ci: set up container to build containers within podman #3

Merged
marc merged 3 commits from fix/image-building-ci into main 2024-11-07 02:32:22 +00:00
3 changed files with 77 additions and 10 deletions
Showing only changes of commit f0e5a4f260 - Show all commits

View file

@ -16,12 +16,9 @@ jobs:
webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}} webhook-url: ${{secrets.DISCORD_WEBHOOK_URL}}
status: "Started" status: "Started"
init: true init: true
build-images: build-runner:
needs: [pre-run] needs: [pre-run]
runs-on: imagefactory-latest runs-on: imagefactory-latest
strategy:
matrix:
image-name: ['debian-12.6-slim']
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
@ -33,21 +30,21 @@ jobs:
id: image-metadata id: image-metadata
run: | run: |
echo "image-tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT echo "image-tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "full-image-name=${{ matrix.image-name }}:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT echo "full-image-name=debian-12.6-slim:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Build image - name: Build image
run: python ./build_image.py ${{ steps.image-metadata.outputs.full-image-name }} ./images/${{ matrix.image-name }}/Dockerfile run: python ./build_image.py ${{ steps.image-metadata.outputs.full-image-name }} ./images/debian-12.6-slim/Dockerfile
- name: Tag image as latest - name: Tag image as latest
run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} ${{ matrix.image-name }}:latest run: podman tag ${{ steps.image-metadata.outputs.full-image-name }} debian-12.6-slim:latest
- name: List images - name: List images
run: podman image ls run: podman image ls
- name: Push tagged image to registry - name: Push tagged image to registry
if: ${{ github.event_name == "push" }} if: ${{ github.event_name == 'push' }}
run: | run: |
podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ steps.image-metadata.outputs.full-image-name }} podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ steps.image-metadata.outputs.full-image-name }}
podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/${{ matrix.image-name }}:latest podman push ${{ steps.image-metadata.outputs.full-image-name }} ${{ env.REGISTRY_ENDPOINT }}/forge-runners/debian-12.6-slim:latest
post-run: post-run:
runs-on: imagefactory-latest runs-on: imagefactory-latest
needs: [build-images] needs: [build-runner]
steps: steps:
- uses: https://forge.karnov.club/marc/push-status-to-discord-action@main - uses: https://forge.karnov.club/marc/push-status-to-discord-action@main
if: ${{success()}} if: ${{success()}}

View file

@ -18,11 +18,13 @@ RUN apt update && \
python3 \ python3 \
python3-pip \ python3-pip \
pipx \ pipx \
fuse-overlayfs \
--no-install-recommends \ --no-install-recommends \
--autoremove && \ --autoremove && \
apt-get clean apt-get clean
COPY ./files/registries.conf /etc/containers/registries.conf COPY ./files/registries.conf /etc/containers/registries.conf
COPY ./files/storage.conf /etc/containers/storage.conf
FROM skeleton as runner FROM skeleton as runner

View file

@ -0,0 +1,68 @@
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids. Note multiple UIDs will be
# squashed down to the default uid in the container. These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
#ignore_chown_errors = "false"
# Inodes is used to set a maximum inodes of the container image.
# inodes = ""
# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs"
# mountopt specifies comma separated list of extra mount options
mountopt = "nodev"
# Set to skip a PRIVATE bind mount on the storage home directory.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# skip_mount_home = "false"
# Set to use composefs to mount data layers with overlay.
# This is a "string bool": "false" | "true" (cannot be native TOML boolean)
# use_composefs = "false"
# Size is used to set a maximum size of the container image.
# size = ""
# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
# "": No value specified.
# All files/directories, get set with the permissions identified within the
# image.
# "private": it is equivalent to 0700.
# All files/directories get set with 0700 permissions. The owner has rwx
# access to the files. No other users on the system can access the files.
# This setting could be used with networked based homedirs.
# "shared": it is equivalent to 0755.
# The owner has rwx access to the files and everyone else can read, access
# and execute them. This setting is useful for sharing containers storage
# with other users. For instance have a storage owned by root but shared
# to rootless users as an additional store.
# NOTE: All files within the image are made readable and executable by any
# user on the system. Even /etc/shadow within your image is now readable by
# any user.
#
# OCTAL: Users can experiment with other OCTAL Permissions.
#
# Note: The force_mask Flag is an experimental feature, it could change in the
# future. When "force_mask" is set the original permission mask is stored in
# the "user.containers.override_stat" xattr and the "mount_program" option must
# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
# extended attribute permissions to processes within containers rather than the
# "force_mask" permissions.
#
# force_mask = ""