particle-os/particle-os-cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: Copy bins and keys with mounts for ostree commit (#132)

Browse source 
I've been investigating more into how ostree works and how it relates to
running `ostree container commit` for each layer. I've decided to move
our pre-installed bins and public keys into their own stages and then
bind mount them into a `RUN` instruction so that we can just use `cp` to
get the files into the image and then call `ostree container commit`.
Now all of our layers in the image (after the base image) will be in the
ostree commit tree.
This commit is contained in:
Gerald Pinder 2024-03-24 02:27:54 -04:00 committed by GitHub
parent 783ac2c3fb
commit d0e1b7c8d1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 73 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

3
integration-tests/test-repo/config/recipe.yml
View file

@ -33,8 +33,7 @@ modules:
remove: remove:
- org.gnome.eog - org.gnome.eog
# Needs a bug to be fixed to allow / in image name - type: signing
# - type: signing
- type: test-module - type: test-module

7
template/src/lib.rs
View file

@ -154,3 +154,10 @@ fn modules_exists() -> bool {
let mod_path = Path::new("modules"); let mod_path = Path::new("modules");
mod_path.exists() && mod_path.is_dir() mod_path.exists() && mod_path.is_dir()
} }
mod filters {
#[allow(clippy::unnecessary_wraps)]
pub fn replace<T: std::fmt::Display>(input: T, from: char, to: &str) -> askama::Result<String> {
Ok(format!("{input}").replace(from, to))
}
}

44
template/templates/Containerfile.j2
View file

@ -1,27 +1,4 @@
# This stage is responsible for holding onto {%- include "stages.j2" %}
# your config without copying it directly into
# the final image
FROM scratch as stage-config
COPY ./config /config
# Copy modules
# The default modules are inside blue-build/modules
# Custom modules overwrite defaults
FROM scratch as stage-modules
COPY --from=ghcr.io/blue-build/modules:latest /modules /modules
{%- if self::modules_exists() %}
COPY ./modules /modules
{%- endif %}
{%- include "modules/akmods/akmods.j2" %}
# This stage is responsible for holding onto
# exports like the exports.sh
FROM docker.io/alpine as stage-exports
COPY <<EOF /exports.sh
{{ self::print_export_script() }}
EOF
RUN chmod +x /exports.sh
FROM {{ recipe.base_image }}:{{ recipe.image_version }} FROM {{ recipe.base_image }}:{{ recipe.image_version }}
@ -43,27 +20,10 @@ ARG IMAGE_REGISTRY={{ registry }}
ARG IMAGE_REGISTRY=localhost ARG IMAGE_REGISTRY=localhost
{%- endif %} {%- endif %}
{%- if self::has_cosign_file() %}
COPY cosign.pub /usr/share/ublue-os/cosign.pub
{%- endif %}
ARG CONFIG_DIRECTORY="/tmp/config" ARG CONFIG_DIRECTORY="/tmp/config"
ARG IMAGE_NAME="{{ recipe.name }}" ARG IMAGE_NAME="{{ recipe.name }}"
ARG BASE_IMAGE="{{ recipe.base_image }}" ARG BASE_IMAGE="{{ recipe.base_image }}"
COPY --from=gcr.io/projectsigstore/cosign /ko-app/cosign /usr/bin/cosign
COPY --from=docker.io/mikefarah/yq /usr/bin/yq /usr/bin/yq
COPY --from=ghcr.io/blue-build/cli:
{%- if let Some(tag) = recipe.blue_build_tag -%}
{{ tag }}
{%- else -%}
latest-installer
{%- endif %} /out/bluebuild /usr/bin/bluebuild
SHELL ["bash", "-c"] SHELL ["bash", "-c"]
{%- include "modules/modules.j2" %} {% include "modules/modules.j2" %}
# Added in case a user adds something else using the
# 'containerfile' module
RUN rm -fr /tmp/* /var/* && ostree container commit

11
template/templates/modules/modules.j2
View file

@ -1,3 +1,14 @@
# Key RUN
RUN --mount=type=bind,from=stage-keys,src=/keys,dst=/tmp/keys \
cp /tmp/keys/* /usr/etc/pki/containers/ \
&& ostree container commit
# Bin RUN
RUN --mount=type=bind,from=stage-bins,src=/bins,dst=/tmp/bins \
cp /tmp/bins/* /usr/bin/ \
&& ostree container commit
# Module RUNs
{%- for module in recipe.modules_ext.modules %} {%- for module in recipe.modules_ext.modules %}
{%- if let Some(type) = module.module_type %} {%- if let Some(type) = module.module_type %}
{%- if type == "containerfile" %} {%- if type == "containerfile" %}

52
template/templates/stages.j2 Normal file
View file

@ -0,0 +1,52 @@
# This stage is responsible for holding onto
# your config without copying it directly into
# the final image
FROM scratch as stage-config
COPY ./config /config
# Copy modules
# The default modules are inside blue-build/modules
# Custom modules overwrite defaults
FROM scratch as stage-modules
COPY --from=ghcr.io/blue-build/modules:latest /modules /modules
{%- if self::modules_exists() %}
COPY ./modules /modules
{%- endif %}
# Bins to install
# These are basic tools that are added to all images.
# Generally used for the build process. We use a multi
# stage process so that adding the bins into the image
# can be added to the ostree commits.
FROM scratch as stage-bins
COPY --from=gcr.io/projectsigstore/cosign /ko-app/cosign /bins/cosign
COPY --from=docker.io/mikefarah/yq /usr/bin/yq /bins/yq
COPY --from=ghcr.io/blue-build/cli:
{%- if let Some(tag) = recipe.blue_build_tag -%}
{{ tag }}
{%- else -%}
latest-installer
{%- endif %} /out/bluebuild /bins/bluebuild
# Keys for pre-verified images
# Used to copy the keys into the final image
# and perform an ostree commit.
#
# Currently only holds the current image's
# public key.
FROM scratch as stage-keys
{%- if self::has_cosign_file() %}
COPY cosign.pub /keys/{{ recipe.name|replace('/', "_") }}.pub
{%- endif %}
{%- include "modules/akmods/akmods.j2" %}
# This stage is responsible for holding onto
# exports like the exports.sh
FROM docker.io/alpine as stage-exports
COPY <<EOF /exports.sh
{{ self::print_export_script() }}
EOF
RUN chmod +x /exports.sh