Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

experimental: Add build-chunked-oci #5222

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

cgwalters
Copy link
Member

Closes: #5221

Signed-off-by: Colin Walters [email protected]

Copy link

openshift-ci bot commented Jan 14, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@cgwalters
Copy link
Member Author

cgwalters commented Jan 14, 2025

OK I've been testing this out with this; the demo here is to make a smaller base image from our larger one, removing python and linux-firmware but even removing rpm-ostree and dnf.

(We can't yet remove rpm because paast-selinux depends on it for bad reasons))

# see below for artifacts
FROM quay.io/examplecorp/someartifacts:latest as artifacts
FROM quay.io/fedora/fedora-bootc:41 as rootfs
RUN <<EORUN
set -xeuo pipefail
# Needed by some scripts
mkdir -p /var/lib/rpm-state
# Remove various things with dnf
dnf -y remove python3 linux-firmware rpm-ostree
# And drop out dnf (TODO: teach dnf to be able to do this)
rpm -e dnf5 libdnf5 libdnf5-cli libsolv librepo libmodulemd
rm /var/lib/rpm-state -rf
EORUN
# Inject non-rpm content from other container
COPY --from=artifacts /usr /usr

FROM quay.io/fedora/fedora-bootc:rawhide as builder
RUN --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
    --mount=from=rootfs,dst=/rootfs <<EORUN
set -xeuo pipefail
rm /buildcontext/out.oci -rf
rpm-ostree [experimental] compose build-chunked-oci --ostree --rootfs=/rootfs --output /buildcontext/out.oci
EORUN

FROM oci:./out.oci
LABEL containers.bootc 1
# Need to reference builder here to force ordering. But since we have to run
# something anyway, we might as well cleanup after ourselves.
RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.oci -rf

Anyways, this builds and starts to install, but what I get trying to do an install is:

Fetched layers: 292.75 MiB in 2 seconds (177.98 MiB/s)                          ERROR Installing to disk: Creating ostree deployment: Pulling: Importing: Unencapsulating base: Layer sha256:949f37ee3505878a579f04ca66d2c8822b38baf5c08a59e8fd5bffa2638aa42b: Importing objects: Importing object 95/d8ef49e5756bdbc9c82e196252796f115982a290ee1aca5be8457203fca953.file: Processing content object 95d8ef49e5756bdbc9c82e196252796f115982a290ee1aca5be8457203fca953: Importing regfile small: Writing content object: Corrupted file object; checksum expected='95d8ef49e5756bdbc9c82e196252796f115982a290ee1aca5be8457203fca953' actual='0e7f2e7de0309b3fc67fbeab4f5957c1a4b09a80d8ab3bff6763adb2579f81f3'
Error: unable to install bootc image: failed to create disk image: failed to run bootc install

And that's the only corrupt file - it turns out to be the rpmdb.sqlite-wal file which is clearly special in some way (maybe it's sparse? Digging)
This of course relates to rpm-software-management/rpm#2219

@cgwalters
Copy link
Member Author

And that's the only corrupt file - it turns out to be the rpmdb.sqlite-wal file which is clearly special in some way (maybe it's sparse? Digging)

➡️ #5225

Holy cow was that painful to debug.

I'm working on doing container reencapsulation and using
a user-mode repo and got burned by the hardlinking here
and rpm always *writing* to the repo even when reading it.

Most systems we care about have reflinks so it's cheap. And in practice
most usage of this before was actually checking out from bare
(not bare-user) repos, so we were copying anyways.

Signed-off-by: Colin Walters <[email protected]>
Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this pull request Jan 15, 2025
We really want this for coreos/rpm-ostree#5222
to be able to rebuild images from their container-synthesized rootfs.

Really, the only xattr we don't want to emit in to the tar stream
is security.selinux for now.

Eventually we should try to switch to putting that into the tar
stream too, but it needs more validation.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this pull request Jan 15, 2025
We really want this for coreos/rpm-ostree#5222
to be able to rebuild images from their container-synthesized rootfs.

Really, the only xattr we don't want to emit in to the tar stream
is security.selinux for now.

Eventually we should try to switch to putting that into the tar
stream too, but it needs more validation.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this pull request Jan 16, 2025
We really want this for coreos/rpm-ostree#5222
to be able to rebuild images from their container-synthesized rootfs.

Really, the only xattr we don't want to emit in to the tar stream
is security.selinux for now.

Eventually we should try to switch to putting that into the tar
stream too, but it needs more validation.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this pull request Jan 16, 2025
We really want this for coreos/rpm-ostree#5222
to be able to rebuild images from their container-synthesized rootfs.

Really, the only xattr we don't want to emit in to the tar stream
is security.selinux for now.

Eventually we should try to switch to putting that into the tar
stream too, but it needs more validation.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this pull request Jan 16, 2025
We really want this for coreos/rpm-ostree#5222
to be able to rebuild images from their container-synthesized rootfs.

Really, the only xattr we don't want to emit in to the tar stream
is security.selinux for now.

Eventually we should try to switch to putting that into the tar
stream too, but it needs more validation.

Signed-off-by: Colin Walters <[email protected]>
cgwalters added a commit to cgwalters/bootc that referenced this pull request Jan 16, 2025
We really want this for coreos/rpm-ostree#5222
to be able to rebuild images from their container-synthesized rootfs.

Really, the only xattr we don't want to emit in to the tar stream
is security.selinux for now.

Eventually we should try to switch to putting that into the tar
stream too, but it needs more validation.

Signed-off-by: Colin Walters <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add rpm-ostree compose build-chunked-oci
1 participant