Oraclelinux docker build #275
The build system presently uses Ubuntu docker containers. But in some cases, Ubuntu docker containers aren't available. Moving Ubuntu container files into a separate directory allows other containers to be used for the build.

Signed-off-by: Jagannathan Raman <[email protected]>
Acked-by: Liam Merwick <[email protected]>

- Add docker files to build & deploy Veraison using Oracle Linux containers
- Makefile for docker build/deployment updated to switch between Linux & Oracle containers based on the OS distribution

Signed-off-by: Jagannathan Raman <[email protected]>
Acked-by: Liam Merwick <[email protected]>

We have yet to define the SELinux policy for the containers. Some containers, such as Oracle Linux, have the SELinux driver enabled by default, but we haven't defined the policies yet. Until we define SELinux policies, disarm it.

Signed-off-by: Jagannathan Raman <[email protected]>

Docker volumes mount as the root user by default. As such, in some instances, the docker user doesn't have permission to create logs in the volume. Changing the ownership of the docker volumes to $USER also doesn't stick, as shown below:

[veraison@vts-service veraison]$ ls -lZ
total 42680
-rw-r--r--. 1 veraison nobody   system_u:object_r:container_file_t:s0:c23,c53     1119 Oct 15 17:52 config.yaml
drwxr-xr-x. 2 1000     root     system_u:object_r:container_file_t:s0                6 Oct 15 17:52 logs
drwxr-xr-x. 2 veraison nobody   system_u:object_r:container_file_t:s0:c23,c53      182 Oct 15 17:54 plugins
-rwxr-xr-x. 1 veraison nobody   system_u:object_r:container_file_t:s0:c23,c53      127 Oct 15 17:52 service-entrypoint
-rw-r--r--. 1 veraison nobody   system_u:object_r:container_file_t:s0:c23,c53      198 Oct 15 17:52 skey.jwk
drwxr-xr-x. 3 veraison veraison system_u:object_r:container_file_t:s0               17 Oct 15 17:54 stores
-rwxr-xr-x. 1 veraison nobody   system_u:object_r:container_file_t:s0:c23,c53 43682136 Oct 15 17:52 vts-service
-rw-r--r--. 1 veraison nobody   system_u:object_r:container_file_t:s0:c23,c53      656 Oct 15 17:52 vts.crt
-rw-r--r--. 1 veraison nobody   system_u:object_r:container_file_t:s0:c23,c53      227 Oct 15 17:52 vts.key

As such, we create a sub-directory with correct ownership for logs.

Signed-off-by: Jagannathan Raman <[email protected]>
I can see some CI failures; I'm taking a look at it.
Could you update the first commit message to elaborate on
> But in some cases, Ubuntu docker containers aren't available.
The Ubuntu images are part of the public Docker registry, and should always be available. Adding a parallel set of dockerfiles would introduce a significant maintenance burden going forward, and I'd rather avoid that if at all possible.
When attempting to build the "ol" configuration locally, I get
[+] Building 1.3s (12/25) docker:default
=> [internal] load build definition from builder.docker 0.0s
=> => transferring dockerfile: 2.40kB 0.0s
=> WARN: FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 1) 0.0s
=> [internal] load metadata for container-registry.oracle.com/os/oraclelinux:9 1.1s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 285.21kB 0.0s
=> [ 1/21] FROM container-registry.oracle.com/os/oraclelinux:9@sha256:a6296b68f10b71197d1bb273424444e31f45525bc2531ddcfd23bd82fe17dfe3 0.0s
=> CACHED [ 2/21] RUN cat /etc/redhat-release 0.0s
=> CACHED [ 3/21] RUN dnf config-manager --set-enabled ol9_codeready_builder 0.0s
=> CACHED [ 4/21] RUN dnf install -y git 0.0s
=> CACHED [ 5/21] RUN dnf install -y make 0.0s
=> CACHED [ 6/21] RUN dnf update -y && dnf install -y protobuf* sqlite uuid gettext vim jq iputils nmap wget sudo ca-certificates gcc && uuidgen | tr -d - > /etc/machine-id && rm -rf /var/tmp/* /tmp/* 0.0s
=> CACHED [ 7/21] RUN groupadd -g 1001 builder && groupadd -g 616 veraison && useradd -m -u 1000 -g builder -G root,veraison,wheel -p paxyJoB0NZsNU -s /bin/bash builder 0.0s
=> ERROR [ 8/21] RUN groupadd -g 1001 opc 0.2s
------
> [ 8/21] RUN groupadd -g 1001 opc:
0.150 groupadd: GID '1001' already exists
------
1 warning found (use docker --debug to expand):
- FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 1)
builder.docker:39
--------------------
37 | useradd -m -u ${BUILDER_UID} -g builder -G root,veraison,wheel -p paxyJoB0NZsNU -s /bin/bash builder
38 |
39 | >>> RUN groupadd -g 1001 opc
40 | RUN useradd -m -u 1001 -g opc -G root,veraison,wheel -p paxyJoB0NZsNU -s /bin/bash opc
41 |
--------------------
ERROR: failed to solve: process "/bin/bash -c groupadd -g 1001 opc" did not complete successfully: exit code: 4
Regarding the logs volume subdirectory -- is this something specific to oraclelinux, or to a particular Docker version? This does not seem to be necessary on main.
If the subdirectory is unavoidable, please rename to something less confusing, e.g. "logs/services/", rather than "logs/logs/".
Additionally, please:
- move the distro-specific subdirs under src/ (use SRC_DIR rather than THIS_DIR as base)
- rename "ol" directory to something more obvious, e.g. "oraclelinux"; or alternatively, group it and "ubuntu" under an additional sub-directory (e.g. "dockerfiles" or "distros").
- squash the fix-up commits (if a commit only changes things introduced in a previous commit in the same pull, it should not be a separate commit).
- fix the FromAsCase warnings (capitalize "AS" in the dockerfiles)
@@ -34,21 +34,31 @@ ifneq ($(DEBUG_PORT),) | |||
DEBUG_PORT_FLAG := -p $(DEBUG_PORT):$(DEBUG_PORT) | |||
endif | |||
|
|||
# Determine OS distribution | |||
DISTRO := $(shell cat /etc/os-release | grep -w ID | cut -d '=' -f2 | cut -d '"' -f2) |
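Review bot: the `DISTRO := $(shell cat /etc/os-release | grep -w ID | cut -d '=' -f2 | cut -d '"' -f2)` line ties the choice of container base image to whatever distribution the build host runs, so the same checkout builds different images on different developer machines, and on a host without /etc/os-release the variable is silently empty. Make the selection explicit with an overridable default, e.g. `CONTAINER_DISTRO ?= ubuntu`, and validate the value against the distro directories that actually exist before it is used as a path component in the Makefile.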
Why is the container distro determined by the host distro? The two should be independent. Just set it to "ubuntu", and allow overriding from the environment:

CONTAINER_DISTRO ?= ubuntu

(and this should probably go into the .cfg file along with other deployment configs.)
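One way to make the distro selection explicit and safe to use as a path component, as an added POSIX shell example that is not code from the Veraison repository: the `CONTAINER_DISTRO` variable comes from the review comment above, while the `src/dockerfiles/<distro>/` layout, the helper names (`select_distro`, `dockerfile_dir`, `host_distro_id`) and the sample /etc/os-release text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the Veraison Makefile. It separates "which distro do we
# build the container from" (an explicit, validated setting) from "which
# distro is the host running" (what the original Makefile line derived).
# The src/dockerfiles/<distro>/ layout is an assumption from the review.

# Distro directories assumed to ship dockerfiles. Anything not in this list
# is rejected so a user-supplied value can never become an arbitrary path
# such as "../etc" under SRC_DIR.
KNOWN_DISTROS="ubuntu oraclelinux"
DEFAULT_DISTRO="ubuntu"

# select_distro [requested]
# Prints the distro directory to use; empty/unset falls back to the default.
# Returns 1 (and prints nothing on stdout) for an unknown value.
select_distro() {
    requested="${1:-$DEFAULT_DISTRO}"
    for d in $KNOWN_DISTROS; do
        if [ "$d" = "$requested" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    printf 'unsupported CONTAINER_DISTRO "%s" (known: %s)\n' \
        "$requested" "$KNOWN_DISTROS" >&2
    return 1
}

# dockerfile_dir distro
# Path of the dockerfiles for a validated distro, based on SRC_DIR as the
# review asked (defaults to "src" when SRC_DIR is unset).
dockerfile_dir() {
    printf '%s/dockerfiles/%s\n' "${SRC_DIR:-src}" "$1"
}

# host_distro_id os_release_text
# What the original Makefile computed: the ID field of /etc/os-release.
# Kept only to show that it describes the host, not the container.
host_distro_id() {
    printf '%s\n' "$1" | sed -n 's/^ID=//p' | tr -d '"'
}

# Constructed sample of an Arch host's /etc/os-release (not captured from a
# real machine); the reviewer's host in the thread runs Arch.
SAMPLE_OS_RELEASE='NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling'

demo() {
    # The host is Arch, yet the build must still default to ubuntu.
    printf 'host distro: %s\n' "$(host_distro_id "$SAMPLE_OS_RELEASE")"
    distro=$(select_distro "${CONTAINER_DISTRO:-}") || return 1
    printf 'building from: %s\n' "$(dockerfile_dir "$distro")"
    # A hostile or mistyped override is refused rather than joined into a path.
    if select_distro '../etc' 2>/dev/null; then
        printf 'BUG: traversal value accepted\n' >&2
        return 1
    fi
    printf 'rejected "../etc" as expected\n'
}

demo
```

Run it as `CONTAINER_DISTRO=oraclelinux sh select_distro.sh` to pick the Oracle Linux dockerfiles regardless of the host; leaving the variable unset selects ubuntu, which is the behaviour the review asked for.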
> Could you update the first commit message to elaborate on
>
> > But in some cases, Ubuntu docker containers aren't available.

Hi Sergei, Docker Ubuntu container images are not available within the Oracle network, so we cannot perform Veraison Docker builds with Ubuntu. Therefore, we have decided to add support for building Veraison using Oracle Linux containers.

> Regarding the logs volume subdirectory -- is this something specific to oraclelinux, or to a particular Docker version? This does not seem to be necessary on main.
>
> If the subdirectory is unavoidable, please rename to something less confusing, e.g. "logs/services/", rather than "logs/logs/"

I cannot reproduce the issue with the "logs" subdirectory on fresh Oracle Linux images, so I assume it is specific to my setup. We do not need this fix, and I will submit a new pull request without it.

I saw a similar workaround for the "stores" volume in "vts.docker". So, I wouldn't be surprised if it reproduces for someone in the future. We don't need these fixes for now, and we can stash them for later.

> When attempting to build the "ol" configuration locally, I get

I'll try to reproduce this. I assume your host is running Ubuntu. @setrofim Is that correct?

> Additionally, please:

ACK

> Why is the container distro determined by the host distro? The two should be independent. Just set it to "ubuntu", and allow overriding from the environment

OK
> I'll try to reproduce this. I assume your host is running Ubuntu. @setrofim Is that correct?
Arch
Docker version 27.3.1, build ce1223035a
Thanks
@setrofim and I discussed this. We concluded that docker isn't the official build process. Maintaining two sets of dockerfiles, one for docker and another for podman, is cumbersome. For these reasons, we decided to shelve this PR. Closing.
Add support to build Veraison with Oracle Linux container