Make the images available in ghcr.io #37
Conversation
glehmann
force-pushed
the
gln/build-env-improvements-lzqx
branch
6 times, most recently
from
9e73f03 to
87724c2
Compare
|
It works with docker but not with podman: we can't run with I'll propose something else. |
glehmann
force-pushed
the
gln/build-env-improvements-lzqx
branch
3 times, most recently
from
78407fa to
7998f39
Compare
|
It should be good now. I've used podman's option |
|
I've also added 88d5bec to reduce the image sizes. |
glehmann
force-pushed
the
gln/build-env-improvements-lzqx
branch
from
7998f39 to
88d5bec
Compare
There is an idiom to squash everything into a single layer, but I also see |
| @@ -102,11 +102,13 @@ def main(): | |||
| docker_arch = args.platform or ("linux/amd64/v2" if branch == "9.0" else "linux/amd64") | |||
|
|
|||
| docker_args = [RUNNER, "run", "-i", "-t", | |||
| "-u", "builder", | |||
There was a problem hiding this comment.
I see that with Docker we delegate to the entrypoint the change of user, but I see nothing for the podman case?
There was a problem hiding this comment.
podman, with --userns=keep-id, already starts with the user ids of the user launching the command.
podman does the mapping of the ids in the mounted volumes, so the files are created with the right owner/group.
docker doesn't do that mapping in the mounted volumes, so we have to switch the user in the container to the ids of the users launching the command
There was a problem hiding this comment.
we have to switch the user in the container to the ids of the users launching the command
isn't that only required when docker runs as root (which is both the default because of the daemon, and bad practice to start with, and the essential reason I'm suggesting we just drop its support)?
There was a problem hiding this comment.
Yes it is. But many dev are still using docker, so I don't think it's time yet to drop docker support
| # platforms: | | ||
| # linux/amd64/v2 |
There was a problem hiding this comment.
Explicit platform for 8.x likely does not hurt, if only for documentation purposes
| context: . | ||
| file: ./Dockerfile-8.x | ||
| push: true | ||
| tags: ghcr.io/${{ github.repository }}:8.2 |
There was a problem hiding this comment.
We likely want those official floating tags to be set only when run on master, maybe we set particular tags for PRs?
Also, timestamped tags as is common may be interesting to have.
There was a problem hiding this comment.
The workflow is only configured on master.
Other tags may be useful, as well as building for PRs, but we must consider cleaning up the old images.
There was a problem hiding this comment.
The workflow is only configured on master.
Actually it seems to be configured for main instead :)
There was a problem hiding this comment.
Also, there would be a reason for allowing it to run not just on master: detecting pipeline errors before they reach master
There was a problem hiding this comment.
yes, that would be nice. Maybe push to the registry when on the master branch then.
glehmann
force-pushed
the
gln/build-env-improvements-lzqx
branch
2 times, most recently
from
e6311bc to
248ec8f
Compare
| docker_args += ["--userns=keep-id", "--security-opt", "label=disable"] | ||
| # With podman we use the `--userns` option to map the builder user to | ||
| # the user on the system. | ||
| docker_args += [f"--userns=keep-id:uid=1000,gid=1000", "--security-opt", "label=disable"] |
There was a problem hiding this comment.
The fact the uid is preserved so entrypoint is entered as builder and not as root as in the Docker case is likely useful to document. But is it really a good idea to have such a big difference between the 2 runners? (especially as we want to move more root actions into the entrypoint in the future)
| # With docker, we modify the builder user in the entrypoint to match the | ||
| # uid:gid of the user launching the container, and then continue with | ||
| # the builder user thanks to gosu. | ||
| docker_args += ["-e", f'BUILDER_UID={os.getuid()}', "-e", f'BUILDER_GID={os.getgid()}'] |
There was a problem hiding this comment.
a reader might ask "why gosu and and just su"
There was a problem hiding this comment.
Then he/she will quickly find on the internet why :-)
I usually try to only document what is specific to the project.
Do you think there is something specific about gosu in that context that should be commented?
glehmann
force-pushed
the
gln/build-env-improvements-lzqx
branch
from
248ec8f to
57683dd
Compare
Signed-off-by: Gaëtan Lehmann <[email protected]>
This way the image is usable by everybody, independantly of its ids. With docker, we modify the builder user in the entrypoint to match the uid:gid of the user launching the container, and then continue with the builder user thanks to gosu. With podman we use the `--userns` option to map the builder user to the user on the system. I haven't found a way with podman to use the same mechanism as in docker, and vis versa. Signed-off-by: Gaëtan Lehmann <[email protected]>
The images are always built, but only pushed to the registry when running on the master branch. Signed-off-by: Gaëtan Lehmann <[email protected]>
for a significantly smaller image size. Before: ghcr.io/xcp-ng/xcp-ng-build-env 8.2 e985e704c252 10 minutes ago 1.03 GB ghcr.io/xcp-ng/xcp-ng-build-env 8.3 b557dcb6d541 11 minutes ago 1.14 GB ghcr.io/xcp-ng/xcp-ng-build-env 9.0 c738df7d5577 11 minutes ago 857 MB After: ghcr.io/xcp-ng/xcp-ng-build-env 8.2 a9a91fa03db8 7 seconds ago 491 MB ghcr.io/xcp-ng/xcp-ng-build-env 8.3 a36b1399ac01 About a minute ago 557 MB ghcr.io/xcp-ng/xcp-ng-build-env 9.0 78011dcbd6f3 11 minutes ago 708 MB Signed-off-by: Gaëtan Lehmann <[email protected]>
glehmann
force-pushed
the
gln/build-env-improvements-lzqx
branch
from
57683dd to
e21ff80
Compare
Based on #35
I had to move the user logic to the image entrypoint to make the images usable by any user even if he/she is not using the usual 1000:1000 ids.
The logic for the repository creation was moved to the Dockerfiles to make the images buildable with the standard github action
docker/build-push-action.Hopefully it will help with the issue with the repository selection in #35.