fix: image reproducibility with finalize

smira · smira · commit 11f48c567ff2 · 2024-09-16T21:03:24.000+04:00
See tonistiigi/fsutil#207 The result of this issue is that we can't use `finalize` steps where destination is a directory, so refactor things to pull in such steps into the `install` step. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
diff --git a/container-runtime/crun/pkg.yaml b/container-runtime/crun/pkg.yaml
@@ -24,6 +24,10 @@ steps:
         mkdir -p /rootfs/usr/local/bin
         cp -av crun /rootfs/usr/local/bin/crun
         chmod +x /rootfs/usr/local/bin/crun
+
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/crun.part /rootfs/etc/cri/conf.d/crun.part
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -36,5 +40,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/crun.part
-    to: /rootfs/etc/cri/conf.d/crun.part
diff --git a/container-runtime/gvisor/pkg.yaml b/container-runtime/gvisor/pkg.yaml
@@ -44,6 +44,11 @@ steps:
 
         cp ./bin/containerd-shim-runsc-v1 /rootfs/usr/local/bin/containerd-shim-runsc-v1
         chmod +x /rootfs/usr/local/bin/containerd-shim-runsc-v1
+
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+
+        cp /pkg/gvisor.part /pkg/runsc.toml /pkg/gvisor-kvm.part /pkg/runsc-kvm.toml /rootfs/etc/cri/conf.d/
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -55,11 +60,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/gvisor.part
-    to: /rootfs/etc/cri/conf.d/gvisor.part
-  - from: /pkg/runsc.toml
-    to: /rootfs/etc/cri/conf.d/runsc.toml
-  - from: /pkg/gvisor-kvm.part
-    to: /rootfs/etc/cri/conf.d/gvisor-kvm.part
-  - from: /pkg/runsc-kvm.toml
-    to: /rootfs/etc/cri/conf.d/runsc-kvm.toml
diff --git a/container-runtime/kata-containers/pkg.yaml b/container-runtime/kata-containers/pkg.yaml
@@ -59,6 +59,12 @@ steps:
       - |
         cd ${GOPATH}/src/github.com/kata-containers/src/runtime
         cp containerd-shim-kata-v2 /rootfs/usr/local/bin/containerd-shim-kata-v2
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/kata-containers.part /rootfs/etc/cri/conf.d/kata-containers.part
+
+        mkdir -p /rootfs/usr/local/share/kata-containers
+        cp /pkg/configuration.toml /rootfs/usr/local/share/kata-containers/configuration.toml
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -70,7 +76,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/kata-containers.part
-    to: /rootfs/etc/cri/conf.d/kata-containers.part
-  - from: /pkg/configuration.toml
-    to: /rootfs/usr/local/share/kata-containers/configuration.toml
diff --git a/container-runtime/spin/pkg.yaml b/container-runtime/spin/pkg.yaml
@@ -24,6 +24,9 @@ steps:
         mkdir -p /rootfs/usr/local/bin
 
         tar xf containerd-shim-spin.tar.gz -C /rootfs/usr/local/bin
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/spin.part /rootfs/etc/cri/conf.d/spin.part
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -35,5 +38,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/spin.part
-    to: /rootfs/etc/cri/conf.d/spin.part
diff --git a/container-runtime/stargz-snapshotter/pkg.yaml b/container-runtime/stargz-snapshotter/pkg.yaml
@@ -41,6 +41,15 @@ steps:
 
         cp ./out/ctr-remote /rootfs/usr/local/lib/containers/stargz-snapshotter/ctr-remote
         chmod +x /rootfs/usr/local/lib/containers/stargz-snapshotter/ctr-remote
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/stargz-snapshotter.part /rootfs/etc/cri/conf.d/stargz-snapshotter.part
+
+        mkdir -p /rootfs/usr/local/etc/containerd-stargz-grpc
+        cp /pkg/config.toml /rootfs/usr/local/etc/containerd-stargz-grpc/config.toml
+
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/stargz-snapshotter.yaml /rootfs/usr/local/etc/containers/
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -52,9 +61,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/stargz-snapshotter.part
-    to: /rootfs/etc/cri/conf.d/stargz-snapshotter.part
-  - from: /pkg/config.toml
-    to: /rootfs/usr/local/etc/containerd-stargz-grpc/config.toml
-  - from: /pkg/stargz-snapshotter.yaml
-    to: /rootfs/usr/local/etc/containers/
diff --git a/examples/hello-world-service/pkg.yaml b/examples/hello-world-service/pkg.yaml
@@ -20,10 +20,13 @@ steps:
         CGO_ENABLED=0 go build -o ./hello-world .
     install:
       - |
-        mkdir -p /rootfs/usr/local/etc/containers
         mkdir -p /rootfs/usr/local/lib/containers/hello-world
 
