particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-forge-composer/vendor/github.com/osbuild/images/pkg/manifest/build.go
Achilleas Koutsou deccaf9548 go.mod: update osbuild/images to v0.151.0 
tag v0.149.0
Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com>

Changes with 0.149.0

----------------
  * Update dependencies 2025-05-25 (osbuild/images#1560)
    * Author: SchutzBot, Reviewers: Simon de Vlieger, Tomáš Hozza
  * Update osbuild dependency commit ID to latest (osbuild/images#1522)
    * Author: SchutzBot, Reviewers: Simon de Vlieger, Tomáš Hozza
  * Update snapshots to 20250515 (osbuild/images#1524)
    * Author: SchutzBot, Reviewers: Simon de Vlieger, Tomáš Hozza
  * `vagrant-libvirt` implementation (HMS-6116) (osbuild/images#1548)
    * Author: Simon de Vlieger, Reviewers: Achilleas Koutsou, Tomáš Hozza
  * fedora: tweaks after all imageTypes are YAML (osbuild/images#1518)
    * Author: Michael Vogt, Reviewers: Simon de Vlieger, Tomáš Hozza
  * gha: do not break gobump output (osbuild/images#1561)
    * Author: Lukáš Zapletal, Reviewers: Simon de Vlieger, Tomáš Hozza
  * repositories: AlmaLinux 10 (osbuild/images#1567)
    * Author: Simon de Vlieger, Reviewers: Achilleas Koutsou, Lukáš Zapletal, Neal Gompa (ニール・ゴンパ)
  * vagrant: image config for default vagrant user (HMS-6116) (osbuild/images#1565)
    * Author: Simon de Vlieger, Reviewers: Achilleas Koutsou, Michael Vogt

— Somewhere on the Internet, 2025-05-27

---

tag v0.150.0
Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com>

Changes with 0.150.0

----------------
  * Replace hardcoded kickstart %post scripts with new stage options and bootc switch with custom kickstart content (HMS-6051) (osbuild/images#1527)
    * Author: Achilleas Koutsou, Reviewers: Simon de Vlieger, Tomáš Hozza
  * test: install yamllint for tests (osbuild/images#1572)
    * Author: Achilleas Koutsou, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza

— Somewhere on the Internet, 2025-06-02

---

tag v0.151.0
Tagger: imagebuilder-bot <imagebuilder-bots+imagebuilder-bot@redhat.com>

Changes with 0.151.0

----------------
  * Introduce new Azure CVM image type (HMS-5636) (osbuild/images#1318)
    * Author: Achilleas Koutsou, Reviewers: Nobody
  * Many: support using string with unit for byte-sized partitioning fields in YAML distro definitions (osbuild/images#1579)
    * Author: Tomáš Hozza, Reviewers: Achilleas Koutsou, Brian C. Lane
  * Update osbuild dependency commit ID to latest (osbuild/images#1587)
    * Author: SchutzBot, Reviewers: Achilleas Koutsou, Tomáš Hozza
  * Update snapshots to 20250601 (osbuild/images#1573)
    * Author: SchutzBot, Reviewers: Achilleas Koutsou, Lukáš Zapletal
  * bootc: Make installed rootfs configurable (osbuild/images#1555)
    * Author: Mbarak Bujra, Reviewers: Michael Vogt, Tomáš Hozza
  * distro: create new ImageConfig.DNFConfig (osbuild/images#1583)
    * Author: Michael Vogt, Reviewers: Simon de Vlieger, Tomáš Hozza
  * distro: make "fedora" a "generic" distro (osbuild/images#1563)
    * Author: Michael Vogt, Reviewers: Nobody
  * image: If using a separate build container, copy bootc customization to it (osbuild/images#1571)
    * Author: Alexander Larsson, Reviewers: Achilleas Koutsou, Tomáš Hozza
  * manifest/ostree: explicitly include shadow-utils (osbuild/images#1585)
    * Author: Simon de Vlieger, Reviewers: Achilleas Koutsou, Michael Vogt
  * osbuild/tar: explicit compression (HMS-8573, HMS-6116) (osbuild/images#1581)
    * Author: Simon de Vlieger, Reviewers: Achilleas Koutsou, Tomáš Hozza
  * tests: bump fedora versions to 41 (osbuild/images#1438)
    * Author: Lukáš Zapletal, Reviewers: Brian C. Lane, Michael Vogt

