Support externally maintained DNF cache

Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
Chris Evich
2022-11-18 21:50:34 -05:00
parent b4dd3c667c
commit 0e51bfdf8e
2 changed files with 30 additions and 18 deletions


@@ -37,16 +37,20 @@ ARG EXCLUDE_PACKAGES="\
# Base-image runs as user 'podman', temporarily switch to root # Base-image runs as user 'podman', temporarily switch to root
# for installation/setup. # for installation/setup.
USER root USER root
# Not a real build-arg. Avoiding addition of an env. layer # Helper for comparison in future RUN operations (DO NOT USE)
# only to help prevent some extra typing. ARG _DNFCMD="dnf --setopt=tsflags=nodocs -y"
ARG dnfcmd="dnf --setopt=tsflags=nodocs -y" # Set this instead, if (for example) you want to volume-mount in /var/cache/dnf
ARG DNFCMD="${_DNFCMD}"
# Avoid installing any documentation to keep image small
# During install, excluding packages is meaningless if already installed # During install, excluding packages is meaningless if already installed
RUN set -x && \ RUN set -x && \
rm -f /etc/dnf/protected.d/sudo.conf && \ rm -f /etc/dnf/protected.d/sudo.conf && \
rm -f /etc/dnf/protected.d/yum.conf && \ rm -f /etc/dnf/protected.d/yum.conf && \
$dnfcmd remove ${EXCLUDE_PACKAGES} && \ $DNFCMD remove ${EXCLUDE_PACKAGES} && \
dnf clean all && \ if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then
rm -rf /var/cache/dnf dnf clean all && \
rm -rf /var/cache/dnf; \
fi
# Enable callers to customize the runner version as needed, otherwise # Enable callers to customize the runner version as needed, otherwise
# assume this image will be version-tagged, so it's fine to grab the latest. # assume this image will be version-tagged, so it's fine to grab the latest.
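Review bot: the cleanup guard `if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then` uses `[[`, a bash extension, but `RUN` lines are executed by `/bin/sh -c` unless the Containerfile declares a `SHELL`; either write it as `if [ "${DNFCMD}" = "${_DNFCMD}" ]; then` or add `SHELL ["/bin/bash", "-c"]` so the build does not fail on a base image where `sh` is not bash. Separately, keying the skip on string equality means any override of `DNFCMD`, not only the `keepcache=true` one the README describes, silently leaves `/var/cache/dnf` in the image layer; a dedicated build-arg (for example a boolean `KEEP_DNF_CACHE`, name suggested here) would make the intent explicit and keep the default cleanup for unrelated `dnf` option changes.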
@@ -56,11 +60,13 @@ ARG TARGETARCH="amd64"
ENV RUNNER_RPM_URL=https://gitlab-runner-downloads.s3.amazonaws.com/${RUNNER_VERSION}/rpm/gitlab-runner_${TARGETARCH}.rpm ENV RUNNER_RPM_URL=https://gitlab-runner-downloads.s3.amazonaws.com/${RUNNER_VERSION}/rpm/gitlab-runner_${TARGETARCH}.rpm
RUN for rpm in ${EXCLUDE_PACKAGES}; do x+="--exclude=$rpm "; done && \ RUN for rpm in ${EXCLUDE_PACKAGES}; do x+="--exclude=$rpm "; done && \
set -x && \ set -x && \
$dnfcmd update && \ $DNFCMD update && \
$dnfcmd install $x $RUNNER_RPM_URL && \ $DNFCMD install $x $RUNNER_RPM_URL && \
$dnfcmd upgrade && \ $DNFCMD upgrade && \
dnf clean all && \ if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then
rm -rf /var/cache/dnf dnf clean all && \
rm -rf /var/cache/dnf; \
fi
# In case of a runner escape, prevent easy installation of packages. # In case of a runner escape, prevent easy installation of packages.
RUN rm -f /etc/dnf/protected.d/* && \ RUN rm -f /etc/dnf/protected.d/* && \


@@ -64,18 +64,19 @@ $ eval $(podman inspect --format=json $IMAGE | jq -r .[].Labels.run)
This image may be built simply with: This image may be built simply with:
`podman build -t runner .` `podman build -t registry.gitlab.com/qontainers/pipglr:latest .`
This will utilize the latest stable version of podman and the latest This will utilize the latest stable version of podman and the latest
stable version of the gitlab runner. stable version of the gitlab runner.
### Multi-arch ### Notes
Assuming the host supports foreign-architecture emulation. The * If you wish to use the `testing` or `upstream` flavors of the podman base image,
`Containerfile` may be used to produce a multi-arch manifest-list. simply build with `--build-arg FLAVOR=testing` (or `upstream`).
For example:
`podman build --jobs 4 --platform linux/s390x,linux/ppc64le,linux/amd64 --manifest runner .` * Additionally or alternatively, you may specify a specific podman base image tag
with `--build-arg BASE_TAG=<value>`. Where `<value>` is either `latest`, the
podman image version (e.g. `v4`, `v4.2`, `v4.2.0`, etc.)
### Build-args ### Build-args
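Review bot: dropping the `### Multi-arch` section removes the only documented `--platform ... --manifest` invocation, yet the `TARGETARCH` build-arg description later in this file still says the value is set automatically "If using the `--platform` build argument"; either keep the multi-arch example under the new `### Notes` heading or reword the `TARGETARCH` entry so it does not point at an example that no longer exists. Minor: in the `BASE_TAG` bullet, "Where `<value>` is either `latest`, the podman image version (e.g. ...)" is missing an "or" and a terminating period, and since `BASE_TAG` is already described under Build-args, this note could simply refer there instead of documenting the argument twice.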
@@ -90,13 +91,18 @@ Several build arguments are available to control the output image:
and `vX.Y.Z` (where, `X`, `Y`, and `Z` represent the podman semantic and `vX.Y.Z` (where, `X`, `Y`, and `Z` represent the podman semantic
version numbers). It's also possible to specify an image SHA. version numbers). It's also possible to specify an image SHA.
* `EXCLUDE_PACKAGES` - A space-separated list of RPM packages to prevent * `EXCLUDE_PACKAGES` - A space-separated list of RPM packages to prevent
their existance in the final image. This is intended as a security measure their existence in the final image. This is intended as a security measure
to limit the attack-surface should a gitlab-runner process escape it's to limit the attack-surface should a gitlab-runner process escape it's
inner-container. inner-container.
* `RUNNER_VERSION` - Allows specifying an exact gitlab runner version. * `RUNNER_VERSION` - Allows specifying an exact gitlab runner version.
By default the `latest` is used, assuming the user is building a tagged By default the `latest` is used, assuming the user is building a tagged
image anyway. Valid versions may be found on the [runner image anyway. Valid versions may be found on the [runner
release page](https://gitlab.com/gitlab-org/gitlab-runner/-/releases). release page](https://gitlab.com/gitlab-org/gitlab-runner/-/releases).
* `DNFCMD` - By default this is set to `dnf --setopt=tsflags=nodocs -y`.
However, if you'd like to volume-mount in `/var/cache/dnf` then you'll
need to use
`--build-arg DNFCMD="dnf --setopt=tsflags=nodocs -y --setopt keepcache=true`"
Note: Changing `DNFCMD` will cause build-time cache cleanup to be disabled.
* `TARGETARCH` - Supports inclusion of non-x86_64 gitlab runners. This * `TARGETARCH` - Supports inclusion of non-x86_64 gitlab runners. This
value is assumed to match the image's architecture. If using the value is assumed to match the image's architecture. If using the
`--platform` build argument, it will be set automatically. `--platform` build argument, it will be set automatically.
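Review bot: the `DNFCMD` example has its closing delimiters swapped: it ends with a backtick followed by the closing double quote, so the rendered code span swallows the `"` and a reader pasting the command gets an unterminated string; the quote belongs inside the code span, immediately after `keepcache=true`. For consistency with the rest of the command, `--setopt=keepcache=true` would also match the `--setopt=tsflags=nodocs` form already in use. The bullet tells the user to "volume-mount in `/var/cache/dnf`" without showing how, so an example such as `podman build -v <host-cache-dir>:/var/cache/dnf --build-arg DNFCMD="..." .` would help, together with a warning that overriding `DNFCMD` without a mount leaves the downloaded RPMs in the image layer (the "cache cleanup ... disabled" note only hints at this). Unrelated but in the touched context: "should a gitlab-runner process escape it's inner-container" should read "its".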