From 11f48c567ff2d491f8dd27897befcdaf87d7c989 Mon Sep 17 00:00:00 2001 From: Andrey Smirnov Date: Mon, 16 Sep 2024 20:30:12 +0400 Subject: [PATCH] fix: image reproducibility with finalize See https://github.com/tonistiigi/fsutil/issues/207 The result of this issue is that we can't use `finalize` steps where destination is a directory, so refactor things to pull in such steps into the `install` step. Signed-off-by: Andrey Smirnov --- container-runtime/crun/pkg.yaml | 6 ++++-- container-runtime/gvisor/pkg.yaml | 13 +++++-------- container-runtime/kata-containers/pkg.yaml | 10 ++++++---- container-runtime/spin/pkg.yaml | 5 +++-- container-runtime/stargz-snapshotter/pkg.yaml | 15 +++++++++------ examples/hello-world-service/pkg.yaml | 7 ++++--- guest-agents/qemu-guest-agent/pkg.yaml | 5 +++-- guest-agents/xen-guest-agent/pkg.yaml | 6 ++++-- network/tailscale/pkg.yaml | 5 +++-- nvidia-gpu/nvidia-container-toolkit/lts/pkg.yaml | 6 +++--- .../nvidia-container-runtime/pkg.yaml | 10 ++++++---- .../nvidia-container-toolkit/production/pkg.yaml | 5 ++--- nvidia-gpu/nvidia-fabricmanager/lts/pkg.yaml | 4 ++-- .../nvidia-fabricmanager/production/lts/pkg.yaml | 4 ++-- power/nut-client/pkg.yaml | 5 +++-- storage/iscsi-tools/pkg.yaml | 9 +++++---- storage/zfs/pkg.yaml | 6 ++++-- 17 files changed, 68 insertions(+), 53 deletions(-) diff --git a/container-runtime/crun/pkg.yaml b/container-runtime/crun/pkg.yaml index c463f738..7bc1c803 100644 --- a/container-runtime/crun/pkg.yaml +++ b/container-runtime/crun/pkg.yaml @@ -24,6 +24,10 @@ steps: mkdir -p /rootfs/usr/local/bin cp -av crun /rootfs/usr/local/bin/crun chmod +x /rootfs/usr/local/bin/crun + + - | + mkdir -p /rootfs/etc/cri/conf.d + cp /pkg/crun.part /rootfs/etc/cri/conf.d/crun.part test: - | mkdir -p /extensions-validator-rootfs @@ -36,5 +40,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/crun.part - to: /rootfs/etc/cri/conf.d/crun.part diff --git a/container-runtime/gvisor/pkg.yaml b/container-runtime/gvisor/pkg.yaml index eb527e3a..9763359e 100644 --- a/container-runtime/gvisor/pkg.yaml +++ b/container-runtime/gvisor/pkg.yaml @@ -44,6 +44,11 @@ steps: cp ./bin/containerd-shim-runsc-v1 /rootfs/usr/local/bin/containerd-shim-runsc-v1 chmod +x /rootfs/usr/local/bin/containerd-shim-runsc-v1 + + - | + mkdir -p /rootfs/etc/cri/conf.d + + cp /pkg/gvisor.part /pkg/runsc.toml /pkg/gvisor-kvm.part /pkg/runsc-kvm.toml /rootfs/etc/cri/conf.d/ test: - | mkdir -p /extensions-validator-rootfs @@ -55,11 +60,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/gvisor.part - to: /rootfs/etc/cri/conf.d/gvisor.part - - from: /pkg/runsc.toml - to: /rootfs/etc/cri/conf.d/runsc.toml - - from: /pkg/gvisor-kvm.part - to: /rootfs/etc/cri/conf.d/gvisor-kvm.part - - from: /pkg/runsc-kvm.toml - to: /rootfs/etc/cri/conf.d/runsc-kvm.toml diff --git a/container-runtime/kata-containers/pkg.yaml b/container-runtime/kata-containers/pkg.yaml index 5797dbff..a9a5a106 100644 --- a/container-runtime/kata-containers/pkg.yaml +++ b/container-runtime/kata-containers/pkg.yaml @@ -59,6 +59,12 @@ steps: - | cd ${GOPATH}/src/github.com/kata-containers/src/runtime cp containerd-shim-kata-v2 /rootfs/usr/local/bin/containerd-shim-kata-v2 + - | + mkdir -p /rootfs/etc/cri/conf.d + cp /pkg/kata-containers.part /rootfs/etc/cri/conf.d/kata-containers.part + + mkdir -p /rootfs/usr/local/share/kata-containers + cp /pkg/configuration.toml /rootfs/usr/local/share/kata-containers/configuration.toml test: - | mkdir -p /extensions-validator-rootfs @@ -70,7 +76,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/kata-containers.part - to: /rootfs/etc/cri/conf.d/kata-containers.part - - from: /pkg/configuration.toml - to: /rootfs/usr/local/share/kata-containers/configuration.toml diff --git a/container-runtime/spin/pkg.yaml b/container-runtime/spin/pkg.yaml index 970ef162..ec37d7a1 100644 --- a/container-runtime/spin/pkg.yaml +++ b/container-runtime/spin/pkg.yaml @@ -24,6 +24,9 @@ steps: mkdir -p /rootfs/usr/local/bin tar xf containerd-shim-spin.tar.gz -C /rootfs/usr/local/bin + - | + mkdir -p /rootfs/etc/cri/conf.d + cp /pkg/spin.part /rootfs/etc/cri/conf.d/spin.part test: - | mkdir -p /extensions-validator-rootfs @@ -35,5 +38,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/spin.part - to: /rootfs/etc/cri/conf.d/spin.part diff --git a/container-runtime/stargz-snapshotter/pkg.yaml b/container-runtime/stargz-snapshotter/pkg.yaml index 5996a66a..7a512f38 100644 --- a/container-runtime/stargz-snapshotter/pkg.yaml +++ b/container-runtime/stargz-snapshotter/pkg.yaml @@ -41,6 +41,15 @@ steps: cp ./out/ctr-remote /rootfs/usr/local/lib/containers/stargz-snapshotter/ctr-remote chmod +x /rootfs/usr/local/lib/containers/stargz-snapshotter/ctr-remote + - | + mkdir -p /rootfs/etc/cri/conf.d + cp /pkg/stargz-snapshotter.part /rootfs/etc/cri/conf.d/stargz-snapshotter.part + + mkdir -p /rootfs/usr/local/etc/containerd-stargz-grpc + cp /pkg/config.toml /rootfs/usr/local/etc/containerd-stargz-grpc/config.toml + + mkdir -p /rootfs/usr/local/etc/containers + cp /pkg/stargz-snapshotter.yaml /rootfs/usr/local/etc/containers/ test: - | mkdir -p /extensions-validator-rootfs @@ -52,9 +61,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/stargz-snapshotter.part - to: /rootfs/etc/cri/conf.d/stargz-snapshotter.part - - from: /pkg/config.toml - to: /rootfs/usr/local/etc/containerd-stargz-grpc/config.toml - - from: /pkg/stargz-snapshotter.yaml - to: /rootfs/usr/local/etc/containers/ diff --git a/examples/hello-world-service/pkg.yaml b/examples/hello-world-service/pkg.yaml index c0210b5c..4a35379f 100644 --- a/examples/hello-world-service/pkg.yaml +++ b/examples/hello-world-service/pkg.yaml @@ -20,10 +20,13 @@ steps: CGO_ENABLED=0 go build -o ./hello-world . install: - | - mkdir -p /rootfs/usr/local/etc/containers mkdir -p /rootfs/usr/local/lib/containers/hello-world cp -p /pkg/src/hello-world /rootfs/usr/local/lib/containers/hello-world/ + - | + mkdir -p /rootfs/usr/local/etc/containers + + cp /pkg/hello-world.yaml /rootfs/usr/local/etc/containers/ test: - | mkdir -p /extensions-validator-rootfs @@ -35,5 +38,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/hello-world.yaml - to: /rootfs/usr/local/etc/containers/ diff --git a/guest-agents/qemu-guest-agent/pkg.yaml b/guest-agents/qemu-guest-agent/pkg.yaml index 032bdc6c..852390c7 100644 --- a/guest-agents/qemu-guest-agent/pkg.yaml +++ b/guest-agents/qemu-guest-agent/pkg.yaml @@ -63,6 +63,9 @@ steps: rmdir /rootfs/usr/local/share rmdir /rootfs/var/run rmdir /rootfs/var + - | + mkdir -p /rootfs/usr/local/etc/containers + cp /pkg/qemu-guest-agent.yaml /rootfs/usr/local/etc/containers/ test: - | mkdir -p /extensions-validator-rootfs @@ -74,5 +77,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/qemu-guest-agent.yaml - to: /rootfs/usr/local/etc/containers/ diff --git a/guest-agents/xen-guest-agent/pkg.yaml b/guest-agents/xen-guest-agent/pkg.yaml index d12497f3..5f6bc048 100644 --- a/guest-agents/xen-guest-agent/pkg.yaml +++ b/guest-agents/xen-guest-agent/pkg.yaml @@ -32,6 +32,10 @@ steps: containerRoot=/rootfs/usr/local/lib/containers/xen-guest-agent mkdir -p "$containerRoot" mv target/{{ .ARCH }}-alpine-linux-musl/release/xen-guest-agent "$containerRoot/xen-guest-agent" + - | + mkdir -p /rootfs/usr/local/etc/containers + + cp /pkg/xen-guest-agent.yaml /rootfs/usr/local/etc/containers/ test: - | mkdir -p /extensions-validator-rootfs @@ -43,5 +47,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/xen-guest-agent.yaml - to: /rootfs/usr/local/etc/containers/ diff --git a/network/tailscale/pkg.yaml b/network/tailscale/pkg.yaml index 3f6f8821..a5cbf2ce 100644 --- a/network/tailscale/pkg.yaml +++ b/network/tailscale/pkg.yaml @@ -37,6 +37,9 @@ steps: cp -pr dist/tailscale /rootfs/usr/local/lib/containers/tailscale/usr/local/bin cp -pr dist/tailscaled /rootfs/usr/local/lib/containers/tailscale/usr/local/bin cp -pr dist/containerboot /rootfs/usr/local/lib/containers/tailscale/usr/local/bin + - | + mkdir -p /rootfs/usr/local/etc/containers + cp /pkg/tailscale.yaml /rootfs/usr/local/etc/containers/ test: - | mkdir -p /extensions-validator-rootfs @@ -48,5 +51,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/tailscale.yaml - to: /rootfs/usr/local/etc/containers/ diff --git a/nvidia-gpu/nvidia-container-toolkit/lts/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/lts/pkg.yaml index 7734674e..4215aa5f 100644 --- a/nvidia-gpu/nvidia-container-toolkit/lts/pkg.yaml +++ b/nvidia-gpu/nvidia-container-toolkit/lts/pkg.yaml @@ -18,7 +18,9 @@ steps: sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml install: - | - mkdir -p /rootfs + mkdir -p /rootfs/usr/local/etc/containers + + cp /pkg/nvidia-persistenced.yaml /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml test: - | mkdir -p /extensions-validator-rootfs @@ -28,7 +30,5 @@ steps: finalize: - from: /rootfs to: /rootfs - - from: /pkg/nvidia-persistenced.yaml - to: /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml - from: /pkg/manifest.yaml to: / diff --git a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml index 3b238243..325a6572 100644 --- a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml +++ b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml @@ -49,10 +49,12 @@ steps: ln -sv nvidia-container-runtime-wrapper /rootfs/usr/local/bin/$(basename $clean_file) cp $clean_file /rootfs/usr/local/bin/$(basename $clean_file).real done + - | + mkdir -p /rootfs/etc/cri/conf.d + cp /pkg/nvidia-container-runtime.part /rootfs/etc/cri/conf.d/nvidia-container-runtime.part + + mkdir -p /rootfs/usr/local/etc/nvidia-container-runtime + cp /pkg/nvidia-container-runtime.toml /rootfs/usr/local/etc/nvidia-container-runtime/config.toml finalize: - from: /rootfs to: /rootfs - - from: /pkg/nvidia-container-runtime.part - to: /rootfs/etc/cri/conf.d/nvidia-container-runtime.part - - from: /pkg/nvidia-container-runtime.toml - to: /rootfs/usr/local/etc/nvidia-container-runtime/config.toml diff --git a/nvidia-gpu/nvidia-container-toolkit/production/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/production/pkg.yaml index d672eb60..022f4d14 100644 --- a/nvidia-gpu/nvidia-container-toolkit/production/pkg.yaml +++ b/nvidia-gpu/nvidia-container-toolkit/production/pkg.yaml @@ -18,7 +18,8 @@ steps: sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml install: - | - mkdir -p /rootfs + mkdir -p /rootfs/usr/local/etc/containers + cp /pkg/nvidia-persistenced.yaml /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml test: - | mkdir -p /extensions-validator-rootfs @@ -28,7 +29,5 @@ steps: finalize: - from: /rootfs to: /rootfs - - from: /pkg/nvidia-persistenced.yaml - to: /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml - from: /pkg/manifest.yaml to: / diff --git a/nvidia-gpu/nvidia-fabricmanager/lts/pkg.yaml b/nvidia-gpu/nvidia-fabricmanager/lts/pkg.yaml index 81732f2d..9cb7a877 100644 --- a/nvidia-gpu/nvidia-fabricmanager/lts/pkg.yaml +++ b/nvidia-gpu/nvidia-fabricmanager/lts/pkg.yaml @@ -40,6 +40,8 @@ steps: cp etc/fabricmanager.cfg /rootfs/usr/local/share/nvidia/nvswitch/ + cp /pkg/nvidia-fabricmanager.yaml /rootfs/usr/local/etc/containers/nvidia-fabricmanager.yaml + sed -i 's/DAEMONIZE=.