Update buildah, but ensure flatpak and bootc builds continue working #134
Comments
|
@cgwalters @owtaylor what do you think, would the suggested workaround/solution be acceptable? |
|
Thinking about the Task param a bit more, it should probably look like this: - name: BUILD_CONTEXT_MOUNTS
value:
- ".:/buildcontext"
- "export:/export"i.e. it would be an array of arguments for |
|
Thanks, this is a very obvious-in-retrospect solution indeed. I have verified that my trivial reproducer works with modifications to do this: However...there is one downside of this, which is that it doesn't work with podman-remote aka podman-machine, whereas the other approach does. But...that's not fatal for Konflux, just logistically annoying for those of us using that (e.g. on MacOS, or even on Linux as a way to handle privileges for disk image building, ref containers/podman-bootc#9 etc). |
Actually, we don't need the context directory at all - we just need an empty, writable temporary directory on the host, scoped to the lifetime of the build. There's basically zero security concerns with that. It's the equivalent of Kubernetes emptydir. So this could be like or so? (Tekton has some builtin support for things like this but I don't think that applies to the buildah-oci-remote-ta type thing) |
|
Yeah an empty dir would be even better. Though it may be un-ergonomic, because as the Containerfile author, you'll need to know the path on the host: FROM registry.access.redhat.com/ubi9/ubi:latest as builder
# this /buildcontext is the path mounted in the container
RUN dnf -y install skopeo && skopeo copy docker://busybox oci:/buildcontext/out.oci
# this /tmp/buildcontext is the path on the host (the buildah Pod)
FROM oci:/tmp/buildcontext/out.ociSome ways we could make it better:
Or stick to mounting the context directory, since that one can be accessed with |
|
Although actually...sorry, it is messier than that. The problem is the And the complexity here is that at the time of doing the ...EDIT, I see you're saying the same thing. |
Yeah this is by far the simplest thing that will work in a straightforward way both in or so? There's no need to support mounting anything else than |
Yeah, that sounds reasonable 👍 |
|
We'll add the option to the buildah task ASAP. Afterwards, we'll need to make sure all the bootc and flatpak builds are updated to use that, and then we should finally be able to update buildah. |
Allows to mount the current working directory into the build using
--volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context
directory for the build, because we set the workdir to the context dir
before calling 'buildah build'.
The primary use case for this parameter is for builds that need to write
some outputs into a shared directory and reference the output in a later
FROM instruction, e.g.
FROM oci-archive:./out.ociarchive
See konflux-ci/buildah-container#134 for more
details.
Signed-off-by: Adam Cmiel <[email protected]>
Allows to mount the current working directory into the build using
--volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context
directory for the build, because we set the workdir to the context dir
before calling 'buildah build'.
The primary use case for this parameter is for builds that need to write
some outputs into a shared directory and reference the output in a later
FROM instruction, e.g.
FROM oci-archive:./out.ociarchive
See konflux-ci/buildah-container#134 for more
details.
Signed-off-by: Adam Cmiel <[email protected]>
Allows to mount the current working directory into the build using
--volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context
directory for the build, because we set the workdir to the context dir
before calling 'buildah build'.
The primary use case for this parameter is for builds that need to write
some outputs into a shared directory and reference the output in a later
FROM instruction, e.g.
FROM oci-archive:./out.ociarchive
See konflux-ci/buildah-container#134 for more
details.
Signed-off-by: Adam Cmiel <[email protected]>
Allows to mount the current working directory into the build using
--volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context
directory for the build, because we set the workdir to the context dir
before calling 'buildah build'.
The primary use case for this parameter is for builds that need to write
some outputs into a shared directory and reference the output in a later
FROM instruction, e.g.
FROM oci-archive:./out.ociarchive
See konflux-ci/buildah-container#134 for more
details.
Signed-off-by: Adam Cmiel <[email protected]>
Allows to mount the current working directory into the build using
--volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context
directory for the build, because we set the workdir to the context dir
before calling 'buildah build'.
The primary use case for this parameter is for builds that need to write
some outputs into a shared directory and reference the output in a later
FROM instruction, e.g.
FROM oci-archive:./out.ociarchive
See konflux-ci/buildah-container#134 for more
details.
Signed-off-by: Adam Cmiel <[email protected]>
After merging #121, users that build Flatpaks reported (internally) that their builds stopped working. We reverted the update in #126 to undo the regression until we could investigate more. In #126 (comment), @cgwalters pointed out that bootc builds likewise depend on the older version of buildah and linked the relevant issues.
After going through containers/buildah#5952 and containers/buildah#5988, this is my current understanding of the situation:
buildah build: use the same overlay for the context directory for the whole build containers/buildah#5975Even without waiting for the PR on the buildah side, maybe we could make flatpak and bootc builds work like this:
MOUNT_BUILD_CONTEXTparameter. When enabled, add--volume $context_dir:/buildcontextto thebuildah buildinvocation. The mount destination path can be configurable. The source can be configurable too, as long as it's within the context dir.--mount=...from RUN instructions and instead write to the pre-mounted context directory.The text was updated successfully, but these errors were encountered: