-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bootc e2e workflow - build temp image shim with ssh keys around bootc #428
Conversation
03db31e
to
c9b6fa5
Compare
360f280
to
be72cb1
Compare
e3fe0d3
to
32f2826
Compare
32f2826
to
1685042
Compare
7642e9a
to
6802b0e
Compare
6843b72
to
72a276d
Compare
72a276d
to
ee6e914
Compare
Signed-off-by: greg pereira <grpereir@redhat.com>
Signed-off-by: greg pereira <grpereir@redhat.com>
Signed-off-by: greg pereira <grpereir@redhat.com>
Signed-off-by: greg pereira <grpereir@redhat.com>
548b83b
to
5382b76
Compare
training/provision/playbook.yml
Outdated
containers.podman.podman_image: | ||
name: "quay.io/ai-lab/{{ image_name }}:latest" | ||
build: | ||
target: localhost/derivied_image:latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo "derived"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But um...actually looking at the ansible docs for this module I see
https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_image_module.html#parameter-build/target
"Specify the target build stage to build." which doesn't sound like what's desired here...
I think what you want is to use what you have in target
for name
actually.
Listen so...I like Ansible, I think it's a powerful swiss army knife that absolutely has its uses.
But this specific code, it doesn't seem like the ansible abstractions are buying us anything over plain old basic shell script executing podman build
+ podman run
...
training/provision/playbook.yml
Outdated
@@ -37,7 +72,9 @@ | |||
privileged: yes | |||
pid_mode: host | |||
command: "bootc install to-filesystem --karg=console=ttyS0,115200n8 --replace=alongside /target" | |||
become: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe this is necessary as there's a toplevel become: true
on the whole playbook.
- name: Required packages | ||
ansible.builtin.dnf: | ||
name: | ||
- https://s3.eu-west-2.amazonaws.com/amazon-ssm-eu-west-2/latest/linux_amd64/amazon-ssm-agent.rpm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious why...this beast has deep hooks into everything, it's Amazon wanting to own systems management.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I use it for connecting to the instance for debugging purposes. It will be removed as soon as the workflow starts working
- name: Derived Image Containerfile | ||
ansible.builtin.template: | ||
src: ./templates/Containerfile.j2 | ||
dest: /tmp/Containerfile |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor nit but, predictable filenames in /tmp
are a CWE: https://capec.mitre.org/data/definitions/149.html
There's a tempfile module.
Not a big deal, but just noting.
@@ -0,0 +1,9 @@ | |||
FROM quay.io/ai-lab/{{ image_name }}:latest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
podman build
already has --from
to template this without writing a new containerfile btw.
RUN mkdir /usr/etc-system && \ | ||
chown -R root:root /usr/etc-system && \ | ||
echo 'AuthorizedKeysFile /usr/etc-system/root.keys' >> /etc/ssh/sshd_config.d/30-auth-system.conf && \ | ||
echo {{ ssh_public_key }} > /usr/etc-system/root.keys && \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And this one I think is better as a build argument instead of jinja templating, which can be passed already via --build-arg
.
5382b76
to
cc795e5
Compare
Signed-off-by: greg pereira <grpereir@redhat.com>
cc795e5
to
bcf522f
Compare
username: "{{ registry_user }}" | ||
password: "{{ registry_password }}" | ||
registry: quay.io | ||
authfile: /etc/containers/auth.json |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, we really want containers/image#1746 ...will see if I or someone else can get back to it.
The previous PRs have setup our ENV and given us access to the bootc installed instance, now we want to run the e2e tests