Replace kaniko with podman

Resolves #71, fixes #70.

.gitlab-ci.yml

@@ -91,16 +91,15 @@ rootfs:secure:
 
 .image:
   stage: image
-  image:
+  image: docker:stable
-    name: gcr.io/kaniko-project/executor:v1.11.0-debug
+  tags:
-    entrypoint: [""]
+    - vm
   script:
-    - /kaniko/executor
+    - podman build
-      --force
+        -f "$CI_PROJECT_DIR/output/Dockerfile.$GROUP"
-      --ignore-var-run="false"
+        -t "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
-      --context $CI_PROJECT_DIR/output
+        "$CI_PROJECT_DIR/output"
-      --dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
+    - podman push "$CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG"
-      --destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG
 
 image:build:
   extends: .image
@@ -113,12 +112,13 @@ image:build:
     matrix:
       - GROUP: [base, base-devel]
   before_script:
-    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+    - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
 
 image:build:secure:
   extends: .image
   tags:
     - secure
+    - vm
   only:
     - master
     - schedules
@@ -128,7 +128,7 @@ image:build:secure:
     matrix:
       - GROUP: [base, base-devel]
   before_script:
-    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json
+    - podman login -u "$GITLAB_PROJECT_USER" -p "$GITLAB_PROJECT_TOKEN" "$CI_REGISTRY"
 
 # Build and publish to the Arch Linux group namespaces:
 # https://hub.docker.com/r/archlinux/archlinux
@@ -138,28 +138,35 @@ image:publish:secure:
   retry: 2
   tags:
     - secure
+    - vm
   only:
     - tags
   parallel:
     matrix:
       - GROUP: [base, base-devel]
   before_script:
-    - echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKERHUB_USERNAME\",\"password\":\"$DOCKERHUB_ACCESS_TOKEN\"}, \"quay.io\":{\"username\":\"$QUAY_USERNAME\",\"password\":\"$QUAY_PASSWORD\"}}}" > /kaniko/.docker/config.json
+    - podman login -u "$DOCKERHUB_USERNAME" -p "$DOCKERHUB_ACCESS_TOKEN" "docker.io"
+    - podman login -u "$QUAY_USERNAME" -p "$QUAY_PASSWORD" "quay.io"
   script:
-    - LATEST=""
+    - podman build
+        -f "$CI_PROJECT_DIR/Dockerfile.$GROUP"
+        -t "archlinux:$GROUP-$BUILD_VERSION"
+        "$CI_PROJECT_DIR"
+    - podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:$GROUP"
+    - podman tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+    - podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:$GROUP"
+    - podman tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+    - podman push "docker.io/archlinux/archlinux:$GROUP"
+    - podman push "docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
+    - podman push "quay.io/archlinux/archlinux:$GROUP"
+    - podman push "quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION"
     - if [[ "$GROUP" == "base" ]]; then
-        LATEST="--destination docker.io/archlinux/archlinux:latest --destination quay.io/archlinux/archlinux:latest";
+        docker tag "archlinux:$GROUP-$BUILD_VERSION" "docker.io/archlinux/archlinux:latest";
+        docker tag "archlinux:$GROUP-$BUILD_VERSION" "quay.io/archlinux/archlinux:latest";
+        docker push "docker.io/archlinux/archlinux:latest";
+        docker push "quay.io/archlinux/archlinux:latest";
       fi
-    - /kaniko/executor
+
-      --force
-      --ignore-var-run="false"
-      --context $CI_PROJECT_DIR
-      --dockerfile $CI_PROJECT_DIR/Dockerfile.$GROUP
-      --destination docker.io/archlinux/archlinux:$GROUP
-      --destination docker.io/archlinux/archlinux:$GROUP-$BUILD_VERSION
-      --destination quay.io/archlinux/archlinux:$GROUP
-      --destination quay.io/archlinux/archlinux:$GROUP-$BUILD_VERSION
-      $LATEST
 
