Get release and image info from a single-source-of-truth

.cirrus.yml

@@ -59,6 +59,7 @@ image_builder_task:
       PACKER_BUILDS: 'image-builder'
       # Google Application Credentials (JSON) with access to create VM images
       GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
+      AWS_SHARED_CREDENTIALS_FILE: notused
 
     script: "ci/make_image_builder.sh"
     manifest_artifacts:

Makefile

@@ -13,6 +13,23 @@ export_full = $(eval export $(if $(call err_if_empty,$(1)),$(1)))
 # Evaluate to the value of $(1) if $(CI) is the literal string "true", else $(2)
 if_ci_else = $(if $(findstring true,$(CI)),$(1),$(2))
 
+##### Important image release and source details #####
+
+export CENTOS_STREAM_RELEASE = 8
+
+export FEDORA_RELEASE = 36
+export FEDORA_IMAGE_URL = https://dl.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2
+export FEDORA_CSUM_URL = https://dl.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-36-1.5-x86_64-CHECKSUM
+export FEDORA_AMI = ami-08b7bda26f4071b80
+export FEDORA_ARM64_AMI = ami-01925eb0821988986
+
+export PRIOR_FEDORA_RELEASE = 35
+export PRIOR_FEDORA_IMAGE_URL = https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Cloud/x86_64/images/Fedora-Cloud-Base-35-1.2.x86_64.qcow2
+export PRIOR_FEDORA_CSUM_URL = https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Cloud/x86_64/images/Fedora-Cloud-35-1.2-x86_64-CHECKSUM
+
+export UBUNTU_RELEASE = 22.04
+export UBUNTU_BASE_FAMILY = ubuntu-2204-lts
+
 ##### Important Paths and variables #####
 
 # Most targets require possession of service-account credentials (JSON file)
@@ -74,6 +91,10 @@ override _HLPFMT = "%-20s %s\n"
 # N/B: There are length/character limitations in GCE for image names
 IMG_SFX ?=
 
+# Env. vars needed by packer
+export CHECKPOINT_DISABLE = 1  # Disable hashicorp phone-home
+export PACKER_CACHE_DIR = $(call err_if_empty,_TEMPDIR)
+
 ##### Targets #####
 
 # N/B: The double-# after targets is gawk'd out as the target description
@@ -105,6 +126,7 @@ define podman_build
 		--security-opt seccomp=unconfined \
 		-v $(_TEMPDIR)/.cache/$(4):/var/cache/dnf:Z \
 		-v $(_TEMPDIR)/.cache/$(4):/var/cache/apt:Z \
+		--build-arg CENTOS_STREAM_RELEASE=$(CENTOS_STREAM_RELEASE) \
 		--build-arg PACKER_VERSION=$(call err_if_empty,PACKER_VERSION) \
 		-f $(3)/Containerfile .
 	rm -f $(1)
@@ -159,19 +181,19 @@ $(_TEMPDIR)/user-data: $(_TEMPDIR) $(_TEMPDIR)/cidata.ssh.pub $(_TEMPDIR)/cidata
 .PHONY: cidata
 cidata: $(_TEMPDIR)/user-data $(_TEMPDIR)/meta-data
 
-# First argument is the path to the template JSON, second
-# argument is the path to AWS_SHARED_CREDENTIALS_FILE
-# when required.  N/B: GAC_FILEPATH is always required.
+define build_podman_container
+	$(MAKE) $(_TEMPDIR)/$(1).tar BASE_TAG=$(2)
+endef
+
+# First argument is the path to the template JSON
 define packer_build
-	env PACKER_CACHE_DIR="$(_TEMPDIR)" \
-		AWS_SHARED_CREDENTIALS_FILE="$(2)" \
+	env AWS_SHARED_CREDENTIALS_FILE="$(call err_if_empty,AWS_SHARED_CREDENTIALS_FILE)" \
 		GAC_FILEPATH="$(call err_if_empty,GAC_FILEPATH)" \
-		CHECKPOINT_DISABLE=1 \
 			$(PACKER_INSTALL_DIR)/packer build \
 			-force \
 			-var TEMPDIR="$(_TEMPDIR)" \
+			-var IMG_SFX="$(call err_if_empty,IMG_SFX)" \
 			$(if $(PACKER_BUILDS),-only=$(PACKER_BUILDS)) \
-			$(if $(IMG_SFX),-var IMG_SFX=$(IMG_SFX)) \
 			$(if $(DEBUG_NESTED_VM),-var TTYDEV=$(shell tty),-var TTYDEV=/dev/null) \
 			$(if $(PACKER_BUILD_ARGS),$(PACKER_BUILD_ARGS)) \
 			$(1)
@@ -180,7 +202,7 @@ endef
 .PHONY: image_builder
 image_builder: image_builder/manifest.json ## Create image-building image and import into GCE (needed for making all other images)
 image_builder/manifest.json: image_builder/gce.json image_builder/setup.sh lib.sh systemd_banish.sh $(PACKER_INSTALL_DIR)/packer
-	$(call packer_build,$<,)
+	$(call packer_build,image_builder/gce.json)
 
