ROX-24040: Set Podman instead of Docker to fix RHEL8 builders

Author: ebensh

Dockerfile

@@ -8,9 +8,15 @@ WORKDIR /src
 RUN go env -w GOCACHE=/go/.cache; \
     go env -w GOMODCACHE=/go/pkg/mod
 
+# We previously used --mount=type=bind in the next RUN command
+# (see https://docs.docker.com/build/guide/mounts/#add-bind-mounts)
+# but this did not work with SELinux volumes and Docker, as only
+# Podman supports the relabel=shared option
+# (see https://docs.podman.io/en/v4.4/markdown/options/mount.html).
+# This adds a layer but works with Docker and Podman.
+COPY go.mod go.sum ./
+
 RUN --mount=type=cache,target=/go/pkg/mod/ \
-     --mount=type=bind,source=go.sum,target=go.sum \
-     --mount=type=bind,source=go.mod,target=go.mod \
       go mod download -x
 
 COPY . ./

Makefile

@@ -497,12 +497,12 @@ docker/login: docker/login/fleet-manager
 .PHONY: docker/login
 
 docker/login/fleet-manager:
-	@docker logout quay.io
+	$(DOCKER) logout quay.io || true  # Swallog podman error if not logged in
 	@DOCKER_CONFIG=${DOCKER_CONFIG} $(DOCKER) login -u "${QUAY_USER}" --password-stdin <<< "${QUAY_TOKEN}" quay.io
 .PHONY: docker/login/fleet-manager
 
 docker/login/probe:
-	@docker logout quay.io
+	$(DOCKER) logout quay.io || true  # Swallow podman error if not logged in
 	@DOCKER_CONFIG=${DOCKER_CONFIG} $(DOCKER) login -u "${QUAY_PROBE_USER}" --password-stdin <<< "${QUAY_PROBE_TOKEN}" quay.io
 .PHONY: docker/login/probe
 
@@ -563,7 +563,7 @@ image/push: image/push/fleet-manager image/push/probe
 
 image/push/fleet-manager: IMAGE_REF="$(external_image_registry)/$(image_repository):$(image_tag)"
 image/push/fleet-manager:
-	DOCKER_CONFIG=${DOCKER_CONFIG} $(DOCKER) buildx build -t $(IMAGE_REF) --platform $(IMAGE_PLATFORM) --push .
+	DOCKER_CONFIG=${DOCKER_CONFIG} $(DOCKER) buildx build -t $(IMAGE_REF) --platform $(IMAGE_PLATFORM) --output=type=registry .
 	@echo
 	@echo "Image was pushed as $(IMAGE_REF). You might want to"
 	@echo "export FLEET_MANAGER_IMAGE=$(IMAGE_REF)"
@@ -579,7 +579,7 @@ image/push/probe: image/build/probe
 # push the image to the OpenShift internal registry
 image/push/internal: IMAGE_TAG ?= $(image_tag)
 image/push/internal: docker/login/internal
-	$(DOCKER) buildx build -t "$(shell oc get route default-route -n openshift-image-registry -o jsonpath="{.spec.host}")/$(NAMESPACE)/$(IMAGE_NAME):$(IMAGE_TAG)" --platform linux/amd64 --push .
+	$(DOCKER) buildx build -t "$(shell oc get route default-route -n openshift-image-registry -o jsonpath="{.spec.host}")/$(NAMESPACE)/$(IMAGE_NAME):$(IMAGE_TAG)" --platform linux/amd64 --output=type=registry .
 .PHONY: image/push/internal
 
 image/build/fleetshard-operator: IMAGE_REF="$(external_image_registry)/fleetshard-operator:$(image_tag)"

build_push_app_interface.sh

@@ -1,4 +1,4 @@
-#!/bin/bash -e
+#!/bin/bash -ex
 #
 # Copyright (c) 2024 Red Hat, Inc.
 #
@@ -36,6 +36,9 @@ IMAGE_REPOSITORY="${QUAY_IMAGE_REPOSITORY:-app-sre/acs-fleet-manager}"
 PROBE_IMAGE_REPOSITORY="${PROBE_QUAY_IMAGE_REPOSITORY:-app-sre/acscs-probe}"
 EMAILSENDER_IMAGE_REPOSITORY="${PROBE_QUAY_IMAGE_REPOSITORY:-app-sre/acscs-emailsender}"
 
+# Support RHEL8 build images for App-Interface ci-ext
+# export DOCKER=podman
+
 source ./scripts/build_setup.sh
 
