Within a container, caps need to be set on /usr/bin/new{uid,gid}map
which reflect the (inner) podman user's root namespaced ID of 10000.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
Recently, I believe an update or packaging problem has been causing
podman to throw errors like:
```
level=error msg="running `/usr/bin/newuidmap ...`: newuidmap: open of
uid_map failed: Permission denied\n"
```
This seems to have something to do with the shadow-utils package, which
owns this binary. I've examined the file attributes and permissions
along with /etc/sub{uid,gid} contents. The only thing that seems to
resolve the issue is reinstalling shadow-utils. Attempt that fix here
and hope it clears up the problem (present in v2.0.0)
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
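A check for the two prerequisites the commits above touch, file capabilities on /usr/bin/new{uid,gid}map and the user's /etc/sub{uid,gid} entries, written as an added example for this page rather than code from pipglr or its author. It assumes the podman user is named `podman` (override with PODMAN_USER) and that the distribution grants the binaries file capabilities, as shadow-utils does on Fedora; a distribution that ships them setuid-root instead needs a mode check, not this one. The getcap lines and sub-id entries used below are constructed.

```shell
#!/bin/sh
# Added diagnostic for the two commits above; not pipglr's own code.
# Rootless podman needs newuidmap/newgidmap to carry cap_setuid/cap_setgid
# as file capabilities and needs a sub-uid/sub-gid range for the user.
# A reinstall of the owning package (shadow-utils) restores a lost file
# capability, which is why these two are the first things to verify when
# "open of uid_map failed: Permission denied" appears after an update.
# The checks are string functions so they run on constructed input too.

# has_cap GETCAP_LINE CAPNAME
# Accepts both getcap output styles:
#   "/usr/bin/newuidmap = cap_setuid+ep"   (libcap before 2.41)
#   "/usr/bin/newuidmap cap_setuid=ep"     (libcap 2.41 and later)
# Returns 0 only when CAPNAME is in a clause whose flags contain both
# e (effective) and p (permitted); "+p" alone or "+i" does not help.
has_cap() {
    cap=$2
    # Drop the path and the optional " = " separator, keeping the cap text.
    set_part=$(printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//')
    for clause in $set_part; do             # clauses are space separated
        names=${clause%%[+=]*}              # e.g. "cap_setgid,cap_setuid"
        flags=${clause#"$names"}            # e.g. "+ep"
        flags=${flags#?}                    # e.g. "ep"
        case ",$names," in
            *",$cap,"*)
                case $flags in
                    *e*p*|*p*e*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# subid_range SUBID_CONTENT USER
# Prints "start:count" for USER's first entry in /etc/subuid-style text
# (entries may also be keyed by numeric uid); returns 1 when there is none.
subid_range() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u { print $2 ":" $3; found = 1; exit }
        END { exit !found }'
}

# newxidmap_ready GETCAP_UID_LINE GETCAP_GID_LINE SUBUID SUBGID USER
# 0 when both capabilities and both sub-id ranges are present for USER.
newxidmap_ready() {
    has_cap "$1" cap_setuid && has_cap "$2" cap_setgid \
        && subid_range "$3" "$5" >/dev/null \
        && subid_range "$4" "$5" >/dev/null
}

# Live check, skipped where getcap or /etc/subuid is absent (e.g. unit tests).
if command -v getcap >/dev/null 2>&1 && [ -r /etc/subuid ]; then
    if newxidmap_ready "$(getcap /usr/bin/newuidmap 2>/dev/null)" \
                       "$(getcap /usr/bin/newgidmap 2>/dev/null)" \
                       "$(cat /etc/subuid)" "$(cat /etc/subgid 2>/dev/null)" \
                       "${PODMAN_USER:-podman}"; then
        echo "newuidmap/newgidmap capabilities and sub-id ranges are in place"
    else
        echo "missing file capability or sub-id range for ${PODMAN_USER:-podman}" >&2
    fi
fi
```

The Containerfile step this check expects is `setcap cap_setuid+ep /usr/bin/newuidmap` and `setcap cap_setgid+ep /usr/bin/newgidmap`; run the script inside the built image, since file capabilities do not always survive every image build or copy path.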
* Add note about volume-mounts being cumulative with base-image
* Fix register & run labels to use (correct) base image's
`/home/podman/.local/share/containers/` instead of defining
a new (wrong/useless) `storage` volume.
* Fix register & run labels to mask over `/var/lib/containers`
with a read-only tmpfs to block any nested rootful use of
podman as a security precaution.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
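An added example (not the project's own labels) of the two mount choices in the commit above, plus a check that the mask is actually in effect: the named-volume and read-only tmpfs arguments for `podman run`, and a parser for /proc/self/mountinfo that confirms /var/lib/containers is a read-only tmpfs inside the running container. The volume name `pipglr-storage` and the exact `--mount` spelling are assumptions; the mountinfo lines in the sample are constructed.

```shell
#!/bin/sh
# Added example for the commit above; not pipglr's own code.

# nested_storage_mounts VOLUME_NAME
# Prints the two mount arguments, one per line. Rootless storage of the
# base image's "podman" user lives on a named volume so layers survive
# between jobs, while rootful storage (/var/lib/containers) is covered by
# an empty read-only tmpfs so nested rootful podman has nowhere to write.
# The "--mount" key names are podman's; the volume name is assumed.
nested_storage_mounts() {
    printf '%s\n' \
        "--volume=$1:/home/podman/.local/share/containers" \
        "--mount=type=tmpfs,destination=/var/lib/containers,ro"
}

# mount_is_ro_tmpfs MOUNTINFO_CONTENT PATH
# Parses /proc/self/mountinfo-format text, returns 0 when the mount that
# is visible at PATH (the last matching line wins) is a tmpfs whose
# per-mount options start with "ro". Field layout, per proc(5):
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional...] - FSTYPE SOURCE SUPEROPTS
mount_is_ro_tmpfs() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $5 == p {
            fstype = ""
            # the filesystem type is the field right after the "-" separator
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            ro = ($6 == "ro" || $6 ~ /^ro,/)
            ok = (fstype == "tmpfs" && ro)
        }
        END { exit !ok }'
}

# Constructed sample: an earlier overlay mount on /var/lib/containers that
# is shadowed by the read-only tmpfs, a writable volume, and a rw tmpfs.
SAMPLE_MOUNTINFO='22 20 0:20 / /var/lib/containers rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
23 20 0:21 / /var/lib/containers ro,nosuid,nodev,relatime - tmpfs tmpfs rw,size=65536k
24 20 0:22 / /home/podman/.local/share/containers rw,relatime - ext4 /dev/vda1 rw
25 20 0:23 / /tmp rw,nosuid - tmpfs tmpfs rw'

# Live check for use as a startup assertion inside the runner container;
# skipped where /proc is not available.
if [ -r /proc/self/mountinfo ]; then
    if mount_is_ro_tmpfs "$(cat /proc/self/mountinfo)" /var/lib/containers; then
        echo "/var/lib/containers is masked by a read-only tmpfs"
    else
        echo "WARNING: /var/lib/containers is not a read-only tmpfs" >&2
    fi
fi
```

Running the live check as the first step of the "run" entrypoint turns the security precaution into something the container verifies about itself rather than something that silently depends on whoever typed the `podman run` line.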
This reverts commit 4c1af406f7. For
whatever reason, trying to build this using the community runners always
results in an out-of-diskspace error.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
This vastly improves build performance at the cost of some extra
registry server storage (which there is plenty of). Note: The cache
TTL needs to be coordinated with the registry server's tag-cleanup
policy.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
The podman base-image is intended to support running nested-podman both
root and rootless. Since pipglr only ever runs rootless, eliminate the
nested usernamespace mapping needed to support nested-root usage.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
They were preventing builds on main and on tags. Rather than try and
debug them, just kill them as they're mostly unnecessary for this repo.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
Observations show the runtime is about the same (since performance is mostly
storage-io bound). However, buildah images are more compact and there
are simpler possibilities for build-caching available for future use.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
The function was defined but never called, resulting in immediate exit
of the maintenance script. Fix this, also add a configuration build-arg and
ENV to control the cleaning interval.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
This CI environment is using a busybox `sh` so doesn't support all the
advanced features of bash. Reimplement IMAGE_TAG processing so it
functions as intended.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
It's often hard to debug/maintain/improve a job when you can't observe
any of the (many!) auto-generated CI env. vars. Print them all out on
every job.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
For whatever reason, line-breaks must be used regardless of
string-block marker `|` or `>-`. Fix this.
Also, support a fork/pull/MR model allowing contributors to run
pipelines on their fork w/ push to their registry. In this case, images
should be tagged by MR number to be helpful.
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
Prevent any possibility of confusion for tags (prefixed with a `v`) vs MR tags
(previously no prefix).
Signed-off-by: Chris Evich <chris_gitlab@icuc.me>
When given the "run" argument, in addition to launching `podman system
service` in the background, also start a small periodic maintenance
script. Its only job is to clean up stale images, containers, and
volumes from old jobs. Currently hard-coded to trigger every 2 days,
this could be tweaked via build-args or env. var.
Signed-off-by: Chris Evich <cevich@redhat.com>
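An added example of the periodic maintenance helper described in this commit and in the later one that fixed it being defined but never called, with the cleaning interval taken from an environment variable as that fix describes. This is illustrative code written for this page, not pipglr's script; the variable names CLEAN_INTERVAL and PRUNE_CMD and the interval syntax are assumptions.

```shell
#!/bin/sh
# Added example for the two maintenance commits; not pipglr's own code.
# Runs next to `podman system service` and prunes what finished jobs leave
# behind every CLEAN_INTERVAL (default 2d, settable via build-arg/ENV).

# interval_seconds SPEC
# Converts "2d", "12h", "30m", "90s" or a bare number of seconds into
# seconds. Anything else is rejected (returns 1, prints nothing) so a typo
# in the ENV cannot silently become "sleep 0" and a prune every few ms.
interval_seconds() {
    spec=$1
    case $spec in
        ''|*[!0-9dhms]*) return 1 ;;
    esac
    num=${spec%[dhms]}          # strip one trailing unit letter, if any
    unit=${spec#"$num"}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    case $unit in
        d)    echo $((num * 86400)) ;;
        h)    echo $((num * 3600)) ;;
        m)    echo $((num * 60)) ;;
        s|'') echo "$num" ;;
        *)    return 1 ;;
    esac
}

# prune_once
# One maintenance pass. PRUNE_CMD is overridable so the loop can be tested
# without a podman binary; the default removes stopped containers, unused
# images and unused volumes, which is what old jobs leave behind.
prune_once() {
    ${PRUNE_CMD:-podman system prune --all --force --volumes}
}

# maintenance_loop [MAX_PASSES]
# Sleeps CLEAN_INTERVAL between passes; MAX_PASSES (default 0 = forever)
# bounds the loop for tests. Returns 1 on an invalid interval rather than
# looping tightly, and keeps going when a single prune fails.
maintenance_loop() {
    max=${1:-0}; n=0
    secs=$(interval_seconds "${CLEAN_INTERVAL:-2d}") || {
        echo "invalid CLEAN_INTERVAL: '${CLEAN_INTERVAL}'" >&2; return 1; }
    while [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; do
        sleep "$secs"
        prune_once || echo "prune failed, retrying after next interval" >&2
        n=$((n + 1))
    done
}

# The defined-but-never-called bug: starting the loop is not optional.
# It is backgrounded here only when the script is run with "run", so the
# file can also be sourced for its functions.
case ${1:-} in
    run) maintenance_loop & ;;
esac
```

Under `set -e` a bare `prune_once` that fails would kill the loop, which is why the pass is wrapped in `|| echo`; a runner that stops pruning after one transient failure fills its storage just as surely as one that never pruned.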
For tag-pipelines, tag image with the repo. tag
For MR's, tag the image with the MR number
For Branches, use the branch name except for `main` use `latest`.
Signed-off-by: Chris Evich <cevich@redhat.com>
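An added example pulling together the IMAGE_TAG rules from the commits above (tag pipelines use the repo tag, MRs use the MR number with a distinguishing prefix, branches use the branch name with `main` mapped to `latest`) and the constraint that the runner's `sh` is busybox, so no bash-only features. It is written for this page, not taken from pipglr's CI config. The GitLab variables CI_COMMIT_TAG, CI_MERGE_REQUEST_IID, CI_COMMIT_BRANCH and CI_DEFAULT_BRANCH are real; the `mr-` prefix and the tag sanitising step (branch names such as `feature/x` are not valid image tags) are this example's own choices.

```shell
#!/bin/sh
# Added example for the IMAGE_TAG commits above; not pipglr's own script.
# Busybox sh compatible: no arrays, no ${var//x/y}, no [[ ]].

MR_TAG_PREFIX=${MR_TAG_PREFIX:-mr-}   # assumed prefix, keeps MR tags apart from vX.Y tags

# sanitize_tag NAME
# Added check: an OCI tag is [A-Za-z0-9_][A-Za-z0-9_.-]* of at most 128
# characters. Map every other character to "-" and prepend "_" when the
# result would start with "." or "-".
sanitize_tag() {
    t=$(printf '%s' "$1" | tr -c 'A-Za-z0-9_.-' '-' | cut -c1-128)
    case $t in
        [.-]*) t="_$t" ;;
    esac
    printf '%s\n' "$t"
}

# image_tag COMMIT_TAG MR_IID BRANCH DEFAULT_BRANCH
# Precedence: tag pipeline, then merge request, then branch. Prints the tag,
# or returns 1 when none of the three is set (e.g. a detached pipeline) so
# the job fails here instead of pushing to an empty tag.
image_tag() {
    if [ -n "$1" ]; then
        sanitize_tag "$1"
    elif [ -n "$2" ]; then
        sanitize_tag "${MR_TAG_PREFIX}$2"
    elif [ -n "$3" ]; then
        if [ "$3" = "${4:-main}" ]; then
            echo latest
        else
            sanitize_tag "$3"
        fi
    else
        echo "cannot derive IMAGE_TAG: no tag, MR or branch in the environment" >&2
        return 1
    fi
}

# In a GitLab job (detected by CI_PROJECT_PATH), export the result for the
# build and push steps that follow; outside CI the functions are just defined.
if [ -n "${CI_PROJECT_PATH:-}" ]; then
    IMAGE_TAG=$(image_tag "${CI_COMMIT_TAG:-}" "${CI_MERGE_REQUEST_IID:-}" \
                          "${CI_COMMIT_BRANCH:-}" "${CI_DEFAULT_BRANCH:-main}") || exit 1
    export IMAGE_TAG
    echo "IMAGE_TAG=$IMAGE_TAG"
fi
```

Passing the variables as positional arguments rather than reading them inside the function keeps the rules testable outside of GitLab, and comparing against CI_DEFAULT_BRANCH generalises the `main` rule in the commit to forks whose default branch is named differently.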