 # Note: We assume this repo is checked out somewhere under the caller's
 # home-dir for bind-mounting purposes.  Otherwise possibly necessary
@@ -209,31 +231,24 @@ $(_TEMPDIR)/image_builder_debug.tar: $(_TEMPDIR)/.cache/centos $(wildcard image_
 base_images: base_images/manifest.json ## Create, prepare, and import base-level images into GCE.  Optionally, set PACKER_BUILDS=<csv> to select builder(s).
 
 base_images/manifest.json: base_images/cloud.json $(wildcard base_images/*.sh) cidata $(_TEMPDIR)/cidata.ssh $(PACKER_INSTALL_DIR)/packer
-	$(call packer_build,base_images/cloud.json,$(call err_if_empty,AWS_SHARED_CREDENTIALS_FILE))
+	$(call packer_build,base_images/cloud.json)
 
 .PHONY: cache_images
 cache_images: cache_images/manifest.json ## Create, prepare, and import top-level images into GCE.  Optionally, set PACKER_BUILDS=<csv> to select builder(s).
 cache_images/manifest.json: cache_images/cloud.json $(wildcard cache_images/*.sh) $(PACKER_INSTALL_DIR)/packer
-	$(call packer_build,cache_images/cloud.json,$(call err_if_empty,AWS_SHARED_CREDENTIALS_FILE))
-
-override _fedora_podman_release := $(file < podman/fedora_release)
-override _prior-fedora_podman_release := $(file < podman/prior-fedora_release)
-override _ubuntu_podman_release := $(file < podman/ubuntu_release)
-define build_podman_container
-	$(MAKE) $(_TEMPDIR)/$(1).tar BASE_TAG=$(_$(1)_release)
-endef
+	$(call packer_build,cache_images/cloud.json)
 
 .PHONY: fedora_podman
 fedora_podman:  ## Build Fedora podman development container
-	$(call build_podman_container,$@,fedora)
+	$(call build_podman_container,$@,$(FEDORA_RELEASE))
 
 .PHONY: prior-fedora_podman
 prior-fedora_podman:  ## Build Prior-Fedora podman development container
-	$(call build_podman_container,$@,prior-fedora)
+	$(call build_podman_container,$@,$(PRIOR_FEDORA_RELEASE))
 
 .PHONY: ubuntu_podman
 ubuntu_podman:  ## Build Ubuntu podman development container
-	$(call build_podman_container,$@,ubuntu)
+	$(call build_podman_container,$@,$(UBUNTU_RELEASE))
 
 $(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_images/*.sh) $(wildcard cache_images/*.sh) $(_TEMPDIR)/.cache/%
 	podman build -t $*_podman:$(call err_if_empty,IMG_SFX) \
@@ -249,10 +264,10 @@ $(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_i
 
 .PHONY: skopeo_cidev
 skopeo_cidev: $(_TEMPDIR)/skopeo_cidev.tar  ## Build Skopeo development and CI container
-$(_TEMPDIR)/skopeo_cidev.tar: podman/fedora_release $(wildcard skopeo_base/*) $(_TEMPDIR)/.cache/fedora
+$(_TEMPDIR)/skopeo_cidev.tar: $(wildcard skopeo_base/*) $(_TEMPDIR)/.cache/fedora
 	podman build -t skopeo_cidev:$(call err_if_empty,IMG_SFX) \
 		--security-opt seccomp=unconfined \
-		--build-arg=BASE_TAG=$(_fedora_podman_release) \
+		--build-arg=BASE_TAG=$(FEDORA_RELEASE) \
 		-v $(_TEMPDIR)/.cache/fedora:/var/cache/dnf:Z \
 		skopeo_cidev
 	rm -f $@
@@ -263,7 +278,7 @@ ccia: $(_TEMPDIR)/ccia.tar  ## Build the Cirrus-CI Artifacts container image
 $(_TEMPDIR)/ccia.tar: ccia/Containerfile
 	podman build -t ccia:$(call err_if_empty,IMG_SFX) \
 		--security-opt seccomp=unconfined \
-		--build-arg=BASE_TAG=$(_fedora_podman_release) \
+		--build-arg=BASE_TAG=$(FEDORA_RELEASE) \
 		ccia
 	rm -f $@
 	podman save --quiet -o $@ ccia:$(IMG_SFX)

base_images/cloud.yml

@@ -17,31 +17,19 @@ variables:  # Empty value means it must be passed in on command-line
     # Allows providing handy cross-reference to the build log
     CIRRUS_TASK_ID: "{{env `CIRRUS_TASK_ID`}}"
 
-    # BIG-FAT-WARNING:  When updating the image names and/or URLs below,
-    # ensure the distro version numbers contained in the `podman/*_release`
-    # files exactly match.  These represent the container base-image tags
-    # to build from - just as the sources below are the base-images to
-    # start from building VM images.
+    # See Makefile for definitions
+    FEDORA_RELEASE: "{{env `FEDORA_RELEASE`}}"
+    FEDORA_IMAGE_URL: "{{env `FEDORA_IMAGE_URL`}}"
+    FEDORA_CSUM_URL: "{{env `FEDORA_CSUM_URL`}}"
+    FEDORA_AMI: "{{env `FEDORA_AMI`}}"
+    FEDORA_ARM64_AMI: "{{env `FEDORA_ARM64_AMI`}}"
 
-    # Upstream source for Ubuntu image to duplicate (prevents expiration).
-    # Use the most recent image based on this family name.
-    UBUNTU_BASE_FAMILY: 'ubuntu-2204-lts'
+    PRIOR_FEDORA_RELEASE: "{{env `PRIOR_FEDORA_RELEASE`}}"
+    PRIOR_FEDORA_IMAGE_URL: "{{env `PRIOR_FEDORA_IMAGE_URL`}}"
+    PRIOR_FEDORA_CSUM_URL: "{{env `PRIOR_FEDORA_CSUM_URL`}}"
 
-    # AWS base image in 'US East (N. Virginia)' region
-    # from https://alt.fedoraproject.org/cloud
-    FEDORAPROJECT_AMI: "ami-08b7bda26f4071b80"
-    FEDORAPROJECT_AARCH64_AMI: "ami-01925eb0821988986"
-
-    # Latest Fedora release (qcow and CHECKSUM) download URLs
-    # N/B: There are Fedora-Cloud...GCP.tar.gz images available, however
-    #      as of this comment, they lack the cloud-init package which is
-    #      required by GCP for startup resizing of the rootfs.
-    FEDORA_CSUM_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-36-1.5-x86_64-CHECKSUM"
-    FEDORA_IMAGE_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/36/Cloud/x86_64/images/Fedora-Cloud-Base-36-1.5.x86_64.qcow2"
-
-    # Prior Fedora release
-    PRIOR_FEDORA_CSUM_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Cloud/x86_64/images/Fedora-Cloud-35-1.2-x86_64-CHECKSUM"
-    PRIOR_FEDORA_IMAGE_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Cloud/x86_64/images/Fedora-Cloud-Base-35-1.2.x86_64.qcow2"
+    UBUNTU_RELEASE: "{{env `UBUNTU_RELEASE`}}"
+    UBUNTU_BASE_FAMILY: "{{env `UBUNTU_BASE_FAMILY`}}"
 
