diff --git a/.cirrus.yml b/.cirrus.yml index b640ab11..8858264a 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -96,9 +96,15 @@ container_images_task: &container_images env: TARGET_NAME: 'prior-ubuntu_podman' DEST_FQIN: *fqin + - name: *name + env: + TARGET_NAME: 'skopeo_cidev' + DEST_FQIN: *fqin env: &image_env TEMPDIR: '$CIRRUS_WORKING_DIR' - LOGIN_CMD: ENCRYPTED[d15806d68c90cf74faca59bc4f81ada269538092b8449c7d8cd4cf44cd8d58a7482d2b249a9da06508f32f9e4075dc18] + # For quay.io/libpod namespace + REG_USERNAME: ENCRYPTED[de755aef351c501ee480231c24eae25b15e2b2a2b7c629f477c1d427fc5269e360bb358a53bd8914605bae588e99b52a] + REG_PASSWORD: ENCRYPTED[52268944bb0d6642c33efb1c5d7fb82d0c40f9e6988448de35827f9be2cc547c1383db13e8b21516dbd7a0a69a7ae536] script: ci/make_container_images.sh; diff --git a/Makefile b/Makefile index 1abcbd7c..3168576c 100644 --- a/Makefile +++ b/Makefile @@ -220,11 +220,8 @@ ubuntu_podman: ## Build Ubuntu podman development container prior-ubuntu_podman: ## Build Prior-Ubuntu podman development container $(call build_podman_container,$@) -# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=1927635 -# with `--security-opt...--privileged` until bug fixed for CentOS 8. $(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_images/*.sh) $(wildcard cache_images/*.sh) $(_TEMPDIR) $(_TEMPDIR)/var_cache_dnf - buildah bud -t $*_podman:$(call err_if_empty,IMG_SFX) \ - --security-opt seccomp=unconfined \ + podman build -t $*_podman:$(call err_if_empty,IMG_SFX) \ --build-arg=BASE_NAME=$(subst prior-,,$*) \ --build-arg=BASE_TAG=$(call err_if_empty,BASE_TAG) \ --build-arg=PACKER_BUILD_NAME=$(subst _podman,,$*) \ @@ -234,6 +231,17 @@ $(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_i rm -f $@ podman save --quiet -o $@ $*_podman:$(IMG_SFX) +.PHONY: skopeo_cidev +skopeo_cidev: $(_TEMPDIR)/skopeo_cidev.tar ## Build Skopeo development and CI container + +$(_TEMPDIR)/skopeo_cidev.tar: podman/fedora_release $(wildcard skopeo_base/*) $(_TEMPDIR) $(_TEMPDIR)/var_cache_dnf + podman build -t skopeo_cidev:$(call err_if_empty,IMG_SFX) \ + --build-arg=BASE_TAG=$(_fedora_podman_release) \ + -v $(_TEMPDIR)/var_cache_dnf:/var/cache/dnf:Z \ + skopeo_cidev + rm -f $@ + podman save --quiet -o $@ skopeo_cidev:$(IMG_SFX) + .PHONY: imgts imgts: $(_TEMPDIR)/imgts.tar ## Build the VM image time-stamping container image $(_TEMPDIR)/imgts.tar: imgts/Containerfile imgts/entrypoint.sh imgts/google-cloud-sdk.repo imgts/lib_entrypoint.sh $(_TEMPDIR) diff --git a/ci/make_container_images.sh b/ci/make_container_images.sh index d283a602..b6e6edc2 100755 --- a/ci/make_container_images.sh +++ b/ci/make_container_images.sh @@ -5,7 +5,7 @@ # of this script in any other context/environment is unlikely to # function as intended. -set -e +set -eo pipefail SCRIPT_FILEPATH=$(realpath "$0") SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH") @@ -15,24 +15,31 @@ REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../") source "$REPO_DIRPATH/lib.sh" # shellcheck disable=SC2154 -if [[ -z "$CI" ]] || [[ "$CI" != "true" ]] || [[ "$CIRRUS_CI" != "$CI" ]]; then +if [[ "$CI" != "true" ]] || [[ "$CIRRUS_CI" != "$CI" ]]; then die "Unexpected \$CI='$CI' and/or \$CIRRUS_CI='$CIRRUS_CI'" -elif [[ -z "$IMG_SFX" ]]; then - die "Script requires non-empty values for \$IMG_SFX='$IMG_SFX'" -elif [[ -z "$TARGET_NAME" ]]; then - die "Script requiresmakefile target \$TARGET_NAME to be non-empty" -elif [[ -z "$DEST_FQIN" ]]; then - die "Script requires destination FQIN \$DEST_FQIN to be non-empty" -elif [[ $LOGIN_CMD =~ ENCRYPTED ]]; then - die "\$LOGIN_CMD did not get decrypted by Cirrus" -elif [[ ${#LOGIN_CMD} -le 5 ]]; then - die "\$LOGIN_CMD is a ${#LOGIN_CMD}-length string; something almost certainly went wrong with Cirrus decryption" fi -set -eo pipefail +declare -a req_vars +req_vars=(\ + IMG_SFX + TARGET_NAME + DEST_FQIN + REG_USERNAME + REG_PASSWORD +) +for req_var in "${req_vars[@]}"; do + if [[ -z "${!req_var}" ]]; then + echo "ERROR: Required variable \$$req_var is unset or empty." + exit 1 + fi +done + +# These both come in from Cirrus-CI +# shellcheck disable=SC2154 +SRC_FQIN="$TARGET_NAME:$IMG_SFX" + make "$TARGET_NAME" IMG_SFX=$IMG_SFX -set +x # Prevent pushing 'latest' images from PRs, only branches and tags # shellcheck disable=SC2154 if [[ $PUSH_LATEST -eq 1 ]] && [[ -n "$CIRRUS_PR" ]]; then @@ -40,12 +47,17 @@ if [[ $PUSH_LATEST -eq 1 ]] && [[ -n "$CIRRUS_PR" ]]; then PUSH_LATEST=0 fi +# Don't leave credential file sticking around anywhere trap "podman logout --all" EXIT INT CONT -# Out of pure laziness, the entire command is encrypted in Cirrus-CI -${LOGIN_CMD} +set +x # protect username/password values +# These both come in from Cirrus-CI +# shellcheck disable=SC2154 +echo "$REG_PASSWORD" | \ + podman login --password-stdin --username "$REG_USERNAME" "$DEST_FQIN" set -x # Easier than echo'ing out status for everything -SRC_FQIN="$TARGET_NAME:$IMG_SFX" +# DEST_FQIN comes in from Cirrus-CI +# shellcheck disable=SC2154 podman tag "$SRC_FQIN" "$DEST_FQIN" podman push "$DEST_FQIN" diff --git a/skopeo_cidev/Containerfile b/skopeo_cidev/Containerfile new file mode 100644 index 00000000..f1fe4f04 --- /dev/null +++ b/skopeo_cidev/Containerfile @@ -0,0 +1,18 @@ +ARG BASE_NAME=fedora +ARG BASE_TAG=latest +FROM ${BASE_NAME}:${BASE_TAG} + +COPY /packages.txt /root/ +RUN dnf -y update && \ + dnf -y install $(sed -r -e '/^#/d' -e '/^$/d' /root/packages.txt) && \ + dnf -y upgrade && \ + dnf clean all + +ENV REG_REPO="https://github.com/docker/distribution.git" \ + REG_COMMIT="47a064d4195a9b56133891bbb13620c3ac83a827" \ + REG_COMMIT_SCHEMA1="ec87e9b6971d831f0eff752ddb54fb64693e51cd" \ + OSO_REPO="https://github.com/openshift/origin.git" \ + OSO_TAG="v1.5.0-alpha.3" + +COPY /setup.sh /root/ +RUN bash /root/setup.sh diff --git a/skopeo_cidev/README.md b/skopeo_cidev/README.md new file mode 100644 index 00000000..c9cb24a8 --- /dev/null +++ b/skopeo_cidev/README.md @@ -0,0 +1,8 @@ +# Skopeo CI/Dev image + +The contents of this directory are intended to be utilized via +the `Makefile` at the top of the repository. Typically as +`make skopeo_cidev IMG_SFX=`. The resultant image is utilized +as part of the [skopeo