ci: Add a Containerfile-based workflow

This is a small but notable step towards making the build process more container native. The rpm-ostree bits are hidden much more. At a high level, the build process outputs a "nested container" - a container image with a `/nested.ociarchive` at the top level. Higher level build processes need not be aware of exactly how that `.ociarchive` is constructed (as it will definitely change in the future). In an ideal world of course we wouldn't need this "wrapped image" as it runs the ergonomics. See discussion in e.g. coreos/rpm-ostree#4688 for that. Signed-off-by: Colin Walters <[email protected]>
cgwalters · Mar 23, 2024 · 81aa4e4 · 81aa4e4
1 parent 8238f08
commit 81aa4e4
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 6 deletions.
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -13,10 +13,6 @@ jobs:
   build-image:
     runs-on: ubuntu-latest
 
-    container:
-      image: quay.io/centos-bootc/bootc-image-builder:latest
-      options: --privileged
-
     # Yes, this is a one-element matrix, but we may add c10s in the future soon
     strategy:
       matrix:
@@ -26,10 +22,30 @@ jobs:
             version: stream9
 
     steps:
+      - name: Update podman
+        run: |
+          # from https://askubuntu.com/questions/1414446/whats-the-recommended-way-of-installing-podman-4-in-ubuntu-22-04
+          ubuntu_version='22.04'
+          key_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}/Release.key"
+          sources_url="https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_${ubuntu_version}"
+          echo "deb $sources_url/ /" | sudo tee /etc/apt/sources.list.d/devel-kubic-libcontainers-unstable.list
+          curl -fsSL $key_url | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_unstable.gpg > /dev/null
+          sudo apt update
+          sudo apt install -y podman
+
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Build
         run: |
-          rpm-ostree compose image --format=ociarchive \
-          --initialize ${{ matrix.os }}-bootc.yaml dest.oci-archive
+          podman build --security-opt=label=disable --cap-add=all --device /dev/fuse \
+            -t localhost/${{ matrix.os }}-${{ matrix.version }}-bootc-wrapped -f Containerfile.${{ matrix.os }}-${{ matrix.version }}
+
+      - name: Extract wrapped archive
+        run: |
+          id=$(podman create --entrypoint=/none localhost/${{ matrix.os }}-${{ matrix.version }}-bootc-wrapped)
+          podman cp ${id}/nested.ociarchive .
+          skopeo copy oci-archive:nested.ociarchive containers-storage:localhost/${{ matrix.os }}-${{ matrix.version }}-bootc
+
+      - name: Run image
+        run: podman run --rm -ti localhost/${{ matrix.os }}-${{ matrix.version }}-bootc cat /etc/os-release
diff --git a/Containerfile.centos-stream9 b/Containerfile.centos-stream9
@@ -0,0 +1,34 @@
+# This container build will end up generating a *scratch* image
+# whose content is an .ociarchive of the real container.
+# 
+# This container build uses nested containerization, so you must build with e.g.
+# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
+#
+# Once you have the desired image (e.g. localhost/c9s-bootc) you can then
+# extract the "wrapped" image however you like, among them:
+# 
+# id=$(podman create localhost/c9s-bootc)
+# podman cp ${id} /nested.ociarchive .
+# podman rm ${id}
+# 
+# Then you can e.g. `skopeo copy oci-archive:nested.ociarchive` to another place
+# such as containers-storage: (to run locally) or docker:// (to push to a remote registry).
+
+FROM quay.io/centos/centos:stream9 as repos
+
+FROM quay.io/centos-bootc/bootc-image-builder:latest as builder
+ARG VARIANT=centos
+COPY . /src
+WORKDIR /src
+COPY --from=repos /etc/dnf/vars /etc/dnf/vars
+COPY --from=repos /etc/yum.repos.d/centos.repo c9s.repo
+COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial /etc/pki/rpm-gpg
+# rpm-ostree doesn't honor /etc/dnf/vars right now
+RUN for n in $(ls /etc/dnf/vars); do v=$(cat /etc/dnf/vars/$n); sed -ie s,\$${n},$v, c9s.repo; done
+RUN --mount=type=cache,target=/workdir rpm-ostree compose image --cachedir=/workdir --format=ociarchive --initialize ${VARIANT}-bootc.yaml ${VARIANT}-bootc.ociarchive
+
+FROM quay.io/centos/centos:stream9
+# Standardize on this name so it's easy to find/extract
+COPY --from=builder /src/*-bootc.ociarchive /nested.ociarchive
+# For convenience - if executed, we copy the oci-archive to stdout
+CMD cat /nested.ociarchive