 # Push the image:

type=registry/root/.bash_logout

@@ -0,0 +1,2 @@
+# ~/.bash_logout
+

type=registry/root/.bash_profile

@@ -0,0 +1,12 @@
+# .bash_profile
+
+# Get the aliases and functions
+if [ -f ~/.bashrc ]; then
+	. ~/.bashrc
+fi
+
+# User specific environment and startup programs
+
+PATH=$PATH:$HOME/bin
+
+export PATH

type=registry/root/.bashrc

@@ -0,0 +1,12 @@
+# .bashrc
+
+# User specific aliases and functions
+
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'
+
+# Source global definitions
+if [ -f /etc/bashrc ]; then
+	. /etc/bashrc
+fi

type=registry/root/.cshrc

@@ -0,0 +1,7 @@
+# .cshrc
+
+# User specific aliases and functions
+
+alias rm 'rm -i'
+alias cp 'cp -i'
+alias mv 'mv -i'

type=registry/root/.tcshrc

@@ -0,0 +1,10 @@
+# .tcshrc
+
+# User specific aliases and functions
+
+alias rm 'rm -i'
+alias cp 'cp -i'
+alias mv 'mv -i'
+
+set prompt='[%n@%m %c]# '
+

type=registry/root/anaconda-ks.cfg

@@ -0,0 +1,248 @@
+#version=RHEL8
+# Reboot after installation
+reboot
+# Use text mode install
+text
+
+repo --name="koji-override-0" --baseurl=http://download.devel.redhat.com/released/rhel-8/RHEL-8/8.10.0/BaseOS/x86_64/os/ --noverifyssl
+repo --name="koji-override-1" --baseurl=https://rhsm-pulp.corp.redhat.com/content/dist/rhel8/8/x86_64/appstream/os --noverifyssl
+repo --name="koji-override-2" --baseurl=https://rhsm-pulp.corp.redhat.com/content/dist/rhel8/8/x86_64/baseos/os --noverifyssl
+repo --name="koji-override-3" --baseurl=http://download.devel.redhat.com/released/rhel-8/RHEL-8/8.10.0/AppStream/x86_64/os/ --noverifyssl
+
+%post --logfile=/root/anaconda-post.log --erroronfail
+set -eux
+
+# Support for subscription-manager secrets
+ln -s /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
+ln -s /run/secrets/rhsm /etc/rhsm-host
+
+#https://bugzilla.redhat.com/show_bug.cgi?id=1201663
+rm -f /etc/systemd/system/multi-user.target.wants/rhsmcertd.service
+
+#fips mode
+# secrets patch creates /run/secrets/system-fips if /etc/system-fips exists on the host
+#in turn, openssl in the container checks /etc/system-fips but dangling symlink counts as nonexistent
+ln -s /run/secrets/system-fips /etc/system-fips
+
+# Set install langs macro so that new rpms that get installed will
+# only install langs that we limit it to.
+LANG="C.utf8"
+echo "%_install_langs $LANG" > /etc/rpm/macros.image-language-conf
+echo "LANG=C.utf8" > /etc/locale.conf
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1400682
+# https://bugzilla.redhat.com/show_bug.cgi?id=1672230
+echo "Import RPM GPG key"
+rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+#echo "# fstab intentionally empty for containers" > /etc/fstab
+#this is not possible, guestmount needs fstab => brew build crashes without it
+#fstab is removed in TDL when tar-ing files
+
+# Remove network configuration files leftover from anaconda installation
+# https://bugzilla.redhat.com/show_bug.cgi?id=1713089
+rm -f /etc/sysconfig/network-scripts/ifcfg-*
+
+# Remove machine-id on pre generated images
+rm -f /etc/machine-id
+touch /etc/machine-id
+# Keep permissions the same as the systemd RPM so rpm --verify works
+chmod 0444 /etc/machine-id
+
+%end
+
+%post --logfile=/root/anaconda-post.log --erroronfail
+# remove some random help txt files
+rm -fv usr/share/gnupg/help*.txt
+
+# Pruning random things
+rm usr/lib/rpm/rpm.daily
+rm -rfv usr/lib64/nss/unsupported-tools/  # unsupported
+
+# Statically linked crap
+rm -fv usr/sbin/{glibc_post_upgrade.x86_64,sln}
+ln usr/bin/ln usr/sbin/sln
+
+# Remove some dnf info
+rm -rfv /var/lib/dnf
+
+# don't need icons
+rm -rfv /usr/share/icons/*
+
+#some random not-that-useful binaries
+rm -fv /usr/bin/pinky
+
+# we lose presets by removing /usr/lib/systemd but we do not care
+rm -rfv /usr/lib/systemd
+
+# if you want to change the timezone, bind-mount it from the host or reinstall tzdata
+rm -fv /etc/localtime
+mv /usr/share/zoneinfo/UTC /etc/localtime
+rm -rfv  /usr/share/zoneinfo
+
+# Final pruning
+rm -rfv /var/cache/* /var/log/* /tmp/*
+
+# remove the original RHEL8 EULA
+# TODO: This affects the integrity of the installed rpm. Find a better way.
+rm -f /usr/share/redhat-release/EULA
+
+# install the repofile
