bib/composer integration: add manifest job for osbuild processing (HMS-4843) #4452
Conversation
| func buildManifestCommand(args *worker.BootcManifestJob) *exec.Cmd { | ||
| baseArgs := []string{ | ||
| "sudo", "podman", "run", | ||
| "--privileged", |
There was a problem hiding this comment.
Using --privileged mode with Podman is a security concern.
Currently, rootless Podman fails to run bib in unprivileged mode for manifest creation due to limitations with nested containers.
Two potential approaches on my mind to address this:
- Investigate fixes for the nested container environment to support rootless, non-privileged execution.
- Embed the manifest creation process directly within the worker during its build, reducing the need for privileged Podman in the runtime environment.
With this change: - Bib is used to generate a manifest without initiating a full build. - Composer’s osbuild job can now process the manifest independently. This setup improves modularity and prepares for future enhancements in the osbuild processing pipeline.
amirfefer
force-pushed
the
bootc-manifest
branch
from
877debe to
248c1ba
Compare
ezr-ondrej
changed the title
|
|
||
| func buildManifestCommand(args *worker.BootcManifestJob) *exec.Cmd { | ||
| baseArgs := []string{ | ||
| "sudo", "podman", "run", |
There was a problem hiding this comment.
Note that the worker runs as a root, so sudo is not needed for rootful. If we want to run podman rootless, we need to find a way to do it.
There was a problem hiding this comment.
I've been trying to enable bib for manifest generation in a rootless unprivileged podman with no success so far, I asked @mvo5 for an advice here. A different solution would be to able to embed bib into the worker (just for the manifest part), or using a secure instance to run this in a rootful and privileged env.
| "--privileged", | ||
| "--rm", | ||
| "--pull=missing", | ||
| "--storage-driver=vfs", |
There was a problem hiding this comment.
It's a leftover, I needed it for my local env when I used bib as whole to generate the image's artifact. vfs worked well for mapping the output folder across nested containers.
| "--rm", | ||
| "--pull=missing", | ||
| "--storage-driver=vfs", | ||
| "--cgroup-manager=cgroupfs", |
There was a problem hiding this comment.
Is this really needed? If it is, a comment would be nice explaining it.
| "--pull=missing", | ||
| "--storage-driver=vfs", | ||
| "--cgroup-manager=cgroupfs", | ||
| "--runtime=runc", |
There was a problem hiding this comment.
Is this really needed? If it is, a comment would be nice explaining it.
There was a problem hiding this comment.
I use docker for loca devl setup, so the worker runs on a docker instance. using crun ended with bunch of errors, so I switched it to runc with cgroupfs v2. In our production's k8s environment we probably can use crun, but this needs a verification.
| "--runtime=runc", | ||
| "--security-opt=label=type:unconfined_t", | ||
| "quay.io/centos-bootc/bootc-image-builder:latest", | ||
| "manifest", |
There was a problem hiding this comment.
Adding --local, and running podman pull REF before bib is the preferred way, see osbuild/bootc-image-builder#423
| "sudo", "podman", "run", | ||
| "--privileged", | ||
| "--rm", | ||
| "--pull=missing", |
There was a problem hiding this comment.
missing is the default, I suggest dropping it.
|
This PR is stale because it has been open 30 days with no activity. Remove "Stale" label or comment or this will be closed in 7 days. |
|
This PR was closed because it has been stalled for 30+7 days with no activity. |
With this change:
This setup improves modularity and prepares for future enhancements in the osbuild processing pipeline.
This pull request includes: