Run install commands within image container

[travisbcotton]

Currently every repo, package, and package group install happens outside the container. This forces you to use the same package manager as the build container (i.e. if you want to use dnf then you must use dnf in the build container).

This change should make it possible to build images with zypper or dnf (and make it easier to add other package managers) regardless of the build container's package manager. The only restriction is that when the parent is "scratch". This will call the scratch based installs which will use the build containers package manager to bootstrap the image.

[njones-lanl]

lgtm

[davidallendj]

Do you have a way to test this?

[travisbcotton]

Sure...
clone it:

git clone -b trcotton/layer-refactor https://github.com/OpenCHAMI/image-builder.git

change to image-builder:

cd image-builder/

build it:

podman build -t image-builder:test -f dockerfiles/dnf/Dockerfile .

create a test folder:

mkdir test

Make a test config in ./test called suse.yaml that looks like:

options:
  layer_type: 'base'
  name: 'suse-base'
  publish_tags:
    - '15.7'
  pkg_manager: 'zypper'
  parent: 'registry.suse.com/bci/bci-base:15.7'
  publish_local: true

packages:
  - cloud-init
  - python3
  - vim
  - chrony

Run it:

podman run \
  --device /dev/fuse \
  -it \
  --name image-builder \
  --rm -v $PWD/tests:/data image-builder:test \
  image-build --log-level INFO --config /data/suse.yaml

[alexlovelltroy]

Not working for me.

Error:

ERROR - Error installing packages: Command '['dnf', '--setopt=reposdir=/home/builder/.local/share/containers/storage/overlay/af5c17cb3072571c3a62c5968fa673310d3341295d81c5b8dd635437183420ab/merged/etc/yum.repos.d', '--setopt=logdir=/var/tmp/image-build-_l3abmur/dnf/log', '--setopt=cachedir=/var/tmp/image-build-_l3abmur/dnf/cache', 'groupinstall', '-y', '--nogpgcheck', '--installroot', '/home/builder/.local/share/containers/storage/overlay/af5c17cb3072571c3a62c5968fa673310d3341295d81c5b8dd635437183420ab/merged', 'Minimal Install', 'Development Tools']' returned non-zero exit status 1.
INFO - 4059a424d071151a5369f3dd6d9aef0aef1d6ec986c9bcd02e9f4caccf339e4b

Image definition:

options:
  layer_type: 'base'
  name: 'rocky-base'
  publish_tags: '9.5'
  pkg_manager: 'dnf'
  parent: 'scratch'
  publish_registry: 'demo.openchami.cluster:5000/demo'
  registry_opts_push:
    - '--tls-verify=false'

repos:
  - alias: 'Rocky_9_BaseOS'
    url: 'https://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os/'
    gpg: 'https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9'
  - alias: 'Rocky_9_AppStream'
    url: 'https://dl.rockylinux.org/pub/rocky/9/AppStream/x86_64/os/'
    gpg: 'https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9'

package_groups:
  - 'Minimal Install'
  - 'Development Tools'

packages:
  - kernel
  - wget
  - dracut-live

cmds:
  - cmd: 'dracut --add "dmsquash-live livenet network-manager" --kver $(basename /lib/modules/*) -N -f --logfile /tmp/dracut.log 2>/dev/null'
    loglevel: INFO
  - cmd: 'echo DRACUT LOG:; cat /tmp/dracut.log'
    loglevel: INFO

[davidallendj]

I think got a different error running...

podman run \
  --device /dev/fuse \
  -it \
  --name image-builder \
  --rm -v $PWD/test:/data image-builder:test \
  image-build --log-level INFO --config /data/suse.yaml

The error:

-------------------BUILD LAYER--------------------
ERROR - Trying to pull registry.suse.com/bci/bci-base:15.7...
ERROR - Getting image source signatures
ERROR - Copying blob sha256:974449b21a84067bddbf51f286c6ba10084622e04303a6933c31d6af3f7eb475
ERROR - Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:974449b21a84067bddbf51f286c6ba10084622e04303a6933c31d6af3f7eb475": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:15 for /etc/shadow): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /etc/shadow: invalid argument): exit status 1
Error building layer: Command '['buildah', 'from', '--name', 'suse-base20250522222318', 'registry.suse.com/bci/bci-base:15.7']' returned non-zero exit status 1.

[alexlovelltroy]

Testing fails for me with ghcr.io/openchami/image-build:pr-17

chown: changing ownership of '/home/builder/config.yaml': Permission denied
Error: the file 'config.yaml' does not exist.

Confirmed working with ghcr.io/openchami/image-build:latest

[travisbcotton]

How are you running it?

[travisbcotton]

This commit: ae53d30
Is not going to work. You need a subuid/subgid range for the builder user in the container

[treydock]

Suggested change

	--userns=keep-id \
	--userns=keep-id:uid=1000,gid=1000 \

I've been using this to ensure my outside UID is mapped to builder so that builder can access things like 0600 files.

