airship/images
Code Issues Proposed changes

Preserve sticky bit during image build

Browse Source 
Enable docker buildkit so that sticky bits (for sudo, etc) are preserved
in the container image. They are dropped otherwise. This also requires
docker-ce, which the script will now alert you of if missing in your
environment.

Also remove override placeholders so they don't show up as patchset
changes after running image-builder in a local environment.

Change-Id: I80dfeb12ad6e8ebef71d1f7cf44ad39579ce0d6d
This commit is contained in:
Anderson, Craig (ca846m) 2021-03-03 09:15:24 -08:00 committed by Andrii Ostapenko
parent 95af063c35
commit f6dfe38820
8 changed files with 24 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -11,3 +11,5 @@ image-builder/config/*.iso
image-builder/config/*.qcow2 image-builder/config/*.qcow2
image-builder/config/*.md5sum image-builder/config/*.md5sum
image-builder/assets/playbooks/roles/multistrap/vars/main.yaml image-builder/assets/playbooks/roles/multistrap/vars/main.yaml
image-builder/assets/playbooks/roles/livecdcontent/vars/main.yaml
image-builder/assets/playbooks/roles/osconfig/vars/main.yaml

27
image-builder/Makefile
View File

@ -52,15 +52,9 @@ images: build generate_iso package_qcow
build: build:
set -ex set -ex
# Apply any user-defined rootfs overrides to playbooks # Apply any user-defined rootfs overrides to playbooks
if [ -f $(WORKDIR)/rootfs/multistrap-vars.yaml ]; then cp $(WORKDIR)/rootfs/multistrap-vars.yaml assets/playbooks/roles/multistrap/vars/main.yaml
cp $(WORKDIR)/rootfs/multistrap-vars.yaml assets/playbooks/roles/multistrap/vars/main.yaml cp $(WORKDIR)/rootfs/osconfig-vars.yaml assets/playbooks/roles/osconfig/vars/main.yaml
fi cp $(WORKDIR)/rootfs/livecdcontent-vars.yaml assets/playbooks/roles/livecdcontent/vars/main.yaml
if [ -f $(WORKDIR)/rootfs/osconfig-vars.yaml ]; then
cp $(WORKDIR)/rootfs/osconfig-vars.yaml assets/playbooks/roles/osconfig/vars/main.yaml
fi
if [ -f $(WORKDIR)/rootfs/livecdcontent-vars.yaml ]; then
cp $(WORKDIR)/rootfs/livecdcontent-vars.yaml assets/playbooks/roles/livecdcontent/vars/main.yaml
fi
ifneq ($(PROXY), ) ifneq ($(PROXY), )
sudo -E ./tools/docker_proxy.sh $(PROXY) $(NO_PROXY) sudo -E ./tools/docker_proxy.sh $(PROXY) $(NO_PROXY)
export http_proxy=$(PROXY) export http_proxy=$(PROXY)
@ -72,7 +66,7 @@ ifneq ($(PROXY), )
ifneq ($(SKIP_MULTISTRAP), true) ifneq ($(SKIP_MULTISTRAP), true)
sudo -E ./tools/multistrap.sh $(WORKDIR) sudo -E ./tools/multistrap.sh $(WORKDIR)
endif endif
sudo -E docker -D -l debug build --tag $(IMAGE) -f Dockerfile.$(DISTRO) . \ sudo -E DOCKER_BUILDKIT=1 docker -D -l debug build --tag $(IMAGE) -f Dockerfile.$(DISTRO) . \
--label $(LABEL) \ --label $(LABEL) \
--label "org.opencontainers.image.revision=$(COMMIT)" \ --label "org.opencontainers.image.revision=$(COMMIT)" \
--label "org.opencontainers.image.created=\ --label "org.opencontainers.image.created=\
@ -88,15 +82,20 @@ else
ifneq ($(SKIP_MULTISTRAP), true) ifneq ($(SKIP_MULTISTRAP), true)
sudo -E ./tools/multistrap.sh $(WORKDIR) sudo -E ./tools/multistrap.sh $(WORKDIR)
endif endif
sudo -E docker -D -l debug build --tag $(IMAGE) -f Dockerfile.$(DISTRO) . \ sudo -E DOCKER_BUILDKIT=1 docker -D -l debug build --tag $(IMAGE) -f Dockerfile.$(DISTRO) . \
--label $(LABEL) \ --label $(LABEL) \
--label "org.opencontainers.image.revision=$(COMMIT)" \ --label "org.opencontainers.image.revision=$(COMMIT)" \
--label "org.opencontainers.image.created=\ --label "org.opencontainers.image.created=\
$(shell date --rfc-3339=seconds --utc)" \ $(shell date --rfc-3339=seconds --utc)" \
--label "org.opencontainers.image.title=$(IMAGE_NAME)" --label "org.opencontainers.image.title=$(IMAGE_NAME)"
endif endif
imgId=`sudo docker images | grep 'image-builder ' | awk '{print $$3}'`
sudo -E DOCKER_BUILDKIT=1 docker run $$imgId ls -ltra /build/usr/bin/sudo > /tmp/sticky_result
sudo grep '^-rws' /tmp/sticky_result >& /dev/null || \
(echo Could not find sticky bit set on target image sudo binary. Are you using buildkit? && \
sudo cat /tmp/sticky_result && exit 1)
ifeq ($(PUSH_IMAGE), true) ifeq ($(PUSH_IMAGE), true)
sudo -E docker push $(IMAGE) sudo -E DOCKER_BUILDKIT=1 docker push $(IMAGE)
endif endif
cut_image: cut_image:
@ -138,14 +137,14 @@ package_qcow:
export IMAGE_TYPE=qcow export IMAGE_TYPE=qcow
export EXPLICIT_DIRS=$(QCOW_CONF_DIRS) export EXPLICIT_DIRS=$(QCOW_CONF_DIRS)
sudo -E make cut_image sudo -E make cut_image
sudo -E docker -D -l debug build --tag $(QCOW_IMAGE) -f Dockerfile-qcow.$(DISTRO) $(WORKDIR) \ sudo -E DOCKER_BUILDKIT=1 docker -D -l debug build --tag $(QCOW_IMAGE) -f Dockerfile-qcow.$(DISTRO) $(WORKDIR) \
--label $(LABEL) \ --label $(LABEL) \
--label "org.opencontainers.image.revision=$(COMMIT)" \ --label "org.opencontainers.image.revision=$(COMMIT)" \
--label "org.opencontainers.image.created=\ --label "org.opencontainers.image.created=\
$(shell date --rfc-3339=seconds --utc)" \ $(shell date --rfc-3339=seconds --utc)" \
--label "org.opencontainers.image.title=$(QCOW_IMAGE_NAME)" --label "org.opencontainers.image.title=$(QCOW_IMAGE_NAME)"
ifeq ($(PUSH_IMAGE), true) ifeq ($(PUSH_IMAGE), true)
sudo -E docker push $(QCOW_IMAGE) sudo -E DOCKER_BUILDKIT=1 docker push $(QCOW_IMAGE)
endif endif
tests: tests:

