create an osc container for package maintenance

Co-authored-by: Dmitri Popov <[email protected]> Co-authored-by: Daniel Mach <[email protected]>
SUSE · Sep 11, 2024 · d4af88b · d4af88b
1 parent 574f40c
commit d4af88b
Show file tree

Hide file tree

Showing 4 changed files with 213 additions and 0 deletions.
diff --git a/src/bci_build/package/__init__.py b/src/bci_build/package/__init__.py
@@ -1563,6 +1563,7 @@ def generate_disk_size_constraints(size_gb: int) -> str:
 from .appcontainers import GRAFANA_CONTAINERS  # noqa: E402
 from .appcontainers import HELM_CONTAINERS  # noqa: E402
 from .appcontainers import NGINX_CONTAINERS  # noqa: E402
+from .appcontainers import OSC_CONTAINER  # noqa: E402
 from .appcontainers import PCP_CONTAINERS  # noqa: E402
 from .appcontainers import PROMETHEUS_CONTAINERS  # noqa: E402
 from .appcontainers import REGISTRY_CONTAINERS  # noqa: E402
@@ -1636,6 +1637,7 @@ def generate_disk_size_constraints(size_gb: int) -> str:
         *TOMCAT_CONTAINERS,
         *GCC_CONTAINERS,
         *SPACK_CONTAINERS,
+        OSC_CONTAINER,
     )
 }
 