         cp -p /pkg/src/hello-world /rootfs/usr/local/lib/containers/hello-world/
+      - |
+        mkdir -p /rootfs/usr/local/etc/containers
+
+        cp /pkg/hello-world.yaml /rootfs/usr/local/etc/containers/
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -35,5 +38,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/hello-world.yaml
-    to: /rootfs/usr/local/etc/containers/
diff --git a/guest-agents/qemu-guest-agent/pkg.yaml b/guest-agents/qemu-guest-agent/pkg.yaml
@@ -63,6 +63,9 @@ steps:
         rmdir /rootfs/usr/local/share
         rmdir /rootfs/var/run
         rmdir /rootfs/var
+      - |
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/qemu-guest-agent.yaml /rootfs/usr/local/etc/containers/
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -74,5 +77,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/qemu-guest-agent.yaml
-    to: /rootfs/usr/local/etc/containers/
diff --git a/guest-agents/xen-guest-agent/pkg.yaml b/guest-agents/xen-guest-agent/pkg.yaml
@@ -32,6 +32,10 @@ steps:
         containerRoot=/rootfs/usr/local/lib/containers/xen-guest-agent
         mkdir -p "$containerRoot"
         mv target/{{ .ARCH }}-alpine-linux-musl/release/xen-guest-agent "$containerRoot/xen-guest-agent"
+      - |
+        mkdir -p /rootfs/usr/local/etc/containers
+
+        cp /pkg/xen-guest-agent.yaml /rootfs/usr/local/etc/containers/
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -43,5 +47,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/xen-guest-agent.yaml
-    to: /rootfs/usr/local/etc/containers/
diff --git a/network/tailscale/pkg.yaml b/network/tailscale/pkg.yaml
@@ -37,6 +37,9 @@ steps:
         cp -pr dist/tailscale /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
         cp -pr dist/tailscaled /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
         cp -pr dist/containerboot /rootfs/usr/local/lib/containers/tailscale/usr/local/bin
+      - |
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/tailscale.yaml /rootfs/usr/local/etc/containers/
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -48,5 +51,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/tailscale.yaml
-    to: /rootfs/usr/local/etc/containers/
diff --git a/nvidia-gpu/nvidia-container-toolkit/lts/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/lts/pkg.yaml
@@ -18,7 +18,9 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     install:
       - |
-        mkdir -p /rootfs
+        mkdir -p /rootfs/usr/local/etc/containers
+
+        cp /pkg/nvidia-persistenced.yaml /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -28,7 +30,5 @@ steps:
 finalize:
   - from: /rootfs
     to: /rootfs
-  - from: /pkg/nvidia-persistenced.yaml
-    to: /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml
   - from: /pkg/manifest.yaml
     to: /
diff --git a/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/nvidia-container-runtime/pkg.yaml
@@ -49,10 +49,12 @@ steps:
           ln -sv nvidia-container-runtime-wrapper /rootfs/usr/local/bin/$(basename $clean_file)
           cp $clean_file /rootfs/usr/local/bin/$(basename $clean_file).real
         done
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/nvidia-container-runtime.part /rootfs/etc/cri/conf.d/nvidia-container-runtime.part
+
+        mkdir -p /rootfs/usr/local/etc/nvidia-container-runtime
+        cp /pkg/nvidia-container-runtime.toml /rootfs/usr/local/etc/nvidia-container-runtime/config.toml
 finalize:
   - from: /rootfs
     to: /rootfs
-  - from: /pkg/nvidia-container-runtime.part
-    to: /rootfs/etc/cri/conf.d/nvidia-container-runtime.part
-  - from: /pkg/nvidia-container-runtime.toml
-    to: /rootfs/usr/local/etc/nvidia-container-runtime/config.toml
diff --git a/nvidia-gpu/nvidia-container-toolkit/production/pkg.yaml b/nvidia-gpu/nvidia-container-toolkit/production/pkg.yaml
@@ -18,7 +18,8 @@ steps:
         sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
     install:
       - |
-        mkdir -p /rootfs
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/nvidia-persistenced.yaml /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -28,7 +29,5 @@ steps:
 finalize:
   - from: /rootfs
     to: /rootfs
-  - from: /pkg/nvidia-persistenced.yaml
-    to: /rootfs/usr/local/etc/containers/nvidia-persistenced.yaml
   - from: /pkg/manifest.yaml
     to: /
diff --git a/nvidia-gpu/nvidia-fabricmanager/lts/pkg.yaml b/nvidia-gpu/nvidia-fabricmanager/lts/pkg.yaml
@@ -40,6 +40,8 @@ steps:
 
