Merge pull request #1661 from cevich/multiarch_build

[CI:BUILD] Cirrus: Migrate multiarch build off github actions
2025-06-29 08:07:37 +00:00 · 2022-06-29 19:16:13 +02:00 · 2022-06-29 19:16:13 +02:00 · bc84a02bc4
commit bc84a02bc4
parent 1462a45c91 2024e2e258
9 changed files with 229 additions and 348 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -53,7 +53,7 @@ validate_task:
    # The git-validation tool doesn't work well on branch or tag push,
    # under Cirrus-CI, due to challenges obtaining the starting commit ID.
    # Only do validation for PRs.
-    only_if: $CIRRUS_PR != ''
+    only_if: &is_pr $CIRRUS_PR != ''
    container:
        image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
        cpu: 4
@ -63,7 +63,7 @@ validate_task:
        make vendor && hack/tree_status.sh
 doccheck_task:
-    only_if: $CIRRUS_PR != ''
+    only_if: *is_pr
    depends_on:
      - validate
    container:
@ -81,7 +81,10 @@ doccheck_task:
      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck
 osx_task:
-    only_if: &not_docs $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    # Run for regular PRs and those with [CI:BUILD] but not [CI:DOCS]
    only_if: &not_docs_multiarch >-
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
        $CIRRUS_CRON != 'multiarch'
    depends_on:
        - validate
    macos_instance:
@ -102,10 +105,10 @@ osx_task:
 cross_task:
    alias: cross
-    only_if: *not_docs
+    only_if: *not_docs_multiarch
    depends_on:
        - validate
-    gce_instance:
+    gce_instance: &standardvm
        image_project: libpod-218412
        zone: "us-central1-f"
        cpu: 2
@ -129,7 +132,11 @@ cross_task:
 #####
 test_skopeo_task:
    alias: test_skopeo
-    only_if: *not_docs
+    # Don't test for [CI:DOCS], [CI:BUILD], or 'multiarch' cron.
    only_if: >-
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
        $CIRRUS_CRON != 'multiarch'
    depends_on:
        - validate
    gce_instance:
@ -162,6 +169,49 @@ test_skopeo_task:
        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system
 image_build_task: &image-build
    name: "Build multi-arch $CTXDIR"
    alias: image_build
    # Some of these container images take > 1h to build, limit
    # this task to a specific Cirrus-Cron entry with this name.
    only_if: $CIRRUS_CRON == 'multiarch'
    timeout_in: 120m  # emulation is sssllllooooowwww
    gce_instance:
        <<: *standardvm
        image_name: build-push-${IMAGE_SUFFIX}
        # More muscle required for parallel multi-arch build
        type: "n2-standard-4"
    matrix:
        - env:
            CTXDIR: contrib/skopeoimage/upstream
        - env:
            CTXDIR: contrib/skopeoimage/testing
        - env:
            CTXDIR: contrib/skopeoimage/stable
    env:
        SKOPEO_USERNAME: ENCRYPTED[4195884d23b154553f2ddb26a63fc9fbca50ba77b3e447e4da685d8639ed9bc94b9a86a9c77272c8c80d32ead9ca48da]
        SKOPEO_PASSWORD: ENCRYPTED[36e06f9befd17e5da2d60260edb9ef0d40e6312e2bba4cf881d383f1b8b5a18c8e5a553aea2fdebf39cebc6bd3b3f9de]
        CONTAINERS_USERNAME: ENCRYPTED[dd722c734641f103b394a3a834d51ca5415347e378637cf98ee1f99e64aad2ec3dbd4664c0d94cb0e06b83d89e9bbe91]
        CONTAINERS_PASSWORD: ENCRYPTED[d8b0fac87fe251cedd26c864ba800480f9e0570440b9eb264265b67411b253a626fb69d519e188e6c9a7f525860ddb26]
    main_script:
        - source /etc/automation_environment
        - main.sh $CIRRUS_REPO_CLONE_URL $CTXDIR
 test_image_build_task:
    <<: *image-build
    alias: test_image_build
    # Allow this to run inside a PR w/ [CI:BUILD] only.
    only_if: $CIRRUS_PR != '' && $CIRRUS_CHANGE_TITLE =~ '.*CI:BUILD.*'
    # This takes a LONG time, only run when requested.  N/B: Any task
    # made to depend on this one will block FOREVER unless triggered.
    # DO NOT ADD THIS TASK AS DEPENDENCY FOR `success_task`.
    trigger_type: manual
    # Overwrite all 'env', don't push anything, just do the build.
    env:
        DRYRUN: 1
 # This task is critical.  It updates the "last-used by" timestamp stored
 # in metadata for all VM images.  This mechanism functions in tandem with
 # an out-of-band pruning operation to remove disused VM images.
@ -200,6 +250,7 @@ success_task:
        - osx
        - cross
        - test_skopeo
        - image_build
        - meta
    container: *smallcontainer
    env:
--- a/.github/workflows/multi-arch-build.yaml
+++ b/.github/workflows/multi-arch-build.yaml
@ -1,212 +0,0 @@
 ---
 # Please see contrib/<reponame>image/README.md for details on the intentions
 # of this workflow.
 #
 # BIG FAT WARNING:  This workflow is duplicated across containers/skopeo,
 #                   containers/buildah, and containers/podman.  ANY AND
 #                   ALL CHANGES MADE HERE MUST BE MANUALLY DUPLICATED
 #                   TO THE OTHER REPOS.
 name: build multi-arch images
 on:
  # Upstream tends to be very active, with many merges per day.
  # Only run this daily via cron schedule, or manually, not by branch push.
  schedule:
    - cron:  '0 8 * * *'
  # allows to run this workflow manually from the Actions tab
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  multi:
    name: multi-arch image build
    env:
      REPONAME: skopeo  # No easy way to parse this out of $GITHUB_REPOSITORY
      # Server/namespace value used to format FQIN
      REPONAME_QUAY_REGISTRY: quay.io/skopeo
      CONTAINERS_QUAY_REGISTRY: quay.io/containers
      # list of architectures for build
      PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
      # Command to execute in container to obtain project version number
      VERSION_CMD: "--version"  # skopeo is the entrypoint
    # build several images (upstream, testing, stable) in parallel
    strategy:
      # By default, failure of one matrix item cancels all others
      fail-fast: false
      matrix:
        # Builds are located under contrib/<reponame>image/<source> directory
        source:
          - upstream
          - testing
          - stable
    runs-on: ubuntu-latest
    # internal registry caches build for inspection before push
    services:
      registry:
        image: quay.io/libpod/registry:2
        ports:
          - 5000:5000
    steps:
      - name: Checkout
        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
      - name: Set up QEMU
        uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1
        with:
          driver-opts: network=host
          install: true
      - name: Build and locally push image
        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2
        with:
          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
      # Simple verification that stable images work, and
      # also grab version number use in forming the FQIN.
      - name: amd64 container sniff test
        if: matrix.source == 'stable'
        id: sniff_test
        run: |
          podman pull --tls-verify=false \
                            localhost:5000/$REPONAME/${{ matrix.source }}
          VERSION_OUTPUT=$(podman run \
                           localhost:5000/$REPONAME/${{ matrix.source }} \
                           $VERSION_CMD)
          echo "$VERSION_OUTPUT"
          VERSION=$(awk -r -e "/^${REPONAME} version /"'{print $3}' <<<"$VERSION_OUTPUT")
          test -n "$VERSION"
          echo "::set-output name=version::$VERSION"
      - name: Generate image FQIN(s) to push
        id: reponame_reg
        run: |
          if [[ "${{ matrix.source }}" == 'stable' ]]; then
            # The command version in image just built
            VERSION='v${{ steps.sniff_test.outputs.version }}'
            # workaround vim syntax-highlight bug: '
            # Push both new|updated version-tag and latest-tag FQINs
            FQIN="$REPONAME_QUAY_REGISTRY/stable:$VERSION,$REPONAME_QUAY_REGISTRY/stable:latest"
