[skip-ci] machine images #21335

Closed
wants to merge 1 commit into from
13 changes: 12 additions & 1 deletion .github/workflows/fcos-podman-next-build.yml
Expand Up @@ -9,7 +9,8 @@ on:
- cron: '0 0 * * *'

env:
IMAGE_NAME: fcos
FCOS_IMAGE_NAME: fcos
MACHINE_IMAGE_NAME: machine-images
# IMAGE_ARCHS has to be comma separated
IMAGE_ARCHS: amd64, arm64
IMAGE_REGISTRY: quay.io/podman
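Review bot: renaming `IMAGE_NAME` to `FCOS_IMAGE_NAME` in the env block only changes the definition; the rest of this workflow lies outside the hunk, so every remaining `${{ env.IMAGE_NAME }}` reference needs the same rename, because an undefined env variable silently expands to an empty string instead of failing the job. `IMAGE_ARCHS` also keeps a space after the comma (`amd64, arm64`) while the comment says the value must be comma separated; confirm the consumer trims it or drop the space.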
Expand All @@ -32,6 +33,10 @@ jobs:
run: |
pip3 install git+https://github.com/packit/wait-for-copr.git@main

- name: Set up cosa
Contributor
We shouldn't need cosa for this.

So here's how I think this would go roughly:

  • Based on some trigger (e.g. polling new RPMs out of COPR, or there's a new quay.io/fedora/fedora-coreos:stable image published), start this job
  • Do a podman build of an image that does FROM: quay.io/fedora/fedora-coreos:stable, and e.g. removes moby, adds the podman RPMs, adds subscription manager, etc...
  • Run osbuild to convert the container image into disk images using the same manifests we use (these are currently hosted e.g. here and here, but I think the goal is to move them out). This requires running on a system with full root privileges. For aarch64, GHA was planning to add runners but it's not clear if that has happened yet. Alternatively, you can have a self-hosted runner on e.g. AWS. Nested virt shouldn't be required AIUI since osbuild uses loopbacks instead.
  • Bundle up the disk images into container images and push to the registry

For the triggering, probably the simplest is polling and comparing the latest versions of the RPMs and base FCOS image against the latest pushed podman machine images (e.g. you can store the versioning in labels).


Contributor

@dustymabe dustymabe Feb 16, 2024

so basically step 3 turns into "run this script" in an environment that can run OSBuild (i.e. run as root, selinux permissive, some osbuild RPMs installed).

Member Author

We shouldn't need cosa for this.

Ack

  • Based on some trigger (e.g. polling new RPMs out of COPR, or there's a new quay.io/fedora/fedora-coreos:stable image published), start this job
  • Do a podman build of an image that does FROM: quay.io/fedora/fedora-coreos:stable, and e.g. removes moby, adds the podman RPMs, adds subscription manager, etc...

These two steps are pretty much happening already using https://github.com/containers/podman/blob/main/contrib/podman-next/fcos-podmanimage/Containerfile . This was taken from https://github.com/coreos/layering-examples/tree/main/podman-next .

subscription-manager addition isn't being done yet; I'll defer to @baude on that.

The container images built are pushed to https://quay.io/repository/podman/fcos?tab=tags .

  • Run osbuild to convert the container image into disk images using the same manifests we use (these are currently hosted e.g. here and here, but I think the goal is to move them out). This requires running on a system with full root privileges. For aarch64, GHA was planning to add runners but it's not clear if that has happened yet. Alternatively, you can have a self-hosted runner on e.g. AWS. Nested virt shouldn't be required AIUI since osbuild uses loopbacks instead.
  • Bundle up the disk images into container images and push to the registry

Ack, thanks. I'll look into these two.

For the triggering, probably the simplest is polling and comparing the latest versions of the RPMs and base FCOS image against the latest pushed podman machine images (e.g. you can store the versioning in labels).

Ack. The trigger for the existing action right now is a commit to the main branch of podman followed by a successful rpm build at the podman-next COPR. This is done using https://github.com/packit/wait-for-copr.git . So far, we haven't been checking for image updates at quay.io/fedora/fedora-coreos:stable though IIUC that's part of upcoming work.
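One way to implement the label-based polling trigger suggested in the thread, as an added example that is not part of this PR or of the podman project: it assumes the pushed machine image records the FCOS base version and the podman RPM version under two hypothetical label keys, compares them with the current inputs, and uses a simplified rpmvercmp so that a COPR rollback to an older RPM does not trigger a rebuild.

```python
import json
import re

# Label keys are assumptions for this example; the thread only says to store
# "the versioning in labels" and names no keys.
FCOS_LABEL = "io.podman.machine.fcos-version"
PODMAN_LABEL = "io.podman.machine.podman-version"


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version compare returning -1, 0 or 1: numeric vs alphabetic
    segments plus the '~' pre-release marker; not the full rpmvercmp() algorithm."""
    sa, sb = re.findall(r"~|\d+|[A-Za-z]+", a), re.findall(r"~|\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):                      # '~' sorts before anything else
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():         # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    # Extra segments make the longer version newer, unless they start with '~'.
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def rebuild_decision(machine_inspect_json: str, fcos_version: str, podman_version: str):
    """Given `skopeo inspect`-style JSON of the latest pushed machine image plus the
    current FCOS base version and COPR podman version, return (rebuild, reason)."""
    labels = json.loads(machine_inspect_json).get("Labels") or {}
    built_fcos, built_podman = labels.get(FCOS_LABEL), labels.get(PODMAN_LABEL)
    if built_fcos is None or built_podman is None:
        return True, "latest machine image carries no provenance labels"
    if built_fcos != fcos_version:
        return True, f"FCOS base changed: {built_fcos} -> {fcos_version}"
    cmp = rpmvercmp(podman_version, built_podman)
    if cmp > 0:
        return True, f"newer podman RPM: {built_podman} -> {podman_version}"
    if cmp < 0:  # COPR rollback: do not rebuild onto an older RPM
        return False, f"COPR podman {podman_version} is older than built {built_podman}"
    return False, "latest machine image already matches current inputs"


# Constructed sample of the latest pushed image's inspect output (not real data).
SAMPLE_INSPECT = json.dumps({"Name": "quay.io/podman/machine-images", "Labels": {
    FCOS_LABEL: "39.20240210.3.0", PODMAN_LABEL: "5.0.0~rc2-1.20240215gitabc123.fc39"}})
```

In a real poller the JSON would come from `skopeo inspect` of the registry tag and the two current versions from the FCOS stable image and the COPR build.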

run: |
# TBD

- name: Check out code
uses: actions/checkout@v4
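Review bot: the new `Set up cosa` step has an empty body (`run: |` followed only by `# TBD`), so it validates but does nothing, and the thread above already concludes that cosa is not needed; either drop the step or rename it to the osbuild environment setup the discussion describes so the step name does not mislead. The adjacent `pip3 install git+https://github.com/packit/wait-for-copr.git@main` pulls an unpinned branch head into the build job; pinning to a commit keeps the build reproducible.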

Expand Down Expand Up @@ -63,6 +68,12 @@ jobs:
org.opencontainers.image.description=FCOS image with rpms from rhcontainerbot/podman-next copr
org.opencontainers.image.revision=${{ github.sha }}

- name: Build Machine images
run: |
# TBD

- name: Add Machine images to Manifest
# TBD

- name: Echo Outputs
run: |
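Review bot: the `Add Machine images to Manifest` step has neither `run:` nor `uses:` (only the `# TBD` comment), and GitHub rejects a step without one of them at workflow validation, so the whole workflow fails to load; give it a `run: |` placeholder like the `Build Machine images` step above until the real command exists.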
103 changes: 103 additions & 0 deletions .github/workflows/machine-images.yml
@@ -0,0 +1,103 @@
workflow_dispatch: false

name: MACHINE IMAGE TRIAL

on:
pull_request:
branches:
- main

env:
MANIFEST_ADD_ARGS: --artifact --artifact-type="" --artifact-config-type="application/vnd.oci.image.config.v1+json" --artifact-layer-type=application/vnd.oci.image.layer.v1.tar --os=linux --arch=x86_64

defaults:
run:
shell: bash -l {0}

jobs:
build:
runs-on: ubuntu-latest

steps:
- name: Install qemu dependency
run: |
sudo apt update
sudo apt -y install qemu-user-static

- name: Delete hostedtoolcache
run: rm -rf /opt/hostedtoolcache

- name: Check out code
uses: actions/checkout@v4

- name: Pull coreos-assembler image
run: podman pull quay.io/coreos-assembler/coreos-assembler

- name: create fcos work dir
run: mkdir ./fcos

- name: Cosa init
run: |
source ./contrib/podman-next/fcos-podmanimage/cosa-snippet
cd fcos
cosa init --branch podman-next https://github.com/lsm5/fedora-coreos-config

- name: Cosa Fetch
run: |
source ./contrib/podman-next/fcos-podmanimage/cosa-snippet
cd fcos
cosa fetch --update-lockfile

- name: Cosa Build Qcow2
run: |
source ./contrib/podman-next/fcos-podmanimage/cosa-snippet
cd fcos
cosa build

- name: Cosa Build Hyperv
run: |
source ./contrib/podman-next/fcos-podmanimage/cosa-snippet
cd fcos
cosa buildextend-hyperv

- name: Cosa Build Applehv
run: |
source ./contrib/podman-next/fcos-podmanimage/cosa-snippet
cd fcos
cosa buildextend-applehv

- name: Cosa Compress Qcow2
run: |
source ./contrib/podman-next/fcos-podmanimage/cosa-snippet
cd fcos
cosa compress

- name: Create manifest
run: buildah manifest create quay.io/podman/machine-images:5.0

- name: Add Qcow2 to manifest
run: |
cd ./fcos/builds/latest/x86_64
echo "QCOW_IMAGE_X86_64=$(ls | grep qcow2.xz)" >> $GITHUB_ENV
buildah manifest add --artifact --artifact-type="" --artifact-config-type="application/vnd.oci.image.config.v1+json" --artifact-layer-type=application/vnd.oci.image.layer.v1.tar --os=linux --arch=x86_64 --annotation "disktype=qemu" quay.io/podman/machine-images:5.0 ${{ env.QCOW_IMAGE }}

- name: Add Applehv to manifest
run: |
cd ./fcos/builds/latest/x86_64
echo "APPLEHV_IMAGE=$(ls | grep applehv.x86_64.raw.gz)" >> $GITHUB_ENV
buildah manifest add --artifact --artifact-type="" --artifact-config-type="application/vnd.oci.image.config.v1+json" --artifact-layer-type=application/vnd.oci.image.layer.v1.tar --os=linux --arch=x86_64 --annotation "disktype=applehv" quay.io/podman/machine-images:5.0 ${{ env.APPLEHV_IMAGE }}

- name: Add Hyperv to manifest
run: |
cd ./fcos/builds/latest/x86_64
echo "HYPERV_IMAGE=$(ls | grep hyperv.x86_64.vhdx.zip)" >> $GITHUB_ENV
buildah manifest add --artifact --artifact-type="" --artifact-config-type="application/vnd.oci.image.config.v1+json" --artifact-layer-type=application/vnd.oci.image.layer.v1.tar --os=linux --arch=x86_64 --annotation "disktype=hyperv" quay.io/podman/machine-images:5.0 ${{ env.HYPERV_IMAGE }}

- name: Push to Quay
uses: redhat-actions/push-to-registry@v2
with:
image: machine-images
tags: 5.0
registry: quay.io/podman
username: ${{ secrets.QUAY_PODMAN_USERNAME }}
password: ${{ secrets.QUAY_PODMAN_PASSWORD }}
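Review bot: the three `manifest add` steps cannot work as written: `Add Qcow2 to manifest` exports `QCOW_IMAGE_X86_64` but then references `${{ env.QCOW_IMAGE }}`, and in all three steps the variable is written to `$GITHUB_ENV` in the same step that reads it, while `${{ env.* }}` expressions are evaluated before the step's shell starts, so they expand to empty strings. Use a shell variable inside the step (`img=$(ls *.qcow2.xz)` then `buildah manifest add ... "$img"`) or split the export and the add into separate steps. Further points: `workflow_dispatch: false` is not a valid top-level key (it belongs under `on:`), so the file fails validation; `MANIFEST_ADD_ARGS` is defined but never used while its contents are repeated inline three times; the workflow triggers on `pull_request` yet pushes to `quay.io/podman/machine-images:5.0` with the production Quay credentials, so merely opening a PR would overwrite the release tag (and PRs from forks receive no secrets and fail at the push); `cosa init` points at a personal fork (`lsm5/fedora-coreos-config`, branch `podman-next`) and the coreos-assembler image is pulled without a tag, so the build inputs are neither pinned nor under project control; and `--arch=x86_64` is hard-coded although the other workflow sets `IMAGE_ARCHS: amd64, arm64`.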
97 changes: 97 additions & 0 deletions .github/workflows/new-machine-image.yml
@@ -0,0 +1,97 @@
name: MACHINE IMAGE FROM FCOS IAMGE

on:
pull_request:
branches:
main

env:
IMAGE_NAME: fcos
MACHINE_IMAGE_NAME: machine-images
# IMAGE_ARCHS has to be comma separated
IMAGE_ARCHS: amd64, arm64
IMAGE_REGISTRY: quay.io/podman
COPR_OWNER: rhcontainerbot
COPR_PROJECT: podman-next

jobs:
fcos-podman-next-image-build:
runs-on: ubuntu-latest

steps:
- name: Install qemu dependency
run: |
sudo apt update
sudo apt -y install qemu-user-static

- name: Set up wait-for-copr
# Do not run on scheduled nightly builds
if: ${{ github.event_name != 'schedule' }}
run: |
pip3 install git+https://github.com/packit/wait-for-copr.git@main

- name: Check out code
uses: actions/checkout@v4

- name: Get short SHA from HEAD
#run: echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
# USE A KNOWN BUILT COMMIT FOR TESTING
run: echo "SHORT_SHA=f756e5db6" >> "$GITHUB_ENV"
id: short_sha

- name: Wait for successful podman-next build with the latest commit
# Do not run on scheduled nightly builds
if: ${{ github.event_name != 'schedule' }}
run: |
# TODO: add this in the Containerfile itself or as a --build-arg
wait-for-copr --owner ${{ env.COPR_OWNER }} --project ${{ env.COPR_PROJECT }} podman ${{ env.SHORT_SHA }}
echo "podman-next build with ${{ env.SHORT_SHA }} successful."

- name: Build FCOS Image
id: build_image_multiarch
# Ref: https://github.com/redhat-actions/buildah-build
uses: redhat-actions/buildah-build@v2
with:
image: ${{ env.IMAGE_NAME }}
tags: ${{ env.COPR_PROJECT }} podman-${{ env.SHORT_SHA }}
archs: ${{ env.IMAGE_ARCHS }}
containerfiles: ./contrib/podman-next/fcos-podmanimage/Containerfile
labels: |
org.opencontainers.image.title=fcos-podman-next image
org.opencontainers.image.source=https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/contrib/podman-next/fcos-podmanimage/Containerfile
org.opencontainers.image.url=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
org.opencontainers.image.description=FCOS image with rpms from rhcontainerbot/podman-next copr
org.opencontainers.image.revision=${{ github.sha }}

#- name: Echo Outputs
#run: |
#echo "Image: ${{ steps.build_image_multiarch.outputs.image }}"
#echo "Tags: ${{ steps.build_image_multiarch.outputs.tags }}"
#echo "Tagged Image: ${{ steps.build_image_multiarch.outputs.image-with-tag }}"

#- name: Check images created
#run: buildah images | grep '${{ env.IMAGE_NAME }}'

#- name: Check image metadata
#run: |
#set -x
# COPR_PROJECT envvar is used for the `podman-next` floating tag
#buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:${{ env.COPR_PROJECT }} | jq ".OCIv1.architecture"
#buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:${{ env.COPR_PROJECT }} | jq ".Docker.architecture"
#buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:podman-${{ env.SHORT_SHA }} | jq ".OCIv1.architecture"
#buildah inspect ${{ steps.build_image_multiarch.outputs.image }}:podman-${{ env.SHORT_SHA }} | jq ".Docker.architecture"

#- name: Run image
#run: podman run --privileged --rm ${{ steps.build_image_multiarch.outputs.image-with-tag }} podman system info


#- name: Push to Quay
#id: push-to-quay
# Ref: https://github.com/redhat-actions/push-to-registry
#uses: redhat-actions/push-to-registry@v2
#with:
# image: ${{ env.MACHINE_IMAGE_NAME }}
# tags: ${{ steps.build_image_multiarch.outputs.tags }}
# registry: ${{ env.IMAGE_REGISTRY }}
# username: ${{ secrets.QUAY_PODMAN_USERNAME }}
# password: ${{ secrets.QUAY_PODMAN_PASSWORD }}
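Review bot: `Get short SHA from HEAD` hard-codes `SHORT_SHA=f756e5db6` with the real `git rev-parse --short HEAD` commented out (`USE A KNOWN BUILT COMMIT FOR TESTING`), so every run would wait on and build the same old COPR build regardless of the PR's actual commit; restore the rev-parse line before this is merged. Also, the workflow name has a typo (`IAMGE`), `MACHINE_IMAGE_NAME` is referenced only from the commented-out push step, and with the check and push steps all commented out the job builds an FCOS container image and discards it, which makes the `MACHINE IMAGE` name misleading; if this is scratch work for the trial, say so in the file or keep it out of the tree.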
18 changes: 18 additions & 0 deletions .github/workflows/try-tmt-gha.yml
@@ -0,0 +1,18 @@
name: TRY TMT GHA

on:
pull_request:
branches:
main

jobs:
fcos-podman-next-image-build:
runs-on: ubuntu-latest

steps:
- name: Schedule test on Testing Farm
uses: sclorg/[email protected]
with:
api_key: ${{ secrets.TF_API_KEY }}
git_url: https://github.com/sclorg/sclorg-testing-farm
pull_request_status_name: "TEST"
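Review bot: `git_url` points at `https://github.com/sclorg/sclorg-testing-farm` rather than this repository, so the scheduled Testing Farm run would exercise sclorg's example repo, not podman; point it at this repository (for example via `${{ github.repository }}`) together with the PR's ref if the intent is to test the PR. The action is pinned to the tag `v2.0.0` rather than a commit SHA, and the job id `fcos-podman-next-image-build` is copied from the other workflow and does not describe what this job does.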
78 changes: 39 additions & 39 deletions .packit.yaml
Expand Up @@ -14,54 +14,54 @@ actions:
- "bash .packit.sh"

jobs:
- job: copr_build
trigger: pull_request
notifications:
failure_comment:
message: "Ephemeral COPR build failed. @containers/packit-build please check."
enable_net: true
targets:
- fedora-all-x86_64
- fedora-all-aarch64
- fedora-eln-x86_64
- fedora-eln-aarch64
- centos-stream+epel-next-8-x86_64
- centos-stream+epel-next-8-aarch64
- centos-stream+epel-next-9-x86_64
- centos-stream+epel-next-9-aarch64
additional_repos:
- "copr://rhcontainerbot/podman-next"
# - job: copr_build
# trigger: pull_request
# #notifications:
#failure_comment:
# message: "Ephemeral COPR build failed. @containers/packit-build please check."
# enable_net: true
#targets:
#- fedora-all-x86_64
#- fedora-all-aarch64
#- fedora-eln-x86_64
# - fedora-eln-aarch64
#- centos-stream+epel-next-8-x86_64
#- centos-stream+epel-next-8-aarch64
# - centos-stream+epel-next-9-x86_64
#- centos-stream+epel-next-9-aarch64
#additional_repos:
# - "copr://rhcontainerbot/podman-next"

# Run on commit to main branch
- job: copr_build
trigger: commit
notifications:
failure_comment:
message: "podman-next COPR build failed. @containers/packit-build please check."
#notifications:
#failure_comment:
# message: "podman-next COPR build failed. @containers/packit-build please check."
branch: main
owner: rhcontainerbot
project: podman-next
enable_net: true

- job: tests
identifier: cockpit-revdeps
trigger: pull_request
notifications:
failure_comment:
message: "Cockpit tests failed for commit {commit_sha}. @martinpitt, @jelly, @mvollmer please check."
targets:
- fedora-latest-stable
- fedora-development
tf_extra_params:
environments:
- artifacts:
- type: repository-file
id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo
- type: repository-file
id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
tmt:
context:
revdeps: "yes"
# - job: tests
#identifier: cockpit-revdeps
#trigger: pull_request
#notifications:
#failure_comment:
# message: "Cockpit tests failed for commit {commit_sha}. @martinpitt, @jelly, @mvollmer please check."
#targets:
#- fedora-latest-stable
#- fedora-development
#tf_extra_params:
# environments:
# - artifacts:
# - type: repository-file
# id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo
# - type: repository-file
#id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
#tmt:
#context:
# revdeps: "yes"

- job: propose_downstream
trigger: release
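Review bot: this hunk comments out the `pull_request` COPR build job, the failure notification on the `commit` COPR build, and the cockpit revdeps tests; if the intent is only to keep Packit quiet while the machine-image workflows are trialled, all three must be restored before merge, otherwise PRs lose their ephemeral COPR builds and the cockpit regression signal, and failures of the main-branch podman-next build go unreported. A trial like this is better done on a branch or by narrowing Packit's triggers than by landing a commented-out config in main.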