From 774ff9d16f82fa4c5eec8effc30089ba43114262 Mon Sep 17 00:00:00 2001
From: Chris Evich <cevich@redhat.com>
Date: Fri, 3 Jun 2022 10:57:31 -0400
Subject: [PATCH 1/2] Cirrus: Migrate multiarch build off github actions

The github actions workflow for this operation is complex and difficult
to maintain.  For several months now a replacement has been running well
in the podman repository.  Its scripts/components are centralized,
versioned, unit, and integration tested.  Add cirrus tasks to run the
build, and another task to allow test builds in a PR.

This also adds support for a new magic CI string: `[CI:BUILD]`.
With this string in the PR title, automation will only do basic build
verification, and enable testing of the multi-arch build process.

Otherwise, many tasks were updated to not be created when running the
cirrus-cron multi-arch image builds, since this would simply be a waste
of time and invitation for flakes.

Lastly, since only native tooling is used in the new build process,
rename all the recipes to `Containerfile`.

Signed-off-by: Chris Evich <cevich@redhat.com>
---
 .cirrus.yml                                   |  63 +++++-
 .github/workflows/multi-arch-build.yaml       | 212 ------------------
 .../stable/{Dockerfile => Containerfile}      |   4 +-
 .../testing/{Dockerfile => Containerfile}     |   4 +-
 .../upstream/{Dockerfile => Containerfile}    |   4 +-
 5 files changed, 63 insertions(+), 224 deletions(-)
 delete mode 100644 .github/workflows/multi-arch-build.yaml
 rename contrib/skopeoimage/stable/{Dockerfile => Containerfile} (95%)
 rename contrib/skopeoimage/testing/{Dockerfile => Containerfile} (95%)
 rename contrib/skopeoimage/upstream/{Dockerfile => Containerfile} (96%)

diff --git a/.cirrus.yml b/.cirrus.yml
index fae896cb..38f6b91c 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -53,7 +53,7 @@ validate_task:
     # The git-validation tool doesn't work well on branch or tag push,
     # under Cirrus-CI, due to challenges obtaining the starting commit ID.
     # Only do validation for PRs.
-    only_if: $CIRRUS_PR != ''
+    only_if: &is_pr $CIRRUS_PR != ''
     container:
         image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
         cpu: 4
@@ -63,7 +63,7 @@ validate_task:
         make vendor && hack/tree_status.sh
 
 doccheck_task:
-    only_if: $CIRRUS_PR != ''
+    only_if: *is_pr
     depends_on:
       - validate
     container:
@@ -81,7 +81,10 @@ doccheck_task:
       "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck
 
 osx_task:
-    only_if: &not_docs $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    # Run for regular PRs and those with [CI:BUILD] but not [CI:DOCS]
+    only_if: &not_docs_multiarch >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+        $CIRRUS_CRON != 'multiarch'
     depends_on:
         - validate
     macos_instance:
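Review bot: The comment above `only_if: &not_docs_multiarch` describes only the PR-title condition, but the second clause of the folded expression also keeps this task from being created on the 'multiarch' Cirrus-Cron run, and the anchor is reused by cross_task in a later hunk, so the comment is the only place that intent is documented. Suggest `# Run for regular PRs and those with [CI:BUILD], but not for [CI:DOCS] or the 'multiarch' cron build.` so the comment matches both clauses of the expression it labels.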
@@ -102,10 +105,10 @@ osx_task:
 
 cross_task:
     alias: cross
-    only_if: *not_docs
+    only_if: *not_docs_multiarch
     depends_on:
         - validate
-    gce_instance:
+    gce_instance: &standardvm
         image_project: libpod-218412
         zone: "us-central1-f"
         cpu: 2
@@ -129,7 +132,11 @@ cross_task:
 #####
 test_skopeo_task:
     alias: test_skopeo
-    only_if: *not_docs
+    # Don't test for [CI:DOCS], [CI:BUILD], or 'multiarch' cron.
+    only_if: >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+        $CIRRUS_CRON != 'multiarch'
     depends_on:
         - validate
     gce_instance:
@@ -162,6 +169,49 @@ test_skopeo_task:
         "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system
 
 
+image_build_task: &image-build
+    name: "Build multi-arch $CTXDIR"
+    alias: image_build
+    # Some of these container images take > 1h to build, limit
+    # this task to a specific Cirrus-Cron entry with this name.
+    only_if: $CIRRUS_CRON == 'multiarch'
+    timeout_in: 120m  # emulation is sssllllooooowwww
+    gce_instance:
+        <<: *standardvm
+        image_name: build-push-${IMAGE_SUFFIX}
+        # More muscle required for parallel multi-arch build
+        type: "n2-standard-4"
+    matrix:
+        - env:
+            CTXDIR: contrib/skopeoimage/upstream
+        - env:
+            CTXDIR: contrib/skopeoimage/testing
+        - env:
+            CTXDIR: contrib/skopeoimage/stable
+    env:
+        BUILDAH_USERNAME: ENCRYPTED[FIXME]
+        BUILDAH_PASSWORD: ENCRYPTED[FIXME]
+        CONTAINERS_USERNAME: ENCRYPTED[FIXME]
+        CONTAINERS_PASSWORD: ENCRYPTED[FIXME]
+    main_script:
+        - source /etc/automation_environment
+        - main.sh $CIRRUS_REPO_CLONE_URL $CTXDIR
+
+
+test_image_build_task:
+    <<: *image-build
+    alias: test_image_build
+    # Allow this to run inside a PR w/ [CI:BUILD] only.
+    only_if: $CIRRUS_PR != '' && $CIRRUS_CHANGE_TITLE =~ '.*CI:BUILD.*'
+    # This takes a LONG time, only run when requested.  N/B: Any task
+    # made to depend on this one will block FOREVER unless triggered.
+    # DO NOT ADD THIS TASK AS DEPENDENCY FOR `success_task`.
+    trigger_type: manual
+    # Overwrite all 'env', don't push anything, just do the build.
+    env:
+        DRYRUN: 1
+
+
 # This task is critical.  It updates the "last-used by" timestamp stored
 # in metadata for all VM images.  This mechanism functions in tandem with
 # an out-of-band pruning operation to remove disused VM images.
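Review bot: `test_image_build_task` merges the whole `image_build_task` map via `<<: *image-build` but does not override `name`, so both tasks are titled "Build multi-arch $CTXDIR" and are told apart only by alias; suggest adding `name: "Test build multi-arch $CTXDIR"` next to the `alias: test_image_build` line. The comment on the `env:` override could also state what the replacement buys: merge keys are shallow, so the `DRYRUN: 1` map fully displaces the four registry credentials and the PR-triggerable task never holds them — e.g. `# Overwrite all 'env' (this also drops the registry credentials), don't push anything, just do the build.` The `*standardvm` anchor merged into `gce_instance` here is defined in an earlier hunk of this file.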
@@ -200,6 +250,7 @@ success_task:
         - osx
         - cross
         - test_skopeo
+        - image_build
         - meta
     container: *smallcontainer
     env:
diff --git a/.github/workflows/multi-arch-build.yaml b/.github/workflows/multi-arch-build.yaml
deleted file mode 100644
index 3138b679..00000000
--- a/.github/workflows/multi-arch-build.yaml
+++ /dev/null
@@ -1,212 +0,0 @@
----
-
-# Please see contrib/<reponame>image/README.md for details on the intentions
-# of this workflow.
-#
-# BIG FAT WARNING:  This workflow is duplicated across containers/skopeo,
-#                   containers/buildah, and containers/podman.  ANY AND
-#                   ALL CHANGES MADE HERE MUST BE MANUALLY DUPLICATED
-#                   TO THE OTHER REPOS.
-
-name: build multi-arch images
-
-on:
-  # Upstream tends to be very active, with many merges per day.
-  # Only run this daily via cron schedule, or manually, not by branch push.
-  schedule:
-    - cron:  '0 8 * * *'
-  # allows to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  multi:
-    name: multi-arch image build
-    env:
-      REPONAME: skopeo  # No easy way to parse this out of $GITHUB_REPOSITORY
-      # Server/namespace value used to format FQIN
-      REPONAME_QUAY_REGISTRY: quay.io/skopeo
-      CONTAINERS_QUAY_REGISTRY: quay.io/containers
-      # list of architectures for build
-      PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
-      # Command to execute in container to obtain project version number
-      VERSION_CMD: "--version"  # skopeo is the entrypoint
-
-    # build several images (upstream, testing, stable) in parallel
-    strategy:
-      # By default, failure of one matrix item cancels all others
-      fail-fast: false
-      matrix:
-        # Builds are located under contrib/<reponame>image/<source> directory
-        source:
-          - upstream
-          - testing
-          - stable
-    runs-on: ubuntu-latest
-    # internal registry caches build for inspection before push
-    services:
-      registry:
-        image: quay.io/libpod/registry:2
-        ports:
-          - 5000:5000
-    steps:
-      - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1
-        with:
-          driver-opts: network=host
-          install: true
-
-      - name: Build and locally push image
-        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2
-        with:
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-
-      # Simple verification that stable images work, and
-      # also grab version number use in forming the FQIN.
-      - name: amd64 container sniff test
-        if: matrix.source == 'stable'
-        id: sniff_test
-        run: |
-          podman pull --tls-verify=false \
-                            localhost:5000/$REPONAME/${{ matrix.source }}
-          VERSION_OUTPUT=$(podman run \
-                           localhost:5000/$REPONAME/${{ matrix.source }} \
-                           $VERSION_CMD)
-          echo "$VERSION_OUTPUT"
-          VERSION=$(awk -r -e "/^${REPONAME} version /"'{print $3}' <<<"$VERSION_OUTPUT")
-          test -n "$VERSION"
-          echo "::set-output name=version::$VERSION"
-
-      - name: Generate image FQIN(s) to push
-        id: reponame_reg
-        run: |
-          if [[ "${{ matrix.source }}" == 'stable' ]]; then
-            # The command version in image just built
-            VERSION='v${{ steps.sniff_test.outputs.version }}'
-            # workaround vim syntax-highlight bug: '
-            # Push both new|updated version-tag and latest-tag FQINs
-            FQIN="$REPONAME_QUAY_REGISTRY/stable:$VERSION,$REPONAME_QUAY_REGISTRY/stable:latest"
-          elif [[ "${{ matrix.source }}" == 'testing' ]]; then
-            # Assume some contents changed, always push latest testing.
-            FQIN="$REPONAME_QUAY_REGISTRY/testing:latest"
-          elif [[ "${{ matrix.source }}" == 'upstream' ]]; then
-            # Assume some contents changed, always push latest upstream.
-            FQIN="$REPONAME_QUAY_REGISTRY/upstream:latest"
-          else
-            echo "::error::Unknown matrix item '${{ matrix.source }}'"
-            exit 1
-          fi
-          echo "::warning::Pushing $FQIN"
-          echo "::set-output name=fqin::${FQIN}"
-          echo '::set-output name=push::true'
-
-      # This is substantially similar to the above logic,
-      # but only handles $CONTAINERS_QUAY_REGISTRY for
-      # the stable "latest" and named-version tagged images.
-      - name: Generate containers reg. image FQIN(s)
-        if: matrix.source == 'stable'
-        id: containers_reg
-        run: |
-          VERSION='v${{ steps.sniff_test.outputs.version }}'
-          # workaround vim syntax-highlight bug: '
-          # Push both new|updated version-tag and latest-tag FQINs
-          FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:$VERSION,$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest"
-          echo "::warning::Pushing $FQIN"
-          echo "::set-output name=fqin::${FQIN}"
-          echo '::set-output name=push::true'
-
-      - name: Define LABELS multi-line env. var. value
-        run: |
-          # This is a really hacky/strange workflow idiom, required
-          # for setting multi-line $LABELS value for consumption in
-          # a future step.  There is literally no cleaner way to do this :<
-          # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings
-          function set_labels() {
-            echo 'LABELS<<DELIMITER' >> "$GITHUB_ENV"
-            for line; do
-                echo "$line" | tee -a "$GITHUB_ENV"
-            done
-            echo "DELIMITER" >> "$GITHUB_ENV"
-          }
-
-          declare -a lines
-          lines=(\
-            "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git"
-            "org.opencontainers.image.revision=${GITHUB_SHA}"
-            "org.opencontainers.image.created=$(date -u --iso-8601=seconds)"
-          )
-
-          # Only the 'stable' matrix source obtains $VERSION
-          if [[ "${{ matrix.source }}" == "stable" ]]; then
-            lines+=(\
-              "org.opencontainers.image.version=${{ steps.sniff_test.outputs.version }}"
-            )
-          fi
-
-          set_labels "${lines[@]}"
-
-      # Separate steps to login and push for $REPONAME_QUAY_REGISTRY and
-      # $CONTAINERS_QUAY_REGISTRY are required, because 2 sets of credentials
-      # are used and namespaced within the registry.  At the same time, reuse
-      # of non-shell steps is not supported by Github Actions nor are YAML
-      # anchors/aliases, nor composite actions.
-
-      # Push to $REPONAME_QUAY_REGISTRY for stable, testing. and upstream
-      - name: Login to ${{ env.REPONAME_QUAY_REGISTRY }}
-        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1
-        if: steps.reponame_reg.outputs.push == 'true'
-        with:
-          registry: ${{ env.REPONAME_QUAY_REGISTRY }}
-          # N/B: Secrets are not passed to workflows that are triggered
-          #      by a pull request from a fork
-          username: ${{ secrets.REPONAME_QUAY_USERNAME }}
-          password: ${{ secrets.REPONAME_QUAY_PASSWORD }}
-
-      - name: Push images to ${{ steps.reponame_reg.outputs.fqin }}
-        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2
-        if: steps.reponame_reg.outputs.push == 'true'
-        with:
-          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-          cache-to: type=inline
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: ${{ steps.reponame_reg.outputs.fqin }}
-          labels: |
-            ${{ env.LABELS }}
-
-      # Push to $CONTAINERS_QUAY_REGISTRY only stable
-      - name: Login to ${{ env.CONTAINERS_QUAY_REGISTRY }}
-        if: steps.containers_reg.outputs.push == 'true'
-        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1
-        with:
-          registry: ${{ env.CONTAINERS_QUAY_REGISTRY}}
-          username: ${{ secrets.CONTAINERS_QUAY_USERNAME }}
-          password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }}
-
-      - name: Push images to ${{ steps.containers_reg.outputs.fqin }}
-        if: steps.containers_reg.outputs.push == 'true'
-        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2
-        with:
-          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-          cache-to: type=inline
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: ${{ steps.containers_reg.outputs.fqin }}
-          labels: |
-            ${{ env.LABELS }}
diff --git a/contrib/skopeoimage/stable/Dockerfile b/contrib/skopeoimage/stable/Containerfile
similarity index 95%
rename from contrib/skopeoimage/stable/Dockerfile
rename to contrib/skopeoimage/stable/Containerfile
index 55eae7a4..fa3a8a53 100644
--- a/contrib/skopeoimage/stable/Dockerfile
+++ b/contrib/skopeoimage/stable/Containerfile
@@ -1,4 +1,4 @@
-# stable/Dockerfile
+# stable/Containerfile
 #
 # Build a Skopeo container image from the latest
 # stable version of Skopeo on the Fedoras Updates System.
@@ -12,7 +12,7 @@ FROM registry.fedoraproject.org/fedora:latest
 # directories used by yum that are just taking
 # up space.  Also reinstall shadow-utils as without
 # doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
+# and newgidmap are lost in the Fedora images.
 RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
 
 # Adjust storage.conf to enable Fuse storage.
diff --git a/contrib/skopeoimage/testing/Dockerfile b/contrib/skopeoimage/testing/Containerfile
similarity index 95%
rename from contrib/skopeoimage/testing/Dockerfile
rename to contrib/skopeoimage/testing/Containerfile
index c9e1bab0..044cf57d 100644
--- a/contrib/skopeoimage/testing/Dockerfile
+++ b/contrib/skopeoimage/testing/Containerfile
@@ -1,4 +1,4 @@
-# testing/Dockerfile
+# testing/Containerfile
 #
 # Build a Skopeo container image from the latest
 # version of Skopeo that is in updates-testing
@@ -13,7 +13,7 @@ FROM registry.fedoraproject.org/fedora:latest
 # directories used by yum that are just taking
 # up space.  Also reinstall shadow-utils as without
 # doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
+# and newgidmap are lost in the Fedora images.
 RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
 
 # Adjust storage.conf to enable Fuse storage.
diff --git a/contrib/skopeoimage/upstream/Dockerfile b/contrib/skopeoimage/upstream/Containerfile
similarity index 96%
rename from contrib/skopeoimage/upstream/Dockerfile
rename to contrib/skopeoimage/upstream/Containerfile
index b56d38bf..38b2b9bb 100644
--- a/contrib/skopeoimage/upstream/Dockerfile
+++ b/contrib/skopeoimage/upstream/Containerfile
@@ -1,4 +1,4 @@
-# upstream/Dockerfile
+# upstream/Containerfile
 #
 # Build a Skopeo container image from the latest
 # upstream version of Skopeo on GitHub.
@@ -12,7 +12,7 @@ FROM registry.fedoraproject.org/fedora:latest
 # directories used by yum that are just taking
 # up space.  Also reinstall shadow-utils as without
 # doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
+# and newgidmap are lost in the Fedora images.
 RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
 yum -y install make \
 golang \

From 2024e2e258c3899d48383ef5346d5c142abdd39f Mon Sep 17 00:00:00 2001
From: Chris Evich <cevich@redhat.com>
Date: Tue, 7 Jun 2022 14:08:46 -0400
Subject: [PATCH 2/2] Update & fix skopeo multiarch image Containerfiles

These changes substantially mirror similar updates made recently to both
podman and buildah.  Besides renaming `Dockerfile` -> `Containerfile`,
there are much needed updates to docs, and the build instructions.

Signed-off-by: Chris Evich <cevich@redhat.com>
---
 .cirrus.yml                                |  8 +--
 contrib/skopeoimage/README.md              | 19 +++---
 contrib/skopeoimage/stable/Containerfile   | 38 +++++++----
 contrib/skopeoimage/testing/Containerfile  | 39 +++++++----
 contrib/skopeoimage/upstream/Containerfile | 76 +++++++++++++---------
 5 files changed, 111 insertions(+), 69 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index 38f6b91c..d291bb16 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -189,10 +189,10 @@ image_build_task: &image-build
         - env:
             CTXDIR: contrib/skopeoimage/stable
     env:
-        BUILDAH_USERNAME: ENCRYPTED[FIXME]
-        BUILDAH_PASSWORD: ENCRYPTED[FIXME]
-        CONTAINERS_USERNAME: ENCRYPTED[FIXME]
-        CONTAINERS_PASSWORD: ENCRYPTED[FIXME]
+        SKOPEO_USERNAME: ENCRYPTED[4195884d23b154553f2ddb26a63fc9fbca50ba77b3e447e4da685d8639ed9bc94b9a86a9c77272c8c80d32ead9ca48da]
+        SKOPEO_PASSWORD: ENCRYPTED[36e06f9befd17e5da2d60260edb9ef0d40e6312e2bba4cf881d383f1b8b5a18c8e5a553aea2fdebf39cebc6bd3b3f9de]
+        CONTAINERS_USERNAME: ENCRYPTED[dd722c734641f103b394a3a834d51ca5415347e378637cf98ee1f99e64aad2ec3dbd4664c0d94cb0e06b83d89e9bbe91]
+        CONTAINERS_PASSWORD: ENCRYPTED[d8b0fac87fe251cedd26c864ba800480f9e0570440b9eb264265b67411b253a626fb69d519e188e6c9a7f525860ddb26]
     main_script:
         - source /etc/automation_environment
         - main.sh $CIRRUS_REPO_CLONE_URL $CTXDIR
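Review bot: The four `ENCRYPTED[...]` entries carry no note of who consumes them, and this hunk renames `BUILDAH_*` to `SKOPEO_*`; presumably `main.sh` (from the sourced automation environment) derives the expected names from the repository, but a mismatch would surface only as a failed push at the end of a multi-hour cron build, so the expectation is worth recording. Suggest a comment above the `env:` line: `# Registry credentials consumed by main.sh; test_image_build_task replaces this whole env map so PR-triggered builds never receive them.` The enclosing `image_build_task` starts before this hunk.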
diff --git a/contrib/skopeoimage/README.md b/contrib/skopeoimage/README.md
index 522cc47b..6d969d86 100644
--- a/contrib/skopeoimage/README.md
+++ b/contrib/skopeoimage/README.md
@@ -6,7 +6,7 @@
 
 ## Overview
 
-This directory contains the Dockerfiles necessary to create the skopeoimage container
+This directory contains the Containerfiles necessary to create the skopeoimage container
 images that are housed on quay.io under the skopeo account.  All repositories where
 the images live are public and can be pulled without credentials.  These container images are secured and the
 resulting containers can run safely with privileges within the container.
@@ -19,21 +19,22 @@ default to `/`.
 The container images are:
 
   * `quay.io/containers/skopeo:v<version>` and `quay.io/skopeo/stable:v<version>` -
-    These images are built when a new Skopeo version becomes available in
-    Fedora.  These images are intended to be unchanging and stable, they will
-    never be updated by automation once they've been pushed.  For build details,
-    please [see the configuration file](stable/Dockerfile).
+    These images are built daily.  These images are intended contain an unchanging
+    and stable version of skopeo.  For the most recent `<version>` tags (`vX`,
+    `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate
+    (especially) security updates.  For build details, please[see the configuration
+    file](stable/Containerfile).
   * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` -
-    Built daily using the same Dockerfile as above.  The skopeo version
-    will remain the "latest" available in Fedora, however the image
+    Built daily using the same Containerfile as above.  The skopeo version
+    will remain the "latest" available in Fedora, however the other image
     contents may vary compared to the version-tagged images.
   * `quay.io/skopeo/testing:latest` - This image is built daily, using the
     latest version of Skopeo that was in the Fedora `updates-testing` repository.
-    The image is Built with [the testing Dockerfile](testing/Dockerfile).
+    The image is Built with [the testing Containerfile](testing/Containerfile).
   * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest
     code found in this GitHub repository.  Due to the image changing frequently,
     it's not guaranteed to be stable or even executable.  The image is built with
-    [the upstream Dockerfile](upstream/Dockerfile).
+    [the upstream Containerfile](upstream/Containerfile).
 
 
 ## Sample Usage
diff --git a/contrib/skopeoimage/stable/Containerfile b/contrib/skopeoimage/stable/Containerfile
index fa3a8a53..0139e74a 100644
--- a/contrib/skopeoimage/stable/Containerfile
+++ b/contrib/skopeoimage/stable/Containerfile
@@ -9,22 +9,36 @@
 FROM registry.fedoraproject.org/fedora:latest
 
 # Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images.
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y install skopeo fuse-overlayfs \
+        --exclude container-selinux && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
 
 # Setup the ability to use additional stores
 # with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
 
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json
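Review bot: The rewritten `RUN useradd skopeo && \` step lost the comment the old layout carried above its subuid/subgid writes, so a reader now meets two bare `echo skopeo:100000:65536` redirects with no statement of intent; suggest restoring it as `# Create the unprivileged skopeo user and its subordinate uid/gid ranges (required for user-namespace storage inside the container).` The same comment was dropped in the matching hunks of testing/Containerfile and upstream/Containerfile. Separately, `rm -rf /var/cache /var/log/dnf* /var/log/yum.*` now removes the `/var/cache` directory itself rather than only `/var/cache/dnf/*` as before; presumably intentional to mirror podman/buildah, but a word in the comment above the step would save the next maintainer from reading it as an accident.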
diff --git a/contrib/skopeoimage/testing/Containerfile b/contrib/skopeoimage/testing/Containerfile
index 044cf57d..8ef6bf48 100644
--- a/contrib/skopeoimage/testing/Containerfile
+++ b/contrib/skopeoimage/testing/Containerfile
@@ -10,22 +10,37 @@
 FROM registry.fedoraproject.org/fedora:latest
 
 # Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images.
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y install skopeo fuse-overlayfs \
+        --exclude container-selinux \
+        --enablerepo updates-testing && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
 
 # Setup the ability to use additional stores
 # with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
 
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json
diff --git a/contrib/skopeoimage/upstream/Containerfile b/contrib/skopeoimage/upstream/Containerfile
index 38b2b9bb..8c1cef7c 100644
--- a/contrib/skopeoimage/upstream/Containerfile
+++ b/contrib/skopeoimage/upstream/Containerfile
@@ -9,43 +9,55 @@
 FROM registry.fedoraproject.org/fedora:latest
 
 # Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images.
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
-yum -y install make \
-golang \
-git \
-go-md2man \
-fuse-overlayfs \
-fuse3 \
-containers-common \
-gpgme-devel \
-libassuan-devel \
-btrfs-progs-devel \
-device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \
-mkdir /root/skopeo; \
-git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \
-export GOPATH=/root/skopeo; \
-cd /root/skopeo/src/github.com/containers/skopeo; \
-make bin/skopeo;\
-make PREFIX=/usr install;\
-rm -rf /root/skopeo/*; \
-yum -y remove git golang go-md2man make; \
-yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y --enablerepo updates-testing --exclude container-selinux install \
+        make \
+        golang \
+        git \
+        go-md2man \
+        fuse-overlayfs \
+        fuse3 \
+        containers-common \
+        gpgme-devel \
+        libassuan-devel \
+        btrfs-progs-devel \
+        device-mapper-devel && \
+    mkdir /root/skopeo && \
+    git clone https://github.com/containers/skopeo \
+        /root/skopeo/src/github.com/containers/skopeo && \
+    export GOPATH=/root/skopeo && \
+    cd /root/skopeo/src/github.com/containers/skopeo && \
+    make bin/skopeo && \
+    make PREFIX=/usr install && \
+    rm -rf /root/skopeo/* && \
+    dnf -y remove git golang go-md2man make && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
 
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
 
 # Setup the ability to use additional stores
 # with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
 
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json