+cat > /etc/yum.repos.d/ubi.repo <<EOF
+[ubi-8-baseos-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/baseos/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-baseos-debug-rpms]
+name = Red Hat Universal Base Image 8 (Debug RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/baseos/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-baseos-source]
+name = Red Hat Universal Base Image 8 (Source RPMs) - BaseOS
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/baseos/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-appstream-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/appstream/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-appstream-debug-rpms]
+name = Red Hat Universal Base Image 8 (Debug RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/appstream/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-appstream-source]
+name = Red Hat Universal Base Image 8 (Source RPMs) - AppStream
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/appstream/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-codeready-builder-rpms]
+name = Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/codeready-builder/os
+enabled = 1
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-codeready-builder]
+name = Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/codeready-builder/os
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+
+[ubi-8-codeready-builder-debug-rpms]
+name = Red Hat Universal Base Image 8 (Debug RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/codeready-builder/debug
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+
+[ubi-8-codeready-builder-source]
+name = Red Hat Universal Base Image 8 (Source RPMs) - CodeReady Builder
+baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/\$basearch/codeready-builder/source/SRPMS
+enabled = 0
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+gpgcheck = 1
+EOF
+
+%end
+
+%post --nochroot --logfile=/mnt/sysimage/root/anaconda-post-nochroot.log --erroronfail
+set -eux
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1343138
+# Fix /run/lock breakage since it's not tmpfs in docker
+# This unmounts /run (tmpfs) and then recreates the files
+# in the /run directory on the root filesystem of the container
+# NOTE: run this in nochroot because "umount" does not exist in chroot
+umount /mnt/sysimage/run
+# The file that specifies the /run/lock tmpfile is
+# /usr/lib/tmpfiles.d/legacy.conf, which is part of the systemd
+# rpm that isn't included in this image. We'll create the /run/lock
+# file here manually with the settings from legacy.conf
+# NOTE: chroot to run "install" because it is not in anaconda env
+chroot /mnt/sysimage install -d /run/lock -m 0755 -o root -g root
+
+
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816
+# NOTE: run this in nochroot because "find" does not exist in chroot
+KEEPLANG=en_US
+for dir in locale i18n; do
+    find /mnt/sysimage/usr/share/${dir} -mindepth  1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rfv {} +
+done
+
+%end
+
+%packages --excludedocs --nocore --instLangs=en --excludeWeakdeps
+bash
+coreutils-single
+glibc-minimal-langpack
+libusbx
+microdnf
+redhat-release
+rootfiles
+-crypto-policies-scripts
+-dosfstools
+-e2fsprogs
+-fuse-libs
+-gnupg2-smime
+-kernel
+-libss
+-pinentry
+-qemu-guest-agent
+-shared-mime-info
+-trousers
+-xfsprogs
+-xkeyboard-config
+
+%end
+
+# Keyboard layouts
+keyboard --vckeymap=us --xlayouts='us'
+# System language
+lang en_US.UTF-8
+
+# Network information
+network  --bootproto=dhcp --device=link --activate
+network  --hostname=localhost.localdomain
+
+# Use network installation
+url --url="http://download.devel.redhat.com/released/rhel-8/RHEL-8/8.10.0/BaseOS/x86_64/os/" --noverifyssl
+
+# Do not configure the X Window System
+skipx
+
+ignoredisk --only-use=vda
+# System bootloader configuration
+bootloader --disabled
+autopart --type=plain --fstype=ext4 --nohome --noboot --noswap
+# Clear the Master Boot Record
+zerombr
+# Partition clearing information
+clearpart --all
+
+# System timezone
+timezone Etc/UTC --isUtc --nontp
+
+# Root password
+rootpw --iscrypted --lock locked
+
+%addon com_redhat_kdump --disable --reserve-mb='auto'
+
+%end