Need an official Fedora container image with a sudo-enabled user inside for testing user-related workflows in CI (for example https://gitlab.com/gitlab-org/gitlab-development-kit/-/merge_requests/4362).
Basically this:
```dockerfile
FROM fedora:latest

# add `fedora` user to admin group and disable `sudo` password for it
RUN adduser fedora -G wheel \
 && echo "fedora ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/fedora

USER fedora
```
I asked here https://github.com/fedora-cloud/docker-brew-fedora/issues/118 but two weeks no decision.
Then here https://gitlab.com/fedora/infrastructure/konflux/infra-deployments/-/issues/8 no answers.
Then @kevin here https://discussion.fedoraproject.org/t/enable-image-repository-on-gitlab/142905 gave me the pointer to Pagure https://pagure.io/fedora-infrastructure/
Then I opened https://pagure.io/fedora-infrastructure/issue/12369 and after a month @kevin said I should ask you guys.
Can you help me understand why it needs to be an official image?
If the CI in question needs a particular package installed, or a non-root user, it's normal to build an image to use in CI and have it pull from there. If you want to keep it up-to-date, add a job that runs once a week (for example) and pushes a new image to the registry.
That seems to be what you're doing in that PR you linked, so it's not clear to me why Fedora shipping an image with a user and sudo installed is generally useful.
To be constantly updated and save trees.
> If the CI in question needs a particular package installed, or a non-root user, it's normal to build an image to use in CI and have it pull from there.
Installation scripts run from userspace, so the CI in question needs three images. One just to have a user inside. Another to install and build stuff, and a third one to test. And when people fork the repo, it breaks, because they don't have the same access to the registry. With an official image they could at least run the build locally.
Could you not separate the "build the container for the CI job" from the CI job itself so users don't see the job breakage?
What do you mean?
As in, if part of your CI job is trying to push a base image to a registry, do that elsewhere. For example, I've got a CI image with a containerfile in the repository. I build and push it to quay.io. If I wanted it updated on a regular basis I'd make a separate job to build and push it, but it wouldn't be part of the normal CI run so users don't need credentials to run CI.
Obviously this container is more complicated than creating a user and installing an additional package, but the idea is the same. I don't think we want to be building lots of tweaked images for people to use in CI since they need documenting, make it more confusing to find the "right" image, and so on.
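The split described in the comment above, sketched as a `.gitlab-ci.yml` (an added example, not part of the original thread and not the GDK project's configuration). The image name `quay.io/example/fedora-ci`, the path `ci/Containerfile`, the variables `QUAY_USER` / `QUAY_TOKEN` and the `make test` target are assumptions.

```yaml
# Added example. Assumed names: quay.io/example/fedora-ci, ci/Containerfile,
# QUAY_USER / QUAY_TOKEN (protected CI/CD variables), make test.
stages: [image, test]

# Runs only from a pipeline schedule (for example weekly) on the upstream
# project. Registry credentials are used here and nowhere else.
build-ci-image:
  stage: image
  image: quay.io/buildah/stable
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
  script:
    # Read the token from stdin so it does not appear in the process list.
    - echo "$QUAY_TOKEN" | buildah login -u "$QUAY_USER" --password-stdin quay.io
    # --pull refreshes the fedora base so the weekly image picks up updates.
    - buildah build --pull -f ci/Containerfile -t quay.io/example/fedora-ci:latest .
    - buildah push quay.io/example/fedora-ci:latest

# Normal CI run: pulls the published public image and needs no credentials,
# so fork pipelines and local runs do not depend on registry access.
test:
  stage: test
  image: quay.io/example/fedora-ci:latest
  rules:
    - if: '$CI_PIPELINE_SOURCE != "schedule"'
  script:
    # Fails fast if the non-root user lacks passwordless sudo.
    - sudo -n true
    - make test
```

Marking the registry variables as protected keeps them out of pipelines for unprotected branches, so only the scheduled job on the upstream default branch can push.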
I feel stuck in https://en.wikipedia.org/wiki/XY_problem loop and the growing hate towards my choice to get native support for developing GitLab in Fedora.
The root of the problem with all the bloody developer experience I am passing through is simply because Ubuntu container ships with a user in and Fedora doesn't.
```
➜ gdk git:(makefile-convention) ✗ podman run -it --rm ubuntu bash
root@903307f4deb7:/# ls -la /hom
ls: cannot access '/hom': No such file or directory
root@903307f4deb7:/# ls -la /home
total 16
drwxr-xr-x. 3 root root 4096 Oct 11 02:09 .
dr-xr-xr-x. 1 root root 4096 Feb 21 05:00 ..
drwxr-x---. 2 ubuntu ubuntu 4096 Oct 11 02:09 ubuntu
root@903307f4deb7:/# exit
➜ gdk git:(makefile-convention) ✗ podman run -it --rm fedora bash
[root@324b7c9154c5 /]# ls -la /home
total 12
drwxr-xr-x. 2 root root 4096 Jul 17 2024 .
dr-xr-xr-x. 1 root root 4096 Feb 21 05:01 ..
```
I understand the frustration of being bounced around from group to group, but I still genuinely do not understand why Fedora needs to make the image. The whole point of a base image is to be the base for customization.
If the goal is to have a base image with a user mimicking what we have in cloud images, we can make one. It's not that big of a deal to produce it.
We can talk about it in the next cloud-sig meeting and see if we want to make it.
Metadata Update from @ngompa: - Issue tagged with: Container, meeting
@ngompa yep. It would also be nice to get all containers listed on https://fedoraproject.org/ and measure their popularity over time.
Discussed in meeting. Need a specific bootc container base. Need to add the user and sudo config to container image. Need to publish to multiple container registries.
@davdunc did discussion touch this? Need to make different Fedora container images more discoverable by users.