WIP: workflows: podvm_mkosi: multistage

Simplify the podvm_mkosi binaries building process by combining the builder and binaries into a single multistage dockerfile Signed-off-by: stevenhorsman <[email protected]>
stevenhorsman · Dec 10, 2024 · fcf0e5b · fcf0e5b
1 parent e181107
commit fcf0e5b
Show file tree

Hide file tree

Showing 3 changed files with 138 additions and 7 deletions.
diff --git a/.github/workflows/podvm_mkosi.yaml b/.github/workflows/podvm_mkosi.yaml
@@ -120,17 +120,17 @@ jobs:
         with:
           version: ${{ env.ORAS_VERSION }}
 
-      - name: Build builder
-        id: build_builder
-        working-directory: src/cloud-api-adaptor/podvm-mkosi
-        run: make fedora-binaries-builder
-        env:
-          ARCH: ${{ inputs.arch }}
+      # - name: Build builder
+      #   id: build_builder
+      #   working-directory: src/cloud-api-adaptor/podvm-mkosi
+      #   run: make fedora-binaries-builder
+      #   env:
+      #     ARCH: ${{ inputs.arch }}
 
       - name: Build binaries
         id: build_binaries
         working-directory: src/cloud-api-adaptor/podvm-mkosi
-        run: make binaries
+        run: make multi-stage-binaries
         env:
           ARCH: ${{ inputs.arch }}
 

diff --git a/src/cloud-api-adaptor/podvm-mkosi/Makefile b/src/cloud-api-adaptor/podvm-mkosi/Makefile
@@ -67,6 +67,35 @@ endif
 		-o type=local,dest="./resources/binaries-tree" \
 		-f ../podvm/Dockerfile.podvm_binaries.fedora ../../
 
+multi-stage-binaries:
+	@echo "Building binaries..."
+	rm -rf ./resources/binaries-tree
+ifeq ($(IS_DEBIAN),true)
+	docker buildx use default
+endif
+	docker buildx build \
+		-t $(PODVM_BINARIES_IMAGE) \
+		--progress=plain \
+		--build-arg GO_VERSION=$(GO_VERSION) \
+		--build-arg ARCH=$(ARCH) \
+		--build-arg PROTOC_VERSION=$(PROTOC_VERSION) \
+		--build-arg YQ_VERSION=$(YQ_VERSION) \
+		--build-arg YQ_CHECKSUM=$(YQ_CHECKSUM) \
+		--build-arg YQ_ARCH=$(ARCH) \
+		--build-arg PROTOC_ARCH=$(if $(filter amd64,$(ARCH)),x86_64,s390x) \
+		--build-arg ORAS_VERSION=$(ORAS_VERSION) \
+		--build-arg TEE_PLATFORM=$(TEE_PLATFORM) \
+		--build-arg PAUSE_REPO=$(PAUSE_REPO) \
+		--build-arg PAUSE_VERSION=$(PAUSE_VERSION) \
+		--build-arg PAUSE_BIN=$(PAUSE_BIN) \
+		--build-arg IMAGE_NAME=mkosi-podvm-binaries \
+		--build-arg VERIFY_PROVENANCE=$(VERIFY_PROVENANCE) \
+		$(if $(AUTHFILE),--build-arg AUTHFILE=$(AUTHFILE),) \
+		$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
+		$(if $(filter $(PUSH),true),,-o type=local,dest="./resources/binaries-tree") \
+		$(DOCKER_OPTS) \
+		-f ../podvm/Dockerfile.podvm.fedora ../../
+
 PHONY: image
 image:
 	@echo "Enabling production preset..."

diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm.fedora
@@ -0,0 +1,102 @@
+# syntax=docker/dockerfile:1.5-labs
+# Copyright Confidential Containers Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Build binaries for mkosi podvm image
+#
+FROM registry.fedoraproject.org/fedora:40 AS builder
+
+ARG ARCH="amd64"
+ARG YQ_ARCH="amd64"
+# PROTOC_ARCH="x86_64" | "s390_64"
+ARG PROTOC_ARCH="x86_64"
+ARG GO_VERSION
+ARG PROTOC_VERSION
+ARG YQ_VERSION
+ARG YQ_CHECKSUM
+ARG ORAS_VERSION
+
+RUN dnf groupinstall -y 'Development Tools' && \
+    dnf install -y yum-utils gnupg git perl-core pkg-config libseccomp-devel gpgme-devel \
+    device-mapper-devel unzip libassuan-devel \
+    perl-FindBin openssl-devel tpm2-tss-devel \
+    clang which xz jq && \
+    dnf clean all
+
+ADD https://dl.google.com/go/go${GO_VERSION}.linux-${ARCH}.tar.gz go${GO_VERSION}.linux-${ARCH}.tar.gz
+RUN rm -rf /usr/local/go && tar -C /usr/local -xzf go${GO_VERSION}.linux-${ARCH}.tar.gz && rm -f go${GO_VERSION}.linux-${ARCH}.tar.gz
+
+ENV PATH="/usr/local/go/bin:$PATH"
+
+RUN if [ "$(uname -m)" != "s390x" ]; then dnf install 'dnf-command(config-manager)' && \
+    dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo && \
+    dnf install -y gh --repo gh-cli; else git clone https://github.com/cli/cli.git gh-cli && \
+    cd gh-cli && mkdir -p /usr/local/gh && make install prefix=/usr/local/gh && cd .. && \
+    rm -rf gh-cli; fi
+
+ENV PATH="/usr/local/gh/bin:$PATH"
+
+ADD https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${YQ_ARCH} /usr/local/bin/yq
+RUN echo "${YQ_CHECKSUM#sha256:} /usr/local/bin/yq" | sha256sum -c
+RUN chmod a+x /usr/local/bin/yq
+
+ADD https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip
+RUN unzip protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip -d /usr/local && rm -f protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip
+
+ADD https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz
+RUN rm -rf /usr/local/bin/oras && tar -C /usr/local/bin -xzf oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz && rm -f oras_${ORAS_VERSION}_linux_${ARCH}.tar.gz
+
+WORKDIR /src
+
+ENV GOPATH=/src
+
+FROM builder AS podvm_binaries_builder
+
+ARG CLOUD_PROVIDER
+ARG PODVM_DISTRO=rhel
+ARG GUEST_COMPONENTS_VERSION
+ARG GUEST_COMPONENTS_REPO
+# By default AA will be built with the `all-attesters` feature,
+# which doesn't compile on fedora.
+ARG TEE_PLATFORM=none
+# If not provided, uses system architecture
+ARG ARCH
+#This is the name of the policy file under
+#files/etc/kata-opa
+ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego
+ARG AUTHFILE
+ARG PAUSE_REPO
+ARG PAUSE_VERSION
+ARG PAUSE_BIN
+ARG IMAGE_NAME
+ARG VERIFY_PROVENANCE
+
+ENV AUTHFILE=${AUTHFILE}
+ENV PAUSE_REPO=${PAUSE_REPO}
+ENV PAUSE_VERSION=${PAUSE_VERSION}
+ENV PAUSE_BIN=${PAUSE_BIN}
+ENV CLOUD_PROVIDER=${CLOUD_PROVIDER}
+ENV PODVM_DISTRO=${PODVM_DISTRO}
+ENV GUEST_COMPONENTS_VERSION=${GUEST_COMPONENTS_VERSION}
+ENV GUEST_COMPONENTS_REPO=${GUEST_COMPONENTS_REPO}
+ENV TEE_PLATFORM=${TEE_PLATFORM}
+ENV ARCH=${ARCH}
+ENV DEFAULT_AGENT_POLICY_FILE=${DEFAULT_AGENT_POLICY_FILE}
+ENV IMAGE_NAME=${IMAGE_NAME}
+ENV VERIFY_PROVENANCE=${VERIFY_PROVENANCE}
+
+# Set these as they are required in the Makefile
+ENV IMAGE_URL="none"
+ENV IMAGE_CHECKSUM="none"
+
+COPY . /src
+
+WORKDIR /src/cloud-api-adaptor/podvm
+# Installs add-ons for foreign target, if required
+RUN ./hack/cross-build-extras.sh
+
+RUN LIBC=gnu make binaries
+
+FROM scratch
+COPY --from=podvm_binaries_builder /src/cloud-api-adaptor/podvm/files /