#4 Add Containerfiles & script for periodc builds & rpmdb test
Merged 2 years ago by dcavalca. Opened 2 years ago by oidoming.
centos-sig-hyperscale/ oidoming/containers-releng main  into  main

file added
+62
@@ -0,0 +1,62 @@ 

+ FROM quay.io/centoshyperscale/centos:stream8

+ 

+ # Based on https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-buildah-in-a-container

+ # https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md

+ # https://github.com/containers/buildah/blob/main/contrib/buildahimage/stable/Containerfile

+ 

+ ENV _BUILDAH_STARTED_IN_USERNS=""

+ ENV BUILDAH_ISOLATION=chroot

+ ENV STORAGE_DRIVER=vfs

+ ENV VERSION=8

+ # Date for next build

+ ENV DATE="08:00 next Fri"

+ 

+ # Add user for rootless build

+ RUN adduser build

+ 

+ RUN dnf -y update

+ RUN dnf -y install vi buildah

+ RUN dnf -y clean all && \

+     rm -rf /var/cache /var/log/dnf*

+ 

+ RUN chmod u-s /usr/bin/newuidmap && \

+     chmod u-s /usr/bin/newgidmap

+ 

+ # Define uid/gid ranges for our user

+ # https://github.com/containers/buildah/issues/3053

+ RUN touch /etc/subgid /etc/subuid && \

+     chmod g=u /etc/subgid /etc/subuid /etc/passwd && \

+     echo build:10000:65536 > /etc/subuid && \

+     echo build:10000:65536 > /etc/subgid

+ 

+ RUN (echo '[engine]';echo 'cgroup_manager = "cgroupfs"') > /etc/containers/containers.conf

+ RUN chmod 644 /etc/containers/containers.conf

+ 

+ RUN echo "export BUILDAH_ISOLATION=chroot" >> /home/build/.bashrc

+ RUN mkdir -p /home/build/.local/share/containers

+ 

+ # Adjust storage.conf to enable VFS since fuse dosen't work on Openshift

+ RUN mkdir -p /home/build/.config/containers && \

+     (echo '[storage]';echo 'driver = "vfs"') > /home/build/.config/containers/storage.conf

+ 

+ RUN mkdir -p /var/lib/shared/vfs-images \

+              /var/lib/shared/vfs-layers && \

+     touch /var/lib/shared/vfs-images/images.lock && \

+     touch /var/lib/shared/vfs-layers/layers.lock

+ 

+ COPY make-hyperscale-container.sh /home/build

+ COPY runner.sh /home/build

+ COPY validate/verify_rpmdb.sh /home/build

+ RUN chmod a+x /home/build/make-hyperscale-container.sh

+ RUN chmod a+x /home/build/runner.sh

+ RUN chmod a+x /home/build/verify_rpmdb.sh

+ 

+ RUN chown build:build -R /home/build

+ 

+ VOLUME /var/lib/containers

+ VOLUME /home/build/.local/share/containers

+ 

+ USER build

+ WORKDIR /home/build

+ 

+ ENTRYPOINT ["./runner.sh"]
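Review bot: The `dnf -y clean all && rm -rf /var/cache /var/log/dnf*` step is a separate RUN from the `dnf -y update` and `dnf -y install` layers above it, so the cache it deletes is already committed in those earlier layers and the image does not get smaller; the three should be one RUN chained with `&&`, and the same applies to the stream9 Containerfile in the next section. The `chmod g=u /etc/subgid /etc/subuid /etc/passwd` line leaves /etc/passwd group-writable with only the buildah issue link as explanation; a one-line comment such as `# group-writable so an OpenShift-assigned arbitrary uid (gid 0) can be added to passwd at start` would tell the next maintainer why, though I am inferring that motive from the linked tutorial, so confirm it. runner.sh also depends on quay.io credentials that nothing in this file mentions; next to `COPY runner.sh /home/build` add `# runner.sh expects USERNAME and PASSWORD (quay.io credentials) to be injected at run time, e.g. from a secret`.
```dockerfile
# Update, install and clean in one layer so the dnf cache is not baked into the image
RUN dnf -y update && \
    dnf -y install vi buildah && \
    dnf -y clean all && \
    rm -rf /var/cache /var/log/dnf*
```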

file added
+62
@@ -0,0 +1,62 @@ 

+ FROM quay.io/centoshyperscale/centos:stream9

+ 

+ # Based on https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-buildah-in-a-container

+ # https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md

+ # https://github.com/containers/buildah/blob/main/contrib/buildahimage/stable/Containerfile

+ 

+ ENV _BUILDAH_STARTED_IN_USERNS=""

+ ENV BUILDAH_ISOLATION=chroot

+ ENV STORAGE_DRIVER=vfs

+ ENV VERSION=9

+ # Date for next build

+ ENV DATE="08:00 next Fri"

+ 

+ # Add user for rootless build

+ RUN adduser build

+ 

+ RUN dnf -y update

+ RUN dnf -y install vi buildah sqlite

+ RUN dnf -y clean all && \

+     rm -rf /var/cache /var/log/dnf*

+ 

+ RUN chmod u-s /usr/bin/newuidmap && \

+     chmod u-s /usr/bin/newgidmap

+ 

+ # Define uid/gid ranges for our user

+ # https://github.com/containers/buildah/issues/3053

+ RUN touch /etc/subgid /etc/subuid && \

+     chmod g=u /etc/subgid /etc/subuid /etc/passwd && \

+     echo build:10000:65536 > /etc/subuid && \

+     echo build:10000:65536 > /etc/subgid

+ 

+ RUN (echo '[engine]';echo 'cgroup_manager = "cgroupfs"') > /etc/containers/containers.conf

+ RUN chmod 644 /etc/containers/containers.conf

+ 

+ RUN echo "export BUILDAH_ISOLATION=chroot" >> /home/build/.bashrc

+ RUN mkdir -p /home/build/.local/share/containers

+ 

+ # Adjust storage.conf to enable VFS since fuse dosen't work on Openshift

+ RUN mkdir -p /home/build/.config/containers && \

+     (echo '[storage]';echo 'driver = "vfs"') > /home/build/.config/containers/storage.conf

+ 

+ RUN mkdir -p /var/lib/shared/vfs-images \

+              /var/lib/shared/vfs-layers && \

+     touch /var/lib/shared/vfs-images/images.lock && \

+     touch /var/lib/shared/vfs-layers/layers.lock

+ 

+ COPY make-hyperscale-container.sh /home/build

+ COPY runner.sh /home/build

+ COPY validate/verify_rpmdb.sh /home/build

+ RUN chmod a+x /home/build/make-hyperscale-container.sh

+ RUN chmod a+x /home/build/runner.sh

+ RUN chmod a+x /home/build/verify_rpmdb.sh

+ 

+ RUN chown build:build -R /home/build

+ 

+ VOLUME /var/lib/containers

+ VOLUME /home/build/.local/share/containers

+ 

+ USER build

+ WORKDIR /home/build

+ 

+ ENTRYPOINT ["./runner.sh"]

file added
+36
@@ -0,0 +1,36 @@ 

+ #!/bin/sh

+ 

+ set -eu

+ 

+ export TZ='America/Los_Angeles'

+ 

+ # Hyperscale Centos Stream version, default 8

+ VERSION="${VERSION:-8}"

+ 

+ # Date for next build

+ DATE="${DATE:-'8:00 next Fri'}"

+ 

+ # Push to quay.io

+ Push () {

+   buildah login -u $USERNAME -p $PASSWORD quay.io

+   buildah tag centos-stream-hyperscale-${VERSION} quay.io/centoshyperscale/centos:stream${VERSION}

+   buildah push quay.io/centoshyperscale/centos:stream${VERSION}

+   buildah logout quay.io

+ }

+ 

+ # Always run once immediately for easy testing.

+ ./make-hyperscale-container.sh $VERSION

+ ./verify_rpmdb.sh

+ Push

+ 

+ while true; do

+   TIME=$(($(date -d "$DATE" +%s) - $(date +%s)))

+   echo "Next build at $(date -d "$DATE")"

+   sleep "$TIME"

+   echo "Starting at $(date)"

+   ./make-hyperscale-container.sh $VERSION

+   ./verify_rpmdb.sh

+   Push

+   echo "Done at $(date)"

+   echo

+ done
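Review bot: In Push, the registry password is passed on the command line (`buildah login -u $USERNAME -p $PASSWORD quay.io`), which exposes it to anything that can read the container's process list; buildah login accepts `--password-stdin`, so feed it from stdin and fail early with `:?` when either variable is empty (`set -u` only catches unset). Two smaller issues in the same file: the default in `DATE="${DATE:-'8:00 next Fri'}"` keeps the single quotes as part of the value, because they are literal inside double quotes, so `date -d` receives a quoted string whenever DATE is not set (the Containerfiles set DATE, which hides this); and `VERSION="${VERSION:-8}"` is not exported, so when VERSION is absent from the environment the default never reaches ./verify_rpmdb.sh, which reads it under `set -eu`. The `$VERSION`, `$USERNAME` and `$PASSWORD` expansions should also be quoted.
```shell
# Hyperscale Centos Stream version, default 8 (exported: verify_rpmdb.sh reads it)
export VERSION="${VERSION:-8}"

# Date for next build (no inner quotes: they would become part of the value)
DATE="${DATE:-8:00 next Fri}"

# Push to quay.io
Push () {
  : "${USERNAME:?quay.io user required}" "${PASSWORD:?quay.io password required}"
  printf '%s' "$PASSWORD" | buildah login -u "$USERNAME" --password-stdin quay.io
  buildah tag "centos-stream-hyperscale-${VERSION}" "quay.io/centoshyperscale/centos:stream${VERSION}"
  buildah push "quay.io/centoshyperscale/centos:stream${VERSION}"
  buildah logout quay.io
}
# … unchanged: initial run and the while loop …
```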

@@ -0,0 +1,36 @@ 

+ #!/bin/sh

+ 

+ set -eux

+ 

+ # start container for testing

+ ctr=$(buildah from "centos-stream-hyperscale-${VERSION}")

+ 

+ RPMDB_PATH=$(buildah run $ctr -- rpm -E "%{_dbpath}")

+ RPMDB_BACKEND=$(buildah run $ctr -- rpm -E "%{_db_backend}")

+ 

+ # Check if the container is using sqlite or bdb backend

+ if [ "${RPMDB_BACKEND}" != "sqlite" ] && [ "${RPMDB_BACKEND}" != "bdb" ]; then

+        echo "script only works with sqlite or bdb rpmdb backend"

+        buildah rm $ctr

+        exit 1

+ fi

+ 

+ # Simple rpmdb verification

+ # for c9s mount container to avoid install sqlite every time

+ if [ "${RPMDB_BACKEND}" == "sqlite" ]; then

+   mnt=$(buildah unshare -- sh -c "buildah mount $ctr")

+   sqlite3 "$mnt${RPMDB_PATH}"/rpmdb.sqlite "pragma integrity_check;"

+   buildah unshare -- sh -c "buildah unmount $ctr"

+ else

+     buildah run $ctr -- /usr/lib/rpm/rpmdb_verify "${RPMDB_PATH}"/Packages

+ fi

+ 

+ buildah run $ctr -- rpmdb -vv --verifydb

+ 

+ # Query all headers in the DB

+ buildah run $ctr -- rpm -qa 1> /dev/null

+ 

+ # Remove container

+ buildah rm $ctr

+ 

+ exit 0
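Review bot: The working container created at `ctr=$(buildah from ...)` is removed only on the success path and in the backend guard; with `set -e`, a failure in sqlite3, rpmdb_verify, `rpmdb -vv --verifydb` or `rpm -qa` exits the script with the container (and, in the sqlite branch, its mount) left behind, so every failing iteration of runner.sh's loop can leak one. A trap right after the `ctr=` line, `trap 'buildah rm "$ctr"' EXIT`, covers every exit path and makes the explicit `buildah rm $ctr` calls and the final `exit 0` redundant (I am assuming buildah rm also tears down a still-mounted container — confirm, otherwise unmount in the trap first). Separately, `[ "${RPMDB_BACKEND}" == "sqlite" ]` is a bash extension that a POSIX `/bin/sh` such as dash rejects; use `=` as the `!=` tests above already do, and quote `$ctr` wherever it is expanded. Note also that sqlite3 runs on the host side of `buildah mount`, and only the stream9 Containerfile installs the sqlite package, so a sqlite-backend rpmdb inside the stream8 image would fail at that step.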

Added buildah base vfs containerfiles for rootless builds on Openshift (fuse doesn't work, https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md).

Added a runner.sh for periodic builds and pushing (took it from systemd-releng :)), by default it is configured to run a weekly build (configurable).

Also added test_rpmdb.sh to verify the rpmdb and verify that the correct files are available for each backend (ndb, bdb, sqlite).

I created test_rpmdb.sh because with the current centos 8 stream hyperscale image when update rpm (dnf update -y or dnf update -y rpm) the rpmdb backend is changed to ndb but then this warning appears when using dnf or rpm:

warning: Found BDB Packages database while attempting ndb backend: using bdb backend.

It doesn't find the Packages.db and the bdb files still available

I tried to rebuild the rpmdb but it fails:

error: failed to replace old database with new database!
error: replace files in /var/lib/rpm with files from /var/lib/rpmrebuilddb.8 to recover

I replaced the files manually and the warning goes away (also if I rebuild the image inside the containers the warning goes away).

The test_rpmdb.sh basically replace the rpmdb files if needed and verify the rpmdb.

I didn’t add this test file to the periodic builds yet because when I fix the rpmdb ndb warning and run `rpmdb -vv --verifydb` it returns a 2 status code and this output:

ufdio:       1 reads,    17154 total bytes in 0.000007 secs
D: opening  db index       /var/lib/rpm/Packages.db mode=0x0
D: opening  db index       /var/lib/rpm/Index.db mode=0x0
D: opening  db index       Name tag=1000
D: opening  db index       Basenames tag=1117
D: opening  db index       Group tag=1016
D: opening  db index       Requirename tag=1049
D: opening  db index       Providename tag=1047
D: opening  db index       Conflictname tag=1054
D: opening  db index       Obsoletename tag=1090
D: opening  db index       Triggername tag=1066
D: opening  db index       Dirnames tag=1118
D: opening  db index       Installtid tag=1128
D: opening  db index       Sigmd5 tag=261
D: opening  db index       Sha1header tag=269
D: opening  db index       Filetriggername tag=5069
D: opening  db index       Transfiletriggername tag=5079
D: opening  db index       Recommendname tag=5046
D: opening  db index       Suggestname tag=5049
D: opening  db index       Supplementname tag=5052
D: opening  db index       Enhancename tag=5055
D: closed   db index       Enhancename
D: closed   db index       Supplementname
D: closed   db index       Suggestname
D: closed   db index       Recommendname
D: closed   db index       Transfiletriggername
D: closed   db index       Filetriggername
D: closed   db index       Sha1header
D: closed   db index       Sigmd5
D: closed   db index       Installtid
D: closed   db index       Dirnames
D: closed   db index       Triggername
D: closed   db index       Obsoletename
D: closed   db index       Conflictname
D: closed   db index       Providename
D: closed   db index       Requirename
D: closed   db index       Group
D: closed   db index       Basenames
D: closed   db index       Name

Apparently, it doesn’t close the /var/lib/rpm/Packages.db and /var/lib/rpm/Index.db files but everting seems to work correctly (when installing packages, rpm queries, etc.), so I don’t know what’s going on here.

warning: Found BDB Packages database while attempting ndb backend: using bdb backend.

You can ignore the warning. This is because of https://git.centos.org/rpms/rpm/c/e62c0500274012ca77817a24814de38944c8abd4?branch=c8s-sig-hyperscale-experimental which makes ndb default, but I am reverting it in https://git.centos.org/rpms/rpm/c/b6080710d76af755c4f05ffe26f22b28520790da?branch=c8s-sig-hyperscale-experimental

I think if you want to test individual DBs, you may need to use --root with RPM, --installroot with dnf.

1 new commit added

  • Change rpmdb verify
2 years ago

Modified the test/verify rpmdb script and added it to the containers.

Btw, running rootless buildah builds requires the anyuid OpenShift SCC to avoid uid issues (as mentioned here), but I don’t have the permissions to grant that SCC to a service account,
@dcavalca do you have permission? you can try by running this command, it will add the anyuid scc to the buildah-sa service account (I created this account for testing):

oc adm policy add-scc-to-user anyuid -z buildah-sa 

Another option is to use custom build strategy to run a build in a privileged container but also requires special permissions.

That fails for me as well so I've filed https://pagure.io/centos-infra/issue/840 for Infra to take a look.

@oidoming can you retry now? Infra has run that command on our behalf so we should be good to go here.

I tried again but it still fails; I left a comment in the infra issue with more info, thanks

@oidoming can you try again? It looks like we should have the right permissions now.

1 new commit added

  • change quay.io login
2 years ago

1 new commit added

  • fix buildah login
2 years ago

2 new commits added

  • Change rpmdb verify
  • Add Containerfiles & script for periodc builds & rpmdb test
2 years ago

Problem solved, it is now running in OpenShift and working; I made new image builds https://quay.io/repository/centoshyperscale/centos?tab=tags

Pull-Request has been merged by dcavalca

2 years ago