— Somewhere on the Internet, 2025-06-09

---
2025-06-23 14:37:30 +01:00

369 lines
11 KiB
Go
Raw Blame History

package manifest
import (
"fmt"
"github.com/osbuild/images/pkg/container"
"github.com/osbuild/images/pkg/customizations/fsnode"
"github.com/osbuild/images/pkg/osbuild"
"github.com/osbuild/images/pkg/rpmmd"
"github.com/osbuild/images/pkg/runner"
)
// A Build represents the build environment for other pipelines. As a
// general rule, tools required to build pipelines are used from the build
// environment, rather than from the pipeline itself. Without a specified
// build environment, the build host's root filesystem would be used, which
// is not predictable nor reproducible. For the purposes of building the
// build pipeline, we do use the build host's filesystem, this means we should
// make minimal assumptions about what's available there.
type Build interface {
Name() string
Checkpoint()
Manifest() *Manifest
addDependent(dep Pipeline)
}
type BuildrootFromPackages struct {
Base
runner runner.Runner
dependents []Pipeline
repos []rpmmd.RepoConfig
packageSpecs []rpmmd.PackageSpec
containerBuildable bool
// XXX: disableSelinux controlls if selinux should be disabled
// for the given buildroot. This is currently needed for
// bootstraped buildroot containers because most of the
// boostrap containers do not include setfiles(8). A
// reasonable fix is to teach osbuild to chroot into the
// buildroot itself when running setfiles. Once osbuild has
// this then this option would become "useChrootSetfiles"
disableSelinux bool
selinuxPolicy string
}
type BuildOptions struct {
// ContainerBuildable tweaks the buildroot to be container friendly,
// i.e. to not rely on an installed osbuild-selinux
ContainerBuildable bool
// DisableSELinux disables SELinux, this is not advised, but is
// currently needed when using (experimental) cross-arch building.
DisableSELinux bool
// The SELinux policy to use in the buildroot, defaults to 'targeted' if not specified
SELinuxPolicy string
// BootstrapPipeline add the given bootstrap pipeline to the
// build pipeline. This is only needed when doing cross-arch
// building
BootstrapPipeline Build
// In some cases we have multiple build pipelines
PipelineName string
// Copy in files from other pipeline
CopyFilesFrom map[string][]string
// Ensure directories exist
EnsureDirs []*fsnode.Directory
}
// policy or default returns the selinuxPolicy or (if unset) the
// default policy
func policyOrDefault(selinuxPolicy string) string {
if selinuxPolicy != "" {
return selinuxPolicy
}
return "targeted"
}
// NewBuild creates a new build pipeline from the repositories in repos
// and the specified packages.
func NewBuild(m *Manifest, runner runner.Runner, repos []rpmmd.RepoConfig, opts *BuildOptions) Build {
if opts == nil {
opts = &BuildOptions{}
}
name := "build"
if opts.PipelineName != "" {
name = opts.PipelineName
}
pipeline := &BuildrootFromPackages{
Base: NewBase(name, opts.BootstrapPipeline),
runner: runner,
dependents: make([]Pipeline, 0),
repos: filterRepos(repos, name),
containerBuildable: opts.ContainerBuildable,
disableSelinux: opts.DisableSELinux,
selinuxPolicy: policyOrDefault(opts.SELinuxPolicy),
}
m.addPipeline(pipeline)
return pipeline
}
func (p *BuildrootFromPackages) addDependent(dep Pipeline) {
p.dependents = append(p.dependents, dep)
man := p.Manifest()
if man == nil {
panic("cannot add build dependent without a manifest")
}
man.addPipeline(dep)
}
