ci: Add a Containerfile-based workflow

This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. At a high level, the build process outputs a "nested container" - a container image with a `/nested.ociarchive` at the top level. Higher level build processes need not be aware of exactly how that `.ociarchive` is constructed (as it will definitely change in the future). In an ideal world of course we wouldn't need this "wrapped image" as it runs the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688 for that. Signed-off-by: Colin Walters <[email protected]>
cgwalters · Mar 23, 2024 · 06e1b52 · 06e1b52
1 parent 8238f08
commit 06e1b52
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 6 deletions.
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -13,10 +13,6 @@ jobs:
   build-image:
     runs-on: ubuntu-latest
 
-    container:
-      image: quay.io/centos-bootc/bootc-image-builder:latest
-      options: --privileged
-
     # Yes, this is a one-element matrix, but we may add c10s in the future soon
     strategy:
       matrix:
@@ -26,10 +22,35 @@ jobs:
             version: stream9
 
     steps:
+      - name: Update podman
+        run: |
+          # from https://askubuntu.com/questions/1414446/whats-the-recommended-way-of-installing-podman-4-in-ubuntu-22-04
+          ubuntu_version='22.04'
+          key_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}/Release.key"
+          sources_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}"
+          echo "deb $sources_url/ /" | sudo tee /etc/apt/sources.list.d/devel-kubic-libcontainers-unstable.list
+          curl -fsSL $key_url | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
+          sudo apt update
+          sudo apt install -y podman
+
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Build
         run: |
-          rpm-ostree compose image --format=ociarchive \
-          --initialize ${{ matrix.os }}-bootc.yaml dest.oci-archive
+          podman build --security-opt=label=disable --cap-add=all --device /dev/fuse \
+            -t localhost/${{ matrix.os }}-${{ matrix.version }}-bootc-wrapped -f Containerfile.${{ matrix.os }}-${{ matrix.version }}
+          #cat > Containerfile << EOF
+          #FROM quay.io/centos-bootc/centos-bootc:stream9
+          #RUN skopeo copy docker://quay.io/fedora/fedora:39 oci-archive:/nested.ociarchive
+          #EOF
+         # podman build -t localhost/${{ matrix.os }}-${{ matrix.version }}-bootc-wrapped .
+
+      - name: Extract wrapped archive
+        run: |
+          id=$(podman create --log-level=debug --entrypoint=/none localhost/${{ matrix.os }}-${{ matrix.version }}-bootc-wrapped:latest)
+          podman cp ${id}:nested.ociarchive .
+          skopeo copy oci-archive:nested.ociarchive containers-storage:localhost/${{ matrix.os }}-${{ matrix.version }}-bootc
+
+      - name: Run image
+        run: podman run --rm -ti localhost/${{ matrix.os }}-${{ matrix.version }}-bootc cat /etc/os-release
diff --git a/Containerfile.centos-stream9 b/Containerfile.centos-stream9
@@ -0,0 +1,52 @@
+# This container build will end up generating a *scratch* image
+# whose content is an .ociarchive of the real container.
+#
+# This container build uses nested containerization, so you must build with e.g.
+# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
+#
+# Once you have the desired image (e.g. localhost/c9s-bootc) you can then
+# extract the "wrapped" image however you like, among them:
+#
+# id=$(podman create localhost/c9s-bootc)
+# podman cp ${id} /nested.ociarchive .
+# podman rm ${id}
+#
+# Then you can e.g. `skopeo copy oci-archive:nested.ociarchive` to another place
+# such as containers-storage: (to run locally) or docker:// (to push to a remote registry).
+#
+# # Why are we doing this?
+#
+# Today this base image build process uses rpm-ostree.  There is a lot of things that
+# rpm-ostree does when generating a container image...but important parts include:
+#
+# - auto-updating labels in the container metadata
+# - Generating "chunked" content-addressed reproducible image layers (notice
+#   how there are ~60 layers in the generated image)
+#
+# The latter bit in particular is currently impossible to do from Containerfile.
+# A future goal is adding some support for this in a way that can be honored by
+# buildah (xref https://github.com/containers/podman/discussions/12605)
+#
+# # Why does this build process require additional privileges?
+#
+# Because it's generating a base image and uses containerization features itself.
+# In the future some of this can be lifted.
+
+FROM quay.io/centos/centos:stream9 as repos
+
+FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
+ARG VARIANT=centos
+COPY . /src
+WORKDIR /src
+COPY --from=repos /etc/dnf/vars /etc/dnf/vars
+COPY --from=repos /etc/yum.repos.d/centos.repo c9s.repo
+COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg
+# rpm-ostree doesn't honor /etc/dnf/vars right now
+RUN for n in $(ls /etc/dnf/vars); do v=$(cat /etc/dnf/vars/$n); sed -ie s,\$${n},$v, c9s.repo; done
+RUN --mount=type=cache,target=/workdir rpm-ostree compose image --cachedir=/workdir --format=ociarchive --initialize ${VARIANT}-bootc.yaml ${VARIANT}-bootc.ociarchive
+
+FROM quay.io/centos/centos:stream9
+# Standardize on this name so it's easy to find/extract
+COPY --from=builder /src/*-bootc.ociarchive /nested.ociarchive
+# For convenience - if executed, we copy the oci-archive to stdout
+CMD cat /nested.ociarchive