From 43ba50ef6ad80d4f748bbe227d8db15e9c8b7c7d Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <florian.wilhelm02@sap.com> Date: Fri, 25 Oct 2024 10:27:56 +0200 Subject: [PATCH 1/7] build bare image --- .github/workflows/ci.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ec854c8..02dd0cf 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -94,10 +94,24 @@ jobs: - name: Check images created run: buildah images | grep '${{ env.IMAGE_NAME }}' + - run: | + podman save --format oci-archive ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }} > glvd.oci + + podman pull ghcr.io/gardenlinux/gardenlinux:1592 + podman save --format oci-archive ghcr.io/gardenlinux/gardenlinux:1592 > gardenlinux.oci + + ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux.oci glvd.oci glvd_bare.oci + + image="$(podman load < glvd_bare.oci | awk '{ print $NF }')" + podman tag "$image" ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare + + - name: Check manifest run: | set -x buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }} + buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare + - name: Push To ghcr.io id: push-to-ghcr From b3f6984aae46f8427f15660e9008ca89cc8c5279 Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <florian.wilhelm02@sap.com> Date: Fri, 25 Oct 2024 10:39:12 +0200 Subject: [PATCH 2/7] test --- .github/workflows/ci.yaml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 02dd0cf..b8d76ff 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
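Review bot: The base image in the new `podman pull ghcr.io/gardenlinux/gardenlinux:1592` line is fetched by a mutable tag, so the layers that `./unbase_oci` presumably subtracts from the glvd image are whatever that tag resolves to at run time rather than a fixed, reviewable input; pinning it as `podman pull ghcr.io/gardenlinux/gardenlinux@sha256:<digest of 1592>` makes the bare image reproducible. The `image="$(podman load < glvd_bare.oci | awk '{ print $NF }')"` line also masks a failed load: unless the workflow sets `shell: bash` or `defaults.run.shell` somewhere outside this hunk, GitHub runs the step with `bash -e` and no `pipefail`, so `awk` succeeds on the error output and `$image` becomes its last word, which only surfaces later as a confusing `podman tag` error. Starting the script with `set -euo pipefail` and checking `[[ -n "$image" ]]` before tagging would fail at the real cause, and giving the step a `name:` like its neighbours makes the failure attributable in the run log.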
@@ -91,9 +91,6 @@ jobs: echo "Tags: ${{ steps.build_image.outputs.tags }}" echo "Tagged Image: ${{ steps.build_image.outputs.image-with-tag }}" - - name: Check images created - run: buildah images | grep '${{ env.IMAGE_NAME }}' - - run: | podman save --format oci-archive ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }} > glvd.oci @@ -105,13 +102,13 @@ jobs: image="$(podman load < glvd_bare.oci | awk '{ print $NF }')" podman tag "$image" ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare + - name: Check images created + run: buildah images | grep '${{ env.IMAGE_NAME }}' - name: Check manifest run: | set -x buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }} - buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare - - name: Push To ghcr.io id: push-to-ghcr @@ -124,6 +121,17 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Push To ghcr.io + id: push-to-ghcr + if: ${{ github.event_name != 'pull_request' }} + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build_image.outputs.image }} + tags: latest_bare + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Print image url if: ${{ github.event_name != 'pull_request' }} run: echo "Image pushed to ${{ steps.push-to-ghcr.outputs.registry-paths }}" From 5732085cb4a245e3227d369312e2ae0727673bd1 Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <florian.wilhelm02@sap.com> Date: Fri, 25 Oct 2024 10:40:08 +0200 Subject: [PATCH 3/7] fix --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b8d76ff..c13ac8d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
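Review bot: The new push step publishes `tags: latest_bare`, but the image tagged earlier in this job is `${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare` (visible as context in the first hunk), so unless `env.IMAGE_TAG` is exactly `latest` the step refers to a tag that does not exist locally. Using `tags: ${{ env.IMAGE_TAG }}_bare` keeps the pushed name derived from the same variable as the build and avoids hard-coding `latest` as the only name the bare image is ever published under. `env.IMAGE_TAG` is defined outside the hunk, so whether it currently equals `latest` cannot be confirmed from here.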
@@ -122,7 +122,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Push To ghcr.io - id: push-to-ghcr + id: push-to-ghcr-bare if: ${{ github.event_name != 'pull_request' }} uses: redhat-actions/push-to-registry@v2 with: From f47d1c75b03076db27cc02dd90a151a3a7f18beb Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <florian.wilhelm02@sap.com> Date: Mon, 28 Oct 2024 11:04:00 +0100 Subject: [PATCH 4/7] build bare --- .github/workflows/ci.yaml | 28 ++++++++++------------------ build_bare.sh | 22 ++++++++++++++++++++++ 2 files changed, 32 insertions(+), 18 deletions(-) create mode 100755 build_bare.sh diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c13ac8d..b2f2ac7 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -91,17 +91,6 @@ jobs: echo "Tags: ${{ steps.build_image.outputs.tags }}" echo "Tagged Image: ${{ steps.build_image.outputs.image-with-tag }}" - - run: | - podman save --format oci-archive ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }} > glvd.oci - - podman pull ghcr.io/gardenlinux/gardenlinux:1592 - podman save --format oci-archive ghcr.io/gardenlinux/gardenlinux:1592 > gardenlinux.oci - - ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux.oci glvd.oci glvd_bare.oci - - image="$(podman load < glvd_bare.oci | awk '{ print $NF }')" - podman tag "$image" ${{ steps.build_image.outputs.image }}:${{ env.IMAGE_TAG }}_bare - - name: Check images created run: buildah images | grep '${{ env.IMAGE_NAME }}' 
@@ -121,16 +110,19 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Push To ghcr.io - id: push-to-ghcr-bare - if: ${{ github.event_name != 'pull_request' }} - uses: redhat-actions/push-to-registry@v2 + - name: Log in to ghcr.io + uses: redhat-actions/podman-login@v1 with: - image: ${{ steps.build_image.outputs.image }} - tags: latest_bare - registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + + - name: Build bare images + if: ${{ github.event_name != 'pull_request' }} + run: | + ./build_bare.sh + podman push ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare + podman push ghcr.io/gardenlinux/glvd-api:latest-linuxarm64_bare - name: Print image url if: ${{ github.event_name != 'pull_request' }} diff --git a/build_bare.sh b/build_bare.sh new file mode 100755 index 0000000..6e41826 --- /dev/null +++ b/build_bare.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +GLVD_API_IMAGE_REPOSITORY=ghcr.io/gardenlinux/glvd-api +GLVD_API_IMAGE_TAG=latest + +build () { + local ARCH="${1}"; shift + + SHA_GLVD=$(podman pull -q --arch="$ARCH" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG) + podman save --format oci-archive "$SHA_GLVD" > glvd-"$ARCH".oci + + SHA_GL=$(podman pull -q --arch="$ARCH" ghcr.io/gardenlinux/gardenlinux:1592) + podman save --format oci-archive "$SHA_GL" > gardenlinux-"$ARCH".oci + + ./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree gardenlinux-"$ARCH".oci glvd-"$ARCH".oci glvd_bare-"$ARCH".oci + + image="$(podman load < glvd_bare-"$ARCH".oci | awk '{ print $NF }')" + podman tag "$image" $GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG-linux"$ARCH"_bare +} + +build amd64 +build arm64 From f7053a48131cd36c5cffaabc942578d063e41aa6 Mon Sep 17 00:00:00 2001 
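Review bot: The new `Log in to ghcr.io` step has no `if:` guard, so it runs on `pull_request` events as well, while its only consumer, `Build bare images`, is guarded with `if: ${{ github.event_name != 'pull_request' }}`; the login should carry the same condition so `GITHUB_TOKEN` is not turned into a registry credential on runs that never push. Guarding the whole `Build bare images` step also means `./build_bare.sh` is never exercised on pull requests, whereas the inline version it replaces ran unconditionally, so a breaking change to the script or to `unbase_oci` only shows up after merge; splitting it into an unconditional build step and a guarded push step keeps that coverage. The pushed references `ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare` and `...latest-linuxarm64_bare` are hard-coded rather than derived from `steps.build_image.outputs.image` and `env.IMAGE_TAG` as the rest of the workflow does, so the two halves can silently diverge if those values change.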
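Review bot: `build_bare.sh` has no `set -eufo pipefail`, unlike `unbase_oci` and the `build.sh` deleted in 5/7, so a failed `podman pull -q` leaves `SHA_GLVD` or `SHA_GL` empty and the script carries on, and the `podman load ... | awk '{ print $NF }'` line hides a failed load behind awk's exit status; adding `set -eufo pipefail` as the second line plus a `[[ -n "$image" ]]` check before `podman tag` makes every failure stop the build where it happens. Both inputs are pulled by mutable tag: `ghcr.io/gardenlinux/gardenlinux:1592` should be pinned with an `@sha256:` digest for a reproducible base, and `$GLVD_API_IMAGE_REPOSITORY:$GLVD_API_IMAGE_TAG` re-fetches `latest` from the registry instead of using the image this job just built, so under concurrent workflow runs the bare image can be derived from another run's push. Accepting the glvd image reference (ideally the digest returned by the push step) as a script argument instead of the hard-coded `latest` removes that race and ties the bare image to a known input.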
From: Florian Wilhelm <florian.wilhelm02@sap.com> Date: Mon, 28 Oct 2024 16:51:51 +0100 Subject: [PATCH 5/7] test --- build.sh | 19 ------------------- unbase_oci | 4 ++-- 2 files changed, 2 insertions(+), 21 deletions(-) delete mode 100755 build.sh diff --git a/build.sh b/build.sh deleted file mode 100755 index 51e2ec7..0000000 --- a/build.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bash - -set -eufo pipefail - -if [[ ! -f build/libs/glvd-0.0.1-SNAPSHOT.jar ]]; then - ./gradlew bootJar -fi - -podman build --tag ghcr.io/gardenlinux/glvd-api:edge . - -podman save --format oci-archive ghcr.io/gardenlinux/glvd-api:edge > glvd.oci - -podman pull ubuntu:22.04 -podman save --format oci-archive ubuntu:22.04 > ubuntu.oci - -./unbase_oci --exclude exclude --include include --ldd-dependencies --print-tree ubuntu.oci glvd.oci glvd_bare.oci - -image="$(podman load < glvd_bare.oci | awk '{ print $NF }')" -podman tag "$image" ghcr.io/gardenlinux/glvd-api:edge_bare diff --git a/unbase_oci b/unbase_oci index 1a6db1b..3e536d0 100755 --- a/unbase_oci +++ b/unbase_oci @@ -2,7 +2,7 @@ set -eufo pipefail -container_image=ghcr.io/gardenlinux/unbase_oci:233f4213036fadd4b91b965b4ca71b457f1a6b88 +container_image=localhost/unbase_oci container_engine=podman container_mount_opts=() @@ -52,4 +52,4 @@ container_mount_opts+=(-v "$(realpath "$1"):/mnt$(realpath "$1")") container_mount_opts+=(-v "$(realpath "$3"):/mnt$(realpath "$3")") args+=("/mnt$(realpath "$1")" "/mnt$(realpath "$2")" "/mnt$(realpath "$3")") -"$container_engine" run --rm --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}" +"$container_engine" run --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined --security-opt label=disable --read-only --tmpfs /tmp:rw,exec "${container_mount_opts[@]}" "$container_image" "${args[@]}" From 221ae5b682936fdf0f9c86fe930c4b7d6479099d Mon Sep 17 00:00:00 2001 
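Review bot: The new `podman run` line switches off all three confinement layers at once — `seccomp=unconfined`, `apparmor=unconfined` and `label=disable` — for the container that takes two image archives as input, and neither the commit message ("test") nor the script says which of them was actually needed; patch 6/7 restores the pinned `ghcr.io/gardenlinux/unbase_oci` image but keeps these flags, so the relaxation ends up in the final state. If the failure being worked around is SELinux denying access to the bind-mounted host paths in `container_mount_opts`, `--security-opt label=disable` alone (or a `:Z` suffix on those `-v` mounts) addresses it and the default seccomp and AppArmor profiles can stay in place. Whatever subset turns out to be required, record the reason in a comment above the line, e.g. `# label=disable: bind-mounted archives are not relabelled on SELinux hosts`, so the next reader neither widens nor keeps it blindly; keeping `--read-only` and `--rm` is good.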
From: Florian Wilhelm <florian.wilhelm02@sap.com> Date: Mon, 28 Oct 2024 16:54:43 +0100 Subject: [PATCH 6/7] test --- unbase_oci | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unbase_oci b/unbase_oci index 3e536d0..f2634fc 100755 --- a/unbase_oci +++ b/unbase_oci @@ -2,7 +2,7 @@ set -eufo pipefail -container_image=localhost/unbase_oci +container_image=ghcr.io/gardenlinux/unbase_oci:8e33b68bf7b93d392fa8ef3248adb0a65d43c67a container_engine=podman container_mount_opts=() From 17ff1a748ec85d438382b8831edaaa0242da9ed6 Mon Sep 17 00:00:00 2001 From: Florian Wilhelm <florian.wilhelm02@sap.com> Date: Mon, 28 Oct 2024 17:19:54 +0100 Subject: [PATCH 7/7] deploy bare image --- .github/workflows/ci.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b2f2ac7..6e50cf2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -119,10 +119,12 @@ jobs: - name: Build bare images if: ${{ github.event_name != 'pull_request' }} + id: bare run: | ./build_bare.sh - podman push ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare + podman push --digestfile=bare-amd64-digest ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare podman push ghcr.io/gardenlinux/glvd-api:latest-linuxarm64_bare + echo "bare-amd64-digest=$(cat ./bare-amd64-digest)" >> $GITHUB_OUTPUT - name: Print image url if: ${{ github.event_name != 'pull_request' }} @@ -147,7 +149,7 @@ jobs: - name: Deploy the image if: ${{ github.event_name != 'pull_request' }} - run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest@${{ steps.push-to-ghcr.outputs.digest }} + run: kubectl --namespace default --token "${{ steps.get-token.outputs.idToken }}" set image deploy/glvd glvd-api=ghcr.io/gardenlinux/glvd-api:latest-linuxamd64_bare@${{ steps.bare.outputs.bare-amd64-digest }} dependency-submission:
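Review bot: The added `echo "bare-amd64-digest=$(cat ./bare-amd64-digest)" >> $GITHUB_OUTPUT` line publishes the digest without checking it, and because a failure inside `$(...)` does not fail the enclosing `echo` even under `bash -e`, a missing or empty digest file produces an empty `bare-amd64-digest=` output that the deploy step then interpolates. Reading the file into a variable and validating its shape before writing it out fails the job here rather than in `kubectl`: `digest="$(cat ./bare-amd64-digest)"`, `[[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]]`, `echo "bare-amd64-digest=$digest" >> "$GITHUB_OUTPUT"`. The arm64 push on the line above still has no `--digestfile`, which is fine as long as only the amd64 image is deployed, but a short comment would make the asymmetry read as intentional.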
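Review bot: The deployed reference now comes from `steps.bare.outputs.bare-amd64-digest`, the digest of an image that `build_bare.sh` (outside this hunk) derives from whatever `ghcr.io/gardenlinux/glvd-api:latest` resolved to when it pulled, so the previous link between this run's build (`steps.push-to-ghcr.outputs.digest`) and what gets deployed is lost, and a concurrent run that pushes `latest` in between can make this job deploy a bare image built from another run's commit. Pinning with `@digest` is the right shape; to keep the provenance, feed `steps.push-to-ghcr.outputs.digest` into the bare build so the bare image is derived from exactly the image this run pushed, and have the `bare` step fail on an empty digest output so the reference never degrades to `...latest-linuxamd64_bare@`. The `if:` guard and the `${{ steps.get-token.outputs.idToken }}` handling are unchanged and fine.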