get container images closer to fedora-ansible config part 1

Author: nikromen

podman-kube/README.md

@@ -5,19 +5,14 @@ Run COPR infrastructure locally using `podman kube play` with Kubernetes manifes
 ## Quick Start
 
 ```bash
-# Run with dev packages
-just up
-
-# Run with local source code (for development)
-just up-local
+just up        # Start with dev packages
+just up-local  # Start with local source code mounted
 ```
 
 ## Usage
 
-See the manual from just:
-
 ```bash
-just --list
+just help      # Show all commands
 ```
 
 ## Modes
@@ -28,22 +23,16 @@ just --list
 | `release` | `just build release` | Uses Fedora packages only               |
 | `local`   | `just up-local`      | Mounts repo source code for development |
 
-### Local Development Mode
-
-`just up-local` mounts the repository at `/opt/copr` inside containers with appropriate `PYTHONPATH` settings. Edit code locally, then restart the service:
+### Local Development
 
 ```bash
-# Edit frontend code...
-vim ../frontend/coprs_frontend/coprs/views/misc.py
-
-# Restart frontend to pick up changes
-just restart frontend
+just up-local                    # Start with source mounted at /opt/copr
+vim ../frontend/coprs_frontend/  # Edit code
+just restart frontend            # Pick up changes
 ```
 
 ## Access Points
 
-After starting, the following services are available:
-
 | Service         | URL                   |
 | --------------- | --------------------- |
 | Frontend        | http://localhost:5000 |
@@ -54,8 +43,64 @@ After starting, the following services are available:
 
 ## Host Entries (optional)
 
-To make internal URLs work in your browser, add to `/etc/hosts`:
+Add to `/etc/hosts` for internal URL resolution:
 
 ```
 127.0.0.1   frontend backend-httpd distgit keygen resalloc
 ```
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                         localhost                                │
+├──────────┬──────────┬──────────┬──────────┬──────────┬─────────┤
+│  :5000   │  :5001   │  :5002   │  :5005   │  :5009   │         │
+│ Frontend │ DistGit  │ Results  │ Resalloc │ Database │  Redis  │
+└────┬─────┴────┬─────┴────┬─────┴────┬─────┴────┬─────┴────┬────┘
+     │          │          │          │          │          │
+     └──────────┴──────────┴──────────┴──────────┴──────────┘
+                              │
+                    ┌─────────┴─────────┐
+                    │  Backend Workers  │
+                    │  (log/build/action)│
+                    └─────────┬─────────┘
+                              │
+                    ┌─────────┴─────────┐
+                    │     Builder       │
+                    │   (mock builds)   │
+                    └───────────────────┘
+```
+
+## Future Improvements
+
+Potential enhancements for this infrastructure:
+
+### Short-term
+
+- [ ] Kustomize overlays for dev/staging/prod
+- [ ] Resource limits (CPU/memory) in manifests
+- [ ] Readiness/liveness probes for all services
+- [ ] Secrets management (not hardcoded passwords)
+- [ ] Network policies for service isolation
+
+### Medium-term
+
+- [ ] Helm chart for parameterized deployment
+- [ ] CI/CD pipeline to build and push images to registry
+- [ ] OpenShift-compatible manifests (Routes, DeploymentConfigs)
+- [ ] Horizontal pod autoscaling configs
+- [ ] Prometheus metrics endpoints
+
+### Long-term
+
+- [ ] Multi-node deployment support
+- [ ] External database/redis support
+- [ ] S3-compatible storage for results
+- [ ] Pulp integration for content management
+- [ ] GitOps workflow with ArgoCD/Flux
+
+## Requirements
+
+- podman
+- just (`dnf install just`)

podman-kube/containers/backend-httpd/Containerfile

@@ -1,14 +1,22 @@
 FROM registry.fedoraproject.org/fedora:43
-LABEL maintainer="copr-devel@lists.fedorahosted.org"
-LABEL description="COPR Backend HTTPD - serves build results"
 
-RUN dnf install -y nginx && dnf clean all
+LABEL maintainer="copr-devel@lists.fedorahosted.org" \
+      description="COPR Backend HTTPD - serves build results" \
+
+ENV LANG=en_US.UTF-8
+
+RUN --mount=type=cache,target=/var/cache/dnf \
+    dnf -y install nginx && \
+    dnf clean all
 
 COPY files/nginx.conf /etc/nginx/conf.d/default.conf
 
 RUN mkdir -p /var/lib/copr/public_html/results && \
     chown -R nginx:nginx /var/lib/copr
 
