diff --git a/Containerfile b/Containerfile
index 978c651..310ffc3 100644
--- a/Containerfile
+++ b/Containerfile
@@ -37,16 +37,20 @@ ARG EXCLUDE_PACKAGES="\
 # Base-image runs as user 'podman', temporarily switch to root
 # for installation/setup.
 USER root
-# Not a real build-arg. Avoiding addition of an env. layer
-# only to help prevent some extra typing.
-ARG dnfcmd="dnf --setopt=tsflags=nodocs -y"
+# Helper for comparison in future RUN operations (DO NOT USE)
+ARG _DNFCMD="dnf --setopt=tsflags=nodocs -y"
+# Set this instead, if (for example) you want to volume-mount in /var/cache/dnf
+ARG DNFCMD="${_DNFCMD}"
+# Avoid installing any documentation to keep image small
 # During install, excluding packages is meaningless if already installed
 RUN set -x && \
 rm -f /etc/dnf/protected.d/sudo.conf && \
 rm -f /etc/dnf/protected.d/yum.conf && \
- $dnfcmd remove ${EXCLUDE_PACKAGES} && \
- dnf clean all && \
- rm -rf /var/cache/dnf
+ $DNFCMD remove ${EXCLUDE_PACKAGES} && \
+ if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then
+ dnf clean all && \
+ rm -rf /var/cache/dnf; \
+ fi
 
 # Enable callers to customize the runner version as needed, otherwise
 # assume this image will be version-tagged, so it's fine to grab the latest.
@@ -56,11 +60,13 @@ ARG TARGETARCH="amd64"
 ENV RUNNER_RPM_URL=https://gitlab-runner-downloads.s3.amazonaws.com/${RUNNER_VERSION}/rpm/gitlab-runner_${TARGETARCH}.rpm
 RUN for rpm in ${EXCLUDE_PACKAGES}; do x+="--exclude=$rpm "; done && \
 set -x && \
- $dnfcmd update && \
- $dnfcmd install $x $RUNNER_RPM_URL && \
- $dnfcmd upgrade && \
- dnf clean all && \
- rm -rf /var/cache/dnf
+ $DNFCMD update && \
+ $DNFCMD install $x $RUNNER_RPM_URL && \
+ $DNFCMD upgrade && \
+ if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then
+ dnf clean all && \
+ rm -rf /var/cache/dnf; \
+ fi
 
 # In case of a runner escape, prevent easy installation of packages.
 RUN rm -f /etc/dnf/protected.d/* && \
diff --git a/README.md b/README.md
index 3706045..c759b5a 100644
--- a/README.md
+++ b/README.md
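Review bot: The new `if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then` guard in the first hunk (and the identical one in the `@@ -56,11 +60,13 @@` hunk) uses bash-only `[[` inside a shell-form `RUN`, which is executed through `/bin/sh -c`, so it only works for as long as the base image's `/bin/sh` happens to be bash; `if [ "${DNFCMD}" = "${_DNFCMD}" ]; then` is equivalent and shell-neutral. Gating the cleanup on string equality with `_DNFCMD` is also fragile: any cosmetic difference (an extra space, a reordered option) silently skips `dnf clean all` and `rm -rf /var/cache/dnf`, so a build that overrides `DNFCMD` without actually mounting `/var/cache/dnf` ships the downloaded RPMs and repository metadata inside the image layer, which is the opposite of what the surrounding `EXCLUDE_PACKAGES` hardening is trying to achieve. A dedicated opt-in build-arg (a constructed example: `ARG DNF_KEEPCACHE=""` checked with `if [ -z "${DNF_KEEPCACHE}" ]; then`) would make the intent explicit, keep cleanup on by default, and remove the need for the `_DNFCMD` "DO NOT USE" helper entirely. Minor: the added `# Avoid installing any documentation to keep image small` comment sits below the `ARG` lines that actually carry `--setopt=tsflags=nodocs`, so it reads as describing the `RUN` that follows; moving it above `ARG _DNFCMD` would put it next to the flag it explains.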
@@ -64,18 +64,19 @@ $ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.run) This image may be built simply with: -`podman build -t runner .` +`podman build -t registry.gitlab.com/qontainers/pipglr:latest .` This will utilize the latest stable version of podman and the latest stable version of the gitlab runner. -### Multi-arch +### Notes -Assuming the host supports foreign-architecture emulation. The -`Containerfile` may be used to produce a multi-arch manifest-list. -For example: +* If you wish to use the `testing` or `upstream` flavors of the podman base image, + simply build with `--build-arg FLAVOR=testing` (or `upstream`). -`podman build --jobs 4 --platform linux/s390x,linux/ppc64le,linux/amd64 --manifest runner .` +* Additionally or alternatively, you may specify a specific podman base image tag + with `--build-arg BASE_TAG=`. Where `` is either `latest`, the + podman image version (e.g. `v4`, `v4.2`, `v4.2.0`, etc.) ### Build-args 
@@ -90,13 +91,18 @@ Several build arguments are available to control the output image: and `vX.Y.Z` (where, `X`, `Y`, and `Z` represent the podman semantic version numbers). It's also possible to specify an image SHA. * `EXCLUDE_PACKAGES` - A space-separated list of RPM packages to prevent - their existance in the final image. This is intended as a security measure + their existence in the final image. This is intended as a security measure to limit the attack-surface should a gitlab-runner process escape it's inner-container. * `RUNNER_VERSION` - Allows specifying an exact gitlab runner version. By default the `latest` is used, assuming the user is building a tagged image anyway. Valid versions may be found on the [runner release page](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). +* `DNFCMD` - By default this is set to `dnf --setopt=tsflags=nodocs -y`. + However, if you'd like to volume-mount in `/var/cache/dnf` then you'll + need to use + `--build-arg DNFCMD="dnf --setopt=tsflags=nodocs -y --setopt keepcache=true`" + Note: Changing `DNFCMD` will cause build-time cache cleanup to be disabled. * `TARGETARCH` - Supports inclusion of non-x86_64 gitlab runners. This value is assumed to match the image's architecture. If using the `--platform` build argument, it will be set automatically.