From d6d260174253e1a31a0fbcbc3bc3744c344d19d3 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Tue, 5 Mar 2024 14:51:58 -0500 Subject: [PATCH] [CI:DOCS] Migrate podman container image Moved to: https://github.com/containers/image_build Signed-off-by: Chris Evich --- contrib/podmanimage/README.md | 90 +------------------ contrib/podmanimage/stable/Containerfile | 61 ------------- contrib/podmanimage/stable/containers.conf | 12 --- .../podmanimage/stable/podman-containers.conf | 5 -- contrib/podmanimage/testing/Containerfile | 66 -------------- contrib/podmanimage/upstream/Containerfile | 68 -------------- 6 files changed, 2 insertions(+), 300 deletions(-) delete mode 100644 contrib/podmanimage/stable/Containerfile delete mode 100644 contrib/podmanimage/stable/containers.conf delete mode 100644 contrib/podmanimage/stable/podman-containers.conf delete mode 100644 contrib/podmanimage/testing/Containerfile delete mode 100644 contrib/podmanimage/upstream/Containerfile diff --git a/contrib/podmanimage/README.md b/contrib/podmanimage/README.md index 043af6d2dd..1e92bb7ac0 100644 --- a/contrib/podmanimage/README.md +++ b/contrib/podmanimage/README.md @@ -1,88 +1,2 @@ -[comment]: <> (***ATTENTION*** ***WARNING*** ***ALERT*** ***CAUTION*** ***DANGER***) -[comment]: <> () -[comment]: <> (ANY changes made to this file, once committed/merged must) -[comment]: <> (be manually copy/pasted -in markdown- into the description) -[comment]: <> (field on Quay at the following locations:) -[comment]: <> () -[comment]: <> (https://quay.io/repository/containers/podman) -[comment]: <> (https://quay.io/repository/podman/stable) -[comment]: <> (https://quay.io/repository/podman/testing) -[comment]: <> (https://quay.io/repository/podman/upstream) -[comment]: <> () -[comment]: <> (***ATTENTION*** ***WARNING*** ***ALERT*** ***CAUTION*** ***DANGER***) - -![PODMAN logo](https://raw.githubusercontent.com/containers/common/main/logos/podman-logo-full-vert.png) - -# podmanimage - -## Overview - -This directory contains the Containerfiles necessary to create the podmanimage container -images that are housed on quay.io under the Podman account. All repositories where -the images live are public and can be pulled without credentials. These container images are secured and the -resulting containers can run safely with privileges within the container. - -The container images are built using the latest Fedora and then Podman is installed into them. -The PATH in the container images is set to the default PATH provided by Fedora. Also, the -ENTRYPOINT and the WORKDIR variables are not set within these container images, as such they -default to `/`. - -The container images are: - - * `quay.io/containers/podman:` and `quay.io/podman/stable:` - - These images are built daily. They are intended to contain an unchanging - and stable version of podman. For the most recent `` tags (`vX`, - `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate - (especially) security upgrades. For build details, please [see the - configuration file](stable/Containerfile). - * `quay.io/containers/podman:latest` and `quay.io/podman/stable:latest` - - Built daily using the same Containerfile as above. The Podman version - will remain the "latest" available in Fedora, however the other image - contents may vary compared to the version-tagged images. - * `quay.io/podman/testing:latest` - This image is built daily, using the - latest version of Podman that was in the Fedora `updates-testing` repository. - The image is Built with [the testing Containerfile](testing/Containerfile). - * `quay.io/podman/upstream:latest` - This image is built daily using the latest - code found in this GitHub repository. Due to the image changing frequently, - it's not guaranteed to be stable or even executable. The image is built with - [the upstream Containerfile](upstream/Containerfile). Note the actual compilation - of upstream podman [occurs continuously in - COPR](https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/). - -## Sample Usage - - -``` -podman pull docker://quay.io/podman/stable:latest - -podman run --privileged stable podman version - -# Create a directory on the host to mount the container's -# /var/lib/container directory to so containers can be -# run within the container. -mkdir /var/lib/mycontainer - -# Run the image detached using the host's network in a container name -# podmanctr, turn off label and seccomp confinement in the container -# and then do a little shell hackery to keep the container up and running. -podman run --detach --name=podmanctr --net=host --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw -v /var/lib/mycontainer:/var/lib/containers:Z --privileged stable sh -c 'while true ;do sleep 100000 ; done' - -podman exec -it podmanctr /bin/sh - -# Now inside of the container - -podman pull alpine - -podman images - -exit -``` - -**Note:** If you encounter a `fuse: device not found` error when running the container image, it is likely that -the fuse kernel module has not been loaded on your host system. Use the command `modprobe fuse` to load the -module and then run the container image. To enable this automatically at boot time, you can add a configuration -file to `/etc/modules.load.d`. See `man modules-load.d` for more details. - -### Blog Post with Details - -Dan Walsh wrote a blog post on the [Enable Sysadmin](https://www.redhat.com/sysadmin/) site titled [How to use Podman inside of a container](https://www.redhat.com/sysadmin/podman-inside-container). In it, he details how to use these images as a rootful and as a rootless user. Please refer to this blog for more detailed information. +The podman container image build context and automation have been +moved to [https://github.com/containers/image_build/tree/main/podman](https://github.com/containers/image_build/tree/main/podman) diff --git a/contrib/podmanimage/stable/Containerfile b/contrib/podmanimage/stable/Containerfile deleted file mode 100644 index fa776ead17..0000000000 --- a/contrib/podmanimage/stable/Containerfile +++ /dev/null @@ -1,61 +0,0 @@ -# stable/Containerfile -# -# Build a Podman container image from the latest -# stable version of Podman on the Fedoras Updates System. -# https://bodhi.fedoraproject.org/updates/?search=podman -# This image can be used to create a secured container -# that runs safely with privileges within the container. -# -FROM registry.fedoraproject.org/fedora:latest - -# Don't include container-selinux and remove -# directories used by dnf that are just taking -# up space. -# TODO: rpm --setcaps... needed due to Fedora (base) image builds -# being (maybe still?) affected by -# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 -RUN dnf -y update && \ - rpm --setcaps shadow-utils 2>/dev/null && \ - dnf -y install podman fuse-overlayfs openssh-clients \ - --exclude container-selinux && \ - dnf clean all && \ - rm -rf /var/cache /var/log/dnf* /var/log/yum.* - -RUN useradd podman; \ -echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid; \ -echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid; - -ARG _REPO_URL="https://raw.githubusercontent.com/containers/podman/main/contrib/podmanimage/stable" -ADD $_REPO_URL/containers.conf /etc/containers/containers.conf -ADD $_REPO_URL/podman-containers.conf /home/podman/.config/containers/containers.conf - -RUN mkdir -p /home/podman/.local/share/containers && \ - chown podman:podman -R /home/podman && \ - chmod 644 /etc/containers/containers.conf - -# Copy & modify the defaults to provide reference if runtime changes needed. -# Changes here are required for running with fuse-overlay storage inside container. -RUN sed -e 's|^#mount_program|mount_program|g' \ - -e '/additionalimage.