+USER nginx
 EXPOSE 5002
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s \
+    CMD curl -sf http://localhost:5002/ || exit 1
 
 CMD ["nginx", "-g", "daemon off;"]

podman-kube/containers/backend/Containerfile

@@ -1,76 +1,67 @@
 FROM registry.fedoraproject.org/fedora:43
-LABEL maintainer="copr-devel@lists.fedorahosted.org"
-LABEL description="COPR Backend services"
+
+LABEL maintainer="copr-devel@lists.fedorahosted.org" \
+      description="COPR Backend services" \
 
 ARG ADDITIONAL_COPR_REPOSITORIES="@copr/copr-dev"
 
-ENV LANG=en_US.UTF-8
-ENV PYTHONPATH="/usr/share/copr/"
-ENV TERM=linux
+ENV LANG=en_US.UTF-8 \
+    PYTHONPATH=/usr/share/copr/ \
+    TERM=linux
 
-RUN set -ex ; \
-    test -z "${ADDITIONAL_COPR_REPOSITORIES}" \
-        || dnf -y install dnf-plugins-core \
-        && for repo in $ADDITIONAL_COPR_REPOSITORIES ; do dnf -y copr enable $repo; done ; \
+RUN --mount=type=cache,target=/var/cache/dnf \
+    set -ex && \
+    if [ -n "${ADDITIONAL_COPR_REPOSITORIES}" ]; then \
+        dnf -y install dnf-plugins-core && \
+        for repo in $ADDITIONAL_COPR_REPOSITORIES; do dnf -y copr enable $repo; done; \
+    fi && \
     dnf -y update && \
-    dnf -y install htop \
-                   make \
-                   wget \
-                   net-tools \
-                   iputils \
-                   vim \
-                   git \
-                   sudo \
-                   openssh-server \
-                   resalloc \
-                   psmisc \
-                   nginx \
-                   findutils \
-                   tini \
-                   pulp-cli \
-                   rng-tools \
-                   expect \
-    && dnf -y install copr-backend \
+    dnf -y install \
+        copr-backend \
+        expect \
+        findutils \
+        git \
+        iputils \
+        openssh-server \
+        psmisc \
+        pulp-cli \
+        resalloc \
+        rng-tools \
+        sudo \
+        tini \
     && dnf clean all
 
-RUN setcap cap_net_raw,cap_net_admin+p /usr/bin/ping
-
-RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -q
-
-RUN echo 'root:passwd' | chpasswd && chmod 700 /root /root/.ssh
-
-RUN set -x ; \
+RUN set -ex && \
+    setcap cap_net_raw,cap_net_admin+p /usr/bin/ping && \
+    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -q && \
+    echo 'root:passwd' | chpasswd && \
+    chmod 700 /root /root/.ssh && \
     echo 'copr:passwd' | chpasswd && \
     echo 'copr ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers && \
-    mkdir -p /home/copr/.ssh && chmod 700 /home/copr /home/copr/.ssh && \
+    mkdir -p /home/copr/.ssh && \
+    chmod 700 /home/copr /home/copr/.ssh && \
     ssh-keygen -f /home/copr/.ssh/id_rsa -N '' -q -C copr@localhost && \
-    touch /home/copr/.ssh/authorized_keys && chmod 600 /home/copr/.ssh/authorized_keys && \
+    touch /home/copr/.ssh/authorized_keys && \
+    chmod 600 /home/copr/.ssh/authorized_keys && \
     cat /home/copr/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys && \
     cat /home/copr/.ssh/id_rsa.pub >> /home/copr/.ssh/authorized_keys && \
-    chown copr:copr -R /home/copr
-
-RUN usermod -a -G mock copr
+    chown -R copr:copr /home/copr && \
+    usermod -a -G mock copr && \
+    mkdir -p /var/lock/copr-backend && \
+    chown copr:copr /var/lock/copr-backend && \
+    rngd -r /dev/urandom || true
 
 COPY files/ /
 
-RUN chmod 700 /root && \
-    chmod 700 /home/copr && \
+RUN set -ex && \
+    chmod 700 /root /home/copr && \
     chmod 400 /home/copr/.ssh/id_rsa && \
     chmod 600 /home/copr/.ssh/id_rsa.pub && \
-    chown -R copr:copr /home/copr
-
-RUN chmod 0755 /usr/bin/sign
-
-RUN chown copr:root /etc/sign.conf && \
+    chown -R copr:copr /home/copr && \
+    chmod 0755 /usr/bin/sign && \
+    chown copr:root /etc/sign.conf && \
     chmod 0660 /etc/sign.conf
 
