From 6aa7dcc2875bd5a6e59d8dcde7cdc359c0687a1e Mon Sep 17 00:00:00 2001
From: Justin Kromlinger
Date: Thu, 15 Jun 2023 11:38:19 +0200
Subject: [PATCH] Replace kaniko with podman

Resolves #71, fixes #70.
---
.gitlab-ci.yml | 64 +++++++++++++++++++++++++++++---------------------
Makefile | 14 ++++++-----
README.md | 8 +++---
3 files changed, 49 insertions(+), 37 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 108c1e0..5ee42da 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -91,16 +91,15 @@ rootfs:secure:
.image:
stage: image
- image:
- name: gcr.io/kaniko-project/executor:v1.11.0-debug
- entrypoint: [""]
+ image: docker:stable
+ tags:
+ - vm
script:
- - /kaniko/executor
- --force
- --ignore-var-run="false"
- --context $CI_PROJECT_DIR/output
- --dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
- --destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG
+ - podman build
+ -f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP"
+ -t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
+ "$CI_PROJECT_DIR/output"
+ - podman push "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"

image:build:
extends: .image
@@ -113,12 +112,13 @@ image:build:
matrix:
- GROUP: [base, base-devel]
before_script:
- - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+ - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"

image:build:secure:
extends: .image
tags:
- secure
+ - vm
only:
- master
- schedules
@@ -128,7 +128,7 @@ image:build:secure:
matrix:
- GROUP: [base, base-devel]
before_script:
- - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json
+ - podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY"

# Build and publish to the Arch Linux group namespaces:
# https://hub.docker.com/r/archlinux/archlinux
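Review bot: In the `.image` template, `image: docker:stable` is now paired with `podman build` and `podman push`, but that image ships the docker CLI, not podman, so as written the job only works if the runner selected by `tags: - vm` ignores the `image:` key (a shell or VM executor) and podman is installed on the VM itself. If that is the intent, make it explicit so nobody later "fixes" it by moving the job to a container executor, e.g. add `# image: is ignored by the vm runner; podman comes from the VM` above the `image:` line, or drop `image:` altogether. The same assumption applies to every job that `extends: .image`.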
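Review bot: `podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"` passes the secret as a command-line argument, where it is readable from the process list of the shared VM and from any shell trace; prefer `echo "$CI_REGISTRY_PASSWORD" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. The same applies to the `$GITLAB_PROJECT_TOKEN` login in the `image:build:secure` hunk and to the Docker Hub and Quay logins in the `image:publish:secure` hunk. Since the new `vm` tag presumably selects a runner that persists between jobs, the credentials `podman login` writes to its auth file outlive the job unless removed; an `after_script: - podman logout --all` on the `.image` template would clear them regardless of how the job ends.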
@@ -138,28 +138,35 @@ image:publish:secure:
retry: 2
tags:
- secure
+ - vm
only:
- tags
parallel:
matrix:
- GROUP: [base, base-devel]
before_script:
- - echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKERHUB_USERNAME\",\"password\":\"$DOCKERHUB_ACCESS_TOKEN\"}, \"quay.io\":{\"username\":\"$QUAY_USERNAME\",\"password\":\"$QUAY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+ - podman login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_ACCESS_TOKEN" "docker.io"
+ - podman login -u "$QUAY_USERNAME" -p "$QUAY_PASSWORD" "quay.io"
script:
- - LATEST=""
+ - podman build
+ -f "$CI_PROJECT_DIR/Dockerfile.$GROUP"
+ -t "archlinux:$GROUP-$BUILD_VERSION"
+ "$CI_PROJECT_DIR"
+ - podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:$GROUP"
+ - podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+ - podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:$GROUP"
+ - podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+ - podman push "docker.io/archlinux/archlinux:$GROUP"
+ - podman push "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+ - podman push "quay.io/archlinux/archlinux:$GROUP"
+ - podman push "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
- if [[ "$GROUP" == "base" ]]; then
- LATEST="--destination docker.io/archlinux/archlinux:latest --destination quay.io/archlinux/archlinux:latest";
+ docker tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:latest";
+ docker tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:latest";
+ docker push "docker.io/archlinux/archlinux:latest";
+ docker push "quay.io/archlinux/archlinux:latest";
fi
- - /kaniko/executor
- --force
- --ignore-var-run="false"
- --context $CI_PROJECT_DIR
- --dockerfile $CI_PROJECT_DIR/Dockerfile.$GROUP
- --destination docker.io/archlinux/archlinux:$GROUP
- --destination docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION
- --destination quay.io/archlinux/archlinux:$GROUP
- --destination quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION
- $LATEST
+
.test:
stage: test
@@ -179,8 +186,8 @@ image:publish:secure:
- test "$(cat /etc/passwd | wc -l)" -gt 10
- pacman -Sy
- pacman -Qqk
- - pacman -Syu --noconfirm docker grep
- - docker -v
+ - pacman -Syu --noconfirm podman grep
+ - podman -v
- id -u http
- locale | grep -q UTF-8
@@ -198,6 +205,9 @@ test:base-devel:
- gcc -v
- g++ -v
- make -v
+ - echo "Test for #70"
+ - test -u /usr/bin/sudo
+ - test -u /usr/bin/passwd

release:
stage: release
@@ -278,7 +288,7 @@ release:
dotenv: build.env

# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
-publish:
+publish-dockerhub:
stage: publish
only:
refs:
diff --git a/Makefile b/Makefile
index d381332..83c3210 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-DOCKER=docker
+OCITOOL=podman # or docker
BUILDDIR=$(shell pwd)/build
OUTPUTDIR=$(shell pwd)/output
@@ -64,10 +64,12 @@ $(OUTPUTDIR)/Dockerfile.base: $(OUTPUTDIR)/base.tar.zst
$(OUTPUTDIR)/Dockerfile.base-devel: $(OUTPUTDIR)/base-devel.tar.zst
$(call dockerfile,base-devel)

-.PHONY: docker-image-base
-image-base: $(OUTPUTDIR)/Dockerfile.base
- ${DOCKER} build -f $(OUTPUTDIR)/Dockerfile.base -t archlinux/archlinux:base $(OUTPUTDIR)
+# The following is for local builds only, it is not used by the CI/CD pipeline

-.PHONY: docker-image-base-devel
+.PHONY: oci-image-base
+image-base: $(OUTPUTDIR)/Dockerfile.base
+ ${OCITOOL} build -f $(OUTPUTDIR)/Dockerfile.base -t archlinux/archlinux:base $(OUTPUTDIR)
+
+.PHONY: oci-image-base-devel
image-base-devel: $(OUTPUTDIR)/Dockerfile.base-devel
- ${DOCKER} build -f $(OUTPUTDIR)/Dockerfile.base-devel -t archlinux/archlinux:base-devel $(OUTPUTDIR)
+ ${OCITOOL} build -f $(OUTPUTDIR)/Dockerfile.base-devel -t archlinux/archlinux:base-devel $(OUTPUTDIR)
diff --git a/README.md b/README.md
index 33ed32c..2b60b15 100644
--- a/README.md
+++ b/README.md
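Review bot: The `if [[ "$GROUP" == "base" ]]` block in `image:publish:secure` still calls `docker tag` and `docker push` while every other step of the job uses `podman`, so the `latest` tags are pushed through a different tool whose credential store the preceding `podman login` calls never populated, and on a VM that has only podman the commands fail outright; the tagged image was also built into podman's local storage, not docker's. Replace `docker` with `podman` on those four lines, e.g. `podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:latest";` and `podman push "docker.io/archlinux/archlinux:latest";`. The script runs `podman build` without any pull or cache control, which is the same behaviour the kaniko `--force` invocation had, so that part is unchanged.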
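Review bot: `echo "Test for #70"` in `test:base-devel` tells a reader which issue the check belongs to but not what is asserted; `test -u` checks that the setuid bit is set, so a comment such as `# setuid bits on sudo/passwd must survive the image build (#70)` above the two `test -u` lines would make the intent clear without chasing the issue. The `test:base-devel` script list starts outside the hunk.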
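Review bot: `.PHONY: oci-image-base` and `.PHONY: oci-image-base-devel` declare targets that do not exist, because the rules right below them are still named `image-base` and `image-base-devel`; the declarations are no-ops and the README's new instruction `make oci-image-base` fails with "No rule to make target". Either rename the rules to `oci-image-base:` / `oci-image-base-devel:` so the README is right, or change the declarations to `.PHONY: image-base` / `.PHONY: image-base-devel` and fix the README. The mismatch predates this commit (`docker-image-base` vs `image-base`), but the rename is the moment to fix it. In the first Makefile hunk, `OCITOOL=podman # or docker` keeps the whitespace before `#` as part of the value, which is harmless in `${OCITOOL} build` but surprising; putting the comment on its own line above the assignment avoids it.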
@@ -39,18 +39,18 @@ Install the following Arch Linux packages:
* fakechroot
* fakeroot
-Make sure your user can directly interact with Docker (i.e. `docker info` works).
+Make sure your user can directly interact with Podman (i.e. `podman info` works).
### Usage
-Run `make docker-image-base` to build the `archlinux:base` image with the
-`base` meta package installed. You can also run `make docker-image-base-devel` to
+Run `make oci-image-base` to build the `archlinux:base` image with the
+`base` meta package installed. You can also run `make oci-image-base-devel` to
build the image `archlinux:base-devel` which additionally has the `base-devel` group installed.
## Pipeline
### Daily releases
-Daily images are build with scheduled [GitLab CI](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/.gitlab-ci.yml) using our own runner infrastructure. Initially root filesystem archives are constructed and provided in our [package registry](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/packages). The released multi-stage Dockerfile downloads those archives and verifies their integrity before unpacking it into a OCI image layer. Images are built using [kaniko](https://github.com/GoogleContainerTools/kaniko) to avoid using privileged Docker containers, which also publishes them to our external repositories.
+Daily images are build with scheduled [GitLab CI](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/.gitlab-ci.yml) using our own runner infrastructure. Initially root filesystem archives are constructed and provided in our [package registry](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/packages). The released multi-stage Dockerfile downloads those archives and verifies their integrity before unpacking it into an OCI image layer. Images are built using [podman](https://podman.io/), which also publishes them to our external repositories.
### Weekly releases