*/DAEMONIZE=0/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg sed -i 's/STATE_FILE_NAME=.*/STATE_FILE_NAME=\/var\/run\/nvidia-fabricmanager\/fabricmanager.state/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg sed -i 's/TOPOLOGY_FILE_PATH=.*/TOPOLOGY_FILE_PATH=\/usr\/local\/share\/nvidia\/nvswitch/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg @@ -53,7 +55,5 @@ steps: finalize: - from: /rootfs to: /rootfs - - from: /pkg/nvidia-fabricmanager.yaml - to: /rootfs/usr/local/etc/containers/nvidia-fabricmanager.yaml - from: /pkg/manifest.yaml to: / diff --git a/nvidia-gpu/nvidia-fabricmanager/production/lts/pkg.yaml b/nvidia-gpu/nvidia-fabricmanager/production/lts/pkg.yaml index 9a7ac4ba..61ec0753 100644 --- a/nvidia-gpu/nvidia-fabricmanager/production/lts/pkg.yaml +++ b/nvidia-gpu/nvidia-fabricmanager/production/lts/pkg.yaml @@ -40,6 +40,8 @@ steps: cp etc/fabricmanager.cfg /rootfs/usr/local/share/nvidia/nvswitch/ + cp /pkg/nvidia-fabricmanager.yaml /rootfs/usr/local/etc/containers/nvidia-fabricmanager.yaml + sed -i 's/DAEMONIZE=.*/DAEMONIZE=0/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg sed -i 's/STATE_FILE_NAME=.*/STATE_FILE_NAME=\/var\/run\/nvidia-fabricmanager\/fabricmanager.state/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg sed -i 's/TOPOLOGY_FILE_PATH=.*/TOPOLOGY_FILE_PATH=\/usr\/local\/share\/nvidia\/nvswitch/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg @@ -53,7 +55,5 @@ steps: finalize: - from: /rootfs to: /rootfs - - from: /pkg/nvidia-fabricmanager.yaml - to: /rootfs/usr/local/etc/containers/nvidia-fabricmanager.yaml - from: /pkg/manifest.yaml to: / diff --git a/power/nut-client/pkg.yaml b/power/nut-client/pkg.yaml index 6123bcd9..a4d46431 100644 --- a/power/nut-client/pkg.yaml +++ b/power/nut-client/pkg.yaml @@ -80,6 +80,9 @@ steps: rm -rf /rootfs/usr/local/etc rm -rf /rootfs/usr/local/lib/nut rm -rf /rootfs/usr/local/sbin + - | + mkdir -p /rootfs/usr/local/etc/containers + cp /pkg/nut-client.yaml /rootfs/usr/local/etc/containers/ test: - | mkdir -p /extensions-validator-rootfs @@ -91,5 +94,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/nut-client.yaml - to: /rootfs/usr/local/etc/containers/ diff --git a/storage/iscsi-tools/pkg.yaml b/storage/iscsi-tools/pkg.yaml index 4376bf8a..a4b8b1aa 100644 --- a/storage/iscsi-tools/pkg.yaml +++ b/storage/iscsi-tools/pkg.yaml @@ -19,6 +19,11 @@ steps: # cleanup rm -rf /rootfs/usr/local/include rm -rf /rootfs/usr/share + - | + mkdir -p /rootfs/usr/local/etc/containers + + cp /pkg/iscsid.yaml /rootfs/usr/local/etc/containers/iscsid.yaml + cp /pkg/tgtd.yaml /rootfs/usr/local/etc/containers/tgtd.yaml test: - | mkdir -p /extensions-validator-rootfs @@ -26,10 +31,6 @@ steps: cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}" finalize: - - from: /pkg/iscsid.yaml - to: /rootfs/usr/local/etc/containers/iscsid.yaml - - from: /pkg/tgtd.yaml - to: /rootfs/usr/local/etc/containers/tgtd.yaml - from: /rootfs to: /rootfs - from: /pkg/manifest.yaml diff --git a/storage/zfs/pkg.yaml b/storage/zfs/pkg.yaml index 40b4e648..d3f335c7 100644 --- a/storage/zfs/pkg.yaml +++ b/storage/zfs/pkg.yaml @@ -18,6 +18,10 @@ steps: mkdir -p /rootfs/lib/modules /rootfs/usr/local/lib/containers/zpool-importer cp -R /lib/modules/* /rootfs/lib/modules + - | + mkdir -p /rootfs/usr/local/lib/containers + + cp /pkg/zpool-importer.yaml /rootfs/usr/local/lib/containers/zpool-importer.yaml test: - | mkdir -p /extensions-validator-rootfs @@ -29,5 +33,3 @@ finalize: to: /rootfs - from: /pkg/manifest.yaml to: / - - from: /pkg/zpool-importer.yaml - to: /rootfs/usr/local/etc/containers/zpool-importer.yaml