[treydock]

Tried testing and got this:

Error: crun: the path `/entrypoint.sh` exists but it is not executable: Operation not permitted: OCI permission denied
make: *** [Makefile:43: rhel-9-base] Error 126

This was my command:

podman run --rm --device /dev/fuse --network host --userns keep-id:uid=1000,gid=1000 \
-v /home/tdockendorf/image-builder-images:/data -v /var/tmp:/var/tmp -v ~/.config/containers/auth.json:/auth.json \
ghcr.io/openchami/image-build:pr-17 image-build --config /data/rhel-9-base.yaml --log-level DEBUG

[synackd]

I built this with:

buildah bud -f dockerfiles/dnf/Dockerfile.el9 -t ghcr.io/openchami/image-build:pr17 .

and it builds. But there's a Python import error when I try running the container:

$ podman run --rm --device /dev/fuse -e S3_ACCESS=<user> -e S3_SECRET=<pass> -v ./rocky-base-9.5.yaml:/home/builder/config.yaml:Z ghcr.io/openchami/image-build:pr17 image-build --config config.yaml --log-level DEBUG
Traceback (most recent call last):
  File "/usr/local/bin/image-build", line 8, in <module>
    from layer import Layer
  File "/usr/local/bin/layer.py", line 6, in <module>
    from utils import cmd, run_playbook
  File "/usr/local/bin/utils.py", line 9, in <module>
    from ansible.config.manager import ConfigManager, Setting
ImportError: cannot import name 'Setting' from 'ansible.config.manager' (/usr/local/lib/python3.11/site-packages/ansible/config/manager.py)

[synackd]

Tests

✅ Building Rocky 9 image from scratch

options:
  layer_type: 'base'
  name: 'rocky-base'
  publish_tags: '9.5'
  pkg_manager: 'dnf'
  parent: 'scratch'
  publish_registry: '172.16.0.254:5050/test'
  registry_opts_push:
    - '--tls-verify=false'

repos:
  - alias: 'Rocky_9_BaseOS'
    url: 'http://<dist_server>/repo/pub/rocky/9/BaseOS/x86_64/os'
    gpg: 'http://<dist_server>/gpg/RPM-GPG-KEY-Rocky-9'
  - alias: 'Rocky_9_AppStream'
    url: 'http://<dist_server>/repo/pub/rocky/9/AppStream/x86_64/os'
    gpg: 'http://<dist_server>/gpg/RPM-GPG-KEY-Rocky-9'
  - alias: 'Rocky_9_CRB'
    url: 'http://<dist_server>/repo/pub/rocky/9/CRB/x86_64/os'
    gpg: 'http://<dist_server>/gpg/RPM-GPG-KEY-Rocky-9'
  - alias: 'Epel'
    url: 'http://<dist_server>/repo/pub/rocky/epel/9/Everything/x86_64'
    gpg: 'http://<dist_server>/gpg/RPM-GPG-KEY-EPEL-9'

package_groups:
  - 'Minimal Install'
  - 'Development Tools'

packages:
  - kernel
  - wget
  - dracut-live
  - kitty-terminfo

cmds:
  - cmd: 'dracut --add "dmsquash-live livenet network-manager" --kver $(basename /lib/modules/*) -N -f --logfile /tmp/dracut.log 2>/dev/null'
  - cmd: 'echo DRACUT LOG:; cat /tmp/dracut.log'

❌ Building from parent image

options:
  layer_type: 'base'
  name: 'compute-base'
  publish_tags:
    - '9.5'
  pkg_manager: 'dnf'
  parent: '172.16.0.254:5050/test/rocky-base:9.5'
  registry_opts_pull:
    - '--tls-verify=false'

  # Publish to local S3
  publish_s3: 'http://172.16.0.254:9090'
  s3_prefix: 'compute/base/'
  s3_bucket: 'boot-images'

  # Publish to SI registry
  publish_registry: '172.16.0.254:5050/test'
  registry_opts_push:
    - '--tls-verify=false'

packages:
  - cloud-init
  - python3
  - vim
  - nfs-utils
  - chrony
  - cmake3
  - dmidecode
  - dnf
  - efibootmgr
  - golang
  - ipmitool
  - jq
  - make
  - perf
  - rsyslog
  - sqlite
  - sudo
  - tcpdump
  - traceroute
  - nss_db
  - lua-posix
  - tcl
  - git
  - fortune-mod

Error:

ERROR - Error installing packages: Installer.install_package_groups() takes 2 positional arguments but 4 were given

[synackd]

The call to install_package_groups here:

image-builder/src/layer.py

Line 97 in 982d6e7

inst.install_package_groups(package_groups, repo_dest, proxy)

includes repo_dest and proxy as arguments. Does the definition here:

image-builder/src/installer.py

Line 260 in 982d6e7

def install_package_groups(self, package_groups):

need to be updated with those?

[synackd]

Tests above pass for DNF. LGTM.