          elif [[ "${{ matrix.source }}" == 'testing' ]]; then
            # Assume some contents changed, always push latest testing.
            FQIN="$REPONAME_QUAY_REGISTRY/testing:latest"
          elif [[ "${{ matrix.source }}" == 'upstream' ]]; then
            # Assume some contents changed, always push latest upstream.
            FQIN="$REPONAME_QUAY_REGISTRY/upstream:latest"
          else
            echo "::error::Unknown matrix item '${{ matrix.source }}'"
            exit 1
          fi
          echo "::warning::Pushing $FQIN"
          echo "::set-output name=fqin::${FQIN}"
          echo '::set-output name=push::true'
      # This is substantially similar to the above logic,
      # but only handles $CONTAINERS_QUAY_REGISTRY for
      # the stable "latest" and named-version tagged images.
      - name: Generate containers reg. image FQIN(s)
        if: matrix.source == 'stable'
        id: containers_reg
        run: |
          VERSION='v${{ steps.sniff_test.outputs.version }}'
          # workaround vim syntax-highlight bug: '
          # Push both new|updated version-tag and latest-tag FQINs
          FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:$VERSION,$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest"
          echo "::warning::Pushing $FQIN"
          echo "::set-output name=fqin::${FQIN}"
          echo '::set-output name=push::true'
      - name: Define LABELS multi-line env. var. value
        run: |
          # This is a really hacky/strange workflow idiom, required
          # for setting multi-line $LABELS value for consumption in
          # a future step.  There is literally no cleaner way to do this :<
          # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings
          function set_labels() {
            echo 'LABELS<<DELIMITER' >> "$GITHUB_ENV"
            for line; do
                echo "$line" | tee -a "$GITHUB_ENV"
            done
            echo "DELIMITER" >> "$GITHUB_ENV"
          }
          declare -a lines
          lines=(\
            "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git"
            "org.opencontainers.image.revision=${GITHUB_SHA}"
            "org.opencontainers.image.created=$(date -u --iso-8601=seconds)"
          )
          # Only the 'stable' matrix source obtains $VERSION
          if [[ "${{ matrix.source }}" == "stable" ]]; then
            lines+=(\
              "org.opencontainers.image.version=${{ steps.sniff_test.outputs.version }}"
            )
          fi
          set_labels "${lines[@]}"
      # Separate steps to login and push for $REPONAME_QUAY_REGISTRY and
      # $CONTAINERS_QUAY_REGISTRY are required, because 2 sets of credentials
      # are used and namespaced within the registry.  At the same time, reuse
      # of non-shell steps is not supported by Github Actions nor are YAML
      # anchors/aliases, nor composite actions.
      # Push to $REPONAME_QUAY_REGISTRY for stable, testing. and upstream
      - name: Login to ${{ env.REPONAME_QUAY_REGISTRY }}
        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1
        if: steps.reponame_reg.outputs.push == 'true'
        with:
          registry: ${{ env.REPONAME_QUAY_REGISTRY }}
          # N/B: Secrets are not passed to workflows that are triggered
          #      by a pull request from a fork
          username: ${{ secrets.REPONAME_QUAY_USERNAME }}
          password: ${{ secrets.REPONAME_QUAY_PASSWORD }}
      - name: Push images to ${{ steps.reponame_reg.outputs.fqin }}
        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2
        if: steps.reponame_reg.outputs.push == 'true'
        with:
          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
          cache-to: type=inline
          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: ${{ steps.reponame_reg.outputs.fqin }}
          labels: |
            ${{ env.LABELS }}
      # Push to $CONTAINERS_QUAY_REGISTRY only stable
      - name: Login to ${{ env.CONTAINERS_QUAY_REGISTRY }}
        if: steps.containers_reg.outputs.push == 'true'
        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1
        with:
          registry: ${{ env.CONTAINERS_QUAY_REGISTRY}}
          username: ${{ secrets.CONTAINERS_QUAY_USERNAME }}
          password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }}
      - name: Push images to ${{ steps.containers_reg.outputs.fqin }}
        if: steps.containers_reg.outputs.push == 'true'
        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2
        with:
          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
          cache-to: type=inline
          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: ${{ steps.containers_reg.outputs.fqin }}
          labels: |
            ${{ env.LABELS }}
--- a/contrib/skopeoimage/README.md
+++ b/contrib/skopeoimage/README.md
@ -6,7 +6,7 @@
 ## Overview
-This directory contains the Dockerfiles necessary to create the skopeoimage container
+This directory contains the Containerfiles necessary to create the skopeoimage container
 images that are housed on quay.io under the skopeo account.  All repositories where
 the images live are public and can be pulled without credentials.  These container images are secured and the
 resulting containers can run safely with privileges within the container.
@ -19,21 +19,22 @@ default to `/`.
 The container images are:
  * `quay.io/containers/skopeo:v<version>` and `quay.io/skopeo/stable:v<version>` -
-    These images are built when a new Skopeo version becomes available in
+    These images are built daily.  These images are intended contain an unchanging
-    Fedora.  These images are intended to be unchanging and stable, they will
+    and stable version of skopeo.  For the most recent `<version>` tags (`vX`,
-    never be updated by automation once they've been pushed.  For build details,
+    `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate
-    please [see the configuration file](stable/Dockerfile).
+    (especially) security updates.  For build details, please[see the configuration
    file](stable/Containerfile).
  * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` -
-    Built daily using the same Dockerfile as above.  The skopeo version
+    Built daily using the same Containerfile as above.  The skopeo version
-    will remain the "latest" available in Fedora, however the image
+    will remain the "latest" available in Fedora, however the other image
    contents may vary compared to the version-tagged images.
  * `quay.io/skopeo/testing:latest` - This image is built daily, using the
    latest version of Skopeo that was in the Fedora `updates-testing` repository.
-    The image is Built with [the testing Dockerfile](testing/Dockerfile).
+    The image is Built with [the testing Containerfile](testing/Containerfile).
  * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest
    code found in this GitHub repository.  Due to the image changing frequently,
    it's not guaranteed to be stable or even executable.  The image is built with
-    [the upstream Dockerfile](upstream/Dockerfile).
+    [the upstream Containerfile](upstream/Containerfile).
 ## Sample Usage
--- a/contrib/skopeoimage/stable/Containerfile
+++ b/contrib/skopeoimage/stable/Containerfile
@ -0,0 +1,47 @@
 # stable/Containerfile
 #
 # Build a Skopeo container image from the latest
 # stable version of Skopeo on the Fedoras Updates System.
 # https://bodhi.fedoraproject.org/updates/?search=skopeo
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
 FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by dnf that are just taking
