Merge pull request #1358 from cgwalters/buildsys-rework

build-sys: Rework to have toplevel Dockerfile + Justfile

Author: henrywang

.dockerignore

@@ -7,5 +7,7 @@ target
 docs/
 # TMT interprets these, not the container build
 plans/
-# Avoid changes to this blowing out all layer caches
+# These only affect flow outside of the container
+Dockerfile
+Justfile
 hack/Containerfile

.github/workflows/ci.yml

@@ -52,11 +52,11 @@ jobs:
           echo 'deb [trusted=yes] https://ftp.debian.org/debian/ testing main' | sudo tee /etc/apt/sources.list.d/testing.list
           sudo apt update
           sudo apt install -y crun/testing podman/testing skopeo/testing
+      - name: Installdeps
+        run: sudo apt update && sudo apt install just
       - uses: actions/checkout@v4
-      - name: Build container (fedora)
-        run: sudo podman build --build-arg=base=quay.io/fedora/fedora-bootc:41 -t localhost/bootc -f hack/Containerfile . 
-      - name: Container integration
-        run: sudo podman run --rm localhost/bootc bootc-integration-tests container
+      - name: Build and run container integration tests
+        run: sudo just run-container-integration
   cargo-deny:
     runs-on: ubuntu-latest
     steps:
@@ -84,15 +84,16 @@ jobs:
       - name: Enable fsverity for /
         run: sudo tune2fs -O verity $(findmnt -vno SOURCE /)
       - name: Install utils
-        run: sudo apt -y install fsverity
+        run: sudo apt -y install fsverity just
       - name: Integration tests
         run: |
           set -xeu
           # Build images to test; TODO investigate doing single container builds
           # via GHA and pushing to a temporary registry to share among workflows?
-          sudo podman build -t localhost/bootc -f hack/Containerfile .
+          sudo just build-integration-test-image
           sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity
 
+          # TODO move into a container, and then have this tool run other containers
           export CARGO_INCREMENTAL=0  # because we aren't caching the test runner bits
           cargo build --release -p tests-integration
 
@@ -104,9 +105,9 @@ jobs:
           sudo podman run --privileged --pid=host -v /:/run/host -v $(pwd):/src:ro -v /var/tmp:/var/tmp \
             -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/ostree-ext/ci/priv-integration.sh
           # Nondestructive but privileged tests
-          sudo bootc-integration-tests host-privileged localhost/bootc
+          sudo bootc-integration-tests host-privileged localhost/bootc-integration
           # Install tests
-          sudo bootc-integration-tests install-alongside localhost/bootc
+          sudo bootc-integration-tests install-alongside localhost/bootc-integration
 
           # system-reinstall-bootc tests
           cargo build --release -p system-reinstall-bootc
@@ -116,7 +117,7 @@ jobs:
 
           sudo install -m 0755 target/release/system-reinstall-bootc /usr/bin/system-reinstall-bootc
           # These tests may mutate the system live so we can't run in parallel
-          sudo bootc-integration-tests system-reinstall localhost/bootc --test-threads=1
+          sudo bootc-integration-tests system-reinstall localhost/bootc-integration --test-threads=1
 
           # And the fsverity case
           sudo podman run --privileged --pid=host localhost/bootc-fsverity bootc install to-existing-root --stateroot=other \

Dockerfile

@@ -0,0 +1,56 @@
+# Build this project from source and drop the updated content on to
+# a bootc container image. By default we use CentOS Stream 9 as a base;
+# use e.g. --build-arg=base=quay.io/fedora/fedora-bootc:41 to target
+# Fedora instead.
+
+ARG base=quay.io/centos-bootc/centos-bootc:stream9
+
+FROM scratch as src
+COPY . /src
+
+# This image installs build deps, pulls in our source code, and installs updated
+# bootc binaries in /out. The intention is that the target rootfs is extracted from /out
+# back into a final stae (without the build deps etc) below.
+FROM $base as build
+# This installs our package dependencies, and we want to cache it independently of the rest.
+# Basically we don't want changing a .rs file to blow out the cache of packages. So we only
+# copy files necessary
+COPY contrib/packaging/bootc.spec /tmp/bootc.spec
+RUN <<EORUN
+set -xeuo pipefail
+. /usr/lib/os-release
+case $ID in
+  centos|rhel) dnf config-manager --set-enabled crb;;
+  fedora) dnf -y install dnf-utils 'dnf5-command(builddep)';;
+esac
+dnf -y builddep /tmp/bootc.spec
+# Extra dependencies
+dnf -y install git-core
+EORUN
+# Now copy the rest of the source
+COPY --from=src /src /src
+WORKDIR /src
+# See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
+# We aren't using the full recommendations there, just the simple bits.
+RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome \
+    make && make install-all DESTDIR=/out
+
+# This "build" just runs our unit tests
+FROM build as units
+ARG unitargs
+RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome \
+    cargo test --locked $unitargs
+
+# The final image that derives from the original base and adds the release binaries
+FROM $base
+# First, create a layer that is our new binaries.
+COPY --from=build /out/ /
+RUN <<EORUN
+set -xeuo pipefail
+# Only in this containerfile, inject a file which signifies
+# this comes from this development image. This can be used in
+# tests to know we're doing upstream CI.
+touch /usr/lib/.bootc-dev-stamp
+# And test our own linting
+bootc container lint --fatal-warnings
+EORUN

Justfile

@@ -0,0 +1,14 @@
+# Build the container image from current sources
+build *ARGS:
+    podman build --jobs=4 -t localhost/bootc {{ARGS}} .
+
+# This container image has additional testing content and utilities
+build-integration-test-image *ARGS: build
+    podman build --jobs=4 -t localhost/bootc-integration -f hack/Containerfile {{ARGS}} .
+
+# Run container integration tests
+run-container-integration: build-integration-test-image
+    podman run --rm localhost/bootc-integration bootc-integration-tests container
+
+unittest *ARGS:
+    podman build --jobs=4 --target units -t localhost/bootc-units --build-arg=unitargs={{ARGS}} .

Makefile

@@ -6,7 +6,7 @@ TAR_REPRODUCIBLE = tar --mtime="@${SOURCE_DATE_EPOCH}" --sort=name --owner=0 --g
 
 all:
 	cargo build --release
-    
+
 install:
 	install -D -m 0755 -t $(DESTDIR)$(prefix)/bin target/release/bootc
 	install -D -m 0755 -t $(DESTDIR)$(prefix)/bin target/release/system-reinstall-bootc

hack/Containerfile

@@ -1,35 +1,13 @@
-# Build bootc from the current git into a c9s-bootc container image.
-# Use e.g. --build-arg=base=quay.io/fedora/fedora-bootc:41 to target
-# Fedora instead.
-#
-# You can also generate an image with cloud-init and other dependencies
-# with `--build-arg=tmt` which is intended for use particularly via
-# https://tmt.readthedocs.io/en/stable/
-
-ARG base=quay.io/centos-bootc/centos-bootc:stream9
+# This injects some extra testing stuff into our image
 
 FROM scratch as context
 # We only need this stuff in the initial context
 COPY hack /hack
 COPY contrib /contrib
 
-FROM $base as build
-# This installs our package dependencies, and we want to cache it independently of the rest.
-# Basically we don't want changing a .rs file to blow out the cache of packages.
-RUN --mount=type=bind,from=context,target=/run/context /run/context/hack/build.sh
-# Now copy the rest of the source
-COPY . /build
-WORKDIR /build
-# See https://www.reddit.com/r/rust/comments/126xeyx/exploring_the_problem_of_faster_cargo_docker/
-# We aren't using the full recommendations there, just the simple bits.
-RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome \
-    make && make install-all DESTDIR=/out
-
-FROM $base
+FROM localhost/bootc
 # We support e.g. adding cloud-init
 ARG variant=
-# First, create a layer that is our new binaries.
-COPY --from=build /out/ /
 # And this layer has additional stuff for testing, such as nushell etc.
 RUN --mount=type=bind,from=context,target=/run/context <<EORUN
 set -xeuo pipefail
@@ -38,9 +16,6 @@ set -xeuo pipefail
 install -D -t /usr/lib/bootc/kargs.d /run/context/hack/test-kargs/*
 # Also copy in some default install configs we use for testing
 install -D -t /usr/lib/bootc/install/ /run/context/hack/install-test-configs/*
-# Finally only in this containerfile, inject a file which signifies
-# this comes from this development image.
-touch /usr/lib/.bootc-dev-stamp
 # Finally, test our own linting
 bootc container lint --fatal-warnings
 EORUN

hack/build.sh

@@ -1,6 +1,11 @@
 #!/bin/bash
 set -exuo pipefail
 
+# This script basically builds bootc from source using the provided base image,
+# then runs the target tests. We need to do this because at the moment
+# packit/tmt/testing-farm effectively only support RPMs, not container images.
+# https://issues.redhat.com/browse/TFT-2751
+
 BOOTC_TEMPDIR=$(mktemp -d)
 trap 'rm -rf -- "$BOOTC_TEMPDIR"' EXIT
 
@@ -102,11 +107,22 @@ $(cat "$COMMON_CONTAINERFILE")
 REALEOF
     else
         BOOTC_CI_CONTAINERFILE="${BOOTC_TEMPDIR}/bootc_ci_containerfile"
-        tee "$BOOTC_CI_CONTAINERFILE" > /dev/null << BOOTCCIEOF
+        # TODO use the default Dockerfile here instead of a copy of it
+        tee "$BOOTC_CI_CONTAINERFILE" > /dev/null <<BOOTCCIEOF
 FROM $TIER1_IMAGE_URL as build
 
 WORKDIR /code
-RUN hack/build.sh
+RUN <<EORUN
+set -xeuo pipefail
+. /usr/lib/os-release
+case $ID in
+  centos|rhel) dnf config-manager --set-enabled crb;;
+  fedora) dnf -y install dnf-utils 'dnf5-command(builddep)';;
+esac
+dnf -y builddep contrib/packaging/bootc.spec
+# Extra dependencies
+dnf -y install git-core
+EORUN
 
 RUN mkdir -p /build/target/dev-rootfs
 RUN --mount=type=cache,target=/build/target --mount=type=cache,target=/var/roothome make test-bin-archive && mkdir -p /out && cp target/bootc.tar.zst /out
@@ -116,17 +132,13 @@ FROM $TIER1_IMAGE_URL
 # Inject our built code
 COPY --from=build /out/bootc.tar.zst /tmp
 RUN tar -C / --zstd -xvf /tmp/bootc.tar.zst && rm -vrf /tmp/*
-# Also copy over arbitrary bits from the target root
-COPY --from=build /build/target/dev-rootfs/ /
-
 BOOTCCIEOF
         cat >"$CONTAINERFILE" <<REALEOF
 $(cat "$BOOTC_CI_CONTAINERFILE")
 $(cat "$COMMON_CONTAINERFILE")
 REALEOF
     fi
 
-
     if [[ -d "/var/ARTIFACTS" ]]; then
         # In Testing Farm, TMT work dir /var/ARTIFACTS should be reserved
         echo "COPY ARTIFACTS /var/ARTIFACTS" >> "$CONTAINERFILE"