Add rootless container builds via Docker/Podman #419
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- update builder image Dockerfile
- copy project/repo content into container at build time
- explicitly changing owner:group to `builduser`
- explicitly create new `builduser` user and group
- this is explicitly used for Docker-based builds
- set `/builds` as the working directory
- add new `.dockerignore` file to exclude the same items as the
`.gitignore` file
- set Git `safe.directory` logic at system level
- update Makefile recipes
- add separate docker/podman variants of container-based project
build recipes
- each uses slightly different logic to achieve rootless
container execution
- explicitly emit the tool used to perform specific tasks
- this can be useful to help explain why a generated builder image
does not appear in the `docker image ls` output as a sysadmin
might expect (if it was instead built with the `docker` command)
- rename/remove the helper build recipe from the `help` recipe
output (not useful to call directly)
- to explicitly run the build container as the `builduser` user that
is created during build image generation when using Docker to
build/run containers (Podman uses different settings)
- to send `xz` compressed output to stdout, then redirect to a
target file
- this works around failures to `chmod` and `chgrp` the compressed
copy of input files when run within a non-root container
- to explicitly bind mount the `release_assets` path into
`/builds/release_assets` (using the same Makefile variable)
read/write (instead of relying on implied read/write access)
- to explicitly use `/builds` as the working directory
This collection of changes allows reliably building this project using
either Docker or Podman via a "rootless" container.
atc0005
added a commit
that referenced
this pull request
Mar 31, 2023
This was intended to be included along with the recent rootless container builds work. refs GH-419
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
builduserbuilduseruser and group/buildsas the working directory.dockerignorefile to exclude the same items as the.gitignorefilesafe.directorylogic at system leveldocker image lsoutput as a sysadmin might expect (if it was instead built with thedockercommand)helprecipe output (not useful to call directly)builduseruser that is created during build image generation when using Docker to build/run containers (Podman uses different settings)xzcompressed output to stdout, then redirect to a target filechmodandchgrpthe compressed copy of input files when run within a non-root containerrelease_assetspath into/builds/release_assets(using the same Makefile variable) read/write (instead of relying on implied read/write access)/buildsas the working directoryThis collection of changes allows reliably building this project using either Docker or Podman via a "rootless" container.