podvm_mkosi: multistage binaries

Simplify the podvm_mkosi binaries building process by combining the builder and binaries into a single multistage dockerfile Signed-off-by: stevenhorsman <[email protected]>
confidential-containers · Dec 10, 2024 · 991ac00 · 991ac00
1 parent e181107
commit 991ac00
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 82 deletions.
diff --git a/.github/workflows/podvm_mkosi.yaml b/.github/workflows/podvm_mkosi.yaml
@@ -120,12 +120,6 @@ jobs:
         with:
           version: ${{ env.ORAS_VERSION }}
 
-      - name: Build builder
-        id: build_builder
-        working-directory: src/cloud-api-adaptor/podvm-mkosi
-        run: make fedora-binaries-builder
-        env:
-          ARCH: ${{ inputs.arch }}
 
       - name: Build binaries
         id: build_binaries

diff --git a/src/cloud-api-adaptor/podvm-mkosi/Makefile b/src/cloud-api-adaptor/podvm-mkosi/Makefile
@@ -29,23 +29,6 @@ ifeq ($(ARCH),s390x)
 YQ_CHECKSUM = $(YQ_CHECKSUM_s390x)
 endif
 
-PHONY: fedora-binaries-builder
-fedora-binaries-builder:
-	@echo "Building $(BUILDER) image..."
-	docker buildx build \
-		-t $(PODVM_BUILDER_IMAGE) \
-		--build-arg GO_VERSION=$(GO_VERSION) \
-		--build-arg ARCH=$(ARCH) \
-		--build-arg PROTOC_VERSION=$(PROTOC_VERSION) \
-		--build-arg YQ_VERSION=$(YQ_VERSION) \
-		--build-arg YQ_CHECKSUM=$(YQ_CHECKSUM) \
-		--build-arg YQ_ARCH=$(ARCH) \
-		--build-arg PROTOC_ARCH=$(if $(filter amd64,$(ARCH)),x86_64,s390x) \
-		--build-arg ORAS_VERSION=$(ORAS_VERSION) \
-		--load \
-		-f ../podvm/Dockerfile.podvm_builder.fedora ../.
-
-PHONY: binaries
 binaries:
 	@echo "Building binaries..."
 	rm -rf ./resources/binaries-tree
@@ -55,7 +38,14 @@ endif
 	docker buildx build \
 		-t $(PODVM_BINARIES_IMAGE) \
 		--progress=plain \
-		--build-arg BUILDER_IMG=$(PODVM_BUILDER_IMAGE) \
+		--build-arg GO_VERSION=$(GO_VERSION) \
+		--build-arg ARCH=$(ARCH) \
+		--build-arg PROTOC_VERSION=$(PROTOC_VERSION) \
+		--build-arg YQ_VERSION=$(YQ_VERSION) \
+		--build-arg YQ_CHECKSUM=$(YQ_CHECKSUM) \
+		--build-arg YQ_ARCH=$(ARCH) \
+		--build-arg PROTOC_ARCH=$(if $(filter amd64,$(ARCH)),x86_64,s390x) \
+		--build-arg ORAS_VERSION=$(ORAS_VERSION) \
 		--build-arg TEE_PLATFORM=$(TEE_PLATFORM) \
 		--build-arg PAUSE_REPO=$(PAUSE_REPO) \
 		--build-arg PAUSE_VERSION=$(PAUSE_VERSION) \
@@ -64,8 +54,9 @@ endif
 		--build-arg VERIFY_PROVENANCE=$(VERIFY_PROVENANCE) \
 		$(if $(AUTHFILE),--build-arg AUTHFILE=$(AUTHFILE),) \
 		$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
-		-o type=local,dest="./resources/binaries-tree" \
-		-f ../podvm/Dockerfile.podvm_binaries.fedora ../../
+		$(if $(filter $(PUSH),true),,-o type=local,dest="./resources/binaries-tree") \
+		$(DOCKER_OPTS) \
+		-f ../podvm/Dockerfile.podvm.fedora ../../
 
 PHONY: image
 image:

diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora
@@ -1,12 +1,57 @@
+# syntax=docker/dockerfile:1.5-labs
 # Copyright Confidential Containers Contributors
 #
 # SPDX-License-Identifier: Apache-2.0
 #
-# Builds pod vm image inside container
+# Build binaries for mkosi podvm image
 #
-ARG BUILDER_IMG
+FROM registry.fedoraproject.org/fedora:40 AS builder
 
-FROM ${BUILDER_IMG} AS podvm_builder
+ARG ARCH="amd64"
+ARG YQ_ARCH="amd64"
+# PROTOC_ARCH="x86_64" | "s390_64"
+ARG PROTOC_ARCH="x86_64"
+ARG GO_VERSION
+ARG PROTOC_VERSION
+ARG YQ_VERSION
+ARG YQ_CHECKSUM
+ARG ORAS_VERSION
+
+RUN dnf groupinstall -y 'Development Tools' && \
+    dnf install -y yum-utils gnupg git perl-core pkg-config libseccomp-devel gpgme-devel \
+    device-mapper-devel unzip libassuan-devel \
+    perl-FindBin openssl-devel tpm2-tss-devel \
+    clang which xz jq && \
+    dnf clean all
+
+ADD https://dl.google.com/go/go${GO_VERSION}.linux-${ARCH}.tar.gz go${GO_VERSION}.linux-${ARCH}.tar.gz
+RUN rm -rf /usr/local/go && tar -C /usr/local -xzf go${GO_VERSION}.linux-${ARCH}.tar.gz && rm -f go${GO_VERSION}.linux-${ARCH}.tar.gz
+
+ENV PATH="/usr/local/go/bin:$PATH"
+
+RUN if [ "$(uname -m)" != "s390x" ]; then dnf install 'dnf-command(config-manager)' && \
+    dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo && \
+    dnf install -y gh --repo gh-cli; else git clone https://github.com/cli/cli.git gh-cli && \
+    cd gh-cli && mkdir -p /usr/local/gh && make install prefix=/usr/local/gh && cd .. && \
+    rm -rf gh-cli; fi
+
+ENV PATH="/usr/local/gh/bin:$PATH"
+
+ADD https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${YQ_ARCH} /usr/local/bin/yq
+RUN echo "${YQ_CHECKSUM#sha256:} /usr/local/bin/yq" | sha256sum -c
+RUN chmod a+x /usr/local/bin/yq
+
+ADD https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip
+RUN unzip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip -d /usr/local && rm -f protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip
+
+ADD https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz
+RUN rm -rf /usr/local/bin/oras && tar -C /usr/local/bin -xzf oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz && rm -f oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz
+
+WORKDIR /src
+
+ENV GOPATH=/src
+
+FROM builder AS podvm_binaries_builder
 
 ARG CLOUD_PROVIDER
 ARG PODVM_DISTRO=rhel
@@ -54,4 +99,4 @@ RUN ./hack/cross-build-extras.sh
 RUN LIBC=gnu make binaries
 
 FROM scratch
-COPY --from=podvm_builder /src/cloud-api-adaptor/podvm/files /
+COPY --from=podvm_binaries_builder /src/cloud-api-adaptor/podvm/files /
diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_builder.fedora