
Separate task(s) for build-deps pre-fetching #58

Draft
praiskup wants to merge 1 commit into konflux-ci:main from praiskup:praiskup-prepare-for-cachi2


@praiskup (Member) commented Aug 13, 2025

This logically separates the part that should be implemented in cachi2 in the future, per:
https://rpm-software-management.github.io/mock/feature-hermetic-builds

Fixes: #48

@praiskup praiskup force-pushed the praiskup-prepare-for-cachi2 branch 3 times, most recently from f8a68b0 to c6494d6 Compare August 13, 2025 04:53

test -f "$lockfile" || exit 0
mock-hermetic-repo \
--lockfile /var/workdir/lockfile/buildroot_lock.json \
--output-repo "$outputdir"
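
Review bot: The existence check on the first line tests "$lockfile", but the mock-hermetic-repo call passes the literal /var/workdir/lockfile/buildroot_lock.json to --lockfile, so the guard and the command can end up looking at different files if the variable ever points elsewhere. Pass --lockfile "$lockfile" so both use one path. The bare exit 0 also makes a missing lockfile indistinguishable from a successful prefetch; consider logging a line before exiting so a skipped prefetch is visible in the task output.
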
Member Author

Hmm, we can't download podman image in Pod:

subprocess.CalledProcessError: Command '['podman', 'pull', '--arch', 'amd64', 'registry.fedoraproject.org/fedora:rawhide@sha256:899da242bd0ae24e94b190de9a19b970af572136801c5a64010e6242cf27933e']' returned non-zero exit status 125.

Yes, pretty much no podman commands will work inside a pod; that's the current nature of unprivileged nested containerization. You might have better luck if you select buildah for the base image of the task. I don't know exactly why, but the implementation is different and so is more isolated. I'm definitely not an expert on what happens underneath; I'm just providing my recent experience.

@praiskup praiskup force-pushed the praiskup-prepare-for-cachi2 branch from c6494d6 to 9393268 Compare August 13, 2025 05:03
@praiskup
Member Author

@eskultety we have a lockfile that refers to a container image that needs to be prefetched (as tarball so we can upload it to an MPC worker). What can we do to let cachi2 fetch it?

@eskultety

> @eskultety we have a lockfile that refers to a container image that needs to be prefetched (as tarball so we can upload it to an MPC worker). What can we do to let cachi2 fetch it?

@praiskup oh, tarballs are easy: you use our generic backend (aka glorified curl): https://hermetoproject.github.io/hermeto/generic/#specifying-artifacts-to-fetch. TL;DR: you adopt a new artifacts.lock.yaml file to your repository, and then it depends on how you plan on interacting with hermeto (formerly cachi2):

  1. if you invoke it directly in your task
    then you follow the doc I linked verbatim
  2. if you depend on the default konflux prefetch task that's already in the catalog
    then you'd add something like {"type": "generic"} to your hermeto command line in your YAML pipeline definition

@eskultety

eskultety commented Aug 14, 2025

> > @eskultety we have a lockfile that refers to a container image that needs to be prefetched (as tarball so we can upload it to an MPC worker). What can we do to let cachi2 fetch it?
>
> @praiskup oh, tarballs are easy

@praiskup I take it back, sorry! I misread your message - there currently isn't a way you could point hermeto to a container registry and expect a fetched tarball on the output.

@taylormadore

@praiskup Can you use something like oras instead of podman to fetch the artifacts from the registry?

@eskultety

> @praiskup Can you use something like oras instead of podman to fetch the artifacts from the registry?

There's also a konflux-ci build of it: https://github.com/konflux-ci/oras-container

@praiskup
Member Author

I think I can fetch images with oras. But can I then extract the directory tree out of it? Like here?
https://github.com/rpm-software-management/mock/blob/840c438abba6c3a5adb2f082261561a36619b5eb/mock/py/mockbuild/podman.py#L216-L225

@eskultety

> I think I can fetch images with oras. But can I then extract the directory tree out of it? Like here? https://github.com/rpm-software-management/mock/blob/840c438abba6c3a5adb2f082261561a36619b5eb/mock/py/mockbuild/podman.py#L216-L225

Good question. Looks like that's not possible, I just tried to copy a random image from dockerhub, but I only got a bunch of layers, so yeah, not trivially mounted.
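
A set of fetched layers can still be turned into a directory tree by applying them in manifest order, checking each blob against its digest on the way. The following is an added example, not code from this PR, mock or oras; it assumes the image was saved as an OCI image layout directory, that `manifest_digest` names a single-platform image manifest (not an index), and that layers are plain or gzip tarballs. The names `flatten`, `verified_blob`, `safe_dest` and `remove` are hypothetical.

```python
import hashlib, json, os, shutil, tarfile
EXTRACT_KW = {"filter": "tar"} if hasattr(tarfile, "tar_filter") else {}  # where available

def verified_blob(layout, digest):
    """Return a blob's path only if its bytes hash to the digest naming it."""
    algo, want = digest.split(":", 1)
    path, h = os.path.join(layout, "blobs", algo, want), hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    if h.hexdigest() != want:
        raise ValueError(f"digest mismatch for {digest}")
    return path

def safe_dest(rootfs, name):
    """Map a tar entry name into rootfs, refusing anything that escapes it."""
    root = os.path.realpath(rootfs)
    parent = os.path.realpath(os.path.join(root, os.path.dirname(name)))
    if name.startswith("/") or ".." in name.split("/") \
            or os.path.commonpath([root, parent]) != root:
        raise ValueError(f"layer entry escapes rootfs: {name}")
    return os.path.join(parent, os.path.basename(name))

def remove(path):
    """Delete a file, symlink or directory tree, if present."""
    if os.path.isdir(path) and not os.path.islink(path):
        shutil.rmtree(path)
    elif os.path.lexists(path):
        os.unlink(path)

def flatten(layout, manifest_digest, rootfs):
    """Apply layers in manifest order (assumes OCI layout, single-platform manifest)."""
    with open(verified_blob(layout, manifest_digest)) as f:
        layers = json.load(f)["layers"]
    os.makedirs(rootfs, exist_ok=True)
    for layer in layers:  # lowest layer first
        with tarfile.open(verified_blob(layout, layer["digest"])) as tar:
            for m in tar:
                here, base = os.path.split(dest := safe_dest(rootfs, m.name))
                if m.islnk():  # a hardlink's source must stay inside too
                    safe_dest(rootfs, m.linkname)
                if base == ".wh..wh..opq":  # opaque marker, assumed to precede siblings
                    for child in os.listdir(here) if os.path.isdir(here) else []:
                        remove(os.path.join(here, child))
                elif base.startswith(".wh."):  # whiteout: drop the named entry
                    remove(os.path.join(here, base[4:]))
                else:
                    if os.path.islink(dest) or not (m.isdir() and os.path.isdir(dest)):
                        remove(dest)  # upper layer replaces lower entry
                    tar.extract(m, rootfs, **EXTRACT_KW)
```

Device nodes and file ownership in real base images need privileges this sketch does not handle; it covers regular files, directories, links and whiteouts.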

@praiskup
Member Author

praiskup commented Dec 4, 2025
