release: build OCI images with shell scripts
ClosedPublic
Actions

Authored by dfr on Jan 21 2025, 2:04 PM.

Details

Reviewers

cperciva
dch

Commits

rGf60149306ccf: release: build OCI images with shell scripts
rGe8a5b9fd73f4: release: build OCI images with shell scripts

Summary

This avoids the need for buildah and skopeo for building releases.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

dfr created this revision.Jan 21 2025, 2:04 PM

Herald added subscribers: jrtc27, imp. · View Herald TranscriptJan 21 2025, 2:04 PM

dfr requested review of this revision.Jan 21 2025, 2:04 PM

Harbormaster completed remote builds in B61863: Diff 149662.Jan 21 2025, 2:04 PM

This version also sets a default command of "/bin/sh" for the minimal image which is common practice for Linux base images but perhaps that should be separated out.

Looks like this only makes single-layer images, whereas I think the old code had minimal being a layer on top of dynamic which was a layer on top of static. I'm not sure if this is something we care about, or even which is better if we do care about it, but I thought I should mention it.

release/Makefile.oci
28–29	Can we pass the string `container-image-${_IMG}.txz` to `make-oci-image.sh` and use it there rather than having the script reconstruct that path? Just to make it a bit more obvious how this works.
release/scripts/make-oci-image.sh
70	Can we make this list exhaustive, i.e. add amd64) ;; *) echo "Don't know how to build containers on ${arch}" >/dev/stderr exit 1 or something like that? Just to leave some breadcrumbs for when a new architecture causes confusion.
95	This could be `sha256 -q < foo` rather than `sha256sum < foo \| cut -w -f1`, I think? (And also in other places.)

Ping?

Review feedback

Harbormaster completed remote builds in B62663: Diff 151618.Thu, Feb 27, 2:26 PM

Addressed review feedback.

To make the script simpler, I chose to squash everything into a single layer per image. In theory, it might be possible to construct 'delta' layers e.g. by parsing the output of diff but it doesn't gain much given that the static and dynamic images are so small.

In D48574#1121221, @dfr wrote:

To make the script simpler, I chose to squash everything into a single layer per image. In theory, it might be possible to construct 'delta' layers e.g. by parsing the output of diff but it doesn't gain much given that the static and dynamic images are so small.

Makes sense, just wanted to check that it was deliberate.

cperciva added inline comments.Thu, Feb 27, 7:36 PM

release/scripts/make-oci-image.sh
134	I think ${PWD} is not defined here?
142	We don't use ${m}, so let's drop this and also the `echo` line at the end of create_container?

dfr marked 2 inline comments as done.Fri, Feb 28, 2:04 PM

dfr added inline comments.

release/scripts/make-oci-image.sh
134	PWD is managed by /bin/sh - the manpage is fairly clear, "This is used and updated by the shell". I confirmed it by adding a debug echo to the script.
142	The value of $m was being used by the various tools/oci-image-foo.conf scripts but it is fairly redundant at this point so I changed them to use ${workdir} instead.