containers/bootc
1
0
Fork 0
mirror of https://github.com/containers/bootc.git synced 2026-02-05 06:45:13 +01:00
Code Issues Activity
Files
089dedcc1c067bfc7a228809547e82752eb0d9d2
bootc/Dockerfile

79 lines
3.4 KiB
Docker
Raw Normal View History

build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# Build this project from source and write the updated content
# (i.e. /usr/bin/bootc and systemd units) to a new derived container
# image. See the `Justfile` for an example
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
Rework GHA testing: Use bcvk, cover composefs with tmt Part 1: Use bcvk For local tests, right now testcloud+tmt doesn't support UEFI, see https://github.com/teemtee/tmt/issues/4203 This is a blocker for us doing more testing with UKIs. In this patch we switch to provisioning VMs with bcvk, which fixes this - but beyond that a really compelling thing about this is that bcvk is *also* designed to be ergonomic and efficient beyond just being a test runner, with things like virtiofs mounting of host container storage, etc. In other words, bcvk is the preferred way to run local virt with bootc, and this makes our TMT tests use it. Now a major downside of this though is we're effectively implementing a new "provisioner" for tmt (bypassing the existing `virtual`). In the more medium term I think we want to add `bcvk` as a provisioner option to tmt. Anyways for now, this works by discovers test plans via `tmt plan ls`, spawning a separate VM per test, and then using uses tmt's connect provisioner to run tests targeting these externally provisioned systems. Part 2: Rework the Justfile and Dockerfile This adds `base` and `variant` arguments which are propagated through the system, and we have a new `variant` for sealed composefs. The readonly tests now pass with composefs. Drop the continuous repo tests...as while we could keep that it's actually a whole *other* entry in this matrix. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-04 09:20:56 -05:00
# Note this is usually overridden via Justfile
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
ARG base=quay.io/centos-bootc/centos-bootc:stream10
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# This first image captures a snapshot of the source code,
# note all the exclusions in .dockerignore.
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
FROM scratch as src
COPY . /src
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# And this image only captures contrib/packaging separately
# to ensure we have more precise cache hits.
FROM scratch as packaging
COPY contrib/packaging /
ci: Split RPM building into separate job This splits the RPM package building into a separate CI job that runs before the integration tests. The built packages are then downloaded and used by the integration test jobs, avoiding redundant builds. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-26 10:00:33 -05:00
# This image captures pre-built packages from the context.
# By COPYing into a stage, we avoid SELinux issues with context bind mounts.
FROM scratch as packages
COPY target/packages/*.rpm /
Dockerfile: Support pulling in the continuous repo If enabled this pulls in git main of ostree which I want for soft reboot work. Signed-off-by: Colin Walters <walters@verbum.org>
2025-07-24 11:44:22 -04:00
FROM $base as base
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# Mark this as a test image (moved from --label build flag to fix layer caching)
LABEL bootc.testimage="1"
Dockerfile: Support pulling in the continuous repo If enabled this pulls in git main of ostree which I want for soft reboot work. Signed-off-by: Colin Walters <walters@verbum.org>
2025-07-24 11:44:22 -04:00
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
# This image installs build deps, pulls in our source code, and installs updated
# bootc binaries in /out. The intention is that the target rootfs is extracted from /out
build-sys: Use stream10 by default The rationale for having c9s by default was that it's a lower bound (which is still true). But our CI covers that; I'd rather now have the default be c10s be the default as it will be the focus of features going forward. Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-28 22:58:27 +02:00
# back into a final stage (without the build deps etc) below.
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
FROM base as buildroot
Dockerfile: enable initramfs by default As we progress the composefs work along this is becoming more of a general requirement. I think it still makes sense to leave it as optional for now, but I think for the bulk of the cases we'll want to go ahead and build the initramfs support in. Signed-off-by: John Eckersberg <jeckersb@redhat.com>
2025-09-24 14:27:34 -04:00
# Flip this off to disable initramfs code
ARG initramfs=1
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# This installs our buildroot, and we want to cache it independently of the rest.
