Rust implementation of OCI Distribution Spec with granular access control

refactor: use umoci+skopeo for rootless OCI image creation

+28 -19
+28 -19
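--- a/.tangled/workflows/build.yml
+++ b/.tangled/workflows/build.yml
@@ -13,8 +13,9 @@
 - gcc
 - pkg-config
 - curl
-- podman
 - skopeo
+- umoci
+- jq
 - bash
 - coreutils
 - findutils
@@ -33,28 +34,36 @@
 command: |
 set -ex
 
-# Create a simple Dockerfile for podman build
-cat > Dockerfile.ci << 'DOCKERFILEEND'
-FROM gcr.io/distroless/cc-debian12:nonroot
-WORKDIR /app
-COPY target/release/grain /app/grain
-COPY target/release/grainctl /app/grainctl
-ENV RUST_LOG=info
-EXPOSE 8888
-CMD ["/app/grain", "--host", "0.0.0.0:8888", "--users-file", "/data/users.json"]
-LABEL org.opencontainers.image.source="https://tangled.org/@pierrelf.com/grain"
-LABEL org.opencontainers.image.description="Grain OCI Registry"
-LABEL org.opencontainers.image.version="${TANGLED_COMMIT_SHA:0:7}"
-DOCKERFILEEND
+# Use umoci to create OCI image from distroless base
+echo "Pulling distroless base..."
+skopeo copy docker://gcr.io/distroless/cc-debian12:nonroot oci:base:latest
+
+echo "Unpacking base image..."
+umoci unpack --image base:latest bundle
+
+echo "Adding binaries to rootfs..."
+mkdir -p bundle/rootfs/app
+cp target/release/grain bundle/rootfs/app/grain
+cp target/release/grainctl bundle/rootfs/app/grainctl
+chmod +x bundle/rootfs/app/grain bundle/rootfs/app/grainctl
+
+echo "Repacking with modifications..."
+umoci repack --image grain-oci:latest bundle
 
-echo "Building image with podman..."
-podman build --isolation=chroot -t grain:latest -t grain:${TANGLED_COMMIT_SHA:0:7} -f Dockerfile.ci .
+echo "Configuring image..."
+umoci config --image grain-oci:latest \
+--config.workingdir /app \
+--config.env RUST_LOG=info \
+--config.exposedports 8888 \
+--config.cmd /app/grain --config.cmd --host --config.cmd 0.0.0.0:8888 --config.cmd --users-file --config.cmd /data/users.json \
+--author "Grain CI" \
+--created "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
 
 echo "Logging in to Docker Hub..."
-echo "$DOCKER_PASS" | podman login --username "$DOCKER_USER" --password-stdin docker.io
+skopeo login --username "$DOCKER_USER" --password "$DOCKER_PASS" docker.io
 
 echo "Pushing to Docker Hub..."
-podman push grain:latest docker://docker.io/pierrelf/grain:latest
-podman push grain:${TANGLED_COMMIT_SHA:0:7} docker://docker.io/pierrelf/grain:${TANGLED_COMMIT_SHA:0:7}
+skopeo copy oci:grain-oci:latest docker://docker.io/pierrelf/grain:latest
+skopeo copy oci:grain-oci:latest docker://docker.io/pierrelf/grain:${TANGLED_COMMIT_SHA:0:7}
 
 echo "Build and push completed successfully!"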
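Review bot: The new login line, `skopeo login --username "$DOCKER_USER" --password "$DOCKER_PASS" docker.io`, puts the registry secret on the command line, where it is visible in the process list and, because this step runs under `set -ex` a few lines above, is also echoed into the CI log by the xtrace; the removed podman line fed it through `--password-stdin`, which skopeo supports as well. Keep the stdin form, e.g. `skopeo login --username "$DOCKER_USER" --password-stdin docker.io <<<"$DOCKER_PASS"`, and bracket that one command with `set +x` / `set -x` so the trace cannot print the expansion either. Separately, the three `LABEL` lines dropped with the Dockerfile (source, description, version) have no counterpart in the `umoci config` call, so the published image loses that metadata; `--config.label org.opencontainers.image.source=https://tangled.org/@pierrelf.com/grain` (and the other two) would restore it. The base is still fetched by the mutable tag `cc-debian12:nonroot`; pinning the `skopeo copy` source by digest would make the build reproducible and keep an upstream retag from silently changing what ships.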