 # up space.
 # TODO: rpm --setcaps... needed due to Fedora (base) image builds
 #       being (maybe still?) affected by
 #       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
 RUN dnf -y update && \
    rpm --setcaps shadow-utils 2>/dev/null && \
    dnf -y install skopeo fuse-overlayfs \
        --exclude container-selinux && \
    dnf clean all && \
    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 RUN useradd skopeo && \
    echo skopeo:100000:65536 > /etc/subuid && \
    echo skopeo:100000:65536 > /etc/subgid
 # Copy & modify the defaults to provide reference if runtime changes needed.
 # Changes here are required for running with fuse-overlay storage inside container.
 RUN sed -e 's|^#mount_program|mount_program|g' \
        -e '/additionalimage.*/a "/var/lib/shared",' \
        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
        /usr/share/containers/storage.conf \
        > /etc/containers/storage.conf
 # Setup the ability to use additional stores
 # with this container image.
 RUN mkdir -p /var/lib/shared/overlay-images \
             /var/lib/shared/overlay-layers && \
    touch /var/lib/shared/overlay-images/images.lock && \
    touch /var/lib/shared/overlay-layers/layers.lock
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json
 # Set the entrypoint
 ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/stable/Dockerfile
+++ b/contrib/skopeoimage/stable/Dockerfile
@ -1,33 +0,0 @@
 # stable/Dockerfile
 #
 # Build a Skopeo container image from the latest
 # stable version of Skopeo on the Fedoras Updates System.
 # https://bodhi.fedoraproject.org/updates/?search=skopeo
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
 FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by yum that are just taking
 # up space.  Also reinstall shadow-utils as without
 # doing so, the setuid/setgid bits on newuidmap
 # and newgidmap are lost in the Fedora images. 
 RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
 # Adjust storage.conf to enable Fuse storage.
 RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
 # Setup the ability to use additional stores
 # with this container image.
 RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
 # Setup skopeo's uid/guid entries
 RUN echo skopeo:100000:65536 > /etc/subuid
 RUN echo skopeo:100000:65536 > /etc/subgid
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json
 # Set the entrypoint
 ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Containerfile
+++ b/contrib/skopeoimage/testing/Containerfile
@ -0,0 +1,49 @@
 # testing/Containerfile
 #
 # Build a Skopeo container image from the latest
 # version of Skopeo that is in updates-testing
 # on the Fedoras Updates System.
 # https://bodhi.fedoraproject.org/updates/?search=skopeo
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
 FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by dnf that are just taking
 # up space.
 # TODO: rpm --setcaps... needed due to Fedora (base) image builds
 #       being (maybe still?) affected by
 #       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
 RUN dnf -y update && \
    rpm --setcaps shadow-utils 2>/dev/null && \
    dnf -y install skopeo fuse-overlayfs \
        --exclude container-selinux \
        --enablerepo updates-testing && \
    dnf clean all && \
    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 RUN useradd skopeo && \
    echo skopeo:100000:65536 > /etc/subuid && \
    echo skopeo:100000:65536 > /etc/subgid
 # Copy & modify the defaults to provide reference if runtime changes needed.
 # Changes here are required for running with fuse-overlay storage inside container.
 RUN sed -e 's|^#mount_program|mount_program|g' \
        -e '/additionalimage.*/a "/var/lib/shared",' \
        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
        /usr/share/containers/storage.conf \
        > /etc/containers/storage.conf
 # Setup the ability to use additional stores
 # with this container image.
 RUN mkdir -p /var/lib/shared/overlay-images \
             /var/lib/shared/overlay-layers && \
    touch /var/lib/shared/overlay-images/images.lock && \
    touch /var/lib/shared/overlay-layers/layers.lock
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json
 # Set the entrypoint
 ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Dockerfile
+++ b/contrib/skopeoimage/testing/Dockerfile
@ -1,34 +0,0 @@
 # testing/Dockerfile
 #
 # Build a Skopeo container image from the latest
 # version of Skopeo that is in updates-testing
 # on the Fedoras Updates System.
 # https://bodhi.fedoraproject.org/updates/?search=skopeo
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
 FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by yum that are just taking
