Ensure support for building base images via Dockerfile #4688
Comments
|
Note that rpm-ostree constructs the full OCI structure including layers on its own, that's the reason we want it to stay in control here. |
|
Can you be more specific about which part breaks or is a hypothetical? Is it a privilege limitation, or that the second stage is attempting to use, as its base, an archive file from an earlier stage, or something else I'm not spotting? |
This. |
|
I don't think that's something the Dockerfile syntax really provides a way to express, but we treat the FROM argument loosely enough that, using RUN --mount to force the first stage to be built before the second when when it would otherwise be skipped or not necessarily be built in the desired order, you could get most of the way there: ARG BUILDCONTEXT=.
FROM quay.io/centos-boot/builder as builder
RUN --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rpm-ostree compose image --format=ociarchive --initialize manifest.yaml /buildcontext/test.ociarchive
FROM oci-archive:${BUILDCONTEXT}/test.ociarchive
RUN --mount=type=bind,from=builder,src=.,target=/var/tmp :You'd have to build with |
|
This is super interesting and has ramifications beyond wrapping rpm-ostree base image building. It means we could provide alternative ways to build container images while still being compatible with the builders out there that support this by using a Dockerfile stub behind-the-scenes. So then we could have the concept of "builder images" similar in some ways to Buildpack (or OpenShift's S2I). Would it make sense to formalize it a bit so you don't have to play tricks to force ordering or require a For direct CLI usage, we could have a UX like where it would pass the place to output the OCI archive to the builder image via a build arg. |
|
I think I need to stress the "off the beaten path" nature of this. Adding affordances for it would imply a certain level of encouragement, and I'm not sure we want to sign up for that when the standard advice for jobs that can't be done with a Dockerfile is to use buildah's other commands. |
|
@nalind Yes. However one problem this solves is basically that saying "use buildah" opens up the big question of "which buildah from where" - Obviously one can encode tooling using buildah in things like Github Actions, Tekton pipelines etc. etc. But I can't |
|
So @nalind I was playing around with this again, trying to minimize your example to e.g.: Trying to build that I hit: And yeah, it works with So there must be some magic missing. |
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. At a high level, the build process outputs a "nested container" - a container image with a `/nested.ociarchive` at the top level. Higher level build processes need not be aware of exactly how that `.ociarchive` is constructed (as it will definitely change in the future). In an ideal world of course we wouldn't need this "wrapped image" as it runs the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688 for that. Signed-off-by: Colin Walters <[email protected]>
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. At a high level, the build process outputs a "nested container" - a container image with a `/nested.ociarchive` at the top level. Higher level build processes need not be aware of exactly how that `.ociarchive` is constructed (as it will definitely change in the future). In an ideal world of course we wouldn't need this "wrapped image" as it runs the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688 for that. Signed-off-by: Colin Walters <[email protected]>
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. At a high level, the build process outputs a "nested container" - a container image with a `/nested.ociarchive` at the top level. Higher level build processes need not be aware of exactly how that `.ociarchive` is constructed (as it will definitely change in the future). In an ideal world of course we wouldn't need this "wrapped image" as it runs the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688 for that. Signed-off-by: Colin Walters <[email protected]>
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. At a high level, the build process outputs a "nested container" - a container image with a `/nested.ociarchive` at the top level. Higher level build processes need not be aware of exactly how that `.ociarchive` is constructed (as it will definitely change in the future). In an ideal world of course we wouldn't need this "wrapped image" as it runs the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688 for that. Signed-off-by: Colin Walters <[email protected]>
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. At a high level, the build process outputs a "nested container" - a container image with a `/nested.ociarchive` at the top level. Higher level build processes need not be aware of exactly how that `.ociarchive` is constructed (as it will definitely change in the future). In an ideal world of course we wouldn't need this "wrapped image" as it runs the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688 for that. Signed-off-by: Colin Walters <[email protected]>
This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. We use a special trick specific to podman/buildah to do `FROM oci-archive` on an oci-archive that was built in a previous image stage. This lets us do things not possible in a Containerfile that is basically about total control over the image layers: - Output content-addressed reproducible "chunked" layers - Choose whether or not to use zstd for layers See discussion in e.g. coreos/rpm-ostree#4688 Signed-off-by: Colin Walters <[email protected]>
A |
|
Hmm, actually the problem seems to be that this flow doesn't work with podman-remote (which isn't surprising I guess given the subtleties). I was trying those original commands on MacOS. OK so...as you say, it seems like this support is not really documented really other than implicitly/indirectly via this statement in the buildah changelog:
I'm not finding many tests for it either. So...I guess we're looping back to
But the problem is there's just so much code that expects, processes, and operates on Containerfile. Would you be OK with patches adding some docs and tests for this and hence committing to supporting it? |
That'd ensure that breaking those use cases would be intentional rather than accidental, which I'm on board with. Keep in mind that I don't expect other tools that accept Dockerfiles to support this sort of thing -- we get it for relatively little work by having containers/image do most of the heavy lifting. |
It'd be nice if something like this worked:
There's hints it is supposed to per https://github.com/openshift/os/blob/master/docs/rhcos-oci-braindump.md but I'm not seeing anything show up in the build context, the build fails very quickly on a nonexistent dir.
Now obviously we can break this into multiple containers per that doc, but that means the build is no longer just
podman build.The text was updated successfully, but these errors were encountered: