From 2024e2e258c3899d48383ef5346d5c142abdd39f Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Tue, 7 Jun 2022 14:08:46 -0400 Subject: [PATCH] Update & fix skopeo multiarch image Containerfiles These changes substantially mirror similar updates made recently to both podman and buildah. Besides renaming `Dockerfile` -> `Containerfile`, there are much needed updates to docs, and the build instructions. Signed-off-by: Chris Evich --- .cirrus.yml | 8 +-- contrib/skopeoimage/README.md | 19 +++--- contrib/skopeoimage/stable/Containerfile | 38 +++++++---- contrib/skopeoimage/testing/Containerfile | 39 +++++++---- contrib/skopeoimage/upstream/Containerfile | 76 +++++++++++++--------- 5 files changed, 111 insertions(+), 69 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 38f6b91c..d291bb16 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -189,10 +189,10 @@ image_build_task: &image-build - env: CTXDIR: contrib/skopeoimage/stable env: - BUILDAH_USERNAME: ENCRYPTED[FIXME] - BUILDAH_PASSWORD: ENCRYPTED[FIXME] - CONTAINERS_USERNAME: ENCRYPTED[FIXME] - CONTAINERS_PASSWORD: ENCRYPTED[FIXME] + SKOPEO_USERNAME: ENCRYPTED[4195884d23b154553f2ddb26a63fc9fbca50ba77b3e447e4da685d8639ed9bc94b9a86a9c77272c8c80d32ead9ca48da] + SKOPEO_PASSWORD: ENCRYPTED[36e06f9befd17e5da2d60260edb9ef0d40e6312e2bba4cf881d383f1b8b5a18c8e5a553aea2fdebf39cebc6bd3b3f9de] + CONTAINERS_USERNAME: ENCRYPTED[dd722c734641f103b394a3a834d51ca5415347e378637cf98ee1f99e64aad2ec3dbd4664c0d94cb0e06b83d89e9bbe91] + CONTAINERS_PASSWORD: ENCRYPTED[d8b0fac87fe251cedd26c864ba800480f9e0570440b9eb264265b67411b253a626fb69d519e188e6c9a7f525860ddb26] main_script: - source /etc/automation_environment - main.sh $CIRRUS_REPO_CLONE_URL $CTXDIR diff --git a/contrib/skopeoimage/README.md b/contrib/skopeoimage/README.md index 522cc47b..6d969d86 100644 --- a/contrib/skopeoimage/README.md +++ b/contrib/skopeoimage/README.md 
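Review bot: The rename of `BUILDAH_USERNAME`/`BUILDAH_PASSWORD` to `SKOPEO_USERNAME`/`SKOPEO_PASSWORD` in the `stable` image_build_task env is not mentioned in the commit message, and whether `main.sh` (sourced via `/etc/automation_environment`) reads the new names cannot be confirmed from this diff. A one-line mention in the description, e.g. `Also replace the ENCRYPTED[FIXME] placeholders in .cirrus.yml with the real SKOPEO_*/CONTAINERS_* credentials.`, would make the credential change self-documenting for anyone bisecting a push failure later.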
@@ -6,7 +6,7 @@ ## Overview -This directory contains the Dockerfiles necessary to create the skopeoimage container +This directory contains the Containerfiles necessary to create the skopeoimage container images that are housed on quay.io under the skopeo account. All repositories where the images live are public and can be pulled without credentials. These container images are secured and the resulting containers can run safely with privileges within the container. 
@@ -19,21 +19,22 @@ default to `/`. The container images are: * `quay.io/containers/skopeo:v` and `quay.io/skopeo/stable:v` - - These images are built when a new Skopeo version becomes available in - Fedora. These images are intended to be unchanging and stable, they will - never be updated by automation once they've been pushed. For build details, - please [see the configuration file](stable/Dockerfile). + These images are built daily. These images are intended contain an unchanging + and stable version of skopeo. For the most recent `` tags (`vX`, + `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate + (especially) security updates. For build details, please[see the configuration + file](stable/Containerfile). * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` - - Built daily using the same Dockerfile as above. The skopeo version - will remain the "latest" available in Fedora, however the image + Built daily using the same Containerfile as above. The skopeo version + will remain the "latest" available in Fedora, however the other image contents may vary compared to the version-tagged images. * `quay.io/skopeo/testing:latest` - This image is built daily, using the latest version of Skopeo that was in the Fedora `updates-testing` repository. - The image is Built with [the testing Dockerfile](testing/Dockerfile). + The image is Built with [the testing Containerfile](testing/Containerfile). * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest code found in this GitHub repository. Due to the image changing frequently, it's not guaranteed to be stable or even executable. The image is built with - [the upstream Dockerfile](upstream/Dockerfile). + [the upstream Containerfile](upstream/Containerfile). ## Sample Usage diff --git a/contrib/skopeoimage/stable/Containerfile b/contrib/skopeoimage/stable/Containerfile index fa3a8a53..0139e74a 100644 --- a/contrib/skopeoimage/stable/Containerfile 
+++ b/contrib/skopeoimage/stable/Containerfile 
@@ -9,22 +9,36 @@ FROM registry.fedoraproject.org/fedora:latest # Don't include container-selinux and remove -# directories used by yum that are just taking -# up space. Also reinstall shadow-utils as without -# doing so, the setuid/setgid bits on newuidmap -# and newgidmap are lost in the Fedora images. -RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum* +# directories used by dnf that are just taking +# up space. +# TODO: rpm --setcaps... needed due to Fedora (base) image builds +# being (maybe still?) affected by +# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 +RUN dnf -y update && \ + rpm --setcaps shadow-utils 2>/dev/null && \ + dnf -y install skopeo fuse-overlayfs \ + --exclude container-selinux && \ + dnf clean all && \ + rm -rf /var/cache /var/log/dnf* /var/log/yum.* -# Adjust storage.conf to enable Fuse storage. -RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf +RUN useradd skopeo && \ + echo skopeo:100000:65536 > /etc/subuid && \ + echo skopeo:100000:65536 > /etc/subgid + +# Copy & modify the defaults to provide reference if runtime changes needed. +# Changes here are required for running with fuse-overlay storage inside container. +RUN sed -e 's|^#mount_program|mount_program|g' \ + -e '/additionalimage.*/a "/var/lib/shared",' \ + -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \ + /usr/share/containers/storage.conf \ + > /etc/containers/storage.conf # Setup the ability to use additional stores # with this container image. 
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock - -# Setup skopeo's uid/guid entries -RUN echo skopeo:100000:65536 > /etc/subuid -RUN echo skopeo:100000:65536 > /etc/subgid +RUN mkdir -p /var/lib/shared/overlay-images \ + /var/lib/shared/overlay-layers && \ + touch /var/lib/shared/overlay-images/images.lock && \ + touch /var/lib/shared/overlay-layers/layers.lock # Point to the Authorization file ENV REGISTRY_AUTH_FILE=/tmp/auth.json diff --git a/contrib/skopeoimage/testing/Containerfile b/contrib/skopeoimage/testing/Containerfile index 044cf57d..8ef6bf48 100644 --- a/contrib/skopeoimage/testing/Containerfile +++ b/contrib/skopeoimage/testing/Containerfile 
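Review bot: The explanation for `rpm --setcaps shadow-utils` was dropped along with the old comment, which said the setuid/setgid bits on newuidmap and newgidmap are lost in the Fedora base image; the new TODO only links the bugzilla, so a reader no longer knows what the command restores or why the build should fail without it. I would keep one line, e.g. `# restore the file capabilities on newuidmap/newgidmap that the Fedora base image loses (used with the subuid/subgid ranges set up below)`, and drop the `2>/dev/null`, which hides the only diagnostic if the command ever fails (with `&&` the build aborts either way). Separately, `rm -rf /var/cache` now removes the directory itself where the old line removed `/var/cache/dnf/*`; anything later expecting `/var/cache` to exist must recreate it, so `rm -rf /var/cache/*` may be the safer spelling. The same points apply to the testing and upstream Containerfile hunks.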
@@ -10,22 +10,37 @@ FROM registry.fedoraproject.org/fedora:latest # Don't include container-selinux and remove -# directories used by yum that are just taking -# up space. Also reinstall shadow-utils as without -# doing so, the setuid/setgid bits on newuidmap -# and newgidmap are lost in the Fedora images. -RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum* +# directories used by dnf that are just taking +# up space. +# TODO: rpm --setcaps... needed due to Fedora (base) image builds +# being (maybe still?) affected by +# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 +RUN dnf -y update && \ + rpm --setcaps shadow-utils 2>/dev/null && \ + dnf -y install skopeo fuse-overlayfs \ + --exclude container-selinux \ + --enablerepo updates-testing && \ + dnf clean all && \ + rm -rf /var/cache /var/log/dnf* /var/log/yum.* -# Adjust storage.conf to enable Fuse storage. -RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf +RUN useradd skopeo && \ + echo skopeo:100000:65536 > /etc/subuid && \ + echo skopeo:100000:65536 > /etc/subgid + +# Copy & modify the defaults to provide reference if runtime changes needed. +# Changes here are required for running with fuse-overlay storage inside container. +RUN sed -e 's|^#mount_program|mount_program|g' \ + -e '/additionalimage.*/a "/var/lib/shared",' \ + -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \ + /usr/share/containers/storage.conf \ + > /etc/containers/storage.conf # Setup the ability to use additional stores # with this container image. 
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock - -# Setup skopeo's uid/guid entries -RUN echo skopeo:100000:65536 > /etc/subuid -RUN echo skopeo:100000:65536 > /etc/subgid +RUN mkdir -p /var/lib/shared/overlay-images \ + /var/lib/shared/overlay-layers && \ + touch /var/lib/shared/overlay-images/images.lock && \ + touch /var/lib/shared/overlay-layers/layers.lock # Point to the Authorization file ENV REGISTRY_AUTH_FILE=/tmp/auth.json diff --git a/contrib/skopeoimage/upstream/Containerfile b/contrib/skopeoimage/upstream/Containerfile index 38b2b9bb..8c1cef7c 100644 --- a/contrib/skopeoimage/upstream/Containerfile +++ b/contrib/skopeoimage/upstream/Containerfile 
@@ -9,43 +9,55 @@ FROM registry.fedoraproject.org/fedora:latest # Don't include container-selinux and remove -# directories used by yum that are just taking -# up space. Also reinstall shadow-utils as without -# doing so, the setuid/setgid bits on newuidmap -# and newgidmap are lost in the Fedora images. -RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \ -yum -y install make \ -golang \ -git \ -go-md2man \ -fuse-overlayfs \ -fuse3 \ -containers-common \ -gpgme-devel \ -libassuan-devel \ -btrfs-progs-devel \ -device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \ -mkdir /root/skopeo; \ -git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \ -export GOPATH=/root/skopeo; \ -cd /root/skopeo/src/github.com/containers/skopeo; \ -make bin/skopeo;\ -make PREFIX=/usr install;\ -rm -rf /root/skopeo/*; \ -yum -y remove git golang go-md2man make; \ -yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum* +# directories used by dnf that are just taking +# up space. +# TODO: rpm --setcaps... needed due to Fedora (base) image builds +# being (maybe still?) 
affected by +# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 +RUN dnf -y update && \ + rpm --setcaps shadow-utils 2>/dev/null && \ + dnf -y --enablerepo updates-testing --exclude container-selinux install \ + make \ + golang \ + git \ + go-md2man \ + fuse-overlayfs \ + fuse3 \ + containers-common \ + gpgme-devel \ + libassuan-devel \ + btrfs-progs-devel \ + device-mapper-devel && \ + mkdir /root/skopeo && \ + git clone https://github.com/containers/skopeo \ + /root/skopeo/src/github.com/containers/skopeo && \ + export GOPATH=/root/skopeo && \ + cd /root/skopeo/src/github.com/containers/skopeo && \ + make bin/skopeo && \ + make PREFIX=/usr install && \ + rm -rf /root/skopeo/* && \ + dnf -y remove git golang go-md2man make && \ + dnf clean all && \ + rm -rf /var/cache /var/log/dnf* /var/log/yum.* +RUN useradd skopeo && \ + echo skopeo:100000:65536 > /etc/subuid && \ + echo skopeo:100000:65536 > /etc/subgid -# Adjust storage.conf to enable Fuse storage. -RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf +# Copy & modify the defaults to provide reference if runtime changes needed. +# Changes here are required for running with fuse-overlay storage inside container. +RUN sed -e 's|^#mount_program|mount_program|g' \ + -e '/additionalimage.*/a "/var/lib/shared",' \ + -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \ + /usr/share/containers/storage.conf \ + > /etc/containers/storage.conf # Setup the ability to use additional stores # with this container image. 
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock - -# Setup skopeo's uid/guid entries -RUN echo skopeo:100000:65536 > /etc/subuid -RUN echo skopeo:100000:65536 > /etc/subgid +RUN mkdir -p /var/lib/shared/overlay-images \ + /var/lib/shared/overlay-layers && \ + touch /var/lib/shared/overlay-images/images.lock && \ + touch /var/lib/shared/overlay-layers/layers.lock # Point to the Authorization file ENV REGISTRY_AUTH_FILE=/tmp/auth.json
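Review bot: The build clones an unpinned default branch of https://github.com/containers/skopeo and records nothing about which commit produced the binary, so two `upstream` images built on different days cannot be told apart or traced back to source. Pinning is deliberately not wanted for this image per the README, but capturing the revision is cheap: before the `rm -rf /root/skopeo/*` add `git -C /root/skopeo/src/github.com/containers/skopeo rev-parse HEAD > /usr/share/doc/skopeo-upstream-commit` (destination path is a placeholder) or feed it into a `LABEL` via a build `ARG`. Note also that the source comes from GitHub rather than the build context, so a CI build of a pull request would not contain that PR's changes; if that is intended, a short comment above the `git clone` saying so would avoid surprises. The `useradd`/subuid `RUN` also directly follows the build `RUN` without the blank line the stable and testing files use, presumably just a formatting slip.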