# Basically we don't want changing a .rs file to blow out the cache of packages.
RUN --mount=type=bind,from=packaging,target=/run/packaging /run/packaging/install-buildroot
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
# Now copy the rest of the source
COPY --from=src /src /src
WORKDIR /src
# See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
# We aren't using the full recommendations there, just the simple bits.
build-sys: Run most parts with `--network=none` (#1725) build-sys: Run most parts with `--network=none` Why? It just shows that we have put some thought into our build system and care about reproducibility, hermetic builds etc. And yes of course, `--network=bridge` should probably have been required as an opt-in in Dockerfile, but oh well. It's not too bad to sprinkle `--network=none` in some places. The biggest one is wrapping `make`. Signed-off-by: Colin Walters <walters@verbum.org>
2025-10-31 21:02:39 -04:00
# First we download all of our Rust dependencies
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome cargo fetch
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
FROM buildroot as build
test: Fix Dockerfile ARG issue Signed-off-by: Xiaofeng Wang <henrywangxf@me.com>
2025-11-27 17:03:36 +08:00
# Version for RPM build (optional, computed from git in Justfile)
ARG pkgversion
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# Build RPM directly from source, using cached target directory
ci: Fix RPM version Signed-off-by: Xiaofeng Wang <henrywangxf@me.com>
2025-11-27 14:48:43 +08:00
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# This "build" includes our unit tests
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
FROM build as units
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# A place that we're more likely to be able to set xattrs
VOLUME /var/tmp
ENV TMPDIR=/var/tmp
build-sys: Run most parts with `--network=none` (#1725) build-sys: Run most parts with `--network=none` Why? It just shows that we have put some thought into our build system and care about reproducibility, hermetic builds etc. And yes of course, `--network=bridge` should probably have been required as an opt-in in Dockerfile, but oh well. It's not too bad to sprinkle `--network=none` in some places. The biggest one is wrapping `make`. Signed-off-by: Colin Walters <walters@verbum.org>
2025-10-31 21:02:39 -04:00
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none make install-unit-tests
Updates to build sys and CONTRIBUTING.md The emphasis here is on trying to have the `Justfile` be the default entrypoint, wrapping other tools. - Replace mentions of podman-bootc with bcvk since I hope the latter supercedes the former - Unify the unit test entrypoint - Set up /var/tmp as a tmpdir to fix the etc merge test (otherwise, selinux failures w/tmp) - Run the unit+container tests in integration.yml - Have `just validate` run in a container Signed-off-by: Colin Walters <walters@verbum.org>
2025-09-22 14:48:13 -04:00
# This just does syntax checking
FROM build as validate
build-sys: Run most parts with `--network=none` (#1725) build-sys: Run most parts with `--network=none` Why? It just shows that we have put some thought into our build system and care about reproducibility, hermetic builds etc. And yes of course, `--network=bridge` should probably have been required as an opt-in in Dockerfile, but oh well. It's not too bad to sprinkle `--network=none` in some places. The biggest one is wrapping `make`. Signed-off-by: Colin Walters <walters@verbum.org>
2025-10-31 21:02:39 -04:00
RUN --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome --network=none make validate
build-sys: Rework to have toplevel Dockerfile + Justfile This is aligning with what I did in https://github.com/ostreedev/ostree/pull/3439 - What gets invoked in e.g. GHA should ideally most be `just` commands that are easy to run locally too (with sudo in GHA, without sudo locally) - Move the "core build" to the toplevel so that one can just `podman build` directly too (without the Justfile) and have it do something useful - The "always build and test in a container" helps for LLM-assisted coding because what they can do is inherently sandboxed Signed-off-by: Colin Walters <walters@verbum.org>
2025-06-06 11:11:58 -04:00
# The final image that derives from the original base and adds the release binaries
Dockerfile: Support pulling in the continuous repo If enabled this pulls in git main of ostree which I want for soft reboot work. Signed-off-by: Colin Walters <walters@verbum.org>
2025-07-24 11:44:22 -04:00
FROM base
Rework GHA testing: Use bcvk, cover composefs with tmt Part 1: Use bcvk For local tests, right now testcloud+tmt doesn't support UEFI, see https://github.com/teemtee/tmt/issues/4203 This is a blocker for us doing more testing with UKIs. In this patch we switch to provisioning VMs with bcvk, which fixes this - but beyond that a really compelling thing about this is that bcvk is *also* designed to be ergonomic and efficient beyond just being a test runner, with things like virtiofs mounting of host container storage, etc. In other words, bcvk is the preferred way to run local virt with bootc, and this makes our TMT tests use it. Now a major downside of this though is we're effectively implementing a new "provisioner" for tmt (bypassing the existing `virtual`). In the more medium term I think we want to add `bcvk` as a provisioner option to tmt. Anyways for now, this works by discovers test plans via `tmt plan ls`, spawning a separate VM per test, and then using uses tmt's connect provisioner to run tests targeting these externally provisioned systems. Part 2: Rework the Justfile and Dockerfile This adds `base` and `variant` arguments which are propagated through the system, and we have a new `variant` for sealed composefs. The readonly tests now pass with composefs. Drop the continuous repo tests...as while we could keep that it's actually a whole *other* entry in this matrix. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-04 09:20:56 -05:00
# See the Justfile for possible variants
ARG variant
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
RUN --mount=type=bind,from=packaging,target=/run/packaging /run/packaging/configure-variant "${variant}"
Rework GHA testing: Use bcvk, cover composefs with tmt Part 1: Use bcvk For local tests, right now testcloud+tmt doesn't support UEFI, see https://github.com/teemtee/tmt/issues/4203 This is a blocker for us doing more testing with UKIs. In this patch we switch to provisioning VMs with bcvk, which fixes this - but beyond that a really compelling thing about this is that bcvk is *also* designed to be ergonomic and efficient beyond just being a test runner, with things like virtiofs mounting of host container storage, etc. In other words, bcvk is the preferred way to run local virt with bootc, and this makes our TMT tests use it. Now a major downside of this though is we're effectively implementing a new "provisioner" for tmt (bypassing the existing `virtual`). In the more medium term I think we want to add `bcvk` as a provisioner option to tmt. Anyways for now, this works by discovers test plans via `tmt plan ls`, spawning a separate VM per test, and then using uses tmt's connect provisioner to run tests targeting these externally provisioned systems. Part 2: Rework the Justfile and Dockerfile This adds `base` and `variant` arguments which are propagated through the system, and we have a new `variant` for sealed composefs. The readonly tests now pass with composefs. Drop the continuous repo tests...as while we could keep that it's actually a whole *other* entry in this matrix. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-04 09:20:56 -05:00
# Support overriding the rootfs at build time conveniently
test: Fix Dockerfile ARG issue Signed-off-by: Xiaofeng Wang <henrywangxf@me.com>
2025-11-27 17:03:36 +08:00
ARG rootfs
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
RUN --mount=type=bind,from=packaging,target=/run/packaging /run/packaging/configure-rootfs "${variant}" "${rootfs}"
build-sys: Inject hvc0 by default In order to debug failures more reliably we really always want a virtual console. It turns out the Fedora kernel configs for a while have done https://gitlab.com/cki-project/kernel-ark/-/commit/9a0d7ce2af11ef7b9a3bc3073e13dc9983b7e245 which means hvc0 is available from very early boot. I am probably going to argue to do this in all Fedora derivatives by default soon but let's start here. Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-18 22:06:44 -05:00
# Inject additional content
COPY --from=packaging /usr-extras/ /usr/
ci: Split RPM building into separate job This splits the RPM package building into a separate CI job that runs before the integration tests. The built packages are then downloaded and used by the integration test jobs, avoiding redundant builds. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-26 10:00:33 -05:00
# Install packages from the packages stage
# Using bind from a stage avoids SELinux issues with context bind mounts
RUN --mount=type=bind,from=packaging,target=/run/packaging \
--mount=type=bind,from=packages,target=/build-packages \
--network=none \
/run/packaging/install-rpm-and-setup /build-packages
Dockerfile: Use rpmbuild We were bit before by just doing a `COPY` of our binaries overtop of the base image because that doens't remove old files. Replace the pre-build approach with rpmbuild, and then change to do an rpm-based upgrade so that we fix that problem. Note that we still preserve incremental rebuilds by overriding some of the RPM build process. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
2025-11-16 11:48:43 -05:00
# Finally, testour own linting
RUN bootc container lint --fatal-warnings
Copy Permalink