 
 builders:
@@ -50,7 +38,7 @@ builders:
       # Prefix IMG_SFX with "b" so this is never confused with a cache_image name
       image_name: '{{build_name}}-b{{user `IMG_SFX`}}'
       image_family: '{{build_name}}-base'
-      image_description: 'Built in https://cirrus-ci.com/build/{{user `IMG_SFX`}}'
+      image_description: 'Built in https://cirrus-ci.com/task/{{user `CIRRUS_TASK_ID`}}'
       source_image_family: '{{user `UBUNTU_BASE_FAMILY`}}'
       source_image_project_id: 'ubuntu-os-cloud'
       project_id: '{{user `GCP_PROJECT_ID`}}'
@@ -64,6 +52,7 @@ builders:
         src: '{{user `UBUNTU_BASE_FAMILY`}}'
         stage: 'base'
         arch: 'x86_64'
+        release: 'ubuntu-{{user `UBUNTU_RELEASE` | clean_resource_name}}'
       # Gotcha: https://www.packer.io/docs/builders/googlecompute#gotchas
       ssh_username: 'packer'
       temporary_key_pair_type: ed25519
@@ -119,7 +108,7 @@ builders:
     - &fedora-aws
       name: 'fedora-aws'
       type: 'amazon-ebs'
-      source_ami: '{{user `FEDORAPROJECT_AMI`}}'
+      source_ami: '{{user `FEDORA_AMI`}}'
       instance_type: 'm5zn.metal'
       # In case of packer problem or ungraceful exit, don't wait for shutdown.
       # This doesn't always work properly, sometimes leaving EC2 instances in
@@ -132,7 +121,7 @@ builders:
       security_group_id: "sg-042c75677872ef81c"
       # Prefix IMG_SFX with "b" so this is never confused with a cache_image
       ami_name: 'fedora-aws-b{{user `IMG_SFX`}}'
-      ami_description: 'Built in https://cirrus-ci.com/build/{{user `IMG_SFX`}}'
+      ami_description: 'Built in https://cirrus-ci.com/task/{{user `CIRRUS_TASK_ID`}}'
       ebs_optimized: true
       launch_block_device_mappings:
         - device_name: '/dev/sda1'
@@ -145,8 +134,9 @@ builders:
         <<: *imgcpylabels
         # EC2 expects "Name" to be capitalized
         Name: 'fedora-aws-b{{user `IMG_SFX`}}'
-        src: '{{user `FEDORAPROJECT_AMI`}}'
+        src: '{{user `FEDORA_AMI`}}'
         automation: 'true'
+        release: 'fedora-{{user `FEDORA_RELEASE`}}'
       run_tags: *awstags
       run_volume_tags: *awstags
       snapshot_tags: *awstags
@@ -164,12 +154,12 @@ builders:
 
     - <<: *fedora-aws
       name: 'fedora-aws-arm64'
-      source_ami: '{{user `FEDORAPROJECT_AARCH64_AMI`}}'
+      source_ami: '{{user `FEDORA_ARM64_AMI`}}'
       instance_type: 't4g.medium'  # arm64 type
       ami_name: 'fedora-aws-arm64-b{{user `IMG_SFX`}}'  # must be unique
       tags: &awsarm64tags
         <<: *awstags
-        src: '{{user `FEDORAPROJECT_AARCH64_AMI`}}'
+        src: '{{user `FEDORA_ARM64_AMI`}}'
         arch: 'arm64'
       run_tags: *awsarm64tags
       run_volume_tags: *awsarm64tags
@@ -214,16 +204,19 @@ post-processors:
         gcs_object_name: '{{build_name}}-{{user `IMG_SFX`}}.tar.gz'
         image_name: "fedora-b{{user `IMG_SFX`}}"
         image_family: '{{build_name}}-base'
-        # Can't save the url in an image_label
-        image_description: '{{user `FEDORA_IMAGE_URL`}}'
-        image_labels: &importlabels
+        image_description: 'Built in https://cirrus-ci.com/task/{{user `CIRRUS_TASK_ID`}}'
+        image_labels:
           <<: *imgcpylabels
           src: 'fedoraproject'
+          release: 'fedora-{{user `FEDORA_RELEASE`}}'
       - <<: *gcp_import
         only: ['prior-fedora']
         image_name: "prior-fedora-b{{user `IMG_SFX`}}"
         image_family: '{{build_name}}-base'
-        image_description: '{{user `PRIOR_FEDORA_IMAGE_URL`}}'
+        image_labels:
+          <<: *imgcpylabels
+          src: 'fedoraproject'
+          release: 'fedora-{{user `PRIOR_FEDORA_RELEASE`}}'
       # This is critical, especially for the aws builders.
       # Producing the cache-images from these base images
       # needs to lookup the runtime-produced AMI ID.

cache_images/cloud.yml

@@ -16,6 +16,11 @@ variables:  # Empty value means it must be passed in on command-line
     # Allows providing handy cross-reference to the build log
     CIRRUS_TASK_ID: "{{env `CIRRUS_TASK_ID`}}"
 