project's](https://github.com/containers/skopeo) +development and CI automation. It should not be used outside +of those contexts. diff --git a/skopeo_cidev/packages.txt b/skopeo_cidev/packages.txt new file mode 100644 index 00000000..c818a1e7 --- /dev/null +++ b/skopeo_cidev/packages.txt @@ -0,0 +1,50 @@ +# general deps +git +golang +golang-github-cpuguy83-md2man +make + +# Skopeo documentation building +btrfs-progs-devel +device-mapper-devel +golang +gpgme-devel +make + +# storage deps +btrfs-progs-devel +device-mapper-devel + +# gpgme bindings deps +libassuan-devel +gnupg +gpgme-devel + +# htpasswd for system tests +httpd-tools + +# OpenShift deps +bats +bsdtar +device-mapper +docker +e2fsprogs +ethtool +findutils +golint +hostname +iproute +iptables +jq +lsof +nmap-ncat +openssl +podman +runc +socat +tar +tree +util-linux +wget +which +xfsprogs diff --git a/skopeo_cidev/setup.sh b/skopeo_cidev/setup.sh new file mode 100644 index 00000000..408ad139 --- /dev/null +++ b/skopeo_cidev/setup.sh @@ -0,0 +1,74 @@ + + +# This script is used by the Containerfile when building an image. +# It should NEVER ever (EVER!) be used under any other circumstances +# (nor set as executable). + +set -e + +declare -a req_vars +req_vars=(\ + REG_REPO + REG_COMMIT + REG_COMMIT_SCHEMA1 + OSO_REPO + OSO_TAG +) +for req_var in "${req_vars[@]}"; do + if [[ -z "${!req_var}" ]]; then + echo "ERROR: Required variable \$$req_var is unset or empty." + exit 1 + fi +done + +GOPATH=$(mktemp -d -p '' ".tmp_$(basename ${BASH_SOURCE[0]})_XXXXXXXX") +REG_GOSRC="$GOPATH/src/github.com/docker/distribution" \ +OSO_GOSRC="$GOPATH/src/github.com/openshift/origin" + +# All golang code built here pre-dates support of go modules +export GO111MODULE=off + +# Workaround unnecessary swap-enabling shenanagains in openshift-origin build +export OS_BUILD_SWAP_DISABLE=1 + +# Make debugging easier +set -x + +# This comes in from the Containerfile +# shellcheck disable=SC2154 +git clone "$REG_REPO" "$REG_GOSRC" +cd "$REG_GOSRC" + +# Don't pollute the environment +( + # This is required to be set like this by the build system + export GOPATH="$PWD/Godeps/_workspace:$GOPATH" + # This comes in from the Containerfile + # shellcheck disable=SC2154 + git checkout -q "$REG_COMMIT" + go build -o /usr/local/bin/registry-v2 \ + github.com/docker/distribution/cmd/registry + + # This comes in from the Containerfile + # shellcheck disable=SC2154 + git checkout -q "$REG_COMMIT_SCHEMA1" + go build -o /usr/local/bin/registry-v2-schema1 \ + github.com/docker/distribution/cmd/registry +) + +# These come in from the Containerfile +# shellcheck disable=SC2154 +git clone --depth 1 -b "$OSO_TAG" "$OSO_REPO" "$OSO_GOSRC" +cd "$OSO_GOSRC" + +# Edit out a "go < 1.5" check which works incorrectly with go ≥ 1.10. +sed -i -e 's/\[\[ "\${go_version\[2]}" < "go1.5" ]]/false/' ./hack/common.sh + +make build +make all WHAT=cmd/dockerregistry +cp -a ./_output/local/bin/linux/*/* /usr/local/bin/ +cp ./images/dockerregistry/config.yml /atomic-registry-config.yml +mkdir /registry + +# When script unsuccessful, leave this behind for debugging +rm -rf $GOPATH