Add pki-builder image

The pki-builder image has been added to build the RPM packages. The pki-runner image has been modified to use the RPM packages built by pki-builder. The CI workflows have been modified to no longer build the RPM packages directly since it will be built automatically when the pki-runner is built. The rpminspect test has been modified to run the test inside pki-builder container since it already contains the RPM packages and the test scripts. The .dockerignore has been added to prevent container image tarballs from being included in subsequent builds.
dogtagpki · Sep 23, 2022 · 15aa3c8 · 15aa3c8
1 parent 9296222
commit 15aa3c8
Show file tree

Hide file tree

Showing 16 changed files with 77 additions and 148 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,6 @@
+pki-acme.tar
+pki-builder.tar
+pki-ca.tar
+pki-runner.tar
+pki-server.tar
+ipa-runner.tar
diff --git a/.github/workflows/acme-tests.yml b/.github/workflows/acme-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server,ca,acme --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -48,20 +48,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/ca-tests.yml b/.github/workflows/ca-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server,ca,tests --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/ca-tests2.yml b/.github/workflows/ca-tests2.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server,ca,tests --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/kra-tests.yml b/.github/workflows/kra-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server,ca,kra,tests --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/ocsp-tests.yml b/.github/workflows/ocsp-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server,ca,ocsp,tests --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server,tests --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/qe-tests.yml b/.github/workflows/qe-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/rpminspect-test.yml b/.github/workflows/rpminspect-test.yml
@@ -11,25 +11,47 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
-    container: registry.fedoraproject.org/fedora:${{ inputs.os }}
     env:
       SHARED: /tmp/workdir/pki
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Download PKI packages
-        uses: actions/download-artifact@v2
+      - name: Retrieve builder image
+        uses: actions/cache@v3
         with:
-          name: pki-build-${{ inputs.os }}
-          path: |
-            build/
+          key: pki-tools-builder-${{ inputs.os }}-${{ github.run_id }}
+          path: pki-builder.tar
+
+      - name: Load builder image
+        run: docker load --input pki-builder.tar
+
+      - name: Set up builder container
+        run: |
+          docker run \
+              --name=builder \
+              --privileged \
+              --detach \
+              pki-builder
+
+          while :
+          do
+              docker exec builder echo "Container is ready" && break
+              echo "Waiting for container..."
+              sleep 1
+              [ $((++i)) -ge 30 ] && exit 1
+          done
+
+      - name: Check builder container logs
+        if: always()
+        run: |
+          docker logs builder
 
       - name: Install rpminspect
         run: |
-          dnf install -y dnf-plugins-core rpm-build findutils
-          dnf copr enable -y copr.fedorainfracloud.org/dcantrell/rpminspect
-          dnf install -y rpminspect rpminspect-data-fedora
+          docker exec builder dnf copr enable -y copr.fedorainfracloud.org/dcantrell/rpminspect
+          docker exec builder dnf install -y rpminspect rpminspect-data-fedora
+
       - name: Run rpminspect on SRPM and RPMs
         run: |
-          tests/bin/rpminspect.sh
+          docker exec builder tests/bin/rpminspect.sh
diff --git a/.github/workflows/server-tests.yml b/.github/workflows/server-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/sonarcloud-pull.yml b/.github/workflows/sonarcloud-pull.yml
@@ -115,15 +115,6 @@ jobs:
           git fetch pki
           git rebase pki/${{ needs.retrieve-pr.outputs.pr-base }}
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/tks-tests.yml b/.github/workflows/tks-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server,ca,tks --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/.github/workflows/tools-tests.yml b/.github/workflows/tools-tests.yml
@@ -30,30 +30,29 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-timestamp --work-dir=build rpm
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
 
-      - name: Upload PKI packages
-        uses: actions/upload-artifact@v2
+      - name: Build builder image
+        uses: docker/build-push-action@v2
         with:
-          name: pki-build-${{ matrix.os }}
-          path: |
-            build/RPMS/
-            build/SRPMS/
+          context: .
+          build-args: |
+            OS_VERSION=${{ matrix.os }}
+            COPR_REPO=${{ needs.init.outputs.repo }}
+          tags: pki-builder
+          target: pki-builder
+          outputs: type=docker,dest=pki-builder.tar
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+      - name: Store builder image
+        uses: actions/cache@v3
+        with:
+          key: pki-tools-builder-${{ matrix.os }}-${{ github.run_id }}
+          path: pki-builder.tar
 
       - name: Build runner image
         uses: docker/build-push-action@v2

diff --git a/.github/workflows/tps-tests.yml b/.github/workflows/tps-tests.yml
@@ -30,20 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
-    container: registry.fedoraproject.org/fedora:${{ matrix.os }}
     steps:
       - name: Clone repository
         uses: actions/checkout@v2
 
-      - name: Install dependencies
-        run: |
-          dnf install -y dnf-plugins-core rpm-build moby-engine
-          dnf copr enable -y ${{ needs.init.outputs.repo }}
-          dnf builddep -y --allowerasing --spec ./pki.spec --nogpgcheck
-
-      - name: Build PKI packages
-        run: ./build.sh --with-pkgs=base,server,ca,kra,tks,tps --with-timestamp --work-dir=build rpm
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
 

diff --git a/Dockerfile b/Dockerfile
@@ -23,6 +23,27 @@ RUN dnf install -y systemd \
 
 CMD [ "/usr/sbin/init" ]
 
+################################################################################
+FROM fedora-runner AS pki-builder
+
+ARG COPR_REPO
+
+# Enable COPR repo if specified
+RUN if [ -n "$COPR_REPO" ]; then dnf install -y dnf-plugins-core; dnf copr enable -y $COPR_REPO; fi
+
+# Install packages
+RUN dnf install -y rpm-build
+
+# Import PKI sources
+COPY . /root/pki/
+WORKDIR /root/pki
+
+# Install PKI dependencies
+RUN dnf builddep -y --spec pki.spec
+
+# Build and install PKI packages
+RUN ./build.sh --work-dir=build rpm
+
 ################################################################################
 FROM fedora-runner AS pki-runner
 
@@ -31,8 +52,8 @@ ARG COPR_REPO
 # Enable COPR repo if specified
 RUN if [ -n "$COPR_REPO" ]; then dnf install -y dnf-plugins-core; dnf copr enable -y $COPR_REPO; fi
 
-# Import PKI packages
-COPY build/RPMS /tmp/RPMS/
+# Copy PKI packages
+COPY --from=pki-builder /root/pki/build/RPMS/* /tmp/RPMS/
 
 # Install PKI packages
 RUN dnf localinstall -y /tmp/RPMS/* \