Skip to content
Open
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ RUN --mount=type=cache,target=/go/rhel8/.cache,z \
--mount=type=cache,target=/go/rhel8/pkg/mod,z \
make install DESTDIR=./instroot-rhel8 && tar -C instroot-rhel8 -cf instroot-rhel8.tar .

FROM registry.ci.openshift.org/ocp/builder:rhel-9-enterprise-base-multi-openshift-4.19
FROM registry.ci.openshift.org/ocp/4.20:base-rhel9
ARG TAGS=""
COPY install /manifests
RUN --mount=type=cache,target=/var/cache/dnf,z \
Expand All @@ -41,6 +41,8 @@ RUN --mount=type=cache,target=/var/cache/dnf,z \
if ! rpm -q util-linux; then dnf install --setopt=keepcache=true -y util-linux; fi && \
# We also need to install fuse-overlayfs and cpp for Buildah to work correctly.
if ! rpm -q buildah; then dnf install --setopt=keepcache=true -y buildah fuse-overlayfs cpp --exclude container-selinux; fi && \
# Install the oc binary.
if ! rpm -q openshift-clients; then dnf install --setopt=keepcache=true -y openshift-clients; fi && \
# Create the build user which will be used for doing OS image builds. We
# use the username "build" and the uid 1000 since this matches what is in
# the official Buildah image.
Expand Down
5 changes: 4 additions & 1 deletion Dockerfile.rhel7
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,13 @@ RUN --mount=type=cache,target=/var/cache/dnf,z \
if ! rpm -q util-linux; then dnf install --setopt=keepcache=true -y util-linux; fi && \
# We also need to install fuse-overlayfs and cpp for Buildah to work correctly.
if ! rpm -q buildah; then dnf install --setopt=keepcache=true -y buildah fuse-overlayfs cpp --exclude container-selinux; fi && \
# Install the oc binary.
if ! rpm -q openshift-clients; then dnf install --setopt=keepcache=true -y openshift-clients; fi && \
# Create the build user which will be used for doing OS image builds. We
# use the username "build" and the uid 1000 since this matches what is in
# the official Buildah image.
useradd --uid 1000 build
# Conditional checks if "build" user does not exist before adding user.
if ! id -u "build" >/dev/null 2>&1; then useradd --uid 1000 build; fi
# Copy the binaries *after* we install nmstate so we don't invalidate our cache for local builds.
COPY --from=rhel9-builder /go/src/github.com/openshift/machine-config-operator/instroot-rhel9.tar /tmp/instroot-rhel9.tar
RUN cd / && tar xf /tmp/instroot-rhel9.tar && rm -f /tmp/instroot-rhel9.tar
Expand Down
12 changes: 12 additions & 0 deletions pkg/controller/build/buildrequest/assets/buildah-build.sh
Original file line number Diff line number Diff line change
Expand Up @@ -98,4 +98,16 @@ buildah push \
--authfile="$FINAL_IMAGE_PUSH_CREDS" \
--digestfile="/tmp/done/digestfile" \
--cert-dir /var/run/secrets/kubernetes.io/serviceaccount "$TAG"

# If the oc command is not present, then we must extract it from the base OS
# image which we've already pulled to do the build.
if ! command -v "oc" &> /dev/null; then
# Extract the oc binary from the base OS image and place it into the
# /tmp/done path.
container="$(buildah from --authfile="$BASE_IMAGE_PULL_CREDS" "$BASE_OS_IMAGE_PULLSPEC")"
buildah unshare /bin/bash -c 'cp "$(buildah mount "$container")/usr/bin/oc" "/tmp/done/oc"; buildah umount "$container"'
buildah rm "$container"
echo "Extracted oc command from $BASE_OS_IMAGE_PULLSPEC"
fi

EOF
15 changes: 14 additions & 1 deletion pkg/controller/build/buildrequest/assets/create-digest-cm.sh
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,20 @@

set -xeuo

# Inject the contents of the digestfile into a ConfigMap.
# Check if the oc command is available.
if command -v "oc" &> /dev/null; then
echo "Using built-in oc command"
else
# If the oc command is not available, check under /tmp/done/oc.
if [[ -x /tmp/done/oc ]]; then
# Add this to our PATH if found.
export PATH="$PATH:/tmp/done"
else
# If it cannot be found, return a non-zero exit code.
echo "oc command not found"
exit 1
fi
fi

