Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

container: Revamp container image installation #1021

Merged
merged 12 commits into from
Dec 10, 2024
Merged

container: Revamp container image installation #1021

merged 12 commits into from
Dec 10, 2024

Conversation

apyrgio
Copy link
Contributor

@apyrgio apyrgio commented Dec 2, 2024
edited
Loading

Revamp the container image installation process in a way that does not involve using image IDs. We don't want to rely on image IDs anymore, since they are brittle (see #933). Instead, we use image tags, as provided in the image-id.txt file. This allows us to check fast if an image is up to date, and we no longer need to maintain multiple image IDs from various container runtimes.

Refs #933
Refs #988
Fixes #1020

@apyrgio apyrgio force-pushed the 1020-ditch-ids branch 5 times, most recently from a71f125 to 57973b8 Compare December 2, 2024 19:15
@apyrgio apyrgio requested a review from almet December 2, 2024 19:16
almet
almet reviewed Dec 3, 2024
View reviewed changes
dangerzone/isolation_provider/base.py Show resolved Hide resolved
dangerzone/isolation_provider/container.py Outdated Show resolved Hide resolved
install/common/build-image.py Show resolved Hide resolved
install/common/build-image.py Outdated Show resolved Hide resolved
.github/workflows/build.yml Show resolved Hide resolved
@apyrgio apyrgio mentioned this pull request Dec 4, 2024
Merged
almet
almet reviewed Dec 4, 2024
View reviewed changes
dangerzone/container_utils.py Outdated Show resolved Hide resolved
almet
almet approved these changes Dec 9, 2024
View reviewed changes
Copy link
Contributor

@almet almet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks good to me, thanks! I added a comment about maybe splitting utils in a module, do what you want with it, I believe we're good to merge!

@apyrgio
Move container-specific method from base class
309bd12 
Move the `is_runtime_available()` method from the base
`IsolationProvider` class, and into the `Dummy` provider class. This
method was originally defined in the base class, in order to be mocked
in our tests for the `Dummy` provider. There's no reason for the `Qubes`
class to have it though, so we can just move it to the `Dummy` provider.
apyrgio added 11 commits December 10, 2024 11:18
@apyrgio
container: Manipulate Dangerzone image tags
6b51d56 
Add the following methods that allow the `Container` isolation provider
to work with tags for the Dangerzone image:
* `list_image_tag()`
* `delete_image_tag()`
* `add_image_tag()`
@apyrgio
container: Factor out loading an image tarball
20152fa
@apyrgio
Build and tag Dangerzone images
6a5e76f 
Build Dangerzone images and tag them with a unique ID that stems from
the Git reop. Note that using tags as image IDs instead of regular image
IDs breaks the current Dangerzone expectations, but this will be
addressed in subsequent commits.
@apyrgio
Build and tag Dangerzone images
9095603 
Build Dangerzone images and tag them with a unique ID that stems from
the Git reop. Note that using tags as image IDs instead of regular image
IDs breaks the current Dangerzone expectations, but this will be
addressed in subsequent commits.
@apyrgio
container: Revamp container image installation
e22c795 
Revamp the container image installation process in a way that does not
involve using image IDs. We don't want to rely on image IDs anymore,
since they are brittle (see
#933). Instead, we
use image tags, as provided in the `image-id.txt` file.  This allows us
to check fast if an image is up to date, and we no longer need to
maintain multiple image IDs from various container runtimes.

Refs #933
Refs #988
Fixes #1020
@apyrgio
Update our release instructions
2a8355f
@apyrgio
Fix minor typos in our docs
e54567b
@apyrgio
Extend the interface of the isolation provider
25fba42 
Add the following two methods in the isolation provider:
1. `.is_available()`: Mainly used for the Container isolation provider,
   it specifies whether the container runtime is up and running. May be
   used in the future by other similar providers.
2. `.should_wait_install()`: Whether the isolation provider takes a
   while to be installed. Should be `True` only for the Container
   isolation provider, for the time being.
@apyrgio
Factor out container utilities to separate module
0383081
@apyrgio
Move container security arg to proper place
ec9f883 
Now that #748 has been merged, we can move the `--userns nomap` argument
to the list with the rest of our security arguments.
@apyrgio
ci: Work with image tarballs that are not tagged as 'latest'
3eac00b 
Now that our image tarball is not tagged as 'latest', we must first grab
the image tag first, and then refer to it. We can grab the tag either
from `share/image-id.txt` (if available) or with:

    docker load dangerzone.rocks/dangerzone --format {{ .Tag }}
@apyrgio apyrgio merged commit 3eac00b into main Dec 10, 2024
46 checks passed
@apyrgio apyrgio deleted the 1020-ditch-ids branch December 10, 2024 09:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@almet almet almet approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Dangerzone ✨
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Do not maintain multiple image IDs
2 participants
@apyrgio @almet