't find this documented anywhere I thought I might as well just share it here.
It's actually pretty straightforward. Here's what my repository structure looks like:
As you can see I'm building a roundcube mail image.
This is the `.woodpecker/.build_roundcube.yml`:
As you can see I'm using this workflow over at gitlab.com. It should work with GitHub as well after adjusting the registry login.
You may have to adjust the `when:` to your needs. Furthermore, you must check the `trusted` checkbox in project settings. Therefore be sure to run trusted code only in this setup.
This seems to work fine so far. I wonder if anybody else made this work a different way.
EDIT: Removed the additional step that would run buildah in a podman container. I didn't know it could be that easy to be honest.