Add KubeVirt containerdisk build and upload

[rmohr]

Create a KubeVirt containerdisk ociarchive and upload it to arbitrary container registries. buildah is used for building the ociarchive, skopeo is used to push the image to a container registry.

Build the ociarchive

$ cosa buildextend-kubevirt
[...]
+ qemu-img convert -f qcow2 -O qcow2 /srv/tmp/tmpjibmiol_/fedora-coreos-35.20220401.dev.0-qemu.x86_64.qcow2.working /srv/tmp/tmpjibmiol_/fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.qcow2
+ qemu-img info --output=json /srv/tmp/tmpjibmiol_/fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.qcow2
[INFO]: Processing work image callback
+ buildah from scratch             
+ buildah add --chmod 0555 working-container /srv/tmp/tmpjibmiol_/fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.qcow2 /disk/coreos.img             
c386adf15887856a35dfbae95eb8983c6ac173e697515be147ca7332cf13e071
+ buildah commit working-container           
Getting image source signatures
Copying blob d1f3d1874ef8 done  
Copying config dd323e4c49 done  
Writing manifest to image destination
Storing signatures
+ buildah push --format oci dd323e4c49fc353503a5c80e265025c144c2a31e8ce5a4493b7471263c7ab3e6 oci-archive:/srv/builds/35.20220401.dev.0/x86_64/fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.ociarchive           
Getting image source signatures
Copying blob d1f3d1874ef8 done  
Copying config dd323e4c49 done  
Writing manifest to image destination
Storing signatures
[INFO]: Calculating metadata for fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.ociarchive
[INFO]: Finished building artifacts
[INFO]: finishing ore processing
+ rc=0
+ set +x

Upload the OCI archive

[rmohr@fedora fcos]$ cosa buildextend-kubevirt --upload --repository "quay.io/rmohr"
[...]
[INFO]: Processed build for: Fedora CoreOS testing-devel (FEDORA-COREOS-x86_64) 35.20220401.dev.0
[INFO]: operating on fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.ociarchive
[INFO]: executing upload commands for ore
+ skopeo inspect oci-archive:builds/35.20220401.dev.0/x86_64/fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.ociarchive -f {{.Digest}}
[INFO]: pushing quay.io/rmohr/fedora-coreos:35.20220401.dev.0-x86_64 with digest sha256:2040a78a66d3b2189d6511c45a0cf4eedb21db556338056cd18c3c3d42543810
+ skopeo copy oci-archive:builds/35.20220401.dev.0/x86_64/fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.ociarchive docker://quay.io/rmohr/fedora-coreos:35.20220401.dev.0-x86_64
Getting image source signatures
Copying blob 1e305a849202 done  
Copying config dd323e4c49 done  
Writing manifest to image destination
Storing signatures
[INFO]: finishing ore processing
+ rc=0
+ set +x

Generate and inspect metadata

[rmohr@fedora fcos]$ cosa generate-release-meta
COREOS_ASSEMBLER_CONTAINER=localhost/coreos-assembler
COREOS_ASSEMBLER_GIT=/home/rmohr/coreos-assembler
+ podman run --rm -ti --security-opt label=disable --privileged --uidmap=1000:0:1 --uidmap=0:1:1000 --uidmap 1001:1001:64536 -v /home/rmohr/fcos:/srv/ --device /dev/kvm --device /dev/fuse -v /home/rmohr/.docker/config.json:/home/builder/a
Creating release.json for build 35.20220401.dev.0
testing-devel stream
  x86_64 images:
   - kubevirt
   - qemu
Successfully wrote release file at builds/35.20220401.dev.0/release.json
+ rc=0
+ set +x
[rmohr@fedora fcos]$ cat builds/35.20220401.dev.0/release.json | jq
{
  "release": "35.20220401.dev.0",
  "stream": "testing-devel",
  "architectures": {
    "x86_64": {
      "media": {
        "kubevirt": {
          "artifacts": {
            "ociarchive": {
              "disk": {
                "location": "https://builds.coreos.fedoraproject.org/prod/streams/testing-devel/builds/35.20220401.dev.0/x86_64/fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.ociarchive",
                "signature": "https://builds.coreos.fedoraproject.org/prod/streams/testing-devel/builds/35.20220401.dev.0/x86_64/fedora-coreos-35.20220401.dev.0-kubevirt.x86_64.ociarchive.sig",
                "sha256": "d24d902a7729a81f351f3cb040891a91d7f1ab7a6c5bb2a4ddeddb02e16506f6",
                "uncompressed-sha256": null
              }
            }
          },
          "image": {
            "image": "quay.io/rmohr/fedora-coreos@sha256:2040a78a66d3b2189d6511c45a0cf4eedb21db556338056cd18c3c3d42543810"
          }
        },
[...]
}

[openshift-ci]

Hi @rmohr. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rmohr]

/cc @miabbott
/cc @cgwalters

Would be happy to get your feedback on this (@cgwalters due to the interest in publishing for fcos). The build and the push seems to work as expected. I plan to tackle the rhcos.json modification in a follow-up.

[rmohr]

/cc @davidvossel FYI

[openshift-ci]

@rmohr: GitHub didn't allow me to request PR reviews from the following users: davidvossel.