 .test:
   stage: test
@@ -179,8 +186,8 @@ image:publish:secure:
   - test "$(cat /etc/passwd | wc -l)" -gt 10
   - pacman -Sy
   - pacman -Qqk
-  - pacman -Syu --noconfirm docker grep
+  - pacman -Syu --noconfirm podman grep
-  - docker -v
+  - podman -v
   - id -u http
   - locale | grep -q UTF-8
 
@@ -198,6 +205,9 @@ test:base-devel:
     - gcc -v
     - g++ -v
     - make -v
+    - echo "Test for #70"
+    - test -u /usr/bin/sudo
+    - test -u /usr/bin/passwd
 
 release:
   stage: release
@@ -278,7 +288,7 @@ release:
       dotenv: build.env
 
 # Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
-publish:
+publish-dockerhub:
   stage: publish
   only:
     refs:

Makefile

@@ -1,4 +1,4 @@
-DOCKER=docker
+OCITOOL=podman # or docker
 BUILDDIR=$(shell pwd)/build
 OUTPUTDIR=$(shell pwd)/output
 
@@ -64,10 +64,12 @@ $(OUTPUTDIR)/Dockerfile.base: $(OUTPUTDIR)/base.tar.zst
 $(OUTPUTDIR)/Dockerfile.base-devel: $(OUTPUTDIR)/base-devel.tar.zst
 	$(call dockerfile,base-devel)
 
-.PHONY: docker-image-base
+# The following is for local builds only, it is not used by the CI/CD pipeline
-image-base: $(OUTPUTDIR)/Dockerfile.base
-	${DOCKER} build -f $(OUTPUTDIR)/Dockerfile.base -t archlinux/archlinux:base $(OUTPUTDIR)
 
-.PHONY: docker-image-base-devel
+.PHONY: oci-image-base
+image-base: $(OUTPUTDIR)/Dockerfile.base
+	${OCITOOL} build -f $(OUTPUTDIR)/Dockerfile.base -t archlinux/archlinux:base $(OUTPUTDIR)
+
+.PHONY: oci-image-base-devel
 image-base-devel: $(OUTPUTDIR)/Dockerfile.base-devel
-	${DOCKER} build -f $(OUTPUTDIR)/Dockerfile.base-devel -t archlinux/archlinux:base-devel $(OUTPUTDIR)
+	${OCITOOL} build -f $(OUTPUTDIR)/Dockerfile.base-devel -t archlinux/archlinux:base-devel $(OUTPUTDIR)

README.md

@@ -39,18 +39,18 @@ Install the following Arch Linux packages:
 * fakechroot
 * fakeroot
 
-Make sure your user can directly interact with Docker (i.e. `docker info` works).
+Make sure your user can directly interact with Podman (i.e. `podman info` works).
 
 ### Usage
-Run `make docker-image-base` to build the `archlinux:base` image with the
+Run `make oci-image-base` to build the `archlinux:base` image with the
-`base` meta package installed. You can also run `make docker-image-base-devel` to
+`base` meta package installed. You can also run `make oci-image-base-devel` to
 build the image `archlinux:base-devel` which additionally has the `base-devel` group installed.
 
 ## Pipeline
 
 ### Daily releases
 
-Daily images are build with scheduled [GitLab CI](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/.gitlab-ci.yml) using our own runner infrastructure. Initially root filesystem archives are constructed and provided in our [package registry](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/packages). The released multi-stage Dockerfile downloads those archives and verifies their integrity before unpacking it into a OCI image layer. Images are built using [kaniko](https://github.com/GoogleContainerTools/kaniko) to avoid using privileged Docker containers, which also publishes them to our external repositories.
+Daily images are build with scheduled [GitLab CI](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/.gitlab-ci.yml) using our own runner infrastructure. Initially root filesystem archives are constructed and provided in our [package registry](https://gitlab.archlinux.org/archlinux/archlinux-docker/-/packages). The released multi-stage Dockerfile downloads those archives and verifies their integrity before unpacking it into an OCI image layer. Images are built using [podman](https://podman.io/), which also publishes them to our external repositories.
 
 ### Weekly releases