# Create and label the digestfile ConfigMap
if ! oc create configmap \
Expand Down
17 changes: 8 additions & 9 deletions pkg/controller/build/buildrequest/buildrequest.go
Original file line number Diff line number Diff line change
Expand Up @@ -451,6 +451,10 @@ func (br buildRequestImpl) toBuildahPod() *corev1.Pod {
Name: "NO_PROXY",
Value: noProxy,
},
{
Name: "BASE_OS_IMAGE_PULLSPEC",
Value: br.opts.OSImageURLConfig.BaseOSContainerImage,
},
}

securityContext := &corev1.SecurityContext{}
Expand Down Expand Up @@ -560,7 +564,6 @@ func (br buildRequestImpl) toBuildahPod() *corev1.Pod {
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: br.getBasePullSecretName(),
// SecretName: br.opts.MachineOSConfig.Spec.BuildInputs.BaseImagePullSecret.Name,
Items: []corev1.KeyToPath{
{
Key: corev1.DockerConfigJsonKey,
Expand All @@ -575,7 +578,6 @@ func (br buildRequestImpl) toBuildahPod() *corev1.Pod {
Name: "final-image-push-creds",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
// SecretName: br.opts.MachineOSConfig.Spec.BuildInputs.RenderedImagePushSecret.Name,
SecretName: br.getFinalPushSecretName(),
Items: []corev1.KeyToPath{
{
Expand All @@ -587,14 +589,11 @@ func (br buildRequestImpl) toBuildahPod() *corev1.Pod {
},
},
{
// Provides a way for the "image-build" container to signal that it
// finished so that the "wait-for-done" container can retrieve the
// iamge SHA.
// Provides a way for the "image-build" container to pass the digested
// pullspec and oc binary to the "create-digest-configmap" container.
Name: "done",
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{
Medium: corev1.StorageMediumMemory,
},
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
{
Expand Down Expand Up @@ -671,7 +670,7 @@ func (br buildRequestImpl) toBuildahPod() *corev1.Pod {
// us to avoid parsing log files.
Name: "create-digest-configmap",
Command: append(command, digestCMScript),
Image: br.opts.OSImageURLConfig.BaseOSContainerImage,
Image: br.opts.Images.MachineConfigOperator,
Env: env,
ImagePullPolicy: corev1.PullAlways,
SecurityContext: securityContext,
Expand Down
9 changes: 3 additions & 6 deletions pkg/controller/build/buildrequest/buildrequest_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -211,6 +211,8 @@ func assertSecretInCorrectFormat(t *testing.T, secret *corev1.Secret) {
}

func assertBuildJobIsCorrect(t *testing.T, buildJob *batchv1.Job, opts BuildRequestOpts) {
t.Helper()

etcRpmGpgKeysOpts := optsForEtcRpmGpgKeys()
assertBuildJobMatchesExpectations(t, opts.HasEtcPkiRpmGpgKeys, buildJob,
etcRpmGpgKeysOpts.envVar(),
Expand All @@ -233,12 +235,7 @@ func assertBuildJobIsCorrect(t *testing.T, buildJob *batchv1.Job, opts BuildRequ
)

assert.Equal(t, buildJob.Spec.Template.Spec.InitContainers[0].Image, mcoImagePullspec)
expectedPullspecs := []string{
"base-os-image-from-machineosconfig",
fixtures.OSImageURLConfig().BaseOSContainerImage,
}

assert.Contains(t, expectedPullspecs, buildJob.Spec.Template.Spec.Containers[0].Image)
assert.Equal(t, buildJob.Spec.Template.Spec.Containers[0].Image, mcoImagePullspec)

assertPodHasVolume(t, buildJob.Spec.Template.Spec, corev1.Volume{
Name: "final-image-push-creds",
Expand Down