+    # See Makefile for definitions
+    FEDORA_RELEASE: "{{env `FEDORA_RELEASE`}}"
+    PRIOR_FEDORA_RELEASE: "{{env `PRIOR_FEDORA_RELEASE`}}"
+    UBUNTU_RELEASE: "{{env `UBUNTU_RELEASE`}}"
+
 builders:
     - &gce_hosted_image
       name: 'ubuntu'
@@ -25,14 +30,16 @@ builders:
       # Prefix IMG_SFX with "c" so this is never confused with a base_image name
       image_name: '{{ build_name }}-c{{user `IMG_SFX`}}'
       image_family: '{{ build_name }}-cache'
+      image_description: 'Built in https://cirrus-ci.com/task/{{user `CIRRUS_TASK_ID`}}'
       project_id: '{{user `GCP_PROJECT_ID`}}'
       account_file: '{{user `GAC_FILEPATH`}}'
       zone: 'us-central1-a'
       disk_size: 20  # REQUIRED: Runtime allocation > this value
       disable_default_service_account: true
-      labels:  # For the VM
+      labels: &gce_labels # For the VM
         sfx: '{{user `IMG_SFX`}}'
         src: '{{ build_name }}-b{{user `IMG_SFX` }}'
+        release: 'ubuntu-{{user `UBUNTU_RELEASE` | clean_resource_name}}'
         stage: cache
       ssh_username: packer  # arbitrary, packer will create & setup w/ temp. keypair
       ssh_pty: 'true'
@@ -43,15 +50,20 @@ builders:
 
     - <<: *gce_hosted_image
       name: 'fedora'
+      labels: &fedora_gce_labels
+        <<: *gce_labels
+        release: 'fedora-{{user `FEDORA_RELEASE`}}'
 
     - <<: *gce_hosted_image
       name: 'prior-fedora'
+      labels: *fedora_gce_labels
 
     - &aux_fed_img
       <<: *gce_hosted_image
       name: 'build-push'
       source_image: 'fedora-b{{user `IMG_SFX`}}'
       source_image_family: 'fedora-base'
+      labels: *fedora_gce_labels
 
     - <<: *aux_fed_img
       name: 'fedora-podman-py'
@@ -92,25 +104,26 @@ builders:
       security_group_id: "sg-042c75677872ef81c"
       # Prefix IMG_SFX with "b" so this is never confused with a cache_image
       ami_name: '{{build_name}}-c{{user `IMG_SFX`}}'
-      ami_description: 'Built in https://cirrus-ci.com/build/{{user `IMG_SFX`}}'
+      ami_description: 'Built in https://cirrus-ci.com/task/{{user `CIRRUS_TASK_ID`}}'
       ebs_optimized: true
       launch_block_device_mappings:
         - device_name: '/dev/sda1'
           volume_size: 200
           volume_type: 'gp2'
           delete_on_termination: true
       # These are critical and used by security-polciy to enforce instance launch limits.
-      tags: &tags
+      tags: &ami_tags
         # EC2 expects "Name" tag to be capitalized
         Name: '{{build_name}}-c{{user `IMG_SFX`}}'
         sfx: '{{user `IMG_SFX`}}'
         src: '{{.SourceAMI}}'  # Generated AMI ID looked up at runtime
         automation: 'true'
         stage: 'cache'
         arch: 'x86_64'
-      run_tags: *tags
-      run_volume_tags: *tags
-      snapshot_tags: *tags
+        release: 'fedora-{{user `FEDORA_RELEASE`}}'
+      run_tags: *ami_tags
+      run_volume_tags: *ami_tags
+      snapshot_tags: *ami_tags
       # Also required to make AMI private
       ami_users:
         - *accountid
@@ -131,7 +144,7 @@ builders:
             name: 'fedora-aws-arm64-b{{user `IMG_SFX`}}'
       instance_type: 't4g.medium'  # arm64 type
       tags: &netavark_tags
-        <<: *tags
+        <<: *ami_tags
         Name: '{{build_name}}-c{{user `IMG_SFX`}}'
         arch: 'arm64'
       run_tags: *netavark_tags
@@ -149,7 +162,7 @@ builders:
             name: 'fedora-aws-arm64-b{{user `IMG_SFX`}}'
       instance_type: 't4g.medium'  # arm64 type
       tags: &podman_tags
-        <<: *tags
+        <<: *ami_tags
         Name: '{{build_name}}-c{{user `IMG_SFX`}}'
         arch: 'arm64'
       run_tags: *podman_tags

image_builder/Containerfile

@@ -4,8 +4,8 @@
 # at the root of this repository.  It should be built with
 # the repository root as the context directory.
 
-ARG CENTOS_RELEASE=stream8
-FROM quay.io/centos/centos:${CENTOS_RELEASE}
+ARG CENTOS_STREAM_RELEASE=8
+FROM quay.io/centos/centos:stream${CENTOS_STREAM_RELEASE}
 ARG PACKER_VERSION
 MAINTAINER https://github.com/containers/automation_images/image_builder