ContainerImages
/
jenkins-shared-libs
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: ContainerImages:testing
Branches Tags
ContainerImages:bci2-resources
ContainerImages:main
ContainerImages:testing
...
pull from: ContainerImages:main
Branches Tags
ContainerImages:bci2-resources
ContainerImages:main
ContainerImages:testing

11 Commits
testing ... main

Author SHA1 Message Date
Dustin b98e6a99ae bci2: Add resources argument 
Instead of a top-level boolean that says whether or not the build
can/should run on a Raspberry Pi, we'll expose a `resources` argument
that allows jobs to specify their compute requirements.  If they're not
specified, then the job can run anywhere.  Otherwise, if the
requirements are too large for a Pi, then the autoscaler will launch a
cloud worker to handle the build.
 2025-09-26 10:16:26 -05:00
Dustin a2248404cf podTemplate2: Pin to Buildah v1.37 for now 
Buildah 1.38 and 1.39 have a bug that prevents them being able to build
containers in a Kubernetes pod.  Whenever I try, I get:

> error stat()ing intended root directory
> "/var/tmp/buildah3537271510/mnt/rootfs": no such file or directory

I have not identified the root cause yet, but reverting to 1.37 works
around the issue for now.
 2025-05-05 09:17:14 -05:00
Dustin 18c0cdda1b bci2: Tolerate du5t1n.me/jenkins taint 
For aarch64 builds that cannot run on Raspberry Pi nodes, the pod must
tolerate the `du5t1n.me/jenkins` taint, which is applied to ephemeral
nodes in EC2.  Without this toleration, the pod can never be scheduled,
as there are no aarch64 nodes besides Rasberry Pis that do not have that
taint.
 2024-05-25 11:50:12 -05:00
Dustin c9eb592e0a bci2: Correctly handle default branch w/ manifest 
Fix hard-coded default branch name of *main* when pushing multi-arch
image manifests.
 2024-01-19 14:40:53 -06:00
Dustin 1b37d9510d bci2: Allow jobs to choose if they run on an RPi 
Jobs that need to compile code, as opposed to simply installing
prebuilt packages and/or copying in files, probably do not want to run
on a Raspberry Pi.  To allow such jobs to opt out of running on a Pi and
wait for the Cluster Autoscaler to bring up an aarch64 node in AWS, the
`buildContainerImage2` function now takes an optional `pi` argument.
The argument defaults to `true`, so existing jobs that expect to run on
a Pi will continue to do so.
 2024-01-14 17:16:26 -06:00
Dustin 6cc6c5ef36 bci2: Add defaultBranch keyword argument 
Passing the `defaultBranch` argument to `buildContainerImage2()` allows
setting the `latest` for projects where the default branch is not
*main*.  For example:

```groovy
buildContainerImage2(defaultBranch: 'master')
```

This will update the `latest` tag whenever a new build is created on the
*master* branch.
 2024-01-11 09:49:50 -06:00
Dustin 008bae5cee bci2: Allow setting custom schedule 
The `buildContainerImage2` function now accepts an optional `schedule`
argument.  If specified, the value will be used as the cron expression
for triggering a build periodically.
 2023-11-01 10:10:01 -05:00
Dustin 14cb41d4d9 bci2: Allow running on a Raspberry Pi 
In order to keep "big" applications that just happen to have arm64
container images, like Argo CD and Jenkins, from running on Raspberry
Pis instead of VMs, I added a `du5t1n.me/machine=raspberrypi:NoExecute`
taint to them.  This requires any workload that should be allowed to run
on a Raspberry Pi to explicitly indicate as much.  Since the point of
adding *k8s-aarch64-n1.pyrocufflink.blue* to the cluster was to be able
to build container images, the pod template for container image jobs
needs to include this toleration.
 2023-10-28 09:58:47 -05:00
Dustin a4e9602ca9 buildContainerImage2: Unstash single-arch image 
If the image being built is only for a single architecture, the step to
unstash the OCI archive file was missing.  This caused the build to fail
at the Push step, since there was noting to push.
 2023-10-24 19:34:27 -05:00
Dustin 93da924aab buildContainerImage2: Handle names with slashes 
If the provided container image name includes a `/` character, the build
will fail when copying the OCI image to a tarball:

> + buildah push git.pyrocufflink.net/containerimages/build/selinux:dev-ci oci-archive:/home/jenkins/agent/workspace/ainerImages_build.selinux_dev_ci/build/selinux-amd64.tar
> Error: lstat /home/jenkins/agent/workspace/ainerImages_build.selinux_dev_ci/build: no such file or directory

To resolve this, we need to escape the image name when constructing the
path to the tar file.
 2023-10-24 18:34:11 -05:00
Dustin 96f4e59cbc buildContainerImage2: Support multiarch OCI images 
The `buildContainerImage2` function is an improvement on the existing
`buildContainerImage` function, with a couple of enhancements.
Primarily, it supports building images for multiple architectures.  For
each listed architecture, a pod is launched on a matching worker node to
build the image natively.  The image is exported to an OCI archive and
"stashed" in the Jenkins workspace.  After images for all architectures
are built, another pod is launched and all of the stashed archives are
copied there and assembled into a manifest list.  Finally, the manifest
list is published to the OCI repository as usual, creating tags for the
Git branch and build number.

