diff --git a/.cirrus.yml b/.cirrus.yml
index fae896cb..d291bb16 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -53,7 +53,7 @@ validate_task:
 # The git-validation tool doesn't work well on branch or tag push,
 # under Cirrus-CI, due to challenges obtaining the starting commit ID.
 # Only do validation for PRs.
- only_if: $CIRRUS_PR != ''
+ only_if: &is_pr $CIRRUS_PR != ''
 container:
 image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
 cpu: 4
@@ -63,7 +63,7 @@ validate_task:
 make vendor && hack/tree_status.sh
 
 doccheck_task:
- only_if: $CIRRUS_PR != ''
+ only_if: *is_pr
 depends_on:
 - validate
 container:
@@ -81,7 +81,10 @@ doccheck_task:
 "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck
 
 osx_task:
- only_if: ¬_docs $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+ # Run for regular PRs and those with [CI:BUILD] but not [CI:DOCS]
+ only_if: ¬_docs_multiarch >-
+ $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+ $CIRRUS_CRON != 'multiarch'
 depends_on:
 - validate
 macos_instance:
@@ -102,10 +105,10 @@ osx_task:
 
 cross_task:
 alias: cross
- only_if: *not_docs
+ only_if: *not_docs_multiarch
 depends_on:
 - validate
- gce_instance:
+ gce_instance: &standardvm
 image_project: libpod-218412
 zone: "us-central1-f"
 cpu: 2
@@ -129,7 +132,11 @@ cross_task:
 #####
 test_skopeo_task:
 alias: test_skopeo
- only_if: *not_docs
+ # Don't test for [CI:DOCS], [CI:BUILD], or 'multiarch' cron.
+ only_if: >-
+ $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
+ $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+ $CIRRUS_CRON != 'multiarch'
 depends_on:
 - validate
 gce_instance:
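Review bot: The comment above the new `only_if` in the `osx_task` hunk (`@@ -81,7 +81,10 @@`) covers only the PR/[CI:DOCS] cases and leaves out the `$CIRRUS_CRON != 'multiarch'` clause the condition actually adds, so a reader of the comment alone would expect osx to run on the multiarch cron. Suggested wording: `# Run for regular PRs and [CI:BUILD] PRs; skip [CI:DOCS] and the 'multiarch' cron entry.` The anchor appears on this page as `¬_docs_multiarch`, presumably `&not_docs_multiarch` with the `&not` lost to entity decoding; worth confirming the checked-in file carries the literal ampersand, since `cross_task` in the following hunk aliases it as `*not_docs_multiarch`.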
@@ -162,6 +169,49 @@ test_skopeo_task: "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system +image_build_task: &image-build + name: "Build multi-arch $CTXDIR" + alias: image_build + # Some of these container images take > 1h to build, limit + # this task to a specific Cirrus-Cron entry with this name. + only_if: $CIRRUS_CRON == 'multiarch' + timeout_in: 120m # emulation is sssllllooooowwww + gce_instance: + <<: *standardvm + image_name: build-push-${IMAGE_SUFFIX} + # More muscle required for parallel multi-arch build + type: "n2-standard-4" + matrix: + - env: + CTXDIR: contrib/skopeoimage/upstream + - env: + CTXDIR: contrib/skopeoimage/testing + - env: + CTXDIR: contrib/skopeoimage/stable + env: + SKOPEO_USERNAME: ENCRYPTED[4195884d23b154553f2ddb26a63fc9fbca50ba77b3e447e4da685d8639ed9bc94b9a86a9c77272c8c80d32ead9ca48da] + SKOPEO_PASSWORD: ENCRYPTED[36e06f9befd17e5da2d60260edb9ef0d40e6312e2bba4cf881d383f1b8b5a18c8e5a553aea2fdebf39cebc6bd3b3f9de] + CONTAINERS_USERNAME: ENCRYPTED[dd722c734641f103b394a3a834d51ca5415347e378637cf98ee1f99e64aad2ec3dbd4664c0d94cb0e06b83d89e9bbe91] + CONTAINERS_PASSWORD: ENCRYPTED[d8b0fac87fe251cedd26c864ba800480f9e0570440b9eb264265b67411b253a626fb69d519e188e6c9a7f525860ddb26] + main_script: + - source /etc/automation_environment + - main.sh $CIRRUS_REPO_CLONE_URL $CTXDIR + + +test_image_build_task: + <<: *image-build + alias: test_image_build + # Allow this to run inside a PR w/ [CI:BUILD] only. + only_if: $CIRRUS_PR != '' && $CIRRUS_CHANGE_TITLE =~ '.*CI:BUILD.*' + # This takes a LONG time, only run when requested. N/B: Any task + # made to depend on this one will block FOREVER unless triggered. + # DO NOT ADD THIS TASK AS DEPENDENCY FOR `success_task`. + trigger_type: manual + # Overwrite all 'env', don't push anything, just do the build. + env: + DRYRUN: 1 + + # This task is critical. It updates the "last-used by" timestamp stored # in metadata for all VM images. 
This mechanism functions in tandem with # an out-of-band pruning operation to remove disused VM images. @@ -200,6 +250,7 @@ success_task: - osx - cross - test_skopeo + - image_build - meta container: *smallcontainer env: diff --git a/.github/workflows/multi-arch-build.yaml b/.github/workflows/multi-arch-build.yaml deleted file mode 100644 index 3138b679..00000000 --- a/.github/workflows/multi-arch-build.yaml +++ /dev/null 
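Review bot: In `test_image_build_task` the `env:` override is the only thing keeping the four `ENCRYPTED[...]` registry credentials merged in from `*image-build` out of a PR-triggered run (an explicit key wins over `<<:`), but the comment `# Overwrite all 'env', don't push anything, just do the build.` presents that as incidental. Suggest stating the intent so a later edit does not quietly add a key next to `DRYRUN` and keep the override by accident: `# Replace the whole 'env' on purpose: the registry credentials from *image-build must never reach a PR-triggered build; DRYRUN tells main.sh to build without pushing.` Whether `DRYRUN: 1` is honored depends on `main.sh` from `/etc/automation_environment`, which is outside this diff, so the build-only guarantee presumably rests on that script rather than on anything visible here. `image_build_task` also sets `only_if: $CIRRUS_CRON == 'multiarch'` while `success_task` (next hunk) gains a dependency on `image_build`; that relies on Cirrus treating a skipped task as satisfied for `depends_on`, which is fine if intended but deserves a one-line comment on the `- image_build` entry.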
@@ -1,212 +0,0 @@ ---- - -# Please see contrib/image/README.md for details on the intentions -# of this workflow. -# -# BIG FAT WARNING: This workflow is duplicated across containers/skopeo, -# containers/buildah, and containers/podman. ANY AND -# ALL CHANGES MADE HERE MUST BE MANUALLY DUPLICATED -# TO THE OTHER REPOS. - -name: build multi-arch images - -on: - # Upstream tends to be very active, with many merges per day. - # Only run this daily via cron schedule, or manually, not by branch push. - schedule: - - cron: '0 8 * * *' - # allows to run this workflow manually from the Actions tab - workflow_dispatch: - -permissions: - contents: read - -jobs: - multi: - name: multi-arch image build - env: - REPONAME: skopeo # No easy way to parse this out of $GITHUB_REPOSITORY - # Server/namespace value used to format FQIN - REPONAME_QUAY_REGISTRY: quay.io/skopeo - CONTAINERS_QUAY_REGISTRY: quay.io/containers - # list of architectures for build - PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 - # Command to execute in container to obtain project version number - VERSION_CMD: "--version" # skopeo is the entrypoint - - # build several images (upstream, testing, stable) in parallel - strategy: - # By default, failure of one matrix item cancels all others - fail-fast: false - matrix: - # Builds are located under contrib/image/ directory - source: - - upstream - - testing - - stable - runs-on: ubuntu-latest - # internal registry caches build for inspection before push - services: - registry: - image: quay.io/libpod/registry:2 - ports: - - 5000:5000 - steps: - - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 - - - name: Set up QEMU - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1 - with: - driver-opts: network=host - install: true - - - name: Build and locally push image - uses: 
docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2 - with: - context: contrib/${{ env.REPONAME }}image/${{ matrix.source }} - file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile - platforms: ${{ env.PLATFORMS }} - push: true - tags: localhost:5000/${{ env.REPONAME }}/${{ matrix.source }} - - # Simple verification that stable images work, and - # also grab version number use in forming the FQIN. - - name: amd64 container sniff test - if: matrix.source == 'stable' - id: sniff_test - run: | - podman pull --tls-verify=false \ - localhost:5000/$REPONAME/${{ matrix.source }} - VERSION_OUTPUT=$(podman run \ - localhost:5000/$REPONAME/${{ matrix.source }} \ - $VERSION_CMD) - echo "$VERSION_OUTPUT" - VERSION=$(awk -r -e "/^${REPONAME} version /"'{print $3}' <<<"$VERSION_OUTPUT") - test -n "$VERSION" - echo "::set-output name=version::$VERSION" - - - name: Generate image FQIN(s) to push - id: reponame_reg - run: | - if [[ "${{ matrix.source }}" == 'stable' ]]; then - # The command version in image just built - VERSION='v${{ steps.sniff_test.outputs.version }}' - # workaround vim syntax-highlight bug: ' - # Push both new|updated version-tag and latest-tag FQINs - FQIN="$REPONAME_QUAY_REGISTRY/stable:$VERSION,$REPONAME_QUAY_REGISTRY/stable:latest" - elif [[ "${{ matrix.source }}" == 'testing' ]]; then - # Assume some contents changed, always push latest testing. - FQIN="$REPONAME_QUAY_REGISTRY/testing:latest" - elif [[ "${{ matrix.source }}" == 'upstream' ]]; then - # Assume some contents changed, always push latest upstream. - FQIN="$REPONAME_QUAY_REGISTRY/upstream:latest" - else - echo "::error::Unknown matrix item '${{ matrix.source }}'" - exit 1 - fi - echo "::warning::Pushing $FQIN" - echo "::set-output name=fqin::${FQIN}" - echo '::set-output name=push::true' - - # This is substantially similar to the above logic, - # but only handles $CONTAINERS_QUAY_REGISTRY for - # the stable "latest" and named-version tagged images. 
- - name: Generate containers reg. image FQIN(s) - if: matrix.source == 'stable' - id: containers_reg - run: | - VERSION='v${{ steps.sniff_test.outputs.version }}' - # workaround vim syntax-highlight bug: ' - # Push both new|updated version-tag and latest-tag FQINs - FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:$VERSION,$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest" - echo "::warning::Pushing $FQIN" - echo "::set-output name=fqin::${FQIN}" - echo '::set-output name=push::true' - - - name: Define LABELS multi-line env. var. value - run: | - # This is a really hacky/strange workflow idiom, required - # for setting multi-line $LABELS value for consumption in - # a future step. There is literally no cleaner way to do this :< - # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings - function set_labels() { - echo 'LABELS<> "$GITHUB_ENV" - for line; do - echo "$line" | tee -a "$GITHUB_ENV" - done - echo "DELIMITER" >> "$GITHUB_ENV" - } - - declare -a lines - lines=(\ - "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git" - "org.opencontainers.image.revision=${GITHUB_SHA}" - "org.opencontainers.image.created=$(date -u --iso-8601=seconds)" - ) - - # Only the 'stable' matrix source obtains $VERSION - if [[ "${{ matrix.source }}" == "stable" ]]; then - lines+=(\ - "org.opencontainers.image.version=${{ steps.sniff_test.outputs.version }}" - ) - fi - - set_labels "${lines[@]}" - - # Separate steps to login and push for $REPONAME_QUAY_REGISTRY and - # $CONTAINERS_QUAY_REGISTRY are required, because 2 sets of credentials - # are used and namespaced within the registry. At the same time, reuse - # of non-shell steps is not supported by Github Actions nor are YAML - # anchors/aliases, nor composite actions. - - # Push to $REPONAME_QUAY_REGISTRY for stable, testing. 
and upstream - - name: Login to ${{ env.REPONAME_QUAY_REGISTRY }} - uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1 - if: steps.reponame_reg.outputs.push == 'true' - with: - registry: ${{ env.REPONAME_QUAY_REGISTRY }} - # N/B: Secrets are not passed to workflows that are triggered - # by a pull request from a fork - username: ${{ secrets.REPONAME_QUAY_USERNAME }} - password: ${{ secrets.REPONAME_QUAY_PASSWORD }} - - - name: Push images to ${{ steps.reponame_reg.outputs.fqin }} - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2 - if: steps.reponame_reg.outputs.push == 'true' - with: - cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }} - cache-to: type=inline - context: contrib/${{ env.REPONAME }}image/${{ matrix.source }} - file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile - platforms: ${{ env.PLATFORMS }} - push: true - tags: ${{ steps.reponame_reg.outputs.fqin }} - labels: | - ${{ env.LABELS }} - - # Push to $CONTAINERS_QUAY_REGISTRY only stable - - name: Login to ${{ env.CONTAINERS_QUAY_REGISTRY }} - if: steps.containers_reg.outputs.push == 'true' - uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1 - with: - registry: ${{ env.CONTAINERS_QUAY_REGISTRY}} - username: ${{ secrets.CONTAINERS_QUAY_USERNAME }} - password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }} - - - name: Push images to ${{ steps.containers_reg.outputs.fqin }} - if: steps.containers_reg.outputs.push == 'true' - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2 - with: - cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }} - cache-to: type=inline - context: contrib/${{ env.REPONAME }}image/${{ matrix.source }} - file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile - platforms: ${{ env.PLATFORMS }} - push: true - tags: ${{ steps.containers_reg.outputs.fqin }} - labels: | - ${{ env.LABELS }} 
diff --git a/contrib/skopeoimage/README.md b/contrib/skopeoimage/README.md index 522cc47b..6d969d86 100644 --- a/contrib/skopeoimage/README.md +++ b/contrib/skopeoimage/README.md @@ -6,7 +6,7 @@ ## Overview -This directory contains the Dockerfiles necessary to create the skopeoimage container +This directory contains the Containerfiles necessary to create the skopeoimage container images that are housed on quay.io under the skopeo account. All repositories where the images live are public and can be pulled without credentials. These container images are secured and the resulting containers can run safely with privileges within the container. 
@@ -19,21 +19,22 @@ default to `/`. The container images are: * `quay.io/containers/skopeo:v` and `quay.io/skopeo/stable:v` - - These images are built when a new Skopeo version becomes available in - Fedora. These images are intended to be unchanging and stable, they will - never be updated by automation once they've been pushed. For build details, - please [see the configuration file](stable/Dockerfile). + These images are built daily. These images are intended contain an unchanging + and stable version of skopeo. For the most recent `` tags (`vX`, + `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate + (especially) security updates. For build details, please[see the configuration + file](stable/Containerfile). * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` - - Built daily using the same Dockerfile as above. The skopeo version - will remain the "latest" available in Fedora, however the image + Built daily using the same Containerfile as above. The skopeo version + will remain the "latest" available in Fedora, however the other image contents may vary compared to the version-tagged images. * `quay.io/skopeo/testing:latest` - This image is built daily, using the latest version of Skopeo that was in the Fedora `updates-testing` repository. - The image is Built with [the testing Dockerfile](testing/Dockerfile). + The image is Built with [the testing Containerfile](testing/Containerfile). * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest code found in this GitHub repository. Due to the image changing frequently, it's not guaranteed to be stable or even executable. The image is built with - [the upstream Dockerfile](upstream/Dockerfile). + [the upstream Containerfile](upstream/Containerfile). ## Sample Usage diff --git a/contrib/skopeoimage/stable/Containerfile b/contrib/skopeoimage/stable/Containerfile new file mode 100644 index 00000000..0139e74a --- /dev/null 
+++ b/contrib/skopeoimage/stable/Containerfile
@@ -0,0 +1,47 @@
+# stable/Containerfile
+#
+# Build a Skopeo container image from the latest
+# stable version of Skopeo on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+# being (maybe still?) affected by
+# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+ rpm --setcaps shadow-utils 2>/dev/null && \
+ dnf -y install skopeo fuse-overlayfs \
+ --exclude container-selinux && \
+ dnf clean all && \
+ rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+ echo skopeo:100000:65536 > /etc/subuid && \
+ echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+ -e '/additionalimage.*/a "/var/lib/shared",' \
+ -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+ /usr/share/containers/storage.conf \
+ > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+ /var/lib/shared/overlay-layers && \
+ touch /var/lib/shared/overlay-images/images.lock && \
+ touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
diff --git a/contrib/skopeoimage/stable/Dockerfile b/contrib/skopeoimage/stable/Dockerfile
deleted file mode 100644
index 55eae7a4..00000000
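Review bot: `rm -rf /var/cache /var/log/dnf* /var/log/yum.*` at the end of the first `RUN` deletes the `/var/cache` directory itself, whereas the replaced `Dockerfile` only emptied `/var/cache/dnf/*`; that presumably also takes `/var/cache/ldconfig` and anything else the Fedora base keeps there, which can make later `ldconfig` runs or package installs in derived images complain. Suggest `rm -rf /var/cache/dnf /var/log/dnf* /var/log/yum.*`, or `/var/cache/*` with a comment if the broader cleanup is deliberate. The `2>/dev/null` on `rpm --setcaps shadow-utils` discards the diagnostic while a non-zero exit still aborts the `&&` chain, so a failure surfaces as an unexplained build break; dropping the redirect keeps the cause in the log. The same lines appear in `testing/Containerfile` (`@@ -0,0 +1,49 @@`) and `upstream/Containerfile` (`@@ -0,0 +1,66 @@`).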
--- a/contrib/skopeoimage/stable/Dockerfile
+++ /dev/null
@@ -1,33 +0,0 @@
-# stable/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# stable version of Skopeo on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space. Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images.
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
diff --git a/contrib/skopeoimage/testing/Containerfile b/contrib/skopeoimage/testing/Containerfile
new file mode 100644
index 00000000..8ef6bf48
--- /dev/null
+++ b/contrib/skopeoimage/testing/Containerfile
@@ -0,0 +1,49 @@
+# testing/Containerfile
+#
+# Build a Skopeo container image from the latest
+# version of Skopeo that is in updates-testing
+# on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+# being (maybe still?) affected by
+# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+ rpm --setcaps shadow-utils 2>/dev/null && \
+ dnf -y install skopeo fuse-overlayfs \
+ --exclude container-selinux \
+ --enablerepo updates-testing && \
+ dnf clean all && \
+ rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+ echo skopeo:100000:65536 > /etc/subuid && \
+ echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+ -e '/additionalimage.*/a "/var/lib/shared",' \
+ -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+ /usr/share/containers/storage.conf \
+ > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+ /var/lib/shared/overlay-layers && \
+ touch /var/lib/shared/overlay-images/images.lock && \
+ touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
diff --git a/contrib/skopeoimage/testing/Dockerfile b/contrib/skopeoimage/testing/Dockerfile
deleted file mode 100644
index c9e1bab0..00000000
--- a/contrib/skopeoimage/testing/Dockerfile
+++ /dev/null
@@ -1,34 +0,0 @@
-# testing/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# version of Skopeo that is in updates-testing
-# on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space. Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images.
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
diff --git a/contrib/skopeoimage/upstream/Containerfile b/contrib/skopeoimage/upstream/Containerfile
new file mode 100644
index 00000000..8c1cef7c
--- /dev/null
+++ b/contrib/skopeoimage/upstream/Containerfile
@@ -0,0 +1,66 @@
+# upstream/Containerfile
+#
+# Build a Skopeo container image from the latest
+# upstream version of Skopeo on GitHub.
+# https://github.com/containers/skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+# being (maybe still?) affected by
+# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+ rpm --setcaps shadow-utils 2>/dev/null && \
+ dnf -y --enablerepo updates-testing --exclude container-selinux install \
+ make \
+ golang \
+ git \
+ go-md2man \
+ fuse-overlayfs \
+ fuse3 \
+ containers-common \
+ gpgme-devel \
+ libassuan-devel \
+ btrfs-progs-devel \
+ device-mapper-devel && \
+ mkdir /root/skopeo && \
+ git clone https://github.com/containers/skopeo \
+ /root/skopeo/src/github.com/containers/skopeo && \
+ export GOPATH=/root/skopeo && \
+ cd /root/skopeo/src/github.com/containers/skopeo && \
+ make bin/skopeo && \
+ make PREFIX=/usr install && \
+ rm -rf /root/skopeo/* && \
+ dnf -y remove git golang go-md2man make && \
+ dnf clean all && \
+ rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+ echo skopeo:100000:65536 > /etc/subuid && \
+ echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+ -e '/additionalimage.*/a "/var/lib/shared",' \
+ -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+ /usr/share/containers/storage.conf \
+ > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+ /var/lib/shared/overlay-layers && \
+ touch /var/lib/shared/overlay-images/images.lock && \
+ touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
diff --git a/contrib/skopeoimage/upstream/Dockerfile b/contrib/skopeoimage/upstream/Dockerfile
deleted file mode 100644
index b56d38bf..00000000
--- a/contrib/skopeoimage/upstream/Dockerfile
+++ /dev/null
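Review bot: The build `RUN` in `upstream/Containerfile` (it begins in the earlier part of this hunk) clones `https://github.com/containers/skopeo` at whatever the default branch points to when the build runs, rather than using the build context, so the `test_image_build_task` in `.cirrus.yml` (a PR with `[CI:BUILD]`) compiles the repository's current tip and not the PR's own source, and the resulting image carries no record of which commit went in. Consider threading the commit through a build argument, e.g. `ARG SKOPEO_COMMIT=main` before the `RUN` and `git checkout "$SKOPEO_COMMIT" && \` right after the `cd` into the clone, so CI can pin the image to the commit or tag under test and the value can be surfaced in a `LABEL`. The `--enablerepo updates-testing` on the build-dependency install is presumably intentional for the upstream flavour but differs from `stable/Containerfile`; a one-line comment saying why would save the next reader a comparison.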
@@ -1,54 +0,0 @@
-# upstream/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# upstream version of Skopeo on GitHub.
-# https://github.com/containers/skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space. Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images.
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
-yum -y install make \
-golang \
-git \
-go-md2man \
-fuse-overlayfs \
-fuse3 \
-containers-common \
-gpgme-devel \
-libassuan-devel \
-btrfs-progs-devel \
-device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \
-mkdir /root/skopeo; \
-git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \
-export GOPATH=/root/skopeo; \
-cd /root/skopeo/src/github.com/containers/skopeo; \
-make bin/skopeo;\
-make PREFIX=/usr install;\
-rm -rf /root/skopeo/*; \
-yum -y remove git golang go-md2man make; \
-yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]