From 70db82198c4bd0a6a0dd78221c2fae4bc7e9682f Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Fri, 1 May 2020 07:52:31 -0500
Subject: [PATCH] Write buildkitd.toml in use-buildset-registry

It's a generally useful file for people using buildkitd. It's also more appropriate to write it in use-buildset-registry and then just have build-docker-image copy it. Do the same thing with writing the cert - we don't need to know which path on the host use-buildset-registry wrote the file to, we can just write the content from the dir into the container, and then it's just a consistent command to apply it.

Change-Id: Iaa485c2e8628900dccbed1f4b0773b6d1b5f7983
---
 .../tasks/setup-buildx.yaml | 45 ++++++------
 .../templates/buildkitd.toml.j2 | 8 ---
 roles/build-docker-image/vars/CentOS.yaml | 2 -
 roles/build-docker-image/vars/default.yaml | 2 -
 .../library/modify_buildkitd_toml.py | 70 +++++++++++++++++++
 .../library/modify_registries_conf.py | 2 +-
 roles/use-buildset-registry/tasks/main.yaml | 13 ++++
 7 files changed, 106 insertions(+), 36 deletions(-)
 delete mode 100644 roles/build-docker-image/templates/buildkitd.toml.j2
 delete mode 100644 roles/build-docker-image/vars/CentOS.yaml
 delete mode 100644 roles/build-docker-image/vars/default.yaml
 create mode 100644 roles/use-buildset-registry/library/modify_buildkitd_toml.py
diff --git a/roles/build-docker-image/tasks/setup-buildx.yaml b/roles/build-docker-image/tasks/setup-buildx.yaml
index dcef744b7..818e89bdb 100644
--- a/roles/build-docker-image/tasks/setup-buildx.yaml
+++ b/roles/build-docker-image/tasks/setup-buildx.yaml
@@ -1,31 +1,10 @@
-- name: Include OS-specific variables
- include_vars: "{{ zj_distro_os }}"
- with_first_found:
- - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yaml"
- - "{{ ansible_distribution }}.{{ ansible_architecture }}.yaml"
- - "{{ ansible_distribution }}.yaml"
- - "{{ ansible_os_family }}.yaml"
- - "default.yaml"
- loop_control:
- loop_var: zj_distro_os
-
-- name: Make tempfile for buildkit.toml
- tempfile:
- state: file
- register: buildkit_toml_tmp
-
-- name: Write buildkit.toml file
- template:
- dest: '{{ buildkit_toml_tmp.path }}'
- src: buildkitd.toml.j2
-
 - name: Run binfmt container
 command: docker run --rm --privileged docker/binfmt:a7996909642ee92942dcd6cff44b9b95f08dad64
 environment:
 DOCKER_CLI_EXPERIMENTAL: enabled
 - name: Create builder
- command: 'docker buildx create --name mybuilder --driver-opt network=host --config {{ buildkit_toml_tmp.path }}'
+ command: docker buildx create --name mybuilder --driver-opt network=host --config /etc/buildkit/buildkitd.toml
 environment:
 DOCKER_CLI_EXPERIMENTAL: enabled
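Review bot: The `--config /etc/buildkit/buildkitd.toml` argument added to the Create builder task points at a file that only exists after the use-buildset-registry role's new Modify buildkitd.toml task has run, yet the certificate tasks later in this same file are guarded with `when: buildset_registry is defined`, which suggests this role is also expected to run without a buildset registry. In that case `docker buildx create` will presumably fail on the missing config file, where the old templated tempfile always existed. Either document the ordering dependency above the task (`# /etc/buildkit/buildkitd.toml is written by the use-buildset-registry role, which must run first`) or make the flag conditional, e.g. `command: "docker buildx create --name mybuilder --driver-opt network=host{{ ' --config /etc/buildkit/buildkitd.toml' if buildset_registry is defined else '' }}"`.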
@@ -39,11 +18,31 @@
 environment:
 DOCKER_CLI_EXPERIMENTAL: enabled
+- name: Make tempfile for registry TLS certificate
+ tempfile:
+ state: file
+ register: buildkit_cert_tmp
+
+- name: Write buildset registry TLS certificate
+ become: true
+ copy:
+ content: "{{ buildset_registry.cert }}"
+ dest: "{{ buildkit_cert_tmp.path }}"
+ when: buildset_registry is defined and buildset_registry.cert
+
 - name: Copy buildset registry TLS cert into worker container
- command: "docker cp {{ ca_dir }}/buildset-registry.crt buildx_buildkit_mybuilder0:/usr/local/share/ca-certificates"
+ command: "docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_mybuilder0:/usr/local/share/ca-certificates"
+ when: buildset_registry is defined and buildset_registry.cert
 - name: Update CA certs in worker container
 command: docker exec buildx_buildkit_mybuilder0 update-ca-certificates
+ when: buildset_registry is defined and buildset_registry.cert
+
+- name: Remove TLS cert tempfile
+ file:
+ state: absent
+ path: '{{ buildkit_cert_tmp.path }}'
+ when: buildset_registry is defined and buildset_registry.cert
 - name: Make tempfile for /etc/hosts
 tempfile:
diff --git a/roles/build-docker-image/templates/buildkitd.toml.j2 b/roles/build-docker-image/templates/buildkitd.toml.j2
deleted file mode 100644
index 61d6f37ac..000000000
--- a/roles/build-docker-image/templates/buildkitd.toml.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-[registry."docker.io"]
- mirrors = ["{{ buildset_registry_alias }}:{{ buildset_registry.port }}"]
-
-[registry."quay.io"]
- mirrors = ["{{ buildset_registry_alias }}:{{ buildset_registry.port }}/quay.io"]
-
-[registry."gcr.io"]
- mirrors = ["{{ buildset_registry_alias }}:{{ buildset_registry.port }}/gcr.io"]
diff --git a/roles/build-docker-image/vars/CentOS.yaml b/roles/build-docker-image/vars/CentOS.yaml
deleted file mode 100644
index c2b260ab2..000000000
--- a/roles/build-docker-image/vars/CentOS.yaml
+++ /dev/null
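Review bot: The new `docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_mybuilder0:/usr/local/share/ca-certificates` command in the Copy task installs the certificate under the tempfile's random name, which carries no `.crt` suffix, whereas the removed command copied `buildset-registry.crt`. `update-ca-certificates` in the following task only considers `*.crt` files in that directory, so the buildset registry CA would silently never be trusted inside the builder (its output would report 0 certificates added) and TLS pulls through the mirror would fail. Give the destination an explicit file name: `command: "docker cp {{ buildkit_cert_tmp.path }} buildx_buildkit_mybuilder0:/usr/local/share/ca-certificates/buildset-registry.crt"`. Two smaller points: the Make tempfile task is not guarded by the same `when`, so a tempfile is created and never removed when no buildset registry is defined, and `become: true` on the Write task looks unnecessary given that the tempfile was created by, and is later removed by, the unprivileged user.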
@@ -1,2 +0,0 @@
-ca_dir: /etc/pki/ca-trust/source/anchors
-ca_command: update-ca-trust
diff --git a/roles/build-docker-image/vars/default.yaml b/roles/build-docker-image/vars/default.yaml
deleted file mode 100644
index 7bea1b23b..000000000
--- a/roles/build-docker-image/vars/default.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-ca_dir: /usr/local/share/ca-certificates
-ca_command: update-ca-certificates
diff --git a/roles/use-buildset-registry/library/modify_buildkitd_toml.py b/roles/use-buildset-registry/library/modify_buildkitd_toml.py
new file mode 100644
index 000000000..22c416f21
--- /dev/null
+++ b/roles/use-buildset-registry/library/modify_buildkitd_toml.py
@@ -0,0 +1,70 @@
+# Copyright 2019 Red Hat, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import os
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils import remarshal
+
+
+def get_location(prefix, location):
+ # To support usage with both docker and podman, the buildset
+ # registry keeps "docker.io" entries un-namespaced.
+ if prefix == 'docker.io':
+ return location
+ else:
+ return location + '/' + prefix
+
+
+def ansible_main():
+ module = AnsibleModule(
+ argument_spec=dict(
+ path=dict(required=True, type='path'),
+ buildset_registry=dict(type='raw'),
+ buildset_registry_alias=dict(type='str'),
+ namespaces=dict(type='raw'),
+ )
+ )
+ p = module.params
+ location = '%s:%s' % (p['buildset_registry_alias'],
+ p['buildset_registry']['port'])
+
+ if os.path.exists(p['path']):
+ with open(p['path'], 'rb') as f:
+ input_data = f.read()
+ data = remarshal.decode('toml', input_data, True)
+ else:
+ input_data = None
+ data = {}
+
+ if 'registry' not in data:
+ data['registry'] = {}
+ for namespace in set(p['namespaces']):
+ n_config = data['registry'].setdefault(namespace, {})
+ mirrors = n_config.setdefault('mirrors', [])
+ new_loc = get_location(namespace, location)
+ if not mirrors or new_loc != mirrors[0]:
+ mirrors.insert(0, new_loc)
+
+ output_data = remarshal.encode_toml(data, True)
+ changed = input_data is None or input_data != output_data
+ if changed:
+ with open(p['path'], 'wb') as f:
+ f.write(output_data.encode('utf8'))
+
+ module.exit_json(changed=changed, data=data)
+
+
+if __name__ == '__main__':
+ ansible_main()
diff --git a/roles/use-buildset-registry/library/modify_registries_conf.py b/roles/use-buildset-registry/library/modify_registries_conf.py
index 8945d942f..40f623e51 100644
--- a/roles/use-buildset-registry/library/modify_registries_conf.py
+++ b/roles/use-buildset-registry/library/modify_registries_conf.py
@@ -58,7 +58,7 @@ def ansible_main():
 continue
 mirrors = reg.setdefault('mirror', [])
 new_loc = dict(location=get_location(reg['prefix'], location))
- if mirrors and new_loc != mirrors[0]:
+ if not mirrors or new_loc != mirrors[0]:
 mirrors.insert(0, new_loc)
 for prefix in unseen:
 mirrors = [{'location': get_location(prefix, location)},
diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml
index 9db6cd60f..684bc2bc9 100644
--- a/roles/use-buildset-registry/tasks/main.yaml
+++ b/roles/use-buildset-registry/tasks/main.yaml
@@ -95,6 +95,19 @@
 buildset_registry_alias: "{{ buildset_registry_alias }}"
 namespaces: "{{ buildset_registry_namespaces }}"
+- name: Ensure buildkit directory exists
+ become: yes
+ file:
+ state: directory
+ path: /etc/buildkit/
+- name: Modify buildkitd.toml
+ become: yes
+ modify_buildkitd_toml:
+ path: /etc/buildkit/buildkitd.toml
+ buildset_registry: "{{ buildset_registry }}"
+ buildset_registry_alias: "{{ buildset_registry_alias }}"
+ namespaces: "{{ buildset_registry_namespaces }}"
+
 # We use 'block' here to cause the become to apply to all the tasks
 # (which does not automatically happen with include_tasks).
 - name: Update docker user config to use buildset registry
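Review bot: In ansible_main, `changed = input_data is None or input_data != output_data` compares the bytes read via `open(p['path'], 'rb')` with the str returned by `remarshal.encode_toml` (the write below has to `.encode('utf8')` it), and under Python 3 bytes and str never compare equal, so an existing buildkitd.toml is rewritten and reported as changed on every run; compare against the encoded form, `changed = input_data is None or input_data != output_data.encode('utf8')`. The argument_spec also leaves `buildset_registry`, `buildset_registry_alias` and `namespaces` optional while the body indexes `p['buildset_registry']['port']` and iterates `set(p['namespaces'])`, so an omitted argument surfaces as a TypeError traceback instead of a `fail_json` message; mark all three `required=True`. Finally the config is written in place with `open(p['path'], 'wb')`, so an interrupted run can leave buildkitd with a truncated file; writing to a temporary file and handing it to `module.atomic_move` would keep the mirror configuration consistent.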
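Review bot: The two new tasks run back to back with no blank line between `path: /etc/buildkit/` and `- name: Modify buildkitd.toml`, unlike every other task visible in this file, and they use `become: yes` where setup-buildx.yaml in the same change writes `become: true`; adding the blank line and settling on one spelling keeps the role consistent. The Ensure buildkit directory task sets no `mode`, so the directory's permissions are whatever the root umask yields, yet the Create builder task in setup-buildx.yaml reads /etc/buildkit/buildkitd.toml without become; pinning `mode: '0755'` makes that readable-by-others requirement explicit rather than incidental. Separately, the module only reads `buildset_registry.port` but is handed the whole `buildset_registry` dict; if that dict also carries credentials (only `cert` is visible in this change) they end up in the task's `invocation` output at higher verbosity, as they already do for the existing modify_registries_conf task above, so `no_log: true` on both tasks, or passing only the port, would be safer.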