
Along with the buildkit buildx image we rely on the multiarch/qemu-user-static image to execute code on an emulated target architecture for image builds. This image is hosted on docker hub which has strict rate limits in place so we've mirrored it to quay.io/opendevmirror. Consume the image from there to reduce impact of rate limits. Change-Id: Ie646f0e50cdc23da6ca82568e48f1fa416c35e1d
- name: Update qemu-static container settings
|
|
command: docker run --rm --privileged quay.io/opendevmirror/qemu-user-static --reset -p yes
|
|
when: ansible_architecture == 'x86_64'
|
|
|
|
# TODO(clarkb) Use buildkitd.toml configuration to add certifications. That
|
|
# may allow us to drop the ca-certificates install and update-ca-certificates
|
|
# step below. More info here:
|
|
# https://docs.docker.com/reference/cli/docker/buildx/create/#buildkitd-config
|
|
- name: Create builder
|
|
command: "docker buildx create --name mybuilder --node {{ inventory_hostname | replace('-', '_') }} --driver=docker-container --driver-opt image=quay.io/opendevmirror/buildkit:buildx-stable-1 --driver-opt network=host{% if buildset_registry is defined %} --config /etc/buildkit/buildkitd.toml {% endif %}"
|
|
when: inventory_hostname == ansible_play_hosts[0]
|
|
|
|
- name: Add host key to known_hosts
|
|
shell: "ssh-keyscan -H {{ ansible_host }} >> ~/.ssh/known_hosts"
|
|
when: inventory_hostname != ansible_play_hosts[0]
|
|
delegate_to: "{{ ansible_play_hosts[0] }}"
|
|
|
|
- name: Append builders from other nodes
|
|
command: "docker buildx create --append --name mybuilder --node {{ inventory_hostname | replace('-', '_') }} --driver-opt image=quay.io/opendevmirror/buildkit:buildx-stable-1 --driver-opt network=host{% if buildset_registry is defined %} --config /etc/buildkit/buildkitd.toml {% endif %} ssh://{{ ansible_user }}@{{ ansible_host }}"
|
|
when: inventory_hostname != ansible_play_hosts[0]
|
|
delegate_to: "{{ ansible_play_hosts[0] }}"
|
|
|
|
- name: Use builder
|
|
command: docker buildx use mybuilder
|
|
when: inventory_hostname == ansible_play_hosts[0]
|
|
|
|
- name: Bootstrap builder
|
|
command: docker buildx inspect --bootstrap
|
|
when: inventory_hostname == ansible_play_hosts[0]
|
|
|
|
- name: Make tempfile for registry TLS certificate
|
|
tempfile:
|
|
state: file
|
|
register: buildkit_cert_tmp
|
|
|
|
- name: Write buildset registry TLS certificate
|
|
become: true
|
|
copy:
|
|
content: "{{ buildset_registry.cert }}"
|
|
dest: "{{ buildkit_cert_tmp.path }}"
|
|
mode: preserve
|
|
when: buildset_registry is defined and buildset_registry.cert
|
|
|
|
- name: Install CA certs in worker container
|
|
command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} apk add --no-cache ca-certificates"
|
|
when: buildset_registry is defined and buildset_registry.cert
|
|
|
|
- name: Copy buildset registry TLS cert into worker container
|
|
command: "docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/usr/local/share/ca-certificates"
|
|
when: buildset_registry is defined and buildset_registry.cert
|
|
|
|
- name: Update CA certs in worker container
|
|
command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} update-ca-certificates"
|
|
when: buildset_registry is defined and buildset_registry.cert
|
|
|
|
- name: Remove TLS cert tempfile
|
|
file:
|
|
state: absent
|
|
path: '{{ buildkit_cert_tmp.path }}'
|
|
when: buildset_registry is defined and buildset_registry.cert
|
|
|
|
- name: Make tempfile for /etc/hosts
|
|
tempfile:
|
|
state: file
|
|
register: etc_hosts_tmp
|
|
|
|
- name: Copy /etc/hosts for editing
|
|
command: "docker cp buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/etc/hosts {{ etc_hosts_tmp.path }}"
|
|
|
|
# Docker buildx has its own /etc/hosts in the builder image.
|
|
- name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
|
|
become: yes
|
|
lineinfile:
|
|
path: '{{ etc_hosts_tmp.path }}'
|
|
state: present
|
|
regex: "^{{ buildset_registry.host }}\tzuul-jobs.buildset-registry$"
|
|
line: "{{ buildset_registry.host }}\tzuul-jobs.buildset-registry"
|
|
insertafter: EOF
|
|
when: buildset_registry is defined and buildset_registry.host | ipaddr
|
|
|
|
- name: Unmount the /etc/hosts mount
|
|
command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} umount /etc/hosts"
|
|
|
|
# NOTE(mordred) This is done in two steps. Even though we've unmounted /etc/hosts
|
|
# in the previous step, when we try to copy the file back directly, we get:
|
|
# unlinkat /etc/hosts: device or resource busy
|
|
- name: Copy modified hosts file back in
|
|
command: "docker cp {{ etc_hosts_tmp.path }} buildx_buildkit_{{ inventory_hostname | replace('-', '_') }}:/etc/new-hosts"
|
|
|
|
- name: Copy modified hosts file into place
|
|
command: "docker exec buildx_buildkit_{{ inventory_hostname | replace('-', '_') }} cp /etc/new-hosts /etc/hosts"
|
|
|
|
- name: Remove tempfile for /etc/hosts
|
|
file:
|
|
state: absent
|
|
path: '{{ etc_hosts_tmp.path }}'
|
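Review bot: The mirrored image references this change introduces are all resolved by mutable tag — `quay.io/opendevmirror/qemu-user-static` in the "Update qemu-static container settings" task carries no tag at all (so `latest`), and `quay.io/opendevmirror/buildkit:buildx-stable-1` in the "Create builder" and "Append builders from other nodes" tasks is a floating tag — so moving the pull to the mirror changes who can alter what these steps run without pinning what they run. Since the qemu run is `--privileged` and the buildkit container later receives the buildset registry CA via `docker cp`, pinning by digest would make the supply chain reproducible, e.g. `command: docker run --rm --privileged quay.io/opendevmirror/qemu-user-static@sha256:<DIGEST-FROM-MIRROR> --reset -p yes` and `--driver-opt image=quay.io/opendevmirror/buildkit:buildx-stable-1@sha256:<DIGEST-FROM-MIRROR>`. If the mirror is intended to track upstream automatically so that a digest would need a periodic bump, a short comment above the qemu task stating that the quay.io mirror is now the trust anchor for these images and how its contents are refreshed would at least document the trade-off. This section appears to start mid-file, so any earlier tasks that also pull images are not visible here.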