Install podman in container for container-based builds

This installs podman inside the nodepool container, which is used by the dependent change in DIB to extract initial chroot environments from upstream containers. This eliminates the need to run non-native tools on build hosts (rpm/zypper on Ubuntu, etc.). As noted in the config, podman defaults to assuming systemd is installed and using various systemd interfaces. Additionally, we map the a volume into the container which allows nested podman to do what it needs to do. Needed-By: https://review.opendev.org/700083 Change-Id: I6722aa2b32db57e099dae4417955a8a2cd28847e
2020-10-08 17:59:29 +11:00 · 2020-10-08 17:59:29 +11:00 · a07bb0a0ae
commit a07bb0a0ae
parent 341bf727d5
3 changed files with 38 additions and 0 deletions
--- a/11
+++ b/11
@ -69,10 +69,13 @@ RUN echo "nodepool ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nodepool-sudo \
 #    are incoporated into the openstack-ci-core version
 COPY tools/openstack-ci-core-ppa.asc /etc/apt/trusted.gpg.d/
 COPY tools/kubic.asc /etc/apt/trusted.gpg.d/
 RUN \
  echo "deb http://ppa.launchpad.net/openstack-ci-core/vhd-util/ubuntu focal main" >> /etc/apt/sources.list \
  && echo "deb http://ppa.launchpad.net/openstack-ci-core/debootstrap/ubuntu focal main" >> /etc/apt/sources.list \
  && echo "deb https://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list \
  && echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /" > "/etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" \
  && apt-get update \
  && apt-get install -y \
      curl \
@ -90,9 +93,17 @@ RUN \
      yum \
      yum-utils \
      zypper \
      libseccomp2/buster-backports \
      podman \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 # Podman defaults to trying to use systemd to do cgroup things (insert
 # hand-wavy motion) but it's not in the container.
 RUN \
  mkdir -p /etc/containers \
  && echo 'cgroup_manager="cgroupfs"' >> /etc/containers/libpod.conf
 CMD _DAEMON_FLAG=${DEBUG:+-d} && \
    _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \
    /usr/local/bin/nodepool-builder ${_DAEMON_FLAG}
--- a/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2
+++ b/playbooks/nodepool-functional-container-openstack/templates/docker-compose.yaml.j2
@ -1,4 +1,8 @@
 version: '3.0'
 volumes:
  nested_var_lib_containers:
 services:
  nodepool-builder:
    image: zuul/nodepool-builder{{ nodepool_container_tag|default('') }}
@ -23,6 +27,8 @@ services:
      - /var/log/nodepool:/var/log/nodepool
      # devstack tls-proxy puts CA here that is referenced by cloud config
      - /opt/stack/data:/opt/stack/data:ro
      # for nested podman/docker runs (container elements)
      - nested_var_lib_containers:/var/lib/containers
      # zookeeper certs
      - /opt/zookeeper/ca:/opt/zookeeper/ca:ro
--- a/tools/kubic.asc
+++ b/tools/kubic.asc
@ -0,0 +1,21 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1.4.5 (GNU/Linux)
 mQENBFtkV0cBCADStSTCG5qgYtzmWfymHZqxxhfwfS6fdHJcbGUeXsI5dxjeCWhs
 XarZm6rWZOd5WfSmpXhbKOyM6Ll+6bpSl5ICHLa6fcpizYWEPa8fpg9EGl0cF12G
 GgVLnnOZ6NIbsoW0LHt2YN0jn8xKVwyPp7KLHB2paZh+KuURERG406GXY/DgCxUx
 Ffgdelym/gfmt3DSq6GAQRRGHyucMvPYm53r+jVcKsf2Bp6E1XAfqBrD5r0maaCU
 Wvd7bi0B2Q0hIX0rfDCBpl4rFqvyaMPgn+Bkl6IW37zCkWIXqf1E5eDm/XzP881s
 +yAvi+JfDwt7AE+Hd2dSf273o3WUdYJGRwyZABEBAAG0OGRldmVsOmt1YmljIE9C
 UyBQcm9qZWN0IDxkZXZlbDprdWJpY0BidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMB
 CAAoBQJfcJJOAhsDBQkIKusHBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBN
 ZDkDdQYKpB0xCACmtCT6ruPiQa4l0DEptZ+u3NNbZfSVGH4fE4hyTjLbzrCxqcoh
 xJvDKxspuJ85wWFWMtl57+lFFE1KP0AX2XTT+/v2vN1PIfwgOSw3yp2sgWuIXFAi
 89YSjSh8G0SGAH90A9YFMnTbllzGoGURjSX03iasW3A408ljbDehA6rpS3t3FD7P
 PnUF6204orYu00Qvc54an/xVJzxupb69MKW5EeK7x8MJnIToT8hIdOdGVD6axsis
 x+1U71oMK1gBke7p4QPUdhJFpSUd6kT8bcO+7rYouoljFNYkUfwnqtUn7525fkfg
 uDqqXvOJMpJ/sK1ajHOeehp5T4Q45L/qUCb3iEYEExECAAYFAltkV0cACgkQOzAR
 t2udZSOoswCdF44NTN09DwhPFbNYhEMb9juP5ykAn0bcELvuKmgDwEwZMrPQkG8t
 Pu9n
 =42uC
 -----END PGP PUBLIC KEY BLOCK-----