In addition to adding support for multiarch images, the
`buildContainerImage2` performs image builds in *unprivileged* pods.
Whereas the old function performed builds in a rootful container, the
new one configures requests pods with unique user namespaces.  The build
runs as *root* in the container, but that user is mapped to an arbitrary
unprivileged user on the host.
 2023-10-05 22:12:09 -05:00
2 changed files with 190 additions and 0 deletions
Show Stats Expand all files Collapse all files

21
resources/podTemplate2.yaml Normal file
View File

@ -0,0 +1,21 @@
spec:
containers:
- name: buildah
image: quay.io/containers/buildah:v1.37
command:
- cat
stdin: true
tty: true
securityContext:
capabilities:
add:
- SYS_ADMIN
- MKNOD
- SYS_CHROOT
- SETFCAP
resources:
limits:
github.com/fuse: 1
hostUsers: false
tolerations:
- key: du5t1n.me/jenkins

169
vars/buildContainerImage2.groovy Normal file
View File

@ -0,0 +1,169 @@
// vim: set sw=4 sts=4 ts=4 et :
def call(args) {
def registry = args?.registry
def project = args?.project
def name = args?.name
def tag = args?.tag
def archlist = args?.archlist
def schedule = args?.schedule
def defaultBranch = args?.defaultBranch
def pi = args?.pi
def resources = args?.resources
properties([
pipelineTriggers([cron(schedule ?: 'H H H * *')])
])
if (registry == null) {
registry = 'git.pyrocufflink.net'
}
if (project == null) {
project = 'containerimages'
}
if (name == null) {
name = escapeImageName(env.JOB_NAME.split('/')[1])
}
if (tag == null) {
tag = escapeImageName(env.BRANCH_NAME)
}
if (archlist == null) {
archlist = ['amd64']
}
if (defaultBranch == null) {
defaultBranch = 'main'
}
def repo = "${registry}/${project}/${name}"
def full_name = "${repo}:${tag}"
def stages = [:]
archlist.each { arch ->
def stageName = "Build ${arch}"
stages[stageName] = {
stage(stageName) {
buildStage(
name: name,
full_name: full_name,
registry: registry,
arch: arch,
resources: resources,
)
}
}
}
parallel stages
runInPod {
container('buildah') {
withBuildahCreds(registry) {
if (archlist.size() > 1) {
stage('Build Manifest') {
sh "buildah manifest create '${full_name}'"
archlist.each { arch ->
unstash arch
sh "buildah manifest add '${full_name}' oci-archive:\${PWD}/${escapeImageName(name)}-${arch}.tar:${full_name}"
}
}
}
stage('Push') {
if (archlist.size() > 1) {
sh "buildah manifest push --all ${full_name} docker://${full_name}-${env.BUILD_NUMBER}"
sh "buildah manifest push ${full_name} docker://${full_name}"
if (env.BRANCH_NAME == defaultBranch) {
sh "buildah manifest push ${full_name} docker://${repo}:latest"
}
} else {
archlist.each { arch ->
unstash arch
sh "buildah pull oci-archive:\${PWD}/${escapeImageName(name)}-${arch}.tar:${full_name}"
}
sh "buildah push ${full_name} ${full_name}-${env.BUILD_NUMBER}"
sh "buildah push ${full_name}"
if (env.BRANCH_NAME == defaultBranch) {
sh "buildah push ${full_name} ${repo}:latest"
}
}
}
}
}
}
}
def buildStage(args) {
def name = args.name
def full_name = args.full_name
def registry = args.registry
def arch = args.arch
def resources = args?.resources
runInPod(arch: arch, resources: resources) {
checkout scm
container('buildah') {
withBuildahCreds(registry) {
sh "buildah build -t '${full_name}' ."
sh "buildah push '${full_name}' oci-archive:\${PWD}/${escapeImageName(name)}-${arch}.tar:${full_name}"
stash name: arch, includes: "${escapeImageName(name)}-*.tar"
}
}
}
}
def runInPod(block) {
runInPod(null, block)
}
def runInPod(args, block) {
def arch = args?.arch
def resources = args?.resources
def podTemplateYaml = libraryResource('podTemplate2.yaml')
if (resources) {
def tmpl = readYaml(text: podTemplateYaml)
tmpl.spec.containers.each { c ->
c.resources = c.resources ?: [:]
c.resources.putAll([
requests: (c.resources.requests ?: [:]) + resources,
limits: (c.resources.limits ?: [:]) + resources,
])
}
podTemplateYaml = writeYaml(data: tmpl, returnText: true)
}
podTemplate(
yaml: podTemplateYaml,
nodeSelector: arch ? "kubernetes.io/arch=${arch}" : null,
workspaceVolume: emptyDirWorkspaceVolume(),
) {
node(POD_LABEL) {
block()
}
}
}
def withBuildahCreds(registry, block) {
withEnv([
"REGISTRY_AUTH_FILE=${env.WORKSPACE_TMP}/auth.json"
]) {
withCredentials([usernamePassword(
credentialsId: 'jenkins-packages',
usernameVariable: 'BUILDAH_USERNAME',
passwordVariable: 'BUILDAH_PASSWORD',
)]) {
sh """
buildah login \
--username \${BUILDAH_USERNAME} \
--password \${BUILDAH_PASSWORD} \
${registry}
"""
}
block()
}
}
def escapeImageName(name) {
return name.
toLowerCase().
replaceAll('[^a-zA-z0-9._-]', '-').
replaceAll('^[.-]', '_')
}