feat: Improve Containerfile / enable workflow usage of containerized …
…buildah (tag: v1) (#604)
m0gg authored Jul 18, 2024
1 parent ccd1279 commit 85d2bd8
Showing 6 changed files with 94 additions and 55 deletions.
33 changes: 33 additions & 0 deletions .github/workflows/reusable-build.yml
Expand Up @@ -177,6 +177,39 @@ jobs:
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
# buildah on ubuntu-22.04 builder is pretty dated and the version on
# ubuntu-24.04 misbehaves when using heredocs in Containerfiles
# (as of 2024-07-12)
# this wrapper script mimics toolbx/distrobox behaviour for buildah which
# is invoked by redhat-actions/buildah-build@v2
- name: Install wrapper script for containerized buildah
id: fix-gh-buildah
shell: bash
run: |
cat > /usr/local/bin/buildah <<'EOF'
#!/bin/sh
set -eux
# get local graphroot at runtime
GRAPH_ROOT="$(/usr/bin/buildah info | jq -r '.store.GraphRoot')"
exec podman run --rm \
--privileged \
--net=host \
--cgroups=disabled \
--runtime=crun \
--runtime-flag=cgroup-manager=disabled \
--security-opt=label=disable \
--security-opt=seccomp=unconfined \
--device=/dev/fuse:rw \
-v /home/runner:/home/runner \
-v "$GRAPH_ROOT":/var/lib/containers/storage \
-v "$(pwd):"/builder \
-w /builder \
quay.io/buildah/stable:v1 buildah "$@"
EOF
chmod +x /usr/local/bin/buildah
# Build image using Buildah action
- name: Build Image
id: build_image
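Review bot: The wrapper's `quay.io/buildah/stable:v1 buildah "$@"` line pulls the helper image by a floating tag, so every CI run executes whatever that tag currently resolves to and a build cannot be reproduced or audited later; pinning it as `quay.io/buildah/stable@sha256:<digest-placeholder>` (refreshed by the usual dependency bot) fixes that. The comment block above the step says why the wrapper exists but not why `--privileged`, `--security-opt=label=disable`, `--security-opt=seccomp=unconfined` and the `/home/runner` bind mount are all needed; together they give the build container runner-level access, so a one-line comment such as `# privileged + label/seccomp disabled: needed for nested container storage — TODO confirm each flag is required` would let a later reader drop whichever turns out unnecessary. `set -eux` in the wrapper also traces the full buildah argument list into the job log, so any `--build-arg` that ever carries a secret through this wrapper will be printed; `set -eu` is enough once the step is stable. Finally `-v "$(pwd):"/builder` works but the quote placement reads like a slip; `-v "$(pwd)":/builder` is clearer.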
63 changes: 34 additions & 29 deletions Containerfile
@@ -1,39 +1,44 @@
ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
ARG SOURCE_IMAGE="${SOURCE_IMAGE:-silverblue}"
ARG SOURCE_ORG="${SOURCE_ORG:-fedora-ostree-desktops}"
ARG IMAGE_NAME=silverblue
ARG SOURCE_IMAGE=silverblue
ARG SOURCE_ORG=fedora-ostree-desktops
ARG BASE_IMAGE="quay.io/${SOURCE_ORG}/${SOURCE_IMAGE}"
ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
ARG KERNEL_VERSION="${KERNEL_VERSION:-6.9.7-200.fc40.x86_64}"
ARG FEDORA_MAJOR_VERSION=40
ARG KERNEL_VERSION=6.9.7-200.fc40.x86_64

# workaround for selinux denying direct access to mounted buildcontext
FROM scratch AS ctx
COPY / /

FROM ghcr.io/ublue-os/config:latest AS config
FROM ghcr.io/ublue-os/akmods:main-${FEDORA_MAJOR_VERSION} AS akmods
FROM ghcr.io/ublue-os/main-kernel:${KERNEL_VERSION} AS kernel

FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION}

ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
ARG RPMFUSION_MIRROR="${:-}"
ARG KERNEL_VERSION="${KERNEL_VERSION:-6.9.7-200.fc40.x86_64}"

COPY github-release-install.sh \
install.sh \
post-install.sh \
packages.sh \
packages.json \
/tmp/
ARG IMAGE_NAME=silverblue
ARG FEDORA_MAJOR_VERSION=40
ARG RPMFUSION_MIRROR=
ARG KERNEL_VERSION=6.9.7-200.fc40.x86_64

COPY --from=config /rpms /tmp/rpms
COPY --from=akmods /rpms/ublue-os /tmp/rpms
COPY --from=kernel /tmp/rpms /tmp/kernel-rpms
COPY sys_files/usr /usr

RUN mkdir -p /var/lib/alternatives && \
/tmp/install.sh && \
/tmp/post-install.sh && \
mv /var/lib/alternatives /staged-alternatives && \
rm -rf /tmp/* /var/* && \
ostree container commit && \
mkdir -p /var/lib && mv /staged-alternatives /var/lib/alternatives && \
mkdir -p /tmp /var/tmp && \
chmod -R 1777 /tmp /var/tmp
RUN --mount=type=bind,from=ctx,source=/,target=/buildcontext \
--mount=type=bind,from=config,source=/rpms,target=/rpms/config \
--mount=type=bind,from=akmods,source=/rpms,target=/rpms/akmods \
--mount=type=bind,from=kernel,source=/tmp/rpms,target=/rpms/kernel \
<<EOF
set -eux

export RPMS_DIR="/rpms"
export BUILDCONTEXT_DIR="/buildcontext"

mkdir -p /var/lib/alternatives
/buildcontext/install.sh
/buildcontext/post-install.sh
mv /var/lib/alternatives /staged-alternatives
rm -rf /tmp/* /var/*
ostree container commit
mkdir -p /var/lib
mv /staged-alternatives /var/lib/alternatives
mkdir -p /tmp /var/tmp
chmod -R 1777 /tmp /var/tmp
EOF
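Review bot: The `--mount=type=bind,from=ctx,source=/,target=/buildcontext` line exposes the entire build context to the install scripts, where the removed `COPY` listed exactly five files; everything else committed beside the Containerfile (including `.github/`) is now readable during the build. If that widening is intended, say so on the mount line, e.g. `# whole build context is bind-mounted (read-only unless rw is given, I believe) so install.sh & co. run in place`; otherwise a narrower `source=` keeps the previous surface. The heredoc after `<<EOF` has no interpreter line, so its body runs under the image's default shell rather than bash; `set -eux` is valid there, but a comment such as `# runs under the default shell; bash-only scripts are executed via their own shebang` would make that explicit, given packages.sh and post-install.sh are switched to bash in this same commit.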
3 changes: 3 additions & 0 deletions github-release-install.sh
Expand Up @@ -45,6 +45,9 @@ set -ouex pipefail
API_JSON=$(mktemp /tmp/api-XXXXXXXX.json)
API="https://api.github.com/repos/${ORG_PROJ}/releases/${RELTAG}"

# ensure deletion of api json tempfile
trap "[[ -f '$API_JSON' ]] && rm -v '$API_JSON'" EXIT

# retry up to 5 times with 5 second delays for any error included HTTP 404 etc
curl --fail --retry 5 --retry-delay 5 --retry-all-errors -sL ${API} -o ${API_JSON}
RPM_URLS=$(cat ${API_JSON} \
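Review bot: The new `trap "[[ -f '$API_JSON' ]] && rm -v '$API_JSON'" EXIT` bakes the path into the command string at definition time and wraps the removal in a conditional list; the equivalent idiom `trap 'rm -f -- "$API_JSON"' EXIT` expands when the trap fires, cannot fail on an already-missing file, and does not depend on the temp path containing no single quote. Keeping the existing `# ensure deletion of api json tempfile` comment above it is enough. The script's header, including the `set -ouex pipefail` line shown in the hunk context, lies above this hunk.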
35 changes: 15 additions & 20 deletions install.sh
Expand Up @@ -6,36 +6,31 @@ RELEASE="$(rpm -E %fedora)"
KERNEL_SUFFIX=""
QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(|'"$KERNEL_SUFFIX"'-)(\d+\.\d+\.\d+)' | sed -E 's/kernel-(|'"$KERNEL_SUFFIX"'-)//')"

RPMFUSION_MIRROR_RPMS="https://mirrors.rpmfusion.org"
if [ -n "${RPMFUSION_MIRROR}" ]; then
RPMFUSION_MIRROR_RPMS=${RPMFUSION_MIRROR}
fi

curl -Lo /tmp/rpms/rpmfusion-free-release-"${RELEASE}".noarch.rpm "${RPMFUSION_MIRROR_RPMS}"/free/fedora/rpmfusion-free-release-"${RELEASE}".noarch.rpm
curl -Lo /tmp/rpms/rpmfusion-nonfree-release-"${RELEASE}".noarch.rpm "${RPMFUSION_MIRROR_RPMS}"/nonfree/fedora/rpmfusion-nonfree-release-"${RELEASE}".noarch.rpm
RPMFUSION_MIRROR_RPMS="${RPMFUSION_MIRROR:-https://mirrors.rpmfusion.org}"

curl -Lo /etc/yum.repos.d/_copr_ublue-os_staging.repo https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${RELEASE}"/ublue-os-staging-fedora-"${RELEASE}".repo
curl -Lo /etc/yum.repos.d/_copr_kylegospo_oversteer.repo https://copr.fedorainfracloud.org/coprs/kylegospo/oversteer/repo/fedora-"${RELEASE}"/kylegospo-oversteer-fedora-"${RELEASE}".repo
curl -fSsLo /etc/yum.repos.d/_copr_ublue-os_staging.repo https://copr.fedorainfracloud.org/coprs/ublue-os/staging/repo/fedora-"${RELEASE}"/ublue-os-staging-fedora-"${RELEASE}".repo
curl -fSsLo /etc/yum.repos.d/_copr_kylegospo_oversteer.repo https://copr.fedorainfracloud.org/coprs/kylegospo/oversteer/repo/fedora-"${RELEASE}"/kylegospo-oversteer-fedora-"${RELEASE}".repo

rpm-ostree install \
/tmp/rpms/*.rpm \
fedora-repos-archive
fedora-repos-archive \
"${RPMFUSION_MIRROR_RPMS}/free/fedora/rpmfusion-free-release-${RELEASE}.noarch.rpm" \
"${RPMFUSION_MIRROR_RPMS}/nonfree/fedora/rpmfusion-nonfree-release-${RELEASE}.noarch.rpm"
find "$RPMS_DIR"/{config,akmods/ublue-os} -type f -name "*.rpm" -print0 | xargs -0 rpm-ostree install

# Handle Kernel Skew with override replace
rpm-ostree cliwrap install-to-root /
if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
echo "Installing signed kernel from kernel-cache."
cd /tmp/kernel-rpms
rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv
cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
cd /
tmpdir="$(mktemp -d)"
rpm2cpio "$RPMS_DIR"/kernel/kernel-core-*.rpm | ( cd "$tmpdir"; cpio -idmv )
cp "$tmpdir"/lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
else
echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
rpm-ostree override replace \
--experimental \
/tmp/kernel-rpms/kernel-[0-9]*.rpm \
/tmp/kernel-rpms/kernel-core-*.rpm \
/tmp/kernel-rpms/kernel-modules-*.rpm
"$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
"$RPMS_DIR"/kernel/kernel-core-*.rpm \
"$RPMS_DIR"/kernel/kernel-modules-*.rpm
fi

if [[ "${FEDORA_MAJOR_VERSION}" -ge 39 ]]; then
Expand All @@ -59,10 +54,10 @@ if [ -n "${RPMFUSION_MIRROR}" ]; then
fi

# run common packages script
/tmp/packages.sh
"$BUILDCONTEXT_DIR/packages.sh"

## install packages direct from github
/tmp/github-release-install.sh sigstore/cosign x86_64
"$BUILDCONTEXT_DIR/github-release-install.sh" sigstore/cosign x86_64

if [ -n "${RPMFUSION_MIRROR}" ]; then
# reset forced use of single rpmfusion mirror
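Review bot: `find "$RPMS_DIR"/{config,akmods/ublue-os} -type f -name "*.rpm" -print0 | xargs -0 rpm-ostree install` runs `rpm-ostree install` with no package arguments when `find` matches nothing, because GNU xargs invokes the command once even on empty input; `xargs -0 -r rpm-ostree install` (`--no-run-if-empty`) or an explicit match-count check turns a missing RPM directory into a clear failure instead of a confusing rpm-ostree error. The `tmpdir="$(mktemp -d)"` used for the kernel-core extraction is never removed inside this script; that is presumably acceptable only because the Containerfile's `rm -rf /tmp/*` runs afterwards, and a comment such as `# not cleaned up here: the Containerfile wipes /tmp after this script` would stop someone adding a trap later without checking. This hunk starts below the script's shebang and `set` line, so whether `pipefail` is active (which decides whether a failing `find` aborts the pipeline) is not visible here.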
13 changes: 8 additions & 5 deletions packages.sh
@@ -1,18 +1,21 @@
#!/bin/sh
#!/usr/bin/bash

set -ouex pipefail

RELEASE="$(rpm -E %fedora)"
PACKAGE_JSON_PATH="$BUILDCONTEXT_DIR/packages.json"

declare -a INCLUDED_PACKAGES
declare -a EXCLUDED_PACKAGES

# build list of all packages requested for inclusion
INCLUDED_PACKAGES=($(jq -r "[(.all.include | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
(select(.\"$FEDORA_MAJOR_VERSION\" != null).\"$FEDORA_MAJOR_VERSION\".include | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
| sort | unique[]" /tmp/packages.json))
| sort | unique[]" "$PACKAGE_JSON_PATH"))

# build list of all packages requested for exclusion
EXCLUDED_PACKAGES=($(jq -r "[(.all.exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
(select(.\"$FEDORA_MAJOR_VERSION\" != null).\"$FEDORA_MAJOR_VERSION\".exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
| sort | unique[]" /tmp/packages.json))
| sort | unique[]" "$PACKAGE_JSON_PATH"))


# ensure exclusion list only contains packages already present on image
Expand Down Expand Up @@ -40,7 +43,7 @@ fi
# (this can happen if an included package pulls in a dependency)
EXCLUDED_PACKAGES=($(jq -r "[(.all.exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[]), \
(select(.\"$FEDORA_MAJOR_VERSION\" != null).\"$FEDORA_MAJOR_VERSION\".exclude | (.all, select(.\"$IMAGE_NAME\" != null).\"$IMAGE_NAME\")[])] \
| sort | unique[]" /tmp/packages.json))
| sort | unique[]" "$PACKAGE_JSON_PATH"))

if [[ "${#EXCLUDED_PACKAGES[@]}" -gt 0 ]]; then
EXCLUDED_PACKAGES=($(rpm -qa --queryformat='%{NAME} ' ${EXCLUDED_PACKAGES[@]}))
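Review bot: `PACKAGE_JSON_PATH="$BUILDCONTEXT_DIR/packages.json"` makes the script depend on a variable that only the Containerfile's RUN step exports; under `set -u` an unset value aborts with bash's generic unbound-variable message, so an explicit `: "${BUILDCONTEXT_DIR:?must be exported by the Containerfile RUN step}"` above it documents the contract and gives a readable error when the script is run by hand. Now that the shebang is `#!/usr/bin/bash`, the `INCLUDED_PACKAGES=($(jq -r ... ))` array construction on the context lines could become `mapfile -t INCLUDED_PACKAGES < <(jq -r ... "$PACKAGE_JSON_PATH")`, which avoids glob expansion of package names; that is pre-existing code, so a follow-up is fine. `$IMAGE_NAME` and `$FEDORA_MAJOR_VERSION` are interpolated into the jq program text rather than passed with `--arg`; build args are trusted here, but `--arg` keeps the filter robust to odd values. The same file-path substitution is repeated in the second hunk at `@@ -40,7 +43,7 @@` and the same remarks apply there.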
2 changes: 1 addition & 1 deletion post-install.sh
@@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/bash

set -ouex pipefail

