Fixes for current RC images

* Make job uploads unique and match the security context of peridot
* Change image build, fix extraction of build artifacts
Neil Hanlon 2022-06-18 15:03:53 -04:00
parent 4587287e1e
commit 0603620773
Signed by untrusted user: neil
GPG Key ID: 705BC21EC3C70F34
3 changed files with 17 additions and 18 deletions


@ -1,17 +1,10 @@
FROM golang:1.18 as skbn FROM ghcr.io/neilhanlon/skbn:latest as skbn
ADD images/get_arch /get_arch
RUN git clone https://github.com/rubroboletus/skbn.git /usr/src/app/skbn.git
WORKDIR /usr/src/app/skbn.git
RUN CGO_ENABLED=0 GOOS=linux GOARCH=$(/get_arch) go build \
-ldflags "-X main.GitTag=$(git describe --tags --always) -X main.GitCommit=$(git rev-parse --short HEAD)" \
-o skbn cmd/skbn.go
FROM quay.io/centos/centos:stream9 FROM quay.io/centos/centos:stream9
ADD images/get_arch /get_arch
COPY --from=skbn /usr/src/app/skbn.git/skbn /usr/local/bin/skbn COPY --from=skbn /usr/src/app/skbn.git/skbn /usr/local/bin/skbn
COPY --from=skbn /get_arch /get_arch
ENV TINI_VERSION v0.19.0 ENV TINI_VERSION v0.19.0
RUN curl -o /tini -L "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-$(/get_arch)" RUN curl -o /tini -L "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-$(/get_arch)"
@ -69,7 +62,7 @@ RUN chown peridotbuilder:mock /etc/yum.conf && chown -R peridotbuilder:mock /etc
RUN pip install 'git+https://git.rockylinux.org/release-engineering/public/toolkit.git@feature/iso-kube#egg=empanadas&subdirectory=iso/empanadas' RUN pip install 'git+https://git.rockylinux.org/release-engineering/public/toolkit.git@feature/iso-kube#egg=empanadas&subdirectory=iso/empanadas'
RUN echo "nameserver 1.1.1.1 > /etc/resolv.conf" RUN echo "nameserver 1.1.1.1" > /etc/resolv.conf
ENV USER=1002 ENV USER=1002
USER 1002 USER 1002
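Review bot: The new `FROM ghcr.io/neilhanlon/skbn:latest as skbn` replaces a from-source build with a mutable tag, so the `skbn` binary and the `/get_arch` script copied from that stage can change without any change to this file. Pin the stage by digest, for example `FROM ghcr.io/neilhanlon/skbn@sha256:<digest-of-reviewed-image> AS skbn`, and note in a comment which source commit that image was built from. This matters more here because `/get_arch` from that stage appears to be executed by the later `RUN curl ... tini-$(/get_arch)` step, and the tini download itself is not checked against a checksum. Which lines are old and which are new is inferred from the side-by-side rendering.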


@ -35,10 +35,11 @@ def run():
architecture=arch, architecture=arch,
backoffLimit=4, backoffLimit=4,
command=["build-iso", "--release", "9", "--rc", "--isolation", "simple"], command=["build-iso", "--release", "9", "--rc", "--isolation", "simple"],
containerName="buildiso", containerName=f"buildiso-{major}-{arch}",
imageName="ghcr.io/neilhanlon/sig-core-toolkit:latest", imageName="ghcr.io/neilhanlon/sig-core-toolkit:latest",
jobName=f"build-iso-{arch}", jobName=f"build-iso-{arch}",
namespace="empanadas", namespace="empanadas",
major=major,
restartPolicy="Never", restartPolicy="Never",
) )
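Review bot: `major` is now passed to the template and used in `containerName`, but `jobName` stays `f"build-iso-{arch}"` and the command still hard-codes `"--release", "9"`, so the upload path can name a major version the build did not use, and two majors would collide on the job name. Consider `jobName=f"build-iso-{major}-{arch}"` and `"--release", str(major)` in the command list. `major` and `arch` are defined outside the hunk, so their types are assumed here; `run()` starts outside the visible lines.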


@ -11,9 +11,6 @@ spec:
- name: {{ containerName }} - name: {{ containerName }}
image: {{ imageName }} image: {{ imageName }}
command: {{ command }} command: {{ command }}
securityContext:
runAsUser: 1002
privileged: true
lifecycle: lifecycle:
preStop: preStop:
exec: exec:
@ -21,10 +18,18 @@ spec:
"skbn", "skbn",
"cp", "cp",
"--src", "--src",
"/mnt/compose/9/latest-Rocky-9/", "/var/lib/mock/rocky-{{ major }}-{{ architecture }}/root/builddir/lorax-*`",
"--dst", "--dst",
"s3://resf-empanadas/{{ containerName }}/" "s3://resf-empanadas/{{ containerName }}/$(date +%s)/",
"--parallel",
"2"
] ]
securityContext:
runAsUser: 0
runAsGroup: 0
privileged: true
runAsNonRoot: false
allowPrivilegeEscalation: true
env: env:
- name: AWS_REGION - name: AWS_REGION
value: us-east-2 value: us-east-2
@ -38,11 +43,11 @@ spec:
secretKeyRef: secretKeyRef:
name: empanadas-s3 name: empanadas-s3
key: SECRET key: SECRET
restartPolicy: {{ restartPolicy }}
tolerations: tolerations:
- effect: NoSchedule - effect: NoSchedule
key: peridot.rockylinux.org/workflow-tolerates-arch key: peridot.rockylinux.org/workflow-tolerates-arch
operator: Equal operator: Equal
value: {{ architecture }} value: {{ architecture }}
restartPolicy: {{ restartPolicy }}
backoffLimit: {{ backoffLimit }} backoffLimit: {{ backoffLimit }}
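Review bot: The `securityContext` on the new side runs the container as UID 0 with `privileged: true` and `allowPrivilegeEscalation: true`, which gives a container that also receives the `empanadas-s3` secret in its environment full access to the node. If the build only needs specific capabilities (the reason is not stated on this page), list them under `capabilities.add` instead; otherwise document the exception with a comment such as `# privileged root is required by the mock build; mirrors the peridot builder pods`. Separately, the preStop `--src` and `--dst` values contain `lorax-*`, a stray backtick and `$(date +%s)`, but an exec hook runs the array directly without a shell, so these would reach skbn as literal text. Running the copy through `["/bin/sh", "-c", "..."]` or computing the path in the container command would let them expand. The command array opens outside the hunk.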