build bare image (#50)

.github/workflows/ci.yaml

@@ -110,6 +110,22 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Log in to ghcr.io
+        uses: redhat-actions/podman-login@v1
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+
+      - name: Build bare images
+        if: ${{ github.event_name != 'pull_request' }}
+        id: bare
+        run: |
+          ./build_bare.sh
+          podman push --digestfile=bare-amd64-digest ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare
+          podman push ghcr.io/gardenlinux/glvd-api:latest-linuxarm64_bare
+          echo "bare-amd64-digest=$(cat ./bare-amd64-digest)" >> $GITHUB_OUTPUT
+
       - name: Print image url
         if: ${{ github.event_name != 'pull_request' }}
         run: echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}"
@@ -133,7 +149,7 @@ jobs:
 
       - name: Deploy the image
         if: ${{ github.event_name != 'pull_request' }}
-        run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest@${{ steps.push-to-ghcr.outputs.digest }}
+        run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare@${{ steps.bare.outputs.bare-amd64-digest }}
 
   dependency-submission:
 

build_bare.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+GLVD_API_IMAGE_REPOSITORY=ghcr.io/gardenlinux/glvd-api
+GLVD_API_IMAGE_TAG=latest
+
+build () {
+    local ARCH="${1}"; shift
+
+    SHA_GLVD=$(podman pull -q --arch="$ARCH" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG)
+    podman save --format oci-archive "$SHA_GLVD" > glvd-"$ARCH".oci
+
+    SHA_GL=$(podman pull -q --arch="$ARCH" ghcr.io/gardenlinux/gardenlinux:1592)
+    podman save --format oci-archive "$SHA_GL" > gardenlinux-"$ARCH".oci
+
+    ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux-"$ARCH".oci glvd-"$ARCH".oci glvd_bare-"$ARCH".oci
+
+    image="$(podman load < glvd_bare-"$ARCH".oci | awk '{ print $NF }')"
+    podman tag "$image" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG-linux"$ARCH"_bare
+}
+
+build amd64
+build arm64

unbase_oci

@@ -2,7 +2,7 @@
 
 set -eufo pipefail
 
-container_image=ghcr.io/gardenlinux/unbase_oci:233f4213036fadd4b91b965b4ca71b457f1a6b88
+container_image=ghcr.io/gardenlinux/unbase_oci:8e33b68bf7b93d392fa8ef3248adb0a65d43c67a
 container_engine=podman
 
 container_mount_opts=()
@@ -52,4 +52,4 @@ container_mount_opts+=(-v "$(realpath "$1"):/mnt$(realpath "$1")")
 container_mount_opts+=(-v "$(realpath "$3"):/mnt$(realpath "$3")")
 args+=("/mnt$(realpath "$1")" "/mnt$(realpath "$2")" "/mnt$(realpath "$3")")
 
-"$container_engine" run --rm --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}"
+"$container_engine" run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --security-opt label=disable --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}"