[CI:BUILD] Contrib: Add containerfile to create podman-remote binary image

[praveenkumar]

Try to partial address #14664

- Add container file to build remote binary for each platform
- Add README.md file around same

Longer term plan is to have it attach either to quay and add github trigger to generate the image for each 4.x tag/branch. Only issue is as of now quay github trigger can only generate amd64 images not the arm64 one so may be we need to attach it to current cirrus CI to generate image for different arch and push to quay, same way we are doing for quay.io/containers/podman.

Another gap is created binaries for mac/windows are not signed one and we need to check if user try to copy those binary from the container image does it showing the signing warning.

[flouthoc]

LGTM other than two nits above.

[flouthoc]

Suggested change

	$ podman cp $(podman create --name remote-temp quay.io/praveenkumar/podman-remote-artifacts:latest):/podman-remote-static . && podman rm remote-temp
	$ podman cp $(podman create --name remote-temp quay.io/containers/podman-remote-artifacts:latest):/podman-remote-static . && podman rm remote-temp

[flouthoc]

Points to personal repo, are we expecting to create similar repo/tag in containers

[flouthoc]

I think similar comment goes for darwin

[praveenkumar]

@flouthoc yes I forgot to remove my personal repo :) . I think we should have similar repo/tag in containers org for consumption.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flouthoc, praveenkumar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [flouthoc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

@mheon @cevich @vrothberg PTAL

[vrothberg]

Suggested change

	for each PR merged (in any 4.x branch or tags).
	for each PR merged (for any branch or tag).

[vrothberg]

What is the benefit over curl-ing the binaries from the release pages? I assume for testing purposes but I'd appreciate making the intention explicit in the README.

I'd like some more maintainers to have a look.

[vrothberg]

Suggested change

	User can copy those binary on specific platform using following
	Users can copy the binaries onto the specific platforms using following instructions

[cevich]

Longer term plan is to have it attach either to quay and add github trigger to generate the image for each 4.x tag/branch.

Yeah, can't use quay. We have two Cirrus-CI tasks setup to build multi-arch image manifests, image_build and test_image_build. The later is intended for PRs (like this one) so you can test out new/changed builds. It's only available for manual-trigger, and only if you put [CI:BUILD] in the PR description (which I just did).

[cevich]

So on your next force-push, you'll see the test_image_build manual-trigger jobs pop up. I'll most likely need to help add the new one, since the build script is sensitive to the directory names.. I'll also need to setup the new repo in quay for it to push to.

[cevich]

Q: @rhatdan @TomSweeneyRedHat or anyone else: do we want to provide the stable, testing, and upstream flavors of the podman-remote image as well as a secondary push to quay.io/containers/podman:{stable, testing, upstream} and quay.io/podman-remote (new repo)? Since that logic is already cooked into the build script, it would be good to iron this all out up-front if possible.

[cevich]

All of our other container images are based on registry.fedoraproject.org/fedora:latest, for consistency it would be good to use that here too. An alternative could be registry.fedoraproject.org/fedora-minimal:latest. In either case, check out the contrib/podmanimage/*/Containerfiles to see how we install podman. It's MUCH faster to install than to compile during image-build time (due to needing emulation).

[cevich]

errr...nevermind 😞 that won't work for Mac or Windows will it? My concern is the multi-arch compiles are extremely slow under emulation. Hmmmm. Perhaps the thing to do is just grab the binaries directly from the CI system's artifacts task. They're not signed, but will be posted continuously for main, and recent release-branches (where we added ARM64 builds).

[praveenkumar]

@cevich Does it also published for specific tags like rc one? One of the use case which I am trying to solve with it, if we do any release on github (with specific branch) be it alpha, beta, rc we should have release binaries for those bits (longer term) either through the container image or from the CI artifacts. If I see #15202 (which is the PR for rc3) then looks like we just use the rc3 commit to do the tagging and there is no CI artifact for it.

[cevich]

Mostly, I don't think tags to, but for sure on most recent branches (and going forward) the CI system continuously publishes artifacts at a consistent URL. The URL will be of the form specified here: https://cirrus-ci.org/guide/writing-tasks/#latest-build-artifacts

[cevich]

What do you think of: Instead of compiling, curl the latest binaries from CI system using the branch-name specified as a build-arg?

[rhatdan]

I like that idea, then we know everyone is using the exact same binary.

[praveenkumar]

@cevich if we are adding this to CI for each PR then first we have to wait for other CI run to be succeed (to generate required images) as part of some step builds?

[cevich]

Not the way the builds run today. They're optional on [CI:BUILD] PRs (to support testing/development). Otherwise they only run via a daily cron-job on main.

[rhatdan]

/lgtm

[TomSweeneyRedHat]

Nit and way past, but just in case containerfile -> Containerfile

[TomSweeneyRedHat]

following -> the following