From d0e1b7c8d17d784567ca6560237731d6e58ec7c5 Mon Sep 17 00:00:00 2001
From: Gerald Pinder <gmpinder@gmail.com>
Date: Sun, 24 Mar 2024 02:27:54 -0400
Subject: [PATCH] fix: Copy bins and keys with mounts for ostree commit (#132)

I've been investigating more into how ostree works and how it relates to
running `ostree container commit` for each layer. I've decided to move
our pre-installed bins and public keys into their own stages and then
bind mount them into a `RUN` instruction so that we can just use `cp` to
get the files into the image and then call `ostree container commit`.
Now all of our layers in the image (after the base image) will be in the
ostree commit tree.
---
 integration-tests/test-repo/config/recipe.yml |  3 +-
 template/src/lib.rs                           |  7 +++
 template/templates/Containerfile.j2           | 44 +---------------
 template/templates/modules/modules.j2         | 11 ++++
 template/templates/stages.j2                  | 52 +++++++++++++++++++
 5 files changed, 73 insertions(+), 44 deletions(-)
 create mode 100644 template/templates/stages.j2

diff --git a/integration-tests/test-repo/config/recipe.yml b/integration-tests/test-repo/config/recipe.yml
index 7422214..51bdf6b 100644
--- a/integration-tests/test-repo/config/recipe.yml
+++ b/integration-tests/test-repo/config/recipe.yml
@@ -33,8 +33,7 @@ modules:
       remove:
         - org.gnome.eog
 
-  # Needs a bug to be fixed to allow / in image name
-  # - type: signing
+  - type: signing
 
   - type: test-module
 
diff --git a/template/src/lib.rs b/template/src/lib.rs
index 57e76f3..ae163f2 100644
--- a/template/src/lib.rs
+++ b/template/src/lib.rs
@@ -154,3 +154,10 @@ fn modules_exists() -> bool {
     let mod_path = Path::new("modules");
     mod_path.exists() && mod_path.is_dir()
 }
+
+mod filters {
+    #[allow(clippy::unnecessary_wraps)]
+    pub fn replace<T: std::fmt::Display>(input: T, from: char, to: &str) -> askama::Result<String> {
+        Ok(format!("{input}").replace(from, to))
+    }
+}
diff --git a/template/templates/Containerfile.j2 b/template/templates/Containerfile.j2
index e333b4f..b7c90dc 100644
--- a/template/templates/Containerfile.j2
+++ b/template/templates/Containerfile.j2
@@ -1,27 +1,4 @@
-# This stage is responsible for holding onto
-# your config without copying it directly into
-# the final image
-FROM scratch as stage-config
-COPY ./config /config
-
-# Copy modules
-# The default modules are inside blue-build/modules
-# Custom modules overwrite defaults
-FROM scratch as stage-modules
-COPY --from=ghcr.io/blue-build/modules:latest /modules /modules
-{%- if self::modules_exists() %}
-COPY ./modules /modules
-{%- endif %}
-
-{%- include "modules/akmods/akmods.j2" %}
-
-# This stage is responsible for holding onto
-# exports like the exports.sh
-FROM docker.io/alpine as stage-exports
-COPY <<EOF /exports.sh
-{{ self::print_export_script() }}
-EOF
-RUN chmod +x /exports.sh
+{%- include "stages.j2" %}
 
 FROM {{ recipe.base_image }}:{{ recipe.image_version }}
 
@@ -43,27 +20,10 @@ ARG IMAGE_REGISTRY={{ registry }}
 ARG IMAGE_REGISTRY=localhost
 {%- endif %}
 
-{%- if self::has_cosign_file() %}
-COPY cosign.pub /usr/share/ublue-os/cosign.pub
-{%- endif %}
-
 ARG CONFIG_DIRECTORY="/tmp/config"
 ARG IMAGE_NAME="{{ recipe.name }}"
 ARG BASE_IMAGE="{{ recipe.base_image }}"
 
-COPY --from=gcr.io/projectsigstore/cosign /ko-app/cosign /usr/bin/cosign
-COPY --from=docker.io/mikefarah/yq /usr/bin/yq /usr/bin/yq
-COPY --from=ghcr.io/blue-build/cli:
-{%- if let Some(tag) = recipe.blue_build_tag -%}
-{{ tag }}
-{%- else -%}
-latest-installer
-{%- endif %} /out/bluebuild /usr/bin/bluebuild
-
 SHELL ["bash", "-c"]
 
-{%- include "modules/modules.j2" %}
-
-# Added in case a user adds something else using the
-# 'containerfile' module
-RUN rm -fr /tmp/* /var/* && ostree container commit
+{% include "modules/modules.j2" %}
diff --git a/template/templates/modules/modules.j2 b/template/templates/modules/modules.j2
index 9eb3bcc..a9eac95 100644
--- a/template/templates/modules/modules.j2
+++ b/template/templates/modules/modules.j2
@@ -1,3 +1,14 @@
+# Key RUN
+RUN --mount=type=bind,from=stage-keys,src=/keys,dst=/tmp/keys \
+  cp /tmp/keys/* /usr/etc/pki/containers/ \
+  && ostree container commit
+
+# Bin RUN
+RUN --mount=type=bind,from=stage-bins,src=/bins,dst=/tmp/bins \
+  cp /tmp/bins/* /usr/bin/ \
+  && ostree container commit
+
+# Module RUNs
 {%- for module in recipe.modules_ext.modules %}
   {%- if let Some(type) = module.module_type %}
     {%- if type == "containerfile" %}
diff --git a/template/templates/stages.j2 b/template/templates/stages.j2
new file mode 100644
index 0000000..db9fbc6
--- /dev/null
+++ b/template/templates/stages.j2
@@ -0,0 +1,52 @@
+# This stage is responsible for holding onto
+# your config without copying it directly into
+# the final image
+FROM scratch as stage-config
+COPY ./config /config
+
+# Copy modules
+# The default modules are inside blue-build/modules
+# Custom modules overwrite defaults
+FROM scratch as stage-modules
+COPY --from=ghcr.io/blue-build/modules:latest /modules /modules
+{%- if self::modules_exists() %}
+COPY ./modules /modules
+{%- endif %}
+
+# Bins to install
+# These are basic tools that are added to all images.
+# Generally used for the build process. We use a multi
+# stage process so that adding the bins into the image
+# can be added to the ostree commits.
+FROM scratch as stage-bins
+
+COPY --from=gcr.io/projectsigstore/cosign /ko-app/cosign /bins/cosign
+COPY --from=docker.io/mikefarah/yq /usr/bin/yq /bins/yq
+COPY --from=ghcr.io/blue-build/cli:
+{%- if let Some(tag) = recipe.blue_build_tag -%}
+{{ tag }}
+{%- else -%}
+latest-installer
+{%- endif %} /out/bluebuild /bins/bluebuild
+
+# Keys for pre-verified images
+# Used to copy the keys into the final image
+# and perform an ostree commit.
+#
+# Currently only holds the current image's
+# public key.
+FROM scratch as stage-keys
+
+{%- if self::has_cosign_file() %}
+COPY cosign.pub /keys/{{ recipe.name|replace('/', "_") }}.pub
+{%- endif %}
+
+{%- include "modules/akmods/akmods.j2" %}
+
+# This stage is responsible for holding onto
+# exports like the exports.sh
+FROM docker.io/alpine as stage-exports
+COPY <<EOF /exports.sh
+{{ self::print_export_script() }}
+EOF
+RUN chmod +x /exports.sh