feat: support VanillaOS images #206
base: main
@@ -0,0 +1,59 @@ | ||
{%- import "modules/modules.j2" as modules -%} | ||
{%- include "stages.j2" %} | ||
|
||
# Main image | ||
FROM {{ recipe.base_image }}:{{ recipe.image_version }} AS {{ recipe.name|replace('/', "-") }} | ||
|
||
ARG RECIPE={{ recipe_path.display() }} | ||
ARG IMAGE_REGISTRY={{ registry }} | ||
|
||
{%- if self::files_dir_exists() %} | ||
ARG CONFIG_DIRECTORY="/tmp/files" | ||
{%- else if self::config_dir_exists() %} | ||
ARG CONFIG_DIRECTORY="/tmp/config" | ||
{%- endif %} | ||
ARG MODULE_DIRECTORY="/tmp/modules" | ||
ARG IMAGE_NAME="{{ recipe.name }}" | ||
ARG BASE_IMAGE="{{ recipe.base_image }}" | ||
|
||
# Key RUN | ||
# RUN --mount=type=bind,from=stage-keys,src=/keys,dst=/tmp/keys \ | ||
# mkdir -p /usr/etc/pki/containers/ \ | ||
# && cp /tmp/keys/* /usr/etc/pki/containers/ | ||
|
||
# Bin RUN | ||
RUN --mount=type=bind,from=stage-bins,src=/bins,dst=/tmp/bins \ | ||
mkdir -p /usr/bin/ \ | ||
&& cp /tmp/bins/* /usr/bin/ | ||
|
||
# Init step copied from VanillaOS template | ||
RUN lpkg --unlock && apt-get update | ||
|
||
{% call modules::generic_modules_run(recipe.modules_ext, os_version) %} | ||
|
||
# Cleanup step copied from VanillaOS template | ||
RUN apt-get autoremove -y && apt-get clean && lpkg --lock | ||
|
||
# FsGuard step copied from VanillaOS template | ||
# first download the required python script from the vib-fsguard module and the FsGuard binary | ||
RUN mkdir -p /sources/fsguard/ && \ | ||
wget https://github.com/linux-immutability-tools/FsGuard/releases/download/v0.1.2-2/FsGuard_0.1.2-2_linux_amd64.tar.gz -O /tmp/fsguard.tar.gz && tar -xf /tmp/fsguard.tar.gz -C /sources/fsguard/ && \ | ||
curl https://raw.githubusercontent.com/Vanilla-OS/vib-fsguard/main/genfilelist.py -o /sources/fsguard/genfilelist.py && \ | ||
rm -rf /FsGuard && rm -f ./minisign.pub ./minisign.key && chmod +x /usr/sbin/init && mkdir /FsGuard && \ | ||
chmod +x /sources/fsguard/genfilelist.py && minisign -WG -s ./minisign.key && \ | ||
python3 /sources/fsguard/genfilelist.py /usr/bin /FsGuard/filelist /usr/sbin/FsGuard && \ | ||
minisign -Sm /FsGuard/filelist -p .//minisign.pub -s .//minisign.key && touch /FsGuard/signature && \ | ||
echo -n "----begin attach----" >> /FsGuard/signature && cat /FsGuard/filelist.minisig >> /FsGuard/signature && \ | ||
echo -n "----begin second attach----" >> /FsGuard/signature && tail -n1 .//minisign.pub >> /FsGuard/signature && \ | ||
cat /FsGuard/signature >> /sources/fsguard/FsGuard && mv /sources/fsguard/FsGuard /usr/sbin/FsGuard && rm ./minisign.key ./minisign.pub | ||
|
||
RUN rm -fr /tmp/* /var/tmp/* /sources/* | ||
|
||
# Labels are added last since they cause cache misses with buildah | ||
LABEL {{ blue_build_utils::constants::BUILD_ID_LABEL }}="{{ build_id }}" | ||
LABEL org.opencontainers.image.title="{{ recipe.name }}" | ||
LABEL org.opencontainers.image.description="{{ recipe.description }}" | ||
{%- if let Some(repo) = self::get_repo_url() %} | ||
LABEL org.opencontainers.image.source="{{ repo }}" | ||
{%- endif %} | ||
LABEL io.artifacthub.package.readme-url=https://raw.githubusercontent.com/blue-build/cli/main/README.md |
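Review bot: the FsGuard step fetches two build inputs with no integrity check, and `genfilelist.py` is pulled from the `main` branch of Vanilla-OS/vib-fsguard rather than a tagged revision, so what ends up in the image depends on whatever that branch holds at build time (the FsGuard tarball is at least pinned to v0.1.2-2). Pin the script to a commit and verify a known digest for both downloads before using them, e.g. `echo "<sha256>  /tmp/fsguard.tar.gz" | sha256sum -c`, and use `curl -fsSL` so an HTTP error fails the build instead of writing an error body into `genfilelist.py` that `python3` then executes. Two smaller points in the same RUN: `minisign -WG` generates an unencrypted keypair per build that is deleted in the same layer, so the resulting FsGuard signature attests only that this particular build produced the file list (a comment saying that is intended would help), and since the template sets no WORKDIR the `./minisign.key` path lands in `/` unless the base image sets one. Separately, the commented-out `# Key RUN` block means no container signing keys are copied into `/usr/etc/pki/containers/` for this image; if that is deliberate for VanillaOS, say so in the comment.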
@@ -1,7 +1,8 @@ | ||
{% macro main_modules_run(modules_ext, os_version) %} | ||
{% macro generic_modules_run(modules_ext, os_version) %} | ||
# Module RUNs | ||
{%- for module in modules_ext.modules %} | ||
{%- if let Some(module) = module.required_fields %} | ||
|
||
{%- if module.no_cache %} | ||
ARG CACHEBUST="{{ build_id }}" | ||
{%- endif %} | ||
|
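Review bot: renaming `main_modules_run` to `generic_modules_run` changes a macro name that other templates import through `modules/modules.j2`, so every `modules::main_modules_run` call site has to be updated in the same change or rendering fails at build time. Given the maintainer's request below to leave the original macros untouched, the lower-risk route is to keep `main_modules_run` as is and add the VanillaOS macro next to it.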
@@ -22,22 +23,18 @@ RUN \ | |
{%- else %} | ||
--mount=type=bind,from=stage-modules,src=/modules,dst=/tmp/modules,rw \ | ||
{%- endif %} | ||
{%- if module.module_type == "akmods" %} | ||
--mount=type=bind,from=stage-akmods-{{ module.generate_akmods_info(os_version).stage_name }},src=/rpms,dst=/tmp/rpms,rw \ | ||
{%- endif %} | ||
--mount=type=bind,from=ghcr.io/blue-build/cli:{{ exports_tag }}-build-scripts,src=/scripts/,dst=/tmp/scripts/ \ | ||
--mount=type=cache,dst=/var/cache/rpm-ostree,id=rpm-ostree-cache-{{ recipe.name }}-{{ recipe.image_version }},sharing=locked \ | ||
/tmp/scripts/run_module.sh '{{ module.module_type }}' '{{ module.print_module_context() }}' \ | ||
&& ostree container commit | ||
/tmp/scripts/run_module.sh '{{ module.module_type }}' '{{ module.print_module_context() }}' | ||
{%- endif %} | ||
{%- endif %} | ||
{%- endfor %} | ||
{% endmacro %} | ||
{% macro stage_modules_run(modules_ext, os_version) %} | ||
|
||
|
||
{% macro ostree_modules_run(modules_ext, os_version) %} | ||
# Module RUNs | ||
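Review bot: the generic macro drops the `akmods` bind mount together with the rpm-ostree cache mount and `ostree container commit`, so a recipe that lists an `akmods` module and renders through `generic_modules_run` will call `run_module.sh 'akmods'` without `/tmp/rpms` mounted and fail inside the script rather than at template time. If this macro is meant for non-ostree bases only, document that on the macro and consider rejecting ostree-only module types up front. The hunk also replaces the `stage_modules_run` declaration with `ostree_modules_run`; if `stage_modules_run` is going away, its callers (the stages template included by the new Containerfile) need the same rename.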
The original module macros here should remain unchanged. I would suggest making a new module macro for the vanilla OS.

I split this to generic / ostree macros, because only rpm-ostree module calls require the things added by the ostree macro, VanillaOS, stages, etc., do not and probably never will require anything like I'm envisioning that we'd also ship a
{%- for module in modules_ext.modules %} | ||
{%- if let Some(module) = module.required_fields %} | ||
|
||
{%- if module.no_cache %} | ||
ARG CACHEBUST="{{ build_id }}" | ||
{%- endif %} | ||
|
@@ -58,9 +55,14 @@ RUN \ | |
{%- else %} | ||
--mount=type=bind,from=stage-modules,src=/modules,dst=/tmp/modules,rw \ | ||
{%- endif %} | ||
{%- if module.module_type == "akmods" %} | ||
--mount=type=bind,from=stage-akmods-{{ module.generate_akmods_info(os_version).stage_name }},src=/rpms,dst=/tmp/rpms,rw \ | ||
{%- endif %} | ||
--mount=type=bind,from=ghcr.io/blue-build/cli:{{ exports_tag }}-build-scripts,src=/scripts/,dst=/tmp/scripts/ \ | ||
/tmp/scripts/run_module.sh '{{ module.module_type }}' '{{ module.print_module_context() }}' | ||
--mount=type=cache,dst=/var/cache/rpm-ostree,id=rpm-ostree-cache-{{ recipe.name }}-{{ recipe.image_version }},sharing=locked \ | ||
/tmp/scripts/run_module.sh '{{ module.module_type }}' '{{ module.print_module_context() }}' \ | ||
&& ostree container commit | ||
{%- endif %} | ||
{%- endif %} | ||
{%- endfor %} | ||
{% endmacro %} | ||
{% endmacro %} |
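Review bot: `ostree_modules_run` now carries the rpm-ostree cache mount and `ostree container commit` that previously lived in `main_modules_run`, while the `akmods` branch still derives its stage name from `os_version`; that keeps `os_version` a hard requirement for this macro, which ties into the open question in the comments about detecting the base image and making `os_version` optional for non-Fedora bases. A one-line comment on each macro stating which base images it targets would make the split easier to maintain, and the closing lines of the hunk show two `{% endmacro %}` in a row, so please check the file ends with exactly one and a trailing newline.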
Let's leave this function alone and instead call a different function for whatever the vanilla template needs. We want to try to keep the fedora templates and the vanilla templates separate as possible.
I agree. I just did it like this because I couldn't figure out any easier way to fix this error. We should have some way to detect and declare what the base image is, and call different functions based on that, and remove the hard requirement for `os_version` in the tagging system, etc.