Note that only coreos members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @davidvossel

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[miabbott]

/ok-to-test

[rmohr]

/retest

[rmohr]

/retest

[miabbott]

/retest

[jlebon]

Is there a link with more background on this? Is this part of an OCP epic?

[miabbott]

@jlebon This artifact is useful for OCP Virtualization + Hypershift: https://issues.redhat.com/browse/COS-1232

See also: https://issues.redhat.com/browse/RFE-2501

[rmohr]

/hold

needs coreos/stream-metadata-go#41 merged and referenced first.

Edit: Need an official release tag, but referencing now the merged code already.

[cgwalters]

This is probably worth factoring out as a separate preparatory commit.

[rmohr]

Do you mean a preparatory PR, or just creating a dedicated commit with the vendoring in a follow-up commit to make it more visible?

[bgilbert]

Separate commit in the same PR should be fine.

[rmohr]

Done.

[cgwalters]

Offhand this library looks sane, but it also duplicates a lot of what we already have vendored in the repositories from github.com/containers.

(Now personally, I would say we should stop vendoring all of podman in this repo, but that's a different discussion)

A possible alternative is to fork off buildah; we already do that for the other containers.

One specific reason to do that instead of using this library is to ensure that we have a single code path for e.g. authentication, and fewer places we need to change for things like "upload in oci format" (xref #2726 ). I'm guessing go-containerregistry only does v2s2?

[cgwalters]

But to be clear, I'm OK with this as is.

[rmohr]

(Now personally, I would say we should stop vendoring all of podman in this repo, but that's a different discussion)

A possible alternative is to fork off buildah; we already do that for the other containers.

If you do that already I can definitely change it. I missed that you already build containers in go in coreos-assembler.

[rmohr]

But to be clear, I'm OK with this as is.

Oh nice :)

[bgilbert]

stream-metadata-go update in #2754.

[jlebon]

LGTM!

[jlebon]

(I restarted CI so that it builds on top of #2808, which will verify that the schema was updated correctly.)

[rmohr]

(I restarted CI so that it builds on top of #2808, which will verify that the schema was updated correctly.)

And it detected issues. Fixing. 👍

[rmohr]

Can you also add it as an artifact to the .cci.jenkinsfile so it's tested by CI?

@jlebon can it be that the pipeline changes only get picked up after a merge?

[jlebon]

Can you also add it as an artifact to the .cci.jenkinsfile so it's tested by CI?

@jlebon can it be that the pipeline changes only get picked up after a merge?

Ahh yup, indeed. Jenkins is wary of you. :)

11:30:07  Loading trusted files from base branch main at f6991e5fedf40426b82f9c296bd6760dce8a7769 rather than 808b53c5ddaa6c4d71990f49da643c952f429b37
11:30:07  Obtained .cci.jenkinsfile from f6991e5fedf40426b82f9c296bd6760dce8a7769
11:30:07  ‘.cci.jenkinsfile’ has been modified in an untrusted revision

I think we just need to add you to the org. Let me sort that out.

[jlebon]

[2022-04-11T17:29:59.796Z] error adding content to container "working-container": error mounting build
container "4b745604dcfcf72d6a4b27ade77c70a8b194827be838510e0961670bfce60167": error creating overlay m
ount to /home/jenkins/agent/workspace/coreos-assembler_PR-2750/.local/share/containers/storage/overlay
/5fa288fbb3d22588f79bc8c7925e4f555e56f893aedbe2a2c2c95b0df4c107f5/merged, mount_data=",lowerdir=/home/
jenkins/agent/workspace/coreos-assembler_PR-2750/.local/share/containers/storage/overlay/5fa288fbb3d22
588f79bc8c7925e4f555e56f893aedbe2a2c2c95b0df4c107f5/empty,upperdir=/home/jenkins/agent/workspace/coreo
s-assembler_PR-2750/.local/share/containers/storage/overlay/5fa288fbb3d22588f79bc8c7925e4f555e56f893ae
dbe2a2c2c95b0df4c107f5/diff,workdir=/home/jenkins/agent/workspace/coreos-assembler_PR-2750/.local/shar
e/containers/storage/overlay/5fa288fbb3d22588f79bc8c7925e4f555e56f893aedbe2a2c2c95b0df4c107f5/work,vol
atile": using mount program /usr/bin/fuse-overlayfs: fuse: device not found, try 'modprobe fuse' first
[2022-04-11T17:29:59.796Z] fuse-overlayfs: cannot mount: No such file or directory
[2022-04-11T17:29:59.796Z] : exit status 1
[2022-04-11T17:29:59.796Z] time="2022-04-11T17:29:57Z" level=error msg="exit status 125"
[2022-04-11T17:29:59.796Z] Error running command buildah

OK right, this won't work. Hmm, but how does the existing buildah bits in the oscontainer code work in the RHCOS pipeline currently then? Ahhh OK, I think it's this bit:

coreos-assembler/src/oscontainer.py

Lines 119 to 121 in f6991e5

	if os.environ.get('container') is not None:
	print("Using nested container mode due to container environment variable")
	buildah_base_argv.extend(NESTED_BUILD_ARGS)

coreos-assembler/src/oscontainer.py

Line 27 in f6991e5

NESTED_BUILD_ARGS = ['--storage-driver', 'vfs']

@rmohr Can you try adding that to write_oci?

[rmohr]

@rmohr Can you try adding that to write_oci?

That did the trick! 👍

[jlebon]

Nice work!