chore(imagebuilder): use podman replace docker

Author: duanhongyi

.woodpecker/build-linux.yml

@@ -13,8 +13,8 @@ pipeline:
   image: bash
   commands:
   - export VERSION=$([ -z $CI_COMMIT_TAG ] && echo latest || echo $CI_COMMIT_TAG)-$(sed 's#/#-#g' <<< $CI_SYSTEM_ARCH)
-  - echo $CONTAINER_PASSWORD | docker login $DRYCC_REGISTRY --username $CONTAINER_USERNAME --password-stdin > /dev/null 2>&1
-  - make docker-build docker-immutable-push
+  - echo $CONTAINER_PASSWORD | podman login $DRYCC_REGISTRY --username $CONTAINER_USERNAME --password-stdin > /dev/null 2>&1
+  - make podman-build podman-immutable-push
   secrets:
   - codename
   - dev_registry

.woodpecker/manifest.yml

@@ -19,14 +19,14 @@ pipeline:
 - name: publish-manifest
   image: bash
   commands:
-  - docker run --rm
+  - podman run --rm
     -e PLUGIN_SPEC=.woodpecker/manifest.tmpl
     -e PLUGIN_USERNAME=$CONTAINER_USERNAME
     -e PLUGIN_PASSWORD=$CONTAINER_PASSWORD
     -e DRONE_TAG=$CI_COMMIT_TAG
     -v $(pwd):$(pwd)
     -w $(pwd)
-    plugins/manifest
+    docker.io/plugins/manifest
   secrets:
   - container_username
   - container_password

Makefile

@@ -16,25 +16,22 @@ SHELL_SCRIPTS = $(wildcard _scripts/*.sh) \
 # and other build options
 DEV_ENV_IMAGE := ${DEV_REGISTRY}/drycc/go-dev
 DEV_ENV_WORK_DIR := /opt/drycc/go/src/${REPO_PATH}
-DEV_ENV_CMD := docker run --rm -v ${CURDIR}:${DEV_ENV_WORK_DIR} -w ${DEV_ENV_WORK_DIR} ${DEV_ENV_IMAGE}
-DEV_ENV_CMD_INT := docker run -it --rm -v ${CURDIR}:${DEV_ENV_WORK_DIR} -w ${DEV_ENV_WORK_DIR} ${DEV_ENV_IMAGE}
+DEV_ENV_CMD := podman run --rm -v ${CURDIR}:${DEV_ENV_WORK_DIR} -w ${DEV_ENV_WORK_DIR} ${DEV_ENV_IMAGE}
+DEV_ENV_CMD_INT := podman run -it --rm -v ${CURDIR}:${DEV_ENV_WORK_DIR} -w ${DEV_ENV_WORK_DIR} ${DEV_ENV_IMAGE}
 
-all: build docker-build docker-push
+all: build podman-build podman-push
 
 bootstrap:
 	@echo Nothing to do.
 
 build:
 	@echo Nothing to do.
 
-docker-build:
-	docker build ${DOCKER_BUILD_FLAGS} --build-arg CODENAME=${CODENAME} -t ${IMAGE} -f rootfs/Dockerfile rootfs
-	docker tag ${IMAGE} ${MUTABLE_IMAGE}
+podman-build:
+	podman build ${CONTAINER_BUILD_FLAGS} --build-arg CODENAME=${CODENAME} -t ${IMAGE} -f rootfs/Dockerfile rootfs
+	podman tag ${IMAGE} ${MUTABLE_IMAGE}
 
-docker-buildx:
-	docker buildx build --build-arg CODENAME=${CODENAME} --platform ${PLATFORM} ${DOCKER_BUILD_FLAGS} -t ${IMAGE} -f rootfs/Dockerfile rootfs --push
-
-deploy: docker-build docker-push
+deploy: podman-build podman-push
 
 kube-pod: kube-service
 	kubectl create -f ${POD}
@@ -61,5 +58,5 @@ test-style:
 test-functional:
 	@echo "Implement functional tests in _tests directory"
 
-.PHONY: all bootstrap build docker-build docker-push deploy kube-pod kube-secrets \
+.PHONY: all bootstrap build podman-build podman-push deploy kube-pod kube-secrets \
 	secrets kube-service kube-clean test

charts/imagebuilder/templates/imagebuilder-networkpolicy.yaml

@@ -0,0 +1,53 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: imagebuilder-networkpolicy
+spec:
+  podSelector:
+    matchLabels:
+      app: drycc-imagebuilder
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    - podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - protocol: UDP
+      port: 53
+  - to:
+    - ipBlock:
+        cidr: ::/0
+        except:
+        - fc00::/7
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - 192.168.0.0/16
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ .Release.Name }}
+    - podSelector:
+        matchLabels:
+          app: drycc-registry
+    ports:
+    - protocol: TCP
+      port: 5000
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ .Release.Name }}
+    - podSelector:
+        matchLabels:
+          app: drycc-storage-metanode-weed
+    ports:
+    - protocol: TCP
+      port: 8333

charts/imagebuilder/values.yaml

@@ -5,4 +5,4 @@ imageRegistry: "registry.drycc.cc"
 codename: bookworm
 containerRegistries: |
   unqualified-search-registries = ["registry.drycc.cc"]
-  short-name-mode="permissive"
+  short-name-mode="permissive"

rootfs/Dockerfile

@@ -4,10 +4,10 @@ FROM registry.drycc.cc/drycc/base:${CODENAME}
 ENV DRYCC_UID=1001 \
   DRYCC_GID=1001 \
   DRYCC_HOME_DIR=/home/drycc \
-  PODMAN_VERSION="4.6.0" \
-  MC_VERSION="2023.07.21.20.44.27" \
+  PODMAN_VERSION="4.7.1" \
+  MC_VERSION="2023.09.20.15.22.31" \
   CADDY_VERSION="2.7.1" \
-  PACK_VERSION="0.29.0" \
+  PACK_VERSION="0.31.0" \
   GOSU_VERSION="1.16"
 
 RUN groupadd drycc --gid ${DRYCC_GID} \
@@ -41,4 +41,3 @@ RUN install-packages procps psmisc \
 WORKDIR /workspace
 
 ENTRYPOINT ["init-stack", "/imagebuilder/prebuild", "/imagebuilder/build"]
-

rootfs/imagebuilder/build

@@ -1,7 +1,14 @@
 #!/usr/bin/env bash
 set -eo pipefail
 shopt -s expand_aliases
-alias podman="podman --cgroup-manager=cgroupfs --events-backend=file"
+
+log_level="error"
+if [[ "${DRYCC_DEBUG}" ]]; then
+    log_level="debug"
+    unset DRYCC_DEBUG
+fi
+
+alias podman='podman --log-level ${log_level} --cgroup-manager=cgroupfs --events-backend=file'
 
 function clean_before_exit {
     # delay before exiting, so stdout/stderr flushes through the logging system
@@ -29,12 +36,6 @@ function waiting_process {
     done
 }
 
-log_level="error"
-if [[ "${DRYCC_DEBUG}" ]]; then
-    log_level="debug"
-    unset DRYCC_DEBUG
-fi
-
 CONTAINERS_CONFIG_DIR="${HOME}"/.config/containers
 mkdir -p "${CONTAINERS_CONFIG_DIR}"
 from_registries_file="/etc/imagebuilder/registries.conf"
@@ -43,6 +44,8 @@ if [ -f "${from_registries_file}" ]; then
     install -D  "${from_registries_file}" "${CONTAINERS_CONFIG_DIR}"/registries.conf
 fi
 
+# The directory cannot be changed, the position is hard coded, pack cli needs to be used.
+# https://github.com/buildpacks/pack/blob/main/internal/docker/context.go
 REGISTRY_AUTH_FILE="${HOME}"/.docker/config.json
 readonly REGISTRY_AUTH_FILE
 from_auths_file="/etc/imagebuilder/auths.json"
@@ -100,23 +103,27 @@ image_latest_name="${image_base_name}":latest
 # Building
 if [[ "${DRYCC_STACK}" == "container" ]] ; then
     echo "---> Building container"
-    if [[ $log_level == "debug" ]] ; then
-        podman build --tag"${IMAGE_NAME}" --network host .
-        podman push "${IMAGE_NAME}" --tls-verify=false
-    else
-        podman build --quiet --tag "${IMAGE_NAME}" --network host .
-        podman push "${IMAGE_NAME}" --quiet --tls-verify=false
+    podman_build="podman build . --tag ${IMAGE_NAME} --network host"
+    podman_push="podman push ${IMAGE_NAME} --tls-verify=false"
+    if [[ -f .build-env ]] ; then
+        for build_arg in $( < .build-env )
+        do
+            podman_build="$podman_build --build-arg $build_arg"
+        done
     fi
+    $podman_build
+    $podman_push
 else
     echo "---> Building pack"
     echo "---> Using builder ${pack_builder}"
     # podman connection
-    DOCKER_HOST="unix://$(podman info -f "{{.Host.RemoteSocket.Path}}")"
+    DOCKER_HOST="unix://$(podman info -f '{{.Host.RemoteSocket.Path}}')"
     readonly DOCKER_HOST
     export DOCKER_HOST
 
     pack_build="pack build ${IMAGE_NAME} \
             --builder ${pack_builder} \
+            --lifecycle-image ${pack_builder} \
             --env DRYCC_APP=${drycc_app} \
             --docker-host ${DOCKER_HOST} \
             --previous-image ${image_latest_name} \

versioning.mk

@@ -1,6 +1,6 @@
 MUTABLE_VERSION ?= canary
 VERSION ?= git-$(shell git rev-parse --short HEAD)
-DOCKER_BUILD_FLAGS ?= --pull
+CONTAINER_BUILD_FLAGS ?= --pull
 
 IMAGE := ${DRYCC_REGISTRY}/${IMAGE_PREFIX}/${SHORT_NAME}:${VERSION}
 MUTABLE_IMAGE := ${DRYCC_REGISTRY}/${IMAGE_PREFIX}/${SHORT_NAME}:${MUTABLE_VERSION}
@@ -11,13 +11,13 @@ info:
 	@echo "Immutable tag:   ${IMAGE}"
 	@echo "Mutable tag:     ${MUTABLE_IMAGE}"
 
-.PHONY: docker-push
-docker-push: docker-immutable-push docker-mutable-push
+.PHONY: podman-push
+podman-push: podman-immutable-push podman-mutable-push
 
-.PHONY: docker-immutable-push
-docker-immutable-push:
-	docker push ${IMAGE}
+.PHONY: podman-immutable-push
+podman-immutable-push:
+	podman push ${IMAGE}
 
-.PHONY: docker-mutable-push
-docker-mutable-push:
-	docker push ${MUTABLE_IMAGE}
+.PHONY: podman-mutable-push
+podman-mutable-push:
+	podman push ${MUTABLE_IMAGE}