         cp etc/fabricmanager.cfg  /rootfs/usr/local/share/nvidia/nvswitch/
 
+        cp /pkg/nvidia-fabricmanager.yaml /rootfs/usr/local/etc/containers/nvidia-fabricmanager.yaml
+
         sed -i 's/DAEMONIZE=.*/DAEMONIZE=0/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg
         sed -i 's/STATE_FILE_NAME=.*/STATE_FILE_NAME=\/var\/run\/nvidia-fabricmanager\/fabricmanager.state/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg
         sed -i 's/TOPOLOGY_FILE_PATH=.*/TOPOLOGY_FILE_PATH=\/usr\/local\/share\/nvidia\/nvswitch/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg
@@ -53,7 +55,5 @@ steps:
 finalize:
   - from: /rootfs
     to: /rootfs
-  - from: /pkg/nvidia-fabricmanager.yaml
-    to: /rootfs/usr/local/etc/containers/nvidia-fabricmanager.yaml
   - from: /pkg/manifest.yaml
     to: /
diff --git a/nvidia-gpu/nvidia-fabricmanager/production/lts/pkg.yaml b/nvidia-gpu/nvidia-fabricmanager/production/lts/pkg.yaml
@@ -40,6 +40,8 @@ steps:
 
         cp etc/fabricmanager.cfg  /rootfs/usr/local/share/nvidia/nvswitch/
 
+        cp /pkg/nvidia-fabricmanager.yaml /rootfs/usr/local/etc/containers/nvidia-fabricmanager.yaml
+
         sed -i 's/DAEMONIZE=.*/DAEMONIZE=0/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg
         sed -i 's/STATE_FILE_NAME=.*/STATE_FILE_NAME=\/var\/run\/nvidia-fabricmanager\/fabricmanager.state/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg
         sed -i 's/TOPOLOGY_FILE_PATH=.*/TOPOLOGY_FILE_PATH=\/usr\/local\/share\/nvidia\/nvswitch/g' /rootfs/usr/local/share/nvidia/nvswitch/fabricmanager.cfg
@@ -53,7 +55,5 @@ steps:
 finalize:
   - from: /rootfs
     to: /rootfs
-  - from: /pkg/nvidia-fabricmanager.yaml
-    to: /rootfs/usr/local/etc/containers/nvidia-fabricmanager.yaml
   - from: /pkg/manifest.yaml
     to: /
diff --git a/power/nut-client/pkg.yaml b/power/nut-client/pkg.yaml
@@ -80,6 +80,9 @@ steps:
         rm -rf /rootfs/usr/local/etc
         rm -rf /rootfs/usr/local/lib/nut
         rm -rf /rootfs/usr/local/sbin
+      - |
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/nut-client.yaml /rootfs/usr/local/etc/containers/
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -91,5 +94,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/nut-client.yaml
-    to: /rootfs/usr/local/etc/containers/
diff --git a/storage/iscsi-tools/pkg.yaml b/storage/iscsi-tools/pkg.yaml
@@ -19,17 +19,18 @@ steps:
       # cleanup
       rm -rf /rootfs/usr/local/include
       rm -rf /rootfs/usr/share
+    - |
+      mkdir -p /rootfs/usr/local/etc/containers
+
+      cp /pkg/iscsid.yaml /rootfs/usr/local/etc/containers/iscsid.yaml
+      cp /pkg/tgtd.yaml /rootfs/usr/local/etc/containers/tgtd.yaml
     test:
       - |
         mkdir -p /extensions-validator-rootfs
         cp -r /rootfs/ /extensions-validator-rootfs/rootfs
         cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
         /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
 finalize:
-  - from: /pkg/iscsid.yaml
-    to: /rootfs/usr/local/etc/containers/iscsid.yaml
-  - from: /pkg/tgtd.yaml
-    to: /rootfs/usr/local/etc/containers/tgtd.yaml
   - from: /rootfs
     to: /rootfs
   - from: /pkg/manifest.yaml
diff --git a/storage/zfs/pkg.yaml b/storage/zfs/pkg.yaml
@@ -18,6 +18,10 @@ steps:
         mkdir -p /rootfs/lib/modules /rootfs/usr/local/lib/containers/zpool-importer
 
         cp -R /lib/modules/* /rootfs/lib/modules
+      - |
+        mkdir -p /rootfs/usr/local/lib/containers
+
+        cp /pkg/zpool-importer.yaml /rootfs/usr/local/lib/containers/zpool-importer.yaml
     test:
       - |
         mkdir -p /extensions-validator-rootfs
@@ -29,5 +33,3 @@ finalize:
     to: /rootfs
   - from: /pkg/manifest.yaml
     to: /
-  - from: /pkg/zpool-importer.yaml
-    to: /rootfs/usr/local/etc/containers/zpool-importer.yaml