 # up space.  Also reinstall shadow-utils as without
 # doing so, the setuid/setgid bits on newuidmap
 # and newgidmap are lost in the Fedora images. 
 RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
 # Adjust storage.conf to enable Fuse storage.
 RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
 # Setup the ability to use additional stores
 # with this container image.
 RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
 # Setup skopeo's uid/guid entries
 RUN echo skopeo:100000:65536 > /etc/subuid
 RUN echo skopeo:100000:65536 > /etc/subgid
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json
 # Set the entrypoint
 ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Containerfile
+++ b/contrib/skopeoimage/upstream/Containerfile
@ -0,0 +1,66 @@
 # upstream/Containerfile
 #
 # Build a Skopeo container image from the latest
 # upstream version of Skopeo on GitHub.
 # https://github.com/containers/skopeo
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
 FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by dnf that are just taking
 # up space.
 # TODO: rpm --setcaps... needed due to Fedora (base) image builds
 #       being (maybe still?) affected by
 #       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
 RUN dnf -y update && \
    rpm --setcaps shadow-utils 2>/dev/null && \
    dnf -y --enablerepo updates-testing --exclude container-selinux install \
        make \
        golang \
        git \
        go-md2man \
        fuse-overlayfs \
        fuse3 \
        containers-common \
        gpgme-devel \
        libassuan-devel \
        btrfs-progs-devel \
        device-mapper-devel && \
    mkdir /root/skopeo && \
    git clone https://github.com/containers/skopeo \
        /root/skopeo/src/github.com/containers/skopeo && \
    export GOPATH=/root/skopeo && \
    cd /root/skopeo/src/github.com/containers/skopeo && \
    make bin/skopeo && \
    make PREFIX=/usr install && \
    rm -rf /root/skopeo/* && \
    dnf -y remove git golang go-md2man make && \
    dnf clean all && \
    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 RUN useradd skopeo && \
    echo skopeo:100000:65536 > /etc/subuid && \
    echo skopeo:100000:65536 > /etc/subgid
 # Copy & modify the defaults to provide reference if runtime changes needed.
 # Changes here are required for running with fuse-overlay storage inside container.
 RUN sed -e 's|^#mount_program|mount_program|g' \
        -e '/additionalimage.*/a "/var/lib/shared",' \
        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
        /usr/share/containers/storage.conf \
        > /etc/containers/storage.conf
 # Setup the ability to use additional stores
 # with this container image.
 RUN mkdir -p /var/lib/shared/overlay-images \
             /var/lib/shared/overlay-layers && \
    touch /var/lib/shared/overlay-images/images.lock && \
    touch /var/lib/shared/overlay-layers/layers.lock
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json
 # Set the entrypoint
 ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Dockerfile
+++ b/contrib/skopeoimage/upstream/Dockerfile
@ -1,54 +0,0 @@
 # upstream/Dockerfile
 #
 # Build a Skopeo container image from the latest
 # upstream version of Skopeo on GitHub.
 # https://github.com/containers/skopeo
 # This image can be used to create a secured container
 # that runs safely with privileges within the container.
 #
 FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by yum that are just taking
 # up space.  Also reinstall shadow-utils as without
 # doing so, the setuid/setgid bits on newuidmap
 # and newgidmap are lost in the Fedora images. 
 RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
 yum -y install make \
 golang \
 git \
 go-md2man \
 fuse-overlayfs \
 fuse3 \
 containers-common \
 gpgme-devel \
 libassuan-devel \
 btrfs-progs-devel \
 device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \
 mkdir /root/skopeo; \
 git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \
 export GOPATH=/root/skopeo; \
 cd /root/skopeo/src/github.com/containers/skopeo; \
 make bin/skopeo;\
 make PREFIX=/usr install;\
 rm -rf /root/skopeo/*; \
 yum -y remove git golang go-md2man make; \
 yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
 # Adjust storage.conf to enable Fuse storage.
 RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
 # Setup the ability to use additional stores
 # with this container image.
 RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
 # Setup skopeo's uid/guid entries
 RUN echo skopeo:100000:65536 > /etc/subuid
 RUN echo skopeo:100000:65536 > /etc/subgid
 # Point to the Authorization file
 ENV REGISTRY_AUTH_FILE=/tmp/auth.json
 # Set the entrypoint
 ENTRYPOINT ["/usr/bin/skopeo"]