func (p *BuildrootFromPackages) getPackageSetChain(distro Distro) []rpmmd.PackageSet {
// TODO: make the /usr/bin/cp dependency conditional
// TODO: make the /usr/bin/xz dependency conditional
policyPackage := fmt.Sprintf("selinux-policy-%s", p.selinuxPolicy)
packages := []string{
policyPackage, // needed to build the build pipeline
"coreutils", // /usr/bin/cp - used all over
"xz", // usage unclear
}
packages = append(packages, p.runner.GetBuildPackages()...)
for _, pipeline := range p.dependents {
packages = append(packages, pipeline.getBuildPackages(distro)...)
}
return []rpmmd.PackageSet{
{
Include: packages,
Repositories: p.repos,
InstallWeakDeps: true,
},
}
}
func (p *BuildrootFromPackages) getPackageSpecs() []rpmmd.PackageSpec {
return p.packageSpecs
}
func (p *BuildrootFromPackages) serializeStart(inputs Inputs) {
if len(p.packageSpecs) > 0 {
panic("double call to serializeStart()")
}
p.packageSpecs = inputs.Depsolved.Packages
p.repos = append(p.repos, inputs.Depsolved.Repos...)
}
func (p *BuildrootFromPackages) serializeEnd() {
if len(p.packageSpecs) == 0 {
panic("serializeEnd() call when serialization not in progress")
}
p.packageSpecs = nil
}
func (p *BuildrootFromPackages) serialize() osbuild.Pipeline {
if len(p.packageSpecs) == 0 {
panic("serialization not started")
}
pipeline := p.Base.serialize()
pipeline.Runner = p.runner.String()
pipeline.AddStage(osbuild.NewRPMStage(osbuild.NewRPMStageOptions(p.repos), osbuild.NewRpmStageSourceFilesInputs(p.packageSpecs)))
if !p.disableSelinux {
pipeline.AddStage(osbuild.NewSELinuxStage(&osbuild.SELinuxStageOptions{
FileContexts: fmt.Sprintf("etc/selinux/%s/contexts/files/file_contexts", p.selinuxPolicy),
Labels: p.getSELinuxLabels(),
},
))
}
return pipeline
}
// Returns a map of paths to labels for the SELinux stage based on specific
// packages found in the pipeline.
func (p *BuildrootFromPackages) getSELinuxLabels() map[string]string {
labels := make(map[string]string)
for _, pkg := range p.getPackageSpecs() {
switch pkg.Name {
case "coreutils":
labels["/usr/bin/cp"] = "system_u:object_r:install_exec_t:s0"
if p.containerBuildable {
labels["/usr/bin/mount"] = "system_u:object_r:install_exec_t:s0"
labels["/usr/bin/umount"] = "system_u:object_r:install_exec_t:s0"
}
case "tar":
labels["/usr/bin/tar"] = "system_u:object_r:install_exec_t:s0"
}
}
return labels
}
type BuildrootFromContainer struct {
Base
runner runner.Runner
dependents []Pipeline
containers []container.SourceSpec
containerSpecs []container.Spec
containerBuildable bool
disableSelinux bool
selinuxPolicy string
copyFilesFrom map[string][]string
ensureDirs []*fsnode.Directory
}
// NewBuildFromContainer creates a new build pipeline from the given
// containers specs
func NewBuildFromContainer(m *Manifest, runner runner.Runner, containerSources []container.SourceSpec, opts *BuildOptions) Build {
if opts == nil {
opts = &BuildOptions{}
}
name := "build"
if opts.PipelineName != "" {
name = opts.PipelineName
}
pipeline := &BuildrootFromContainer{
Base: NewBase(name, opts.BootstrapPipeline),
runner: runner,
dependents: make([]Pipeline, 0),
containers: containerSources,
containerBuildable: opts.ContainerBuildable,
disableSelinux: opts.DisableSELinux,
selinuxPolicy: policyOrDefault(opts.SELinuxPolicy),
copyFilesFrom: opts.CopyFilesFrom,
ensureDirs: opts.EnsureDirs,
}
m.addPipeline(pipeline)
return pipeline
}
func (p *BuildrootFromContainer) addDependent(dep Pipeline) {
p.dependents = append(p.dependents, dep)
man := p.Manifest()
if man == nil {
