From e18598f80dfe0dc1633ba6db86a22a1e2f392cde Mon Sep 17 00:00:00 2001
From: lubiana
Date: Thu, 25 Jul 2024 17:59:40 +0200
Subject: [PATCH] add containerfile

---
 .gitignore | 1 +
 Containerfile | 103 +++++++++++++++++++++++++++++++++++++++++
 README.md | 1 +
 buildandpush.sh | 12 +++++
 containers.conf | 12 +++++
 podman-containers.conf | 5 ++
 6 files changed, 134 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Containerfile
 create mode 100755 buildandpush.sh
 create mode 100644 containers.conf
 create mode 100644 podman-containers.conf

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..62c8935
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea/
\ No newline at end of file
diff --git a/Containerfile b/Containerfile
new file mode 100644
index 0000000..922d427
--- /dev/null
+++ b/Containerfile
@@ -0,0 +1,103 @@
+# podman/Containerfile
+#
+# Build a Podman container image from the latest
+# stable version of Podman on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=podman
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+# FLAVOR defaults to stable if unset
+#
+# FLAVOR=stable acquires a stable version of Podman
+# from the Fedoras Updates System.
+# FLAVOR=testing acquires a testing version of Podman
+# from the Fedoras Updates System.
+# FLAVOR=upstream acquires a testing version of Podman
+# from the Fedora Copr Buildsystem.
+# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/
+#
+# https://bodhi.fedoraproject.org/updates/?search=podman
+
+FROM registry.fedoraproject.org/fedora:latest
+ARG FLAVOR=stable
+
+# When building for multiple-architectures in parallel using emulation
+# it's really easy for one/more dnf processes to timeout or mis-count
+# the minimum download rates. Bump both to be extremely forgiving of
+# an overworked host.
+RUN echo -e "\n\n# Added during image build" >> /etc/dnf/dnf.conf && \
+ echo -e "minrate=100\ntimeout=60\n" >> /etc/dnf/dnf.conf
+
+ARG INSTALL_RPMS="podman fuse-overlayfs openssh-clients ucpp git nodejs"
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+# being (maybe still?) affected by
+# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y makecache && \
+ dnf -y update && \
+ rpm --setcaps shadow-utils 2>/dev/null && \
+ case "${FLAVOR}" in \
+ stable) \
+ dnf -y install $INSTALL_RPMS --exclude container-selinux \
+ ;; \
+ testing) \
+ dnf -y install $INSTALL_RPMS --exclude container-selinux \
+ --enablerepo updates-testing \
+ ;; \
+ upstream) \
+ dnf -y install 'dnf-command(copr)' --enablerepo=updates-testing && \
+ dnf -y copr enable rhcontainerbot/podman-next && \
+ dnf -y install $INSTALL_RPMS \
+ --exclude container-selinux \
+ --enablerepo=updates-testing \
+ ;; \
+ *) \
+ printf "\\nFLAVOR argument must be set and valid, currently: '${FLAVOR}'\\n\\n" 1>&2 && \
+ exit 1 \
+ ;; \
+ esac && \
+ ln -s /usr/bin/ucpp /usr/local/bin/cpp && \
+ dnf clean all && \
+ rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd podman && \
+ echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid && \
+ echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid
+
+ADD /containers.conf /etc/containers/containers.conf
+ADD /podman-containers.conf /home/podman/.config/containers/containers.conf
+
+RUN mkdir -p /home/podman/.local/share/containers && \
+ chown podman:podman -R /home/podman && \
+ chmod 644 /etc/containers/containers.conf
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+ -e '/additionalimage.*/a "/var/lib/shared",' \
+ -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+ /usr/share/containers/storage.conf \
+ > /etc/containers/storage.conf
+
+# Setup internal Podman to pass subscriptions down from host to internal container
+RUN printf '/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement\n/run/secrets/rhsm:/run/secrets/rhsm\n' > /etc/containers/mounts.conf
+
+# Note VOLUME options must always happen after the chown call above
+# RUN commands can not modify existing volumes
+VOLUME /var/lib/containers
+VOLUME /home/podman/.local/share/containers
+
+RUN mkdir -p /var/lib/shared/overlay-images \
+ /var/lib/shared/overlay-layers \
+ /var/lib/shared/vfs-images \
+ /var/lib/shared/vfs-layers && \
+ touch /var/lib/shared/overlay-images/images.lock && \
+ touch /var/lib/shared/overlay-layers/layers.lock && \
+ touch /var/lib/shared/vfs-images/images.lock && \
+ touch /var/lib/shared/vfs-layers/layers.lock
+
+ENV _CONTAINERS_USERNS_CONFIGURED="" \
+ BUILDAH_ISOLATION=chroot
\ No newline at end of file
diff --git a/README.md b/README.md
index e69de29..e3dfd83 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1 @@
+Contains the Containerfile of the image used in our actions runner so that podman in podman works
\ No newline at end of file
diff --git a/buildandpush.sh b/buildandpush.sh
new file mode 100755
index 0000000..d321ef8
--- /dev/null
+++ b/buildandpush.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Variables
+REGISTRY="git.hannover.ccc.de/c3h/leitstelle-forgejo-actions/runner"
+PLATTARCH="linux/amd64,linux/arm64"
+
+# Build and push the first image
+echo "Building and pushing PHP Podman image..."
+
+if ! podman manifest exists ${REGISTRY}; then podman manifest create ${REGISTRY}; fi
+podman build --platform ${PLATTARCH} --manifest ${REGISTRY} -f Containerfile .
+podman manifest push ${REGISTRY}
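Review bot: `FROM registry.fedoraproject.org/fedora:latest` combined with the unconditional `dnf -y update` means two builds of this runner image can land on different Fedora releases and package sets with nothing in the repository recording which, which makes a regression or a compromised-runner investigation hard to bisect; pin a release tag such as `FROM registry.fedoraproject.org/fedora:40` and, once resolved, the `@sha256:` digest. The two `ADD /containers.conf …` and `ADD /podman-containers.conf …` lines copy plain local files and should be `COPY` (hadolint DL3020), since `ADD`'s archive-extraction and URL behaviours are not wanted. The image also never issues `USER podman`, so unless the runner is launched with a non-root `--user`, jobs run as root inside the container and the `/etc/subuid` and `/etc/subgid` ranges prepared for `podman` go unused. A comment after the `useradd podman` line stating which mode the runner is expected to use (rootful with the system `containers.conf`, or rootless as `podman`) would make that intent explicit.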
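Review bot: Nothing in this script stops on failure — there is no `set -e`, so when `podman build --platform … --manifest …` fails for one or both architectures, the final `podman manifest push ${REGISTRY}` still runs and can publish a partial or stale manifest list; add `set -euo pipefail` directly under `#!/bin/bash`. The reference carries no explicit tag, so every push overwrites the default `latest` tag, presumably the one the runner pulls, with no way to roll back; consider pushing an additional immutable tag (git sha or date) alongside it. The line `echo "Building and pushing PHP Podman image..."` looks like a copy-paste leftover, as nothing in this repository is PHP-specific.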
diff --git a/containers.conf b/containers.conf
new file mode 100644
index 0000000..f1f3732
--- /dev/null
+++ b/containers.conf
@@ -0,0 +1,12 @@
+[containers]
+netns="host"
+userns="host"
+ipcns="host"
+utsns="host"
+cgroupns="host"
+cgroups="disabled"
+log_driver = "k8s-file"
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger="file"
+runtime="crun"
\ No newline at end of file
diff --git a/podman-containers.conf b/podman-containers.conf
new file mode 100644
index 0000000..4634964
--- /dev/null
+++ b/podman-containers.conf
@@ -0,0 +1,5 @@
+[containers]
+volumes = [
+ "/proc:/proc",
+]
+default_sysctls = []
\ No newline at end of file
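Review bot: Every knob in this file weakens the isolation of the containers podman will start — `netns`, `userns`, `ipcns`, `utsns` and `cgroupns` are all `"host"` and `cgroups="disabled"` — and because the Containerfile installs it as the system-wide `/etc/containers/containers.conf`, it applies to every rootful podman invocation in the image, i.e. to each CI job's containers, which therefore share the runner container's network stack, IPC and hostname and get no cgroup limits. That is the usual podman-in-podman trade-off, where the outer runner container is the isolation boundary rather than the inner one, but the file says nothing about it and could easily be copied onto a host. Add a header such as `# Config for podman running INSIDE the runner container: inner containers share the runner container's namespaces; the outer container is the security boundary. Never install this on a host.` Whether letting untrusted job containers share the runner's network namespace is acceptable depends on what the runner process exposes locally, which cannot be judged from this diff.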
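Review bot: `volumes = ["/proc:/proc"]` bind-mounts the runner container's `/proc` into every container started by the `podman` user (the Containerfile installs this file as that user's `~/.config/containers/containers.conf`), so inner containers see the outer process list and the `/proc/<pid>/environ` of same-uid processes instead of a private procfs, and `default_sysctls = []` drops podman's default sysctls; neither setting is explained. Presumably the bind-mount exists because a fresh procfs cannot be mounted inside the nested rootless user namespace — confirm — and that reason belongs in the file, e.g. `# Rootless podman inside the runner container: presumably a nested procfs mount is not permitted, so the outer /proc is bind-mounted; inner containers can see the runner's processes.` and `# No default sysctls; confirm they cannot be applied in the nested namespace before re-enabling.`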