From ad726ea585db9ba67ba4968e86a01a22dbb5e752 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Fri, 16 Aug 2024 12:33:53 -0400 Subject: [PATCH] Produce x86_64 & ARM64 fedora container images At the time of this commit, podman's Makefile has a target to allow validating code changes locally (`validatepr`). However, it's based on a bespoke image completely unassociated with the image used in CI. This can easily lead to a situation where validation passes in the local environment but fails in CI. Support the podman `validatepr` target use of `quay.io/libpod/*fedora_podman:latest` images by performing a manifest-list build that includes `arm64` (a.k.a. `aarch64`). The trade-off here is image build-time, since emulation is extremely slow (over an hour). Therefore, the `container_images` CI task has also been removed as a dependency from `base_images` CI task, allowing them to run in parallel. Note: This will not impact pulling the image, since the client always only pulls the layers necessary for the indicated architecture. Signed-off-by: Chris Evich --- .cirrus.yml | 19 +++++++++++++------ IMG_SFX | 2 +- Makefile | 12 +++++++++++- 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 44d40e44..a1915a1d 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -71,13 +71,14 @@ container_images_task: &container_images skip: *ci_docs_tooling depends_on: - image_builder - timeout_in: &cntr_timeout 40m - gce_instance: &ibi_vm + timeout_in: 120m # emulation is very slow + gce_instance: image_project: "libpod-218412" # Trust whatever was built most recently is functional image_family: "image-builder" zone: "us-central1-a" disk: 200 # Must be 200, negatively affects performance otherwise. + type: "c2d-standard-4" # Extra muscle needed for multi-arch emulation matrix: - name: &name "Build ${TARGET_NAME} container" env: 
@@ -102,7 +103,9 @@ container_images_task: &container_images # For $REGPFX namespace, select FQINs only. REG_USERNAME: ENCRYPTED[df4efe530b9a6a731cfea19233e395a5206d24dfac25e84329de035393d191e94ead8c39b373a0391fa025cab15470f8] REG_PASSWORD: ENCRYPTED[255ec05057707c20237a6c7d15b213422779c534f74fe019b8ca565f635dba0e11035a034e533a6f39e146e7435d87b5] - script: ci/make_container_images.sh; + script: | + podman run --rm --privileged mirror.gcr.io/multiarch/qemu-user-static:latest --reset -p yes + ci/make_container_images.sh package_cache: &package_cache folder: "/var/tmp/automation_images_tmp/.cache/**" fingerprint_key: "${TARGET_NAME}-cache-version-1" @@ -117,8 +120,13 @@ imgts_build_task: skip: &ci_docs $CIRRUS_CHANGE_TITLE =~ '.*CI:DOCS.*' depends_on: - image_builder - timeout_in: *cntr_timeout - gce_instance: *ibi_vm + timeout_in: &cntr_timeout 40m + gce_instance: &ibi_vm + image_project: "libpod-218412" + # Trust whatever was built most recently is functional + image_family: "image-builder" + zone: "us-central1-a" + disk: 200 # Must be 200, negatively affects performance otherwise. env: *image_env script: | export TARGET_NAME=imgts @@ -159,7 +167,6 @@ base_images_task: only_if: *is_pr skip: *ci_docs_tooling depends_on: - - container_images - image_builder # Packer needs time to clean up partially created VM images auto_cancellation: $CI != "true" diff --git a/IMG_SFX b/IMG_SFX index b0846c52..25c7007a 100644 --- a/IMG_SFX +++ b/IMG_SFX @@ -1 +1 @@ -20240819t164934z-f40f39d13 +20240820t151015z-f40f39d13 diff --git a/Makefile b/Makefile index 48f510a1..ca2f92da 100644 --- a/Makefile +++ b/Makefile @@ -117,6 +117,9 @@ GIT_HEAD = $(shell git rev-parse HEAD) # Save some typing _IMGTS_FQIN := quay.io/libpod/imgts:c$(_IMG_SFX) +# Necessary for embedding a ',' in an $(if ...) conditional +COMMA = , + ##### Targets ##### # N/B: The double-# after targets is gawk'd out as the target description 
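Review bot: The first line added to `script:` in `container_images_task` runs `mirror.gcr.io/multiarch/qemu-user-static:latest` with `--privileged`, referenced only by a mutable tag, in a task whose visible env carries `REG_USERNAME` / `REG_PASSWORD`. Whatever that tag resolves to at run time gets full access to the builder VM and registers the binfmt handlers that then execute every emulated arm64 step of the images this task appears to push. Pin the helper by digest instead, e.g. `podman run --rm --privileged mirror.gcr.io/multiarch/qemu-user-static@sha256:<PINNED_DIGEST> --reset -p yes` (placeholder; record the digest from a verified pull and update it deliberately). The same unpinned command is repeated in the Makefile comment added in the `@@ -308,9 +311,16 @@` hunk and should be kept in step.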
@@ -308,9 +311,16 @@ fedora_podman: ## Build Fedora podman development container prior-fedora_podman: ## Build Prior-Fedora podman development container $(call build_podman_container,$@,$(PRIOR_FEDORA_RELEASE)) +# Build multi-arch manifest list for the fedora_podman target only (not prior-fedora_podman). +# N/B: This assumes that qemu_user_static is present and installed into the kernel or (as root) +# podman run --rm --privileged mirror.gcr.io/multiarch/qemu-user-static:latest --reset -p yes +# must been executed (e.g. on CentOS). $(_TEMPDIR)/%_podman.iid: podman/Containerfile podman/setup.sh $(wildcard base_images/*.sh) $(_TEMPDIR) $(wildcard cache_images/*.sh) - podman build -t $*_podman:$(call err_if_empty,_IMG_SFX) \ + podman build --manifest=$*_podman:$(call err_if_empty,_IMG_SFX) \ + --security-opt label=disable \ --security-opt seccomp=unconfined \ + --platform=linux/amd64$(if $(subst prior-fedora,,$*),$(COMMA)linux/arm64) \ + --jobs=2 \ --iidfile=$@ \ --build-arg=BASE_NAME=$(subst prior-,,$*) \ --build-arg=BASE_TAG=$(call err_if_empty,BASE_TAG) \
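Review bot: `--security-opt label=disable` is added to the `$(_TEMPDIR)/%_podman.iid` recipe next to the existing `--security-opt seccomp=unconfined`, and the new comment block does not say why SELinux separation has to be dropped. With both options set, every build container, including the emulated arm64 steps, runs with neither syscall filtering nor label confinement on the builder. The reason should be recorded so the relaxation can be removed when it is no longer needed. A comment above the recipe would do, such as `# label=disable + seccomp=unconfined: <what fails without them>; applies to build containers only`. Separately, "must been executed" in the added comment should read "must have been executed". The recipe continues past the end of this hunk, so any later options were not reviewed.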