0
image-builder/assets/playbooks/roles/livecdcontent/vars/README.md Normal file
View File

1
image-builder/assets/playbooks/roles/livecdcontent/vars/main.yaml
View File

@ -1 +0,0 @@
# This file will be overwritten by the container entrypoint with user-provided vars, if any are defined.

1
image-builder/assets/playbooks/roles/osconfig/vars/README.md Normal file
View File

@ -0,0 +1 @@

1
image-builder/assets/playbooks/roles/osconfig/vars/main.yaml
View File

@ -1 +0,0 @@
# NOTE: This file will be *overwritten* by the container entrypoint with user-provided vars, if any are defined.

5
image-builder/tools/cut_image.sh
View File

@ -56,7 +56,10 @@ install_pkg libvirt-daemon-system
install_pkg libvirt-clients install_pkg libvirt-clients
install_pkg cloud-image-utils install_pkg cloud-image-utils
install_pkg ovmf install_pkg ovmf
type docker >& /dev/null || install_pkg docker.io type docker >& /dev/null || (echo "Error: You do not have docker installed in your environment." && exit 1)
sudo docker version | grep Community >& /dev/null || (echo "Error: Could not find Community version of docker" && \
echo "You must uninstall docker.io and install docker-ce. For instructions, see https://docs.docker.com/engine/install/ubuntu/" && \
exit 1)
if [ -d /sys/firmware/efi ]; then if [ -d /sys/firmware/efi ]; then
uefi_mount='--volume /sys/firmware/efi:/sys/firmware/efi:rw' uefi_mount='--volume /sys/firmware/efi:/sys/firmware/efi:rw'

5
image-builder/tools/multistrap.sh
View File

@ -63,7 +63,10 @@ fi
install_pkg efivar install_pkg efivar
# required for building UEFI image # required for building UEFI image
sudo -E modprobe efivars sudo -E modprobe efivars
type docker >& /dev/null || install_pkg docker.io type docker >& /dev/null || (echo "Error: You do not have docker installed in your environment." && exit 1)
sudo docker version | grep Community >& /dev/null || (echo "Error: Could not find Community version of docker" && \
echo "You must uninstall docker.io and install docker-ce. For instructions, see https://docs.docker.com/engine/install/ubuntu/" && \
exit 1)
install_pkg equivs install_pkg equivs
install_pkg ca-certificates install_pkg ca-certificates
install_pkg build-essential install_pkg build-essential