Produce x86_64 & ARM64 fedora container images
At the time of this commit, podman's Makefile has a target to allow
validating code changes locally (`validatepr`).  However, it's based
on a bespoke image completely unassociated with the image used in CI.
This can easily lead to a situation where validation passes in the local
environment but fails in CI.  Support the podman `validatepr` target's
use of `quay.io/libpod/fedora_podman:latest` images by performing
a manifest-list build that includes `arm64` (a.k.a. `aarch64`).

The trade-off here is image build-time, since emulation is
extremely slow (over an hour).  Therefore, the `container_images` CI
task has also been removed as a dependency from `base_images` CI task,
allowing them to run in parallel.

Note: This will not impact pulling the image, since the client always
only pulls the layers necessary for the indicated architecture.

Signed-off-by: Chris Evich <[email protected]>
cevich committed Aug 20, 2024
1 parent fc75a1a commit 0b53866
Showing 3 changed files with 19 additions and 7 deletions.
12 changes: 7 additions & 5 deletions .cirrus.yml
Expand Up @@ -65,19 +65,20 @@ image_builder_task:
type: application/json


container_images_task: &container_images
container_images_task:
alias: "container_images"
only_if: *is_pr
skip: *ci_docs_tooling
depends_on:
- image_builder
timeout_in: &cntr_timeout 40m
timeout_in: 120m # emulation is very slow
gce_instance: &ibi_vm
image_project: "libpod-218412"
# Trust whatever was built most recently is functional
image_family: "image-builder"
zone: "us-central1-a"
disk: 200 # Must be 200, negatively affects performance otherwise.
type: "c2d-standard-4" # Extra muscle needed for multi-arch emulation
matrix:
- name: &name "Build ${TARGET_NAME} container"
env:
Expand All @@ -102,7 +103,9 @@ container_images_task: &container_images
# For $REGPFX namespace, select FQINs only.
REG_USERNAME: ENCRYPTED[df4efe530b9a6a731cfea19233e395a5206d24dfac25e84329de035393d191e94ead8c39b373a0391fa025cab15470f8]
REG_PASSWORD: ENCRYPTED[255ec05057707c20237a6c7d15b213422779c534f74fe019b8ca565f635dba0e11035a034e533a6f39e146e7435d87b5]
script: ci/make_container_images.sh;
script: |
podman run --rm --privileged mirror.gcr.io/multiarch/qemu-user-static:latest --reset -p yes
ci/make_container_images.sh
package_cache: &package_cache
folder: "/var/tmp/automation_images_tmp/.cache/**"
fingerprint_key: "${TARGET_NAME}-cache-version-1"
Expand All @@ -117,7 +120,7 @@ imgts_build_task:
skip: &ci_docs $CIRRUS_CHANGE_TITLE =~ '.*CI:DOCS.*'
depends_on:
- image_builder
timeout_in: *cntr_timeout
timeout_in: &cntr_timeout 40m
gce_instance: *ibi_vm
env: *image_env
script: |
Expand Down Expand Up @@ -159,7 +162,6 @@ base_images_task:
only_if: *is_pr
skip: *ci_docs_tooling
depends_on:
- container_images
- image_builder
# Packer needs time to clean up partially created VM images
auto_cancellation: $CI != "true"
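Review bot: The new first line of `script:` in `container_images_task` runs a `--privileged` container from a mutable `:latest` tag, so whatever that tag resolves to at run time executes as root on the builder VM and, through `-p yes`, most likely supplies the emulator that every arm64 build step then runs under. The same task carries `REG_USERNAME`/`REG_PASSWORD`, so a changed or replaced upstream image would sit in the path of the images this job builds and presumably pushes. Pin the image by digest, e.g. `podman run --rm --privileged mirror.gcr.io/multiarch/qemu-user-static@sha256:<PINNED_DIGEST> --reset -p yes`, or install the emulators into the `image-builder` VM image so that no privileged pull happens per run. A short comment stating why `--privileged` is needed (registering binfmt_misc handlers) would also help the next reader.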
2 changes: 1 addition & 1 deletion IMG_SFX
@@ -1 +1 @@
20240819t164934z-f40f39d13
20240820t174250z-f40f39d13
12 changes: 11 additions & 1 deletion Makefile
Expand Up @@ -117,6 +117,9 @@ GIT_HEAD = $(shell git rev-parse HEAD)
# Save some typing
_IMGTS_FQIN := quay.io/libpod/imgts:c$(_IMG_SFX)

# Necessary for embedding a ',' in an $(if ...) conditional
COMMA = ,

##### Targets #####

# N/B: The double-# after targets is gawk'd out as the target description
Expand Down Expand Up @@ -308,9 +311,16 @@ fedora_podman: ## Build Fedora podman development container
prior-fedora_podman: ## Build Prior-Fedora podman development container
$(call build_podman_container,$@,$(PRIOR_FEDORA_RELEASE))

# Build multi-arch manifest list for the fedora_podman target only (not prior-fedora_podman).
# N/B: This assumes that qemu_user_static is present and installed into the kernel or (as root)
# podman run --rm --privileged mirror.gcr.io/multiarch/qemu-user-static:latest --reset -p yes
# must been executed (e.g. on CentOS).
$(_TEMPDIR)/%_podman.iid: podman/Containerfile podman/setup.sh $(wildcard base_images/*.sh) $(_TEMPDIR) $(wildcard cache_images/*.sh)
podman build -t $*_podman:$(call err_if_empty,_IMG_SFX) \
podman build --manifest=$*_podman:$(call err_if_empty,_IMG_SFX) \
--security-opt label=disable \
--security-opt seccomp=unconfined \
--platform=linux/amd64$(if $(subst prior-fedora,,$*),$(COMMA)linux/arm64) \
--jobs=2 \
--iidfile=$@ \
--build-arg=BASE_NAME=$(subst prior-,,$*) \
--build-arg=BASE_TAG=$(call err_if_empty,BASE_TAG) \
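Review bot: The recipe for `$(_TEMPDIR)/%_podman.iid` disables both SELinux labelling and seccomp (`--security-opt label=disable`, `--security-opt seccomp=unconfined`) for every build step, now including the emulated arm64 ones, and the comment block above it does not say why; the page does not show which of the two options is new, but at least one appears to be added here. I would add a line such as `# seccomp/label confinement is disabled because <REASON>; drop these options once the build works without them` so the relaxation is a recorded decision rather than a default. The added comment also tells developers to run the unpinned `:latest` qemu-user-static image `--privileged` as root; naming a pinned digest or the distribution's qemu-user-static package there would be safer, and "must been executed" should read "must have been executed". The recipe continues past the end of the hunk.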