*/a "/var/lib/shared",' \ - -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \ - /usr/share/containers/storage.conf \ - > /etc/containers/storage.conf - -# Setup internal Podman to pass subscriptions down from host to internal container -RUN printf '/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement\n/run/secrets/rhsm:/run/secrets/rhsm\n' > /etc/containers/mounts.conf - -# Note VOLUME options must always happen after the chown call above -# RUN commands can not modify existing volumes -VOLUME /var/lib/containers -VOLUME /home/podman/.local/share/containers - -RUN mkdir -p /var/lib/shared/overlay-images \ - /var/lib/shared/overlay-layers \ - /var/lib/shared/vfs-images \ - /var/lib/shared/vfs-layers && \ - touch /var/lib/shared/overlay-images/images.lock && \ - touch /var/lib/shared/overlay-layers/layers.lock && \ - touch /var/lib/shared/vfs-images/images.lock && \ - touch /var/lib/shared/vfs-layers/layers.lock - -ENV _CONTAINERS_USERNS_CONFIGURED="" diff --git a/contrib/podmanimage/stable/containers.conf b/contrib/podmanimage/stable/containers.conf deleted file mode 100644 index 220c1f850c..0000000000 --- a/contrib/podmanimage/stable/containers.conf +++ /dev/null @@ -1,12 +0,0 @@ -[containers] -netns="host" -userns="host" -ipcns="host" -utsns="host" -cgroupns="host" -cgroups="disabled" -log_driver = "k8s-file" -[engine] -cgroup_manager = "cgroupfs" -events_logger="file" -runtime="crun" diff --git a/contrib/podmanimage/stable/podman-containers.conf b/contrib/podmanimage/stable/podman-containers.conf deleted file mode 100644 index 2bdd95a3b5..0000000000 --- a/contrib/podmanimage/stable/podman-containers.conf +++ /dev/null @@ -1,5 +0,0 @@ -[containers] -volumes = [ - "/proc:/proc", -] -default_sysctls = [] diff --git a/contrib/podmanimage/testing/Containerfile b/contrib/podmanimage/testing/Containerfile deleted file mode 100644 index da9f740203..0000000000 --- a/contrib/podmanimage/testing/Containerfile +++ /dev/null @@ -1,66 +0,0 @@ -# testing/Containerfile -# -# Build a Podman container image from the latest -# stable version of Podman on the Fedoras Updates System. -# https://bodhi.fedoraproject.org/updates/?search=podman -# This image can be used to create a secured container -# that runs safely with privileges within the container. -# -FROM registry.fedoraproject.org/fedora:latest - -# Don't include container-selinux and remove -# directories used by dnf that are just taking -# up space. -# TODO: rpm --setcaps... needed due to Fedora (base) image builds -# being (maybe still?) affected by -# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 -RUN dnf -y update && \ - rpm --setcaps shadow-utils 2>/dev/null && \ - dnf -y install podman fuse-overlayfs openssh-clients \ - --exclude container-selinux --enablerepo updates-testing && \ - dnf clean all && \ - rm -rf /var/cache /var/log/dnf* /var/log/yum.* - -RUN useradd podman; \ -echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid; \ -echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid; - -ARG _REPO_URL="https://raw.githubusercontent.com/containers/podman/main/contrib/podmanimage/stable" -ADD $_REPO_URL/containers.conf /etc/containers/containers.conf -ADD $_REPO_URL/podman-containers.conf /home/podman/.config/containers/containers.conf - -RUN mkdir -p /home/podman/.local/share/containers && \ - chown podman:podman -R /home/podman - -# Copy & modify the defaults to provide reference if runtime changes needed. -# Changes here are required for running with fuse-overlay storage inside container. -RUN sed -e 's|^#mount_program|mount_program|g' \ - -e '/additionalimage.*/a "/var/lib/shared",' \ - -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \ - /usr/share/containers/storage.conf \ - > /etc/containers/storage.conf - -# Setup internal Podman to pass secrets/subscriptions down from host to internal container -RUN printf '/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement\n/run/secrets/rhsm:/run/secrets/rhsm\n' > /etc/containers/mounts.conf - -# Note VOLUME options must always happen after the chown call above -# RUN commands can not modify existing volumes -VOLUME /var/lib/containers -VOLUME /home/podman/.local/share/containers - -# chmod containers.conf and adjust storage.conf to enable Fuse storage. -RUN chmod 644 /etc/containers/containers.conf && \ - sed -i -e 's|^#mount_program|mount_program|g' \ - -e '/additionalimage.