panic("cannot add build dependent without a manifest")
}
man.addPipeline(dep)
}
func (p *BuildrootFromContainer) getContainerSources() []container.SourceSpec {
return p.containers
}
func (p *BuildrootFromContainer) getContainerSpecs() []container.Spec {
return p.containerSpecs
}
func (p *BuildrootFromContainer) serializeStart(inputs Inputs) {
if len(p.containerSpecs) > 0 {
panic("double call to serializeStart()")
}
p.containerSpecs = inputs.Containers
}
func (p *BuildrootFromContainer) serializeEnd() {
if len(p.containerSpecs) == 0 {
panic("serializeEnd() call when serialization not in progress")
}
p.containerSpecs = nil
}
func (p *BuildrootFromContainer) getSELinuxLabels() map[string]string {
if p.disableSelinux {
return nil
}
labels := map[string]string{
"/usr/bin/ostree": "system_u:object_r:install_exec_t:s0",
}
if p.containerBuildable {
labels["/usr/bin/mount"] = "system_u:object_r:install_exec_t:s0"
labels["/usr/bin/umount"] = "system_u:object_r:install_exec_t:s0"
}
return labels
}
func (p *BuildrootFromContainer) serialize() osbuild.Pipeline {
if len(p.containerSpecs) == 0 {
panic("serialization not started")
}
if len(p.containerSpecs) != 1 {
panic(fmt.Sprintf("BuildrootFromContainer expectes exactly one container input, got: %v", p.containerSpecs))
}
pipeline := p.Base.serialize()
pipeline.Runner = p.runner.String()
image := osbuild.NewContainersInputForSingleSource(p.containerSpecs[0])
// Make skopeo copy to remove the signatures of signed containers by default to workaround
// build failures until https://github.com/containers/image/issues/2599 is implemented
stage, err := osbuild.NewContainerDeployStage(image, &osbuild.ContainerDeployOptions{RemoveSignatures: true})
if err != nil {
panic(err)
}
pipeline.AddStage(stage)
for _, stage := range osbuild.GenDirectoryNodesStages(p.ensureDirs) {
pipeline.AddStage(stage)
}
for copyFilesFrom, copyFiles := range p.copyFilesFrom {
inputName := "copy-tree"
paths := []osbuild.CopyStagePath{}
for _, copyPath := range copyFiles {
paths = append(paths, osbuild.CopyStagePath{
From: fmt.Sprintf("input://%s%s", inputName, copyPath),
To: fmt.Sprintf("tree://%s", copyPath),
})
}
pipeline.AddStage(osbuild.NewCopyStageSimple(
&osbuild.CopyStageOptions{Paths: paths},
osbuild.NewPipelineTreeInputs(inputName, copyFilesFrom),
))
}
if !p.disableSelinux {
pipeline.AddStage(osbuild.NewSELinuxStage(
&osbuild.SELinuxStageOptions{
FileContexts: fmt.Sprintf("etc/selinux/%s/contexts/files/file_contexts", p.selinuxPolicy),
ExcludePaths: []string{"/sysroot"},
Labels: p.getSELinuxLabels(),
},
))
}
return pipeline
}
// NewBootstrap creates a new bootstrap build pipeline from the given
// containers specs
func NewBootstrap(m *Manifest, containerSources []container.SourceSpec) Build {
name := "bootstrap-buildroot"
pipeline := &BuildrootFromContainer{
Base: NewBase(name, nil),
// use the most minimal runner as we cannot make assumption
// about our environment
runner: &runner.Linux{},
dependents: make([]Pipeline, 0),
containers: containerSources,
containerBuildable: true,
// XXX: we only disable selinux currently in the buildroot
// because selinux requies the bootstrap container to have the
// "setfiles" binary. this is typcially not shiped in a
// container so we disable it. the easiest fix is to make
// osbuld support running setfiles inside the buildroot chroot
// (which has setfiles installed)
disableSelinux: true,
}
m.addPipeline(pipeline)
return pipeline
}
Reference in a new issue View git blame Copy permalink