diff --git a/src/bci_build/package/appcontainers.py b/src/bci_build/package/appcontainers.py
@@ -486,3 +486,89 @@ def _get_nginx_kwargs(os_version: OsVersion):
     )
     for os_version in (OsVersion.TUMBLEWEED,)
 ]
+
+
+_BASE_PODMAN_OSC_CMD = (
+    "podman run --rm -it --privileged "
+    + r"-v \$HOME/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z "
+    + r"-v \$HOME/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z"
+)
+
+OSC_CONTAINER = ApplicationStackContainer(
+    name="osc",
+    pretty_name="Packaging",
+    package_name="packaging-image",
+    os_version=OsVersion.TUMBLEWEED,
+    is_latest=True,
+    # we want all the recommends from osc & build
+    no_recommends=False,
+    version_in_uid=False,
+    version="%%osc_version%%",
+    replacements_via_service=[
+        Replacement(regex_in_build_description="%%osc_version%%", package_name="osc")
+    ],
+    extra_files={
+        "entrypoint.sh": (Path(__file__).parent / "osc" / "entrypoint.sh").read_bytes()
+    },
+    extra_labels={
+        "run": f"{_BASE_PODMAN_OSC_CMD} IMAGE",
+        "runcwd": f"{_BASE_PODMAN_OSC_CMD} -v .:/root/osc-workdir:z IMAGE",
+    },
+    package_list=[
+        # osc + osc build
+        "osc",
+        "build",
+        "cpio",
+        # all the services
+        "obs-service-appimage",
+        "obs-service-cargo",
+        "obs-service-cdi_containers_meta",
+        "obs-service-compose_kiwi_description",
+        "obs-service-docker_label_helper",
+        "obs-service-download_assets",
+        "obs-service-download_files",
+        "obs-service-download_url",
+        "obs-service-extract_file",
+        "obs-service-format_spec_file",
+        "obs-service-go_modules",
+        "obs-service-kiwi_label_helper",
+        "obs-service-kiwi_metainfo_helper",
+        "obs-service-kubevirt_containers_meta",
+        "obs-service-node_modules",
+        "obs-service-obs_scm",
+        "obs-service-product_converter",
+        "obs-service-recompress",
+        "obs-service-refresh_patches",
+        "obs-service-replace_using_env",
+        "obs-service-replace_using_package_version",
+        "obs-service-set_version",
+        "obs-service-snapcraft",
+        "obs-service-source_validator",
+        "obs-service-tar",
+        "obs-service-tar_scm",
+        "obs-service-verify_file",
+        *OsVersion.TUMBLEWEED.release_package_names,
+        # for convenience
+        "bash-completion",
+        # for scmsync packages
+        "git",
+        "obs-scm-bridge",
+        # IBS access
+        "openssh-common",
+        "openssh-clients",
+        # for building
+        "podman",
+        "runc",
+    ],
+    cmd=["/bin/bash"],
+    custom_end="""WORKDIR /root/osc-workdir
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENV OSC_VM_TYPE=podman
+""",
+    entrypoint=["/usr/local/bin/entrypoint.sh"],
+    volumes=[
+        # default location of the build root & package cache
+        "/var/tmp"
+    ],
+)
diff --git a/src/bci_build/package/osc/README.md.j2 b/src/bci_build/package/osc/README.md.j2
@@ -0,0 +1,108 @@
+# OSC Packaging Container
+
+{% include 'badges.j2' %}
+
+This is the openSUSE packaging container image that includes all the required
+tools for creating and modifying packages in the [Open Build
+Service](https://build.opensuse.org/) using
+[osc](https://github.com/openSUSE/osc/).
+
+
+## How to use this container image
+
+The container image is intended for interactive usage with a `.oscrc` configuration file and
+the osc cookiejar mounted into the container:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:rw,z \
+      {{ image.pretty_reference }}
+```
+
+The command launches an interactive shell environment that uses the local osc
+configuration. You can then check out packages, perform modifications, and send
+submissions to OBS.
+
+To work on an already checked out package, mount the current working directory:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z \
+      -v .:/root/osc-workdir:z \
+      {{ image.pretty_reference }}
+```
+
+The container entrypoint recognizes whether you are launching it for interactive
+usage or invoking `osc` directly. You can omit the command `osc` in the second
+case. For example:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z \
+      {{ image.pretty_reference }} \
+          ls openSUSE:Factory
+```
+
+The command automatically forwards the arguments to `osc` and calls
+`osc ls openSUSE:Factory`.
+
+
+### Building packages
+
+The container image can be used to build packages using the podman build
+backend. You **must** launch the container in privileged mode for building.
+
+
+### Using the image labels
+
+The image provides two labels: `run` and `runcwd`. The first includes the full
+command, to run the `osc` container, while the second to run the container with
+the local working directory mounted.
+
+To view the labels, use the following command:
+
+```ShellSession
+# podman container runlabel run --display {{ image.pretty_reference }}
+# podman container runlabel runcwd --display {{ image.pretty_reference }}
+```
+
+The labels can be used to run the container with Podman version 5.1.0 or later:
+```ShellSession
+# podman container runlabel run \
+      {{ image.pretty_reference }} \
+          ls openSUSE:Factory
+```
+
+
+### Connecting to build.suse.de
+
+build.suse.de uses an SSH-based authentication, which requires additional
+resources to be available in the container. You also must provide the internal certificate to the container:
+
+```ShellSession
+# podman run --rm -it \
+      -v ~/.config/osc/oscrc:/root/.config/osc/oscrc:ro,z \
+      -v ~/.local/state/osc/cookiejar:/root/.local/state/osc/cookiejar:z \
+      -v /etc/ssl/ca-bundle.pem:/etc/ssl/ca-bundle.pem:ro,z \
+      -v $SSH_AUTH_SOCK:/run/user/0/ssh-agent.socket:z \
+      -e SSH_AUTH_SOCK=/var/run/user/0/ssh-agent.socket:z \
+      -v "$PWD":/root/osc-workdir:z \
+      {{ image.pretty_reference }}
+```
+
+
+## Limitations
+
+- Currently, it is not possible to build packages in a container.
+- The `runlabel run` command only works with Podman 5.1.0 and newer.
+
+
+## Volumes
+
+The container image is preconfigured to put `/var/tmp` into a volume. This
+directory is used by `osc` to store the buildroot and the package cache.
+
+{% include 'licensing_and_eula.j2' %}
diff --git a/src/bci_build/package/osc/entrypoint.sh b/src/bci_build/package/osc/entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [[ ! -e /root/.config/osc/oscrc ]]; then
+    cat << EOF
+This container is expected to be launched with your oscrc mounted to
+/root/.config/osc/oscrc
+
+Please consult the README or the label 'run' for the full invocation.
+EOF
+fi
+
+if [[ "-h --help -v --verbose -q --quiet --debug --debugger --post-mortem --traceback -H --http-debug --http-full-debug -A --apiurl --config --setopt --no-keyring add addchannels addcontainers addremove ar aggregatepac api branch getpac bco branchco browse build wipe shell chroot buildconfig buildhistory buildhist buildinfo buildlog buildlogtail blt bl cat less blame changedevelrequest changedevelreq cr checkconstraints checkout co clean cleanassets ca clone comment commit checkin ci config copypac create-pbuild-config cpc createincident createrequest creq delete remove del rm deleterequest deletereq droprequest dropreq dr dependson detachbranch develproject dp bsdevelproject diff di ldiff linkdiff distributions dists downloadassets da enablechannels enablechannel fork getbinaries help importsrcpkg info init jobhistory jobhist linkpac linktobranch list LL lL ll ls localbuildlog lbl lock log maintainer bugowner maintenancerequest mr mbranch maintained sm meta mkpac mv my patchinfo pdiff prdiff projdiff projectdiff prjresults pr pull pull_request rdelete rdiff rebuild rebuildpac release releaserequest remotebuildlog remotebuildlogtail rbuildlogtail rblt rbuildlog rbl repairlink repairwc repo repositories platforms repos repourls request review rq requestmaintainership reqbs reqms reqmaintainership requestbugownership reqbugownership resolved restartbuild abortbuild results r revert rpmlintlog lint rpmlint rremove search bse se sendsysrq service setdevelproject sdp setlinkrev showlinked signkey staging status st submitrequest submitpac submitreq sr token triggerreason tr undelete unlock update up updatepacmetafromspec updatepkgmetafromspec metafromspec vc version whatdependson whois user who wipebinaries unpublish workerinfo" =~ (^|[[:space:]])$1($|[[:space:]]) ]]; then
+    # looks like the user is executing the container as the osc command
+    osc "$@"
+else
+    exec "$@"
+fi