*/a "/var/lib/shared",' \ - -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \ - /etc/containers/storage.conf -RUN mkdir -p /var/lib/shared/overlay-images \ - /var/lib/shared/overlay-layers \ - /var/lib/shared/vfs-images \ - /var/lib/shared/vfs-layers && \ - touch /var/lib/shared/overlay-images/images.lock && \ - touch /var/lib/shared/overlay-layers/layers.lock && \ - touch /var/lib/shared/vfs-images/images.lock && \ - touch /var/lib/shared/vfs-layers/layers.lock - -ENV _CONTAINERS_USERNS_CONFIGURED="" diff --git a/contrib/podmanimage/upstream/Containerfile b/contrib/podmanimage/upstream/Containerfile deleted file mode 100644 index e31b94746f..0000000000 --- a/contrib/podmanimage/upstream/Containerfile +++ /dev/null @@ -1,68 +0,0 @@ -# upstream/Containerfile -# -# Build a Podman container image from the latest -# upstream version of Podman on GitHub. -# https://github.com/containers/podman -# This image can be used to create a secured container -# that runs safely with privileges within the container. -# The containers created by this image also come with a -# Podman development environment in /root/podman. -# -FROM registry.fedoraproject.org/fedora:latest - -# Don't include container-selinux and remove -# directories used by dnf that are just taking -# up space. The latest podman + deps. come from -# https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/ -# TODO: rpm --setcaps... needed due to Fedora (base) image builds -# being (maybe still?) affected by -# https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3 -RUN dnf -y update && \ - rpm --setcaps shadow-utils 2>/dev/null && \ - dnf -y install 'dnf-command(copr)' --enablerepo=updates-testing && \ - dnf -y copr enable rhcontainerbot/podman-next && \ - dnf -y install podman fuse-overlayfs openssh-clients \ - --exclude container-selinux \ - --enablerepo=updates-testing && \ - dnf clean all && \ - rm -rf /var/cache /var/log/dnf* /var/log/yum.* - -RUN useradd podman; \ -echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid; \ -echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid; - -ARG _REPO_URL="https://raw.githubusercontent.com/containers/podman/main/contrib/podmanimage/stable" -ADD $_REPO_URL/containers.conf /etc/containers/containers.conf -ADD $_REPO_URL/podman-containers.conf /home/podman/.config/containers/containers.conf - -RUN mkdir -p /home/podman/.local/share/containers && \ - chown podman:podman -R /home/podman && \ - chmod 644 /etc/containers/containers.conf - -# Copy & modify the defaults to provide reference if runtime changes needed. -# Changes here are required for running with fuse-overlay storage inside container. -RUN sed -e 's|^#mount_program|mount_program|g' \ - -e '/additionalimage.*/a "/var/lib/shared",' \ - -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \ - /usr/share/containers/storage.conf \ - > /etc/containers/storage.conf - -# Setup internal Podman to pass secrets/subscriptions down from host to internal container -RUN printf '/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement\n/run/secrets/rhsm:/run/secrets/rhsm\n' > /etc/containers/mounts.conf - -# Note VOLUME options must always happen after the chown call above -# RUN commands can not modify existing volumes -VOLUME /var/lib/containers -VOLUME /home/podman/.local/share/containers - -RUN mkdir -p /var/lib/shared/overlay-images \ - /var/lib/shared/overlay-layers \ - /var/lib/shared/vfs-images \ - /var/lib/shared/vfs-layers && \ - touch /var/lib/shared/overlay-images/images.lock && \ - touch /var/lib/shared/overlay-layers/layers.lock && \ - touch /var/lib/shared/vfs-images/images.lock && \ - touch /var/lib/shared/vfs-layers/layers.lock - -ENV _CONTAINERS_USERNS_CONFIGURED="" \ - BUILDAH_ISOLATION=chroot