PR#4: Add Containerfiles & script for periodc builds & rpmdb test - centos-sig-hyperscale/containers-releng

centos-sig-hyperscale / containers-releng

#4 Add Containerfiles & script for periodc builds & rpmdb test

Merged 2 years ago by dcavalca. Opened 2 years ago by oidoming.

centos-sig-hyperscale/ oidoming/containers-releng main into main

Change rpmdb verify

Oscar Dominguez • 2 years ago

54068c5

Add Containerfiles & script for periodc builds & rpmdb test

Oscar Dominguez • 2 years ago

8100183

Containerfile.c8s

file added

+62

		`@@ -0,0 +1,62 @@`
		`+ FROM quay.io/centoshyperscale/centos:stream8`
		`+`
		`+ # Based on https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-buildah-in-a-container`
		`+ # https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md`
		`+ # https://github.com/containers/buildah/blob/main/contrib/buildahimage/stable/Containerfile`
		`+`
		`+ ENV _BUILDAH_STARTED_IN_USERNS=""`
		`+ ENV BUILDAH_ISOLATION=chroot`
		`+ ENV STORAGE_DRIVER=vfs`
		`+ ENV VERSION=8`
		`+ # Date for next build`
		`+ ENV DATE="08:00 next Fri"`
		`+`
		`+ # Add user for rootless build`
		`+ RUN adduser build`
		`+`
		`+ RUN dnf -y update`
		`+ RUN dnf -y install vi buildah`
		`+ RUN dnf -y clean all && \`
		`+ rm -rf /var/cache /var/log/dnf*`
		`+`
		`+ RUN chmod u-s /usr/bin/newuidmap && \`
		`+ chmod u-s /usr/bin/newgidmap`
		`+`
		`+ # Define uid/gid ranges for our user`
		`+ # https://github.com/containers/buildah/issues/3053`
		`+ RUN touch /etc/subgid /etc/subuid && \`
		`+ chmod g=u /etc/subgid /etc/subuid /etc/passwd && \`
		`+ echo build:10000:65536 > /etc/subuid && \`
		`+ echo build:10000:65536 > /etc/subgid`
		`+`
		`+ RUN (echo '[engine]';echo 'cgroup_manager = "cgroupfs"') > /etc/containers/containers.conf`
		`+ RUN chmod 644 /etc/containers/containers.conf`
		`+`
		`+ RUN echo "export BUILDAH_ISOLATION=chroot" >> /home/build/.bashrc`
		`+ RUN mkdir -p /home/build/.local/share/containers`
		`+`
		`+ # Adjust storage.conf to enable VFS since fuse dosen't work on Openshift`
		`+ RUN mkdir -p /home/build/.config/containers && \`
		`+ (echo '[storage]';echo 'driver = "vfs"') > /home/build/.config/containers/storage.conf`
		`+`
		`+ RUN mkdir -p /var/lib/shared/vfs-images \`
		`+ /var/lib/shared/vfs-layers && \`
		`+ touch /var/lib/shared/vfs-images/images.lock && \`
		`+ touch /var/lib/shared/vfs-layers/layers.lock`
		`+`
		`+ COPY make-hyperscale-container.sh /home/build`
		`+ COPY runner.sh /home/build`
		`+ COPY validate/verify_rpmdb.sh /home/build`
		`+ RUN chmod a+x /home/build/make-hyperscale-container.sh`
		`+ RUN chmod a+x /home/build/runner.sh`
		`+ RUN chmod a+x /home/build/verify_rpmdb.sh`
		`+`
		`+ RUN chown build:build -R /home/build`
		`+`
		`+ VOLUME /var/lib/containers`
		`+ VOLUME /home/build/.local/share/containers`
		`+`
		`+ USER build`
		`+ WORKDIR /home/build`
		`+`
		`+ ENTRYPOINT ["./runner.sh"]`

Containerfile.c9s

file added

+62

		`@@ -0,0 +1,62 @@`
		`+ FROM quay.io/centoshyperscale/centos:stream9`
		`+`
		`+ # Based on https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-buildah-in-a-container`
		`+ # https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md`
		`+ # https://github.com/containers/buildah/blob/main/contrib/buildahimage/stable/Containerfile`
		`+`
		`+ ENV _BUILDAH_STARTED_IN_USERNS=""`
		`+ ENV BUILDAH_ISOLATION=chroot`
		`+ ENV STORAGE_DRIVER=vfs`
		`+ ENV VERSION=9`
		`+ # Date for next build`
		`+ ENV DATE="08:00 next Fri"`
		`+`
		`+ # Add user for rootless build`
		`+ RUN adduser build`
		`+`
		`+ RUN dnf -y update`
		`+ RUN dnf -y install vi buildah sqlite`
		`+ RUN dnf -y clean all && \`
		`+ rm -rf /var/cache /var/log/dnf*`
		`+`
		`+ RUN chmod u-s /usr/bin/newuidmap && \`
		`+ chmod u-s /usr/bin/newgidmap`
		`+`
		`+ # Define uid/gid ranges for our user`
		`+ # https://github.com/containers/buildah/issues/3053`
		`+ RUN touch /etc/subgid /etc/subuid && \`
		`+ chmod g=u /etc/subgid /etc/subuid /etc/passwd && \`
		`+ echo build:10000:65536 > /etc/subuid && \`
		`+ echo build:10000:65536 > /etc/subgid`
		`+`
		`+ RUN (echo '[engine]';echo 'cgroup_manager = "cgroupfs"') > /etc/containers/containers.conf`
		`+ RUN chmod 644 /etc/containers/containers.conf`
		`+`
		`+ RUN echo "export BUILDAH_ISOLATION=chroot" >> /home/build/.bashrc`
		`+ RUN mkdir -p /home/build/.local/share/containers`
		`+`
		`+ # Adjust storage.conf to enable VFS since fuse dosen't work on Openshift`
		`+ RUN mkdir -p /home/build/.config/containers && \`
		`+ (echo '[storage]';echo 'driver = "vfs"') > /home/build/.config/containers/storage.conf`
		`+`
		`+ RUN mkdir -p /var/lib/shared/vfs-images \`
		`+ /var/lib/shared/vfs-layers && \`
		`+ touch /var/lib/shared/vfs-images/images.lock && \`
		`+ touch /var/lib/shared/vfs-layers/layers.lock`
		`+`
		`+ COPY make-hyperscale-container.sh /home/build`
		`+ COPY runner.sh /home/build`
		`+ COPY validate/verify_rpmdb.sh /home/build`
		`+ RUN chmod a+x /home/build/make-hyperscale-container.sh`
		`+ RUN chmod a+x /home/build/runner.sh`
		`+ RUN chmod a+x /home/build/verify_rpmdb.sh`
		`+`
		`+ RUN chown build:build -R /home/build`
		`+`
		`+ VOLUME /var/lib/containers`
		`+ VOLUME /home/build/.local/share/containers`
		`+`
		`+ USER build`
		`+ WORKDIR /home/build`
		`+`
		`+ ENTRYPOINT ["./runner.sh"]`

runner.sh

file added

+36

		`@@ -0,0 +1,36 @@`
		`+ #!/bin/sh`
		`+`
		`+ set -eu`
		`+`
		`+ export TZ='America/Los_Angeles'`
		`+`
		`+ # Hyperscale Centos Stream version, default 8`
		`+ VERSION="${VERSION:-8}"`
		`+`
		`+ # Date for next build`
		`+ DATE="${DATE:-'8:00 next Fri'}"`
		`+`
		`+ # Push to quay.io`
		`+ Push () {`
		`+ buildah login -u $USERNAME -p $PASSWORD quay.io`
		`+ buildah tag centos-stream-hyperscale-${VERSION} quay.io/centoshyperscale/centos:stream${VERSION}`
		`+ buildah push quay.io/centoshyperscale/centos:stream${VERSION}`
		`+ buildah logout quay.io`
		`+ }`
		`+`
		`+ # Always run once immediately for easy testing.`
		`+ ./make-hyperscale-container.sh $VERSION`
		`+ ./verify_rpmdb.sh`
		`+ Push`
		`+`
		`+ while true; do`
		`+ TIME=$(($(date -d "$DATE" +%s) - $(date +%s)))`
		`+ echo "Next build at $(date -d "$DATE")"`
		`+ sleep "$TIME"`
		`+ echo "Starting at $(date)"`
		`+ ./make-hyperscale-container.sh $VERSION`
		`+ ./verify_rpmdb.sh`
		`+ Push`
		`+ echo "Done at $(date)"`
		`+ echo`
		`+ done`

validate/verify_rpmdb.sh

file added

+36

		`@@ -0,0 +1,36 @@`
		`+ #!/bin/sh`
		`+`
		`+ set -eux`
		`+`
		`+ # start container for testing`
		`+ ctr=$(buildah from "centos-stream-hyperscale-${VERSION}")`
		`+`
		`+ RPMDB_PATH=$(buildah run $ctr -- rpm -E "%{_dbpath}")`
		`+ RPMDB_BACKEND=$(buildah run $ctr -- rpm -E "%{_db_backend}")`
		`+`
		`+ # Check if the container is using sqlite or bdb backend`
		`+ if [ "${RPMDB_BACKEND}" != "sqlite" ] && [ "${RPMDB_BACKEND}" != "bdb" ]; then`
		`+ echo "script only works with sqlite or bdb rpmdb backend"`
		`+ buildah rm $ctr`
		`+ exit 1`
		`+ fi`
		`+`
		`+ # Simple rpmdb verification`
		`+ # for c9s mount container to avoid install sqlite every time`
		`+ if [ "${RPMDB_BACKEND}" == "sqlite" ]; then`
		`+ mnt=$(buildah unshare -- sh -c "buildah mount $ctr")`
		`+ sqlite3 "$mnt${RPMDB_PATH}"/rpmdb.sqlite "pragma integrity_check;"`
		`+ buildah unshare -- sh -c "buildah unmount $ctr"`
		`+ else`
		`+ buildah run $ctr -- /usr/lib/rpm/rpmdb_verify "${RPMDB_PATH}"/Packages`
		`+ fi`
		`+`
		`+ buildah run $ctr -- rpmdb -vv --verifydb`
		`+`
		`+ # Query all headers in the DB`
		`+ buildah run $ctr -- rpm -qa 1> /dev/null`
		`+`
		`+ # Remove container`
		`+ buildah rm $ctr`
		`+`
		`+ exit 0`

oidoming commented 2 years ago

Added buildah base vfs containerfiles for rootless builds on Openshift (fuse doesn't work, https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md).

Added a runner.sh for periodic builds and pushing (took it from systemd-releng :)), by default it is configured to run a weekly build (configurable).

Also added test_rpmdb.sh to verify the rpmdb and verify that the correct files are available for each backend (ndb, bdb, sqlite).

oidoming commented 2 years ago

I created test_rpmdb.sh because with the current centos 8 stream hyperscale image when update rpm (dnf update -y or dnf update -y rpm) the rpmdb backend is changed to ndb but then this warning appears when using dnf or rpm:

warning: Found BDB Packages database while attempting ndb backend: using bdb backend.

It doesn't find the Packages.db and the bdb files still available

I tried to rebuild the rpmdb but it fails:

error: failed to replace old database with new database!
error: replace files in /var/lib/rpm with files from /var/lib/rpmrebuilddb.8 to recover

I replaced the files manually and the warning goes away (also if I rebuild the image inside the containers the warning goes away).

The test_rpmdb.sh basically replace the rpmdb files if needed and verify the rpmdb.

I didn’t add this test file to the periodic builds yet because when I fix the rpmdb ndb warning and run rpmdb -vv –verifydb it returns a 2 status code and this output:

ufdio:       1 reads,    17154 total bytes in 0.000007 secs
D: opening  db index       /var/lib/rpm/Packages.db mode=0x0
D: opening  db index       /var/lib/rpm/Index.db mode=0x0
D: opening  db index       Name tag=1000
D: opening  db index       Basenames tag=1117
D: opening  db index       Group tag=1016
D: opening  db index       Requirename tag=1049
D: opening  db index       Providename tag=1047
D: opening  db index       Conflictname tag=1054
D: opening  db index       Obsoletename tag=1090
D: opening  db index       Triggername tag=1066
D: opening  db index       Dirnames tag=1118
D: opening  db index       Installtid tag=1128
D: opening  db index       Sigmd5 tag=261
D: opening  db index       Sha1header tag=269
D: opening  db index       Filetriggername tag=5069
D: opening  db index       Transfiletriggername tag=5079
D: opening  db index       Recommendname tag=5046
D: opening  db index       Suggestname tag=5049
D: opening  db index       Supplementname tag=5052
D: opening  db index       Enhancename tag=5055
D: closed   db index       Enhancename
D: closed   db index       Supplementname
D: closed   db index       Suggestname
D: closed   db index       Recommendname
D: closed   db index       Transfiletriggername
D: closed   db index       Filetriggername
D: closed   db index       Sha1header
D: closed   db index       Sigmd5
D: closed   db index       Installtid
D: closed   db index       Dirnames
D: closed   db index       Triggername
D: closed   db index       Obsoletename
D: closed   db index       Conflictname
D: closed   db index       Providename
D: closed   db index       Requirename
D: closed   db index       Group
D: closed   db index       Basenames
D: closed   db index       Name

Apparently, it doesn’t close the /var/lib/rpm/Packages.db and /var/lib/rpm/Index.db files but everting seems to work correctly (when installing packages, rpm queries, etc.), so I don’t know what’s going on here.

Edited 2 years ago by oidoming

chantra commented 2 years ago

warning: Found BDB Packages database while attempting ndb backend: using bdb backend.

You can ignore the warning. This is because of https://git.centos.org/rpms/rpm/c/e62c0500274012ca77817a24814de38944c8abd4?branch=c8s-sig-hyperscale-experimental which makes ndb default, but I am reverting it in https://git.centos.org/rpms/rpm/c/b6080710d76af755c4f05ffe26f22b28520790da?branch=c8s-sig-hyperscale-experimental

I think if you want to test individual DBs, you may need to use --root with RPM, --installroot with dnf.

1 new commit added

Change rpmdb verify

2 years ago

oidoming commented 2 years ago

Modified the test/verify rpmdb script and added it to the containers.

Btw, to run rootless buildah builds it's needed to have the anyid Openshift SCC to avoid uid issues (as mentioned here) but I don’t have the permissions to give that SSC to a service account,
@dcavalca do you have permission? you can try by running this command, it will add the anyuid scc to the buildah-sa service account (I created this account for testing):

oc adm policy add-scc-to-user anyuid -z buildah-sa

Another option is to use custom build strategy to run a build in a privileged container but also requires special permissions.

dcavalca commented 2 years ago

That fails for me as well so I've filed https://pagure.io/centos-infra/issue/840 for Infra to take a look.

dcavalca commented 2 years ago

@oidoming can you retry now? Infra has run that command on our behalf so we should be good to go here.

oidoming commented 2 years ago

I tried again but still fails, I leave a comment in the infra issue with more info, thanks

dcavalca commented 2 years ago

@oidoming can you try again? It looks like we should have the right permissions now.

1 new commit added

change quay.io login

2 years ago

1 new commit added

fix buildah login

2 years ago

2 new commits added

Change rpmdb verify
Add Containerfiles & script for periodc builds & rpmdb test

2 years ago

oidoming commented 2 years ago

Problem solved, now is running in openshift and working, made new image builds https://quay.io/repository/centoshyperscale/centos?tab=tags

Pull-Request has been merged by dcavalca

2 years ago

Metadata

Assignee

None

Tags

No Tags

Changes Summary 4

file added

file added

file added

file added

validate/verify_rpmdb.sh

centos-sig-hyperscale / containers-releng

Source Code

#4 Add Containerfiles & script for periodc builds & rpmdb test Merged 2 years ago by dcavalca. Opened 2 years ago by oidoming. centos-sig-hyperscale/ oidoming/containers-releng main into main

Metadata

Changes Summary 4

#4 Add Containerfiles & script for periodc builds & rpmdb test

Merged 2 years ago by dcavalca. Opened 2 years ago by oidoming.

centos-sig-hyperscale/ oidoming/containers-releng main into main