-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathContainerfile.image_build
112 lines (96 loc) · 5.22 KB
/
Containerfile.image_build
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
FROM registry.fedoraproject.org/fedora-minimal:40 as builder
ARG BUILDER_RPMS="make golang glib2-devel gpgme-devel libassuan-devel libseccomp-devel git bzip2 runc containers-common"
RUN microdnf -y install $BUILDER_RPMS
ENV GOPROXY='https://proxy.golang.org,direct'
ENV GOSUMDB='sum.golang.org'
WORKDIR /go/src/containers/buildah
COPY buildah/ .
RUN make buildah
# buildah/Containerfile
#
# Source from the included submodule at
# image_build/blob/main/buildah/Containerfile.
# We will install buildah as an RPM to ensure that we have
# all dependencies but we will overwrite the binary with the
# one that we built previously.
#
# Build a Buildah container image from the latest version
# from https://github.com/containers/buildah.
#
# This image can be used to create a secured container
# that runs safely with privileges within the container.
#
FROM registry.fedoraproject.org/fedora-minimal:40
LABEL "io.containers.capabilities"="CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,CHOWN,DAC_OVERRIDE,FOWNER,FSETID,KILL,NET_BIND_SERVICE,SETFCAP,SETGID,SETPCAP,SETUID,SYS_CHROOT"
LABEL name="buildah" \
summary="Containerized version of buildah which can be used to build OCI artifacts" \
com.redhat.component="konflux-ci-buildah" \
description="OCI images and artifacts are central to the architecture of Konflux. In order to ensure that we can always take advantage of the latest functionality, this image can be used to reliably build the latest version of the CLI." \
io.k8s.display-name="buildah" \
io.k8s.description="OCI images and artifacts are central to the architecture of Konflux. In order to ensure that we can always take advantage of the latest functionality, this image can be used to reliably build the latest version of the CLI." \
io.openshift.tags="oci" \
vendor="Red Hat, Inc." \
distribution-scope="public" \
release="0" \
url="github.com/konflux-ci/buildah-container"
ARG INSTALL_RPMS="buildah fuse-overlayfs ucpp"
# Don't include container-selinux and remove
# directories used by dnf that are just taking
# up space.
# TODO: rpm --setcaps... needed due to Fedora (base) image builds
# being (maybe still?) affected by
# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
RUN microdnf -y makecache && \
microdnf -y update && \
microdnf -y install shadow-utils && \
rpm --setcaps shadow-utils 2>/dev/null && \
microdnf -y install $INSTALL_RPMS --exclude container-selinux && \
ln -s /usr/bin/ucpp /usr/local/bin/cpp && \
microdnf -y clean all && \
rm -rf /var/cache /var/log/dnf* /var/log/yum.*
COPY --from=builder /go/src/containers/buildah/bin/buildah /usr/bin/buildah
ADD image_build/buildah/containers.conf /etc/containers/
# The source image_build containerfile passes secrets from the host to the internal container.
# We will not do that in Konflux as it results in inconsistent container builds due to
# the fact that the hosts are not entitled for any subscriptions.
# Setup internal Buildah to pass secrets/subscriptions down from host to internal container
# RUN printf '/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement\n/run/secrets/rhsm:/run/secrets/rhsm\n' > /etc/containers/mounts.conf
# Copy & modify the defaults to provide reference if runtime changes needed.
# Changes here are required for running with fuse-overlay storage inside container.
RUN sed -e 's|^#mount_program|mount_program|g' \
-e '/additionalimage.*/a "/var/lib/shared",' \
-e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
/usr/share/containers/storage.conf \
> /etc/containers/storage.conf && \
chmod 644 /etc/containers/storage.conf && \
chmod 644 /etc/containers/containers.conf
RUN mkdir -p /var/lib/shared/overlay-images \
/var/lib/shared/overlay-layers \
/var/lib/shared/vfs-images \
/var/lib/shared/vfs-layers && \
touch /var/lib/shared/overlay-images/images.lock && \
touch /var/lib/shared/overlay-layers/layers.lock && \
touch /var/lib/shared/vfs-images/images.lock && \
touch /var/lib/shared/vfs-layers/layers.lock
# Define uid/gid ranges for our user https://github.com/containers/buildah/issues/3053
RUN useradd build && \
echo -e "build:1:999\nbuild:1001:64535" > /etc/subuid && \
echo -e "build:1:999\nbuild:1001:64535" > /etc/subgid && \
mkdir -p /home/build/.local/share/containers && \
mkdir -p /home/build/.config/containers && \
chown -R build:build /home/build
# See: https://github.com/containers/buildah/issues/4669
# Copy & modify the config for the `build` user and remove the global
# `runroot` and `graphroot` which current `build` user cannot access,
# in such case storage will choose a runroot in `/var/tmp`.
RUN sed -e 's|^#mount_program|mount_program|g' \
-e 's|^graphroot|#graphroot|g' \
-e 's|^runroot|#runroot|g' \
/etc/containers/storage.conf \
> /home/build/.config/containers/storage.conf && \
chown build:build /home/build/.config/containers/storage.conf
VOLUME /var/lib/containers
VOLUME /home/build/.local/share/containers
# Set an environment variable to default to chroot isolation for RUN
# instructions and "buildah run".
ENV BUILDAH_ISOLATION=chroot