-RUN mkdir -p /var/lock/copr-backend && \
-    chown copr:copr /var/lock/copr-backend
-
-# Entropy for GPG key generation
-RUN rngd -r /dev/urandom || true
-
 USER copr
-
 ENTRYPOINT ["/usr/bin/tini", "--"]
 CMD ["/run-backend"]

podman-kube/containers/builder/Containerfile

@@ -1,46 +1,42 @@
 FROM registry.fedoraproject.org/fedora:43
-LABEL maintainer="copr-devel@lists.fedorahosted.org"
-LABEL description="COPR Builder - RPM build worker"
+
+LABEL maintainer="copr-devel@lists.fedorahosted.org" \
+      description="COPR Builder - RPM build worker" \
 
 ARG ADDITIONAL_COPR_REPOSITORIES="@copr/copr-dev"
 
-ENV TERM=linux
+ENV LANG=en_US.UTF-8 \
+    TERM=linux
 
-RUN set -ex ; \
-    test -z "${ADDITIONAL_COPR_REPOSITORIES}" \
-        || dnf -y install dnf-plugins-core \
-        && for repo in $ADDITIONAL_COPR_REPOSITORIES ; do dnf -y copr enable $repo; done ; \
+RUN --mount=type=cache,target=/var/cache/dnf \
+    set -ex && \
+    if [ -n "${ADDITIONAL_COPR_REPOSITORIES}" ]; then \
+        dnf -y install dnf-plugins-core && \
+        for repo in $ADDITIONAL_COPR_REPOSITORIES; do dnf -y copr enable $repo; done; \
+    fi && \
     dnf -y update && \
-    dnf -y install htop \
-                   which \
-                   wget \
-                   vim \
-                   openssh-server \
-                   fedora-packager \
-                   mock \
-                   mock-lvm \
-                   createrepo \
-                   yum-utils \
-                   rsync \
-                   openssh-clients \
-                   rpm \
-                   glib2 \
-                   ca-certificates \
-                   scl-utils-build \
-                   ethtool \
-    && dnf -y install copr-builder \
+    dnf -y install \
+        ca-certificates \
+        copr-builder \
+        createrepo \
+        fedora-packager \
+        mock \
+        mock-lvm \
+        openssh-clients \
+        openssh-server \
+        rsync \
+        yum-utils \
     && dnf clean all
 
 COPY files/ /
 
-RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -q
-
-RUN echo 'root:passwd' | chpasswd && \
+RUN set -ex && \
+    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -q && \
+    echo 'root:passwd' | chpasswd && \
     chmod 700 /root /root/.ssh && \
-    touch /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys
-
-RUN echo 'config_opts["use_nspawn"] = False' >> /etc/mock/site-defaults.cfg
+    touch /root/.ssh/authorized_keys && \
+    chmod 600 /root/.ssh/authorized_keys && \
+    echo 'config_opts["use_nspawn"] = False' >> /etc/mock/site-defaults.cfg
 
 EXPOSE 22
-
 CMD ["/usr/sbin/sshd", "-D"]

podman-kube/containers/database/Containerfile

@@ -1,16 +1,23 @@
 FROM registry.fedoraproject.org/fedora:43
-LABEL maintainer="copr-devel@lists.fedorahosted.org"
-LABEL description="PostgreSQL database for COPR"
 
-RUN dnf install -y postgresql-server postgresql && dnf clean all
+LABEL maintainer="copr-devel@lists.fedorahosted.org" \
+      description="PostgreSQL database for COPR" \
+
+ENV LANG=en_US.UTF-8
+
+RUN --mount=type=cache,target=/var/cache/dnf \
+    dnf -y install postgresql-server postgresql && \
+    dnf clean all
 
 RUN mkdir -p /var/lib/pgsql/data /var/run/postgresql && \
     chown -R postgres:postgres /var/lib/pgsql /var/run/postgresql
 
 COPY files/init-db.sh /usr/local/bin/init-db.sh
 RUN chmod +x /usr/local/bin/init-db.sh
 
+USER postgres
 EXPOSE 5432
+HEALTHCHECK --interval=10s --timeout=5s --start-period=30s \
+    CMD pg_isready -U postgres || exit 1
 
-USER postgres
 